We've seen a number of machines with McAfee on them where the update killed 
them, and that was not the only issue: it was the userinit.exe (as Tammy 
suggested). Our solution was to use Autoruns on a WinPE disk and remove the 
virus entries sitting in the key. 

If you could get someone else trusted to boot into the recovery console then 
they could change the registry manually.

Would the "Suit" allow for a more technical user to follow a precise set of 
instructions on your behalf? E.g. insert XP CD, turn on desktop, open recovery 
console, read registry line, fix, reboot?

Mike

-----Original Message-----
From: Peter van Houten [mailto:[email protected]] 
Sent: 14 May 2010 13:14
To: NT System Admin Issues
Subject: Re: XP Box inaccessible

Thanks Tammy; most of my attempts at remote access were fruitless.
Besides breaking the login process, the code *seems* to have disabled all 
access vectors that I know of, with the exception of IPC$ (with null 
credentials only) via which I have made a connect/disconnect but nothing more 
and was hoping that some bright spark knew of an attack via this route.
It does appear to parse the initial login credentials correctly (and probably 
stores them). Have nmap scanned aggressively and shown ports 139 & 445 open, 
hence the partial netbios access as above.

The suit using this PC won't allow anyone else other than myself within
50 paces but was able to defer the requirement for the important docs on the 
system's desktop [say goodbye to his write access to /desktop :-) ], so I have 
a weekend reprieve (and more time to hack it).

--
Peter van Houten

On the 14 May, 2010 04:10, Tammy wrote the following:
> Can you access the machine's registry from a machine on the network 
> using remote registry? It has worked for me a few times. (assuming 
> userinit.exe exists & is intact)
>
> Worth a look to see if the userinit value in registry is hosed.
>
> Key: BrokenMachine\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
>
> Normally the value for userinit is c:\windows\system32\userinit.exe,
>
> Fix the value, disconnect registry & reboot the box.
>
> Just in case they have windows installed to a different 
> directory/drive etc though might want to check here first:
>
> Brokenmachine\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
>
> Regards,
>
> Tammy Stewart (coppertop)
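A script form of the remote-registry check Tammy describes above, as an added example that is not code from the thread or from any of its participants. It reads the Winlogon Userinit value over the Remote Registry service, expands %SystemRoot% with the target's own setting rather than the local machine's (the point of Tammy's note about Windows living in a different directory or drive), and flags anything beyond the stock userinit.exe. The function name Test-Userinit, the -Repair switch and reading SystemRoot from the CurrentVersion key are my own choices, not something the thread mentions; the script assumes the Remote Registry service is running on the target and that the caller holds administrative credentials there.

```powershell
<#
  Added example (not from the thread). Checks the Winlogon Userinit value on a
  remote machine via Remote Registry and reports anything that is not the stock
  userinit.exe. Read-only unless -Repair is given.
  Assumptions: Remote Registry service running on the target; caller is an
  administrator on it.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName,
    [switch]$Repair
)

function Test-Userinit {
    param([string]$ComputerName, [switch]$Repair)

    $hive   = [Microsoft.Win32.RegistryHive]::LocalMachine
    $remote = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
    try {
        # Windows may not live in C:\WINDOWS; take SystemRoot from the target itself.
        $cv = $remote.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        $systemRoot = [string]$cv.GetValue('SystemRoot')
        if (-not $systemRoot) { throw "Could not read SystemRoot on $ComputerName" }
        $expected = $systemRoot.TrimEnd('\') + '\system32\userinit.exe'

        $winlogon = $remote.OpenSubKey(
            'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', $Repair.IsPresent)
        # Keep %SystemRoot% literal: a plain GetValue would expand it with OUR environment.
        $raw = [string]$winlogon.GetValue('Userinit', '',
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

        # Userinit is a comma-separated program list; stock value is "<root>\system32\userinit.exe,"
        $entries = $raw -split ',' |
            ForEach-Object { $_.Trim().Trim('"') -replace '%SystemRoot%', $systemRoot } |
            Where-Object { $_ -ne '' }

        $extra    = @($entries | Where-Object { $_ -ine $expected })
        $hasStock = [bool]($entries | Where-Object { $_ -ieq $expected })
        $status = if ($hasStock -and $extra.Count -eq 0) { 'OK' }
                  elseif ($raw -eq '') { 'MISSING' }
                  else { 'TAMPERED' }

        # Remediation the thread describes: put the stock value back (only with -Repair).
        if ($Repair -and $status -ne 'OK') {
            $winlogon.SetValue('Userinit', "$expected,",
                [Microsoft.Win32.RegistryValueKind]::String)
        }

        [pscustomobject]@{
            Computer = $ComputerName
            Status   = $status
            Raw      = $raw
            Expected = $expected
            Extra    = $extra          # entries besides userinit.exe, e.g. an added malware path
            Repaired = [bool]($Repair -and $status -ne 'OK')
        }
    }
    finally {
        $remote.Close()
    }
}

Test-Userinit -ComputerName $ComputerName -Repair:$Repair | Format-List
```

Run it from the admin workstation as `.\Check-Userinit.ps1 -ComputerName BrokenMachine`; it only reports unless `-Repair` is added, and a reboot is still needed afterwards as Tammy says. One caveat from Peter's own findings: this path needs authenticated SMB access to the box, and he reports that only a null-credential IPC$ connection still works, so if the machine no longer accepts credentials this check fails the same way his remote-access attempts did, and the offline route (Mike's WinPE disk with Autoruns, or the recovery console) remains the fallback.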

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~