When you log into your Windows XP machine, one of the last files to load is userinit.exe. This file becomes a target because it's guaranteed to run, so viruses & malware will often hijack it to ensure that their nasty programs keep running, or to keep you off your machine while those programs continue to run. What makes the fix truly difficult is that in order to fix it you must get into the system registry, but you can't very well do that if you can't log in.
So what this tutorial will show you is how to load a registry hive from another machine's drive, so you can attach the infected drive to a second machine over USB & edit its registry from there.
The registry value that we are looking for is:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Since this is under Software, we are concerned with the registry hive file C:\WINDOWS\system32\config\software (no extension).
Step 1 : Pull your hard drive out of the infected machine, & attach it over USB to another Windows XP machine.
Step 2 : Open RegEdit & select one of the main registry hives. I'm going to use HKEY_LOCAL_MACHINE in this example (Load Hive is only available with HKEY_LOCAL_MACHINE or HKEY_USERS selected).

Step 3 : Click on File & select Load Hive.

Step 4 : Navigate through the folders to the hive file. In my example the drive is J:, so we'll look for J:\WINDOWS\system32\config\software.


Step 5 : Once we select the software hive (from the infected machine) we need to give it a unique name. I will use RegFix, for obvious reasons.

Step 6 : After Step 5 (above), we can now see the RegFix entry under the hive we selected on the non-infected machine.

Step 7 : Under the RegFix entry, we will navigate to the Userinit value (\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit).

Notice how the value points to WinLogon.exe & not userinit.exe.
Step 8 : On the infected machine's drive, verify that userinit.exe exists in the correct system folder (C:\WINDOWS\system32\) & that its file date & size are correct. If it's missing or not correct, we can pull it from the DLL cache (C:\WINDOWS\system32\dllcache\) or from the XP CD-ROM.

Step 9 : After we've verified that we have a file we can use, we want to update the Userinit value to point to the now correct file location.


Step 10 : The last thing that we need to do is unload the registry hive. We can do this by highlighting our hive RegFix, clicking on File & selecting Unload Hive.

The only thing left to do now is to pull the drive out & put it back into its original machine.
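The same Steps 2-10 as a PowerShell script, added here as an example (it is not part of the original tutorial). It assumes the infected disk shows up as J: on the clean machine, drives reg.exe and the HKLM: provider instead of the RegEdit GUI, hashes userinit.exe against the dllcache copy with .NET so it also works on the PowerShell 2.0 that XP supports, and only writes the stock value (C:\WINDOWS\system32\userinit.exe, with its trailing comma) when run with -Fix.

```powershell
param(
    [string]$Drive    = 'J:',      # drive letter the infected disk received (assumption)
    [string]$HiveName = 'RegFix',  # temporary name for the loaded hive, as in Step 5
    [switch]$Fix                   # without -Fix the script only reports
)

$hiveFile = Join-Path $Drive 'WINDOWS\system32\config\software'
# The SOFTWARE hive file is itself the "Software" root, so Winlogon sits directly under RegFix.
$winlogon = "HKLM:\$HiveName\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock XP value: full path plus a trailing comma, as seen from the infected machine itself (C:, not J:).
$expected = 'C:\WINDOWS\system32\userinit.exe,'

function Get-Sha1Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA1]::Create()
    ($sha.ComputeHash([System.IO.File]::ReadAllBytes($Path)) | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Steps 3-5: load the offline hive under HKLM\RegFix (needs an elevated prompt)
& reg.exe load "HKLM\$HiveName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile" }

try {
    # Step 7: read the value the infected machine would run at logon
    $current = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    Write-Host "Userinit currently: $current"

    # Step 8: check that the real userinit.exe is present and identical to the dllcache copy
    $live  = Join-Path $Drive 'WINDOWS\system32\userinit.exe'
    $cache = Join-Path $Drive 'WINDOWS\system32\dllcache\userinit.exe'
    if (-not (Test-Path $live)) {
        Write-Warning 'userinit.exe is missing from system32; restore it from dllcache or the XP CD first'
    } elseif ((Test-Path $cache) -and ((Get-Sha1Hex $live) -ne (Get-Sha1Hex $cache))) {
        Write-Warning 'userinit.exe differs from the dllcache copy; treat it as suspect'
    }

    # Step 9: repair the value, but only when asked, so the default run is a dry run
    if ($current -eq $expected) {
        Write-Host 'Userinit already has the stock value'
    } elseif ($Fix) {
        Set-ItemProperty -Path $winlogon -Name Userinit -Value $expected
        Write-Host "Userinit reset to: $expected"
    } else {
        Write-Host 'Userinit does not match the stock value; re-run with -Fix to reset it'
    }
}
finally {
    # Step 10: always unload so the hive file is released before the disk is pulled
    [GC]::Collect()   # release lingering registry handles held by the provider
    & reg.exe unload "HKLM\$HiveName" | Out-Null
}
```

Run it once without -Fix to see what the hijacked value currently points at, then again with -Fix once you are satisfied that userinit.exe itself is clean.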
I really meant to write up this tutorial about a year ago, so I do apologize to anyone who may have reinstalled their OS over such a relatively easy fix.