Posted 25 March 2010 - 02:51 AM

Windows XP Logs out when you Log on? Your System has been compromised!

When you log into your Windows XP machine, one of the last files to load is userinit.exe. The reason why this file becomes a target is because it's guaranteed to run, so viruses & malware will often hijack this file to assure that their nasty programs continue to run or to keep you off your machine while the programs continue to run. What makes the fix truly difficult is that in order to fix it you must get into the system registry, but you can't very well do that if you can't log in :)

So what this tutorial will show you is how to load a registry hive from another machine, so you can throw this drive onto a thumb drive & edit the registry on another machine.

The registry key that we are looking for is :
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Since this is under Software, we are concerned with the registry hive C:\WINDOWS\system32\config\software.

Step 1 : Pull your hard drive out of the infected machine, & place it onto the USB chain of another Windows XP Machine.

Step 2 : open RegEdit & select one of the five main registry hives. I'm going to use HKeyLocalMachine in this example.

Step 3 : Click on File & Select Load Hive

Step 4 : Navigate through the folders to the hive list. In my example the drive is J: so we'll look for J:\WINDOWS\system32\config\software

Step 5 : Once we select the software hive (from the infected machine) we need to give it a unique name. I will use RegFix for obvious reasons.

Step 6 : From Step 5 (above), we can now see the RegFix entry in our previously selected hive on the non-infected machine.

Step 7 : Under the RegFix entry, we will navigate to the userinit entry (\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit)

Notice how it's WinLogon.exe & not userinit.exe :) Problem solved!

Step 8 : On the infected machine, verify that userinit.exe exists in the correct system folder (C:\WINDOWS\system32\) & that its file date & size are correct. If it's missing or not correct, we can pull it from DLL Cache (C:\WINDOWS\system32\dllcache\) or from the XP CD-ROM.

Step 9 : After we've verified that we have a file we can use, we want to update the registry entry to point to the now correct file location.

Step 10 : The last thing that we need to do is unload the registry hive. We can do this by highlighting our hive RegFix & clicking on File & selecting Unload Hive.

The only thing left to do now is to pull the drive out & put it back into its original machine.

I really meant to write up this tutorial about a year ago, so I do apologize to anyone who may have reinstalled their OS over such a relatively easy fix.
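The same check and repair, done from a PowerShell prompt instead of by clicking through RegEdit. This is an added example and not part of the original post: it loads the offline SOFTWARE hive under the name RegFix as the post does, prints the Userinit value, restores the stock value only when `-Repair` is passed, reports the size, date and SHA-256 of userinit.exe in system32 and in dllcache (Step 8), and always unloads the hive afterwards (Step 10). The drive letter J:, the mount name RegFix, the parameter names and the helper `Get-Sha256Hex` are assumptions of this example; the expected Userinit string keeps the C: letter because that is the letter the infected machine assigns itself when it boots, not the letter the clean machine gives the attached drive.

```powershell
# Added example, not from the original post. Inspects (and optionally repairs) the
# Winlogon\Userinit value in the SOFTWARE hive of an offline Windows XP drive that is
# attached to a clean machine. Run from an elevated PowerShell prompt on the clean machine.
# Assumptions: the offline drive is J: and the mount name is RegFix, as in the post;
# both can be overridden with the parameters below.
param(
    [string]$OfflineWindows = 'J:\WINDOWS',
    [string]$MountName      = 'RegFix',
    [switch]$Repair
)

$hiveFile = Join-Path $OfflineWindows 'system32\config\software'
$mountKey = "HKLM\$MountName"
# Inside a loaded SOFTWARE hive the key sits directly under the mount name; the leading
# "Software\" in the post's path is how the live machine presents the hive, not the file's layout.
$winlogon = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion\Winlogon"
# The value Windows XP writes at install time: userinit.exe in system32, with a trailing comma.
$expected = 'C:\WINDOWS\system32\userinit.exe,'

function Get-Sha256Hex([string]$Path) {
    # Hypothetical helper; uses .NET directly so it also works on Windows PowerShell 2.0,
    # which has no Get-FileHash cmdlet.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

reg.exe load $mountKey $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Could not load hive $hiveFile (is the prompt elevated and the drive attached?)"
}

try {
    $current = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    Write-Host "Offline Userinit value: $current"

    if ($current -ieq $expected) {
        Write-Host 'Userinit looks normal.'
    } else {
        Write-Warning "Userinit differs from the expected value '$expected'."
        if ($Repair) {
            Set-ItemProperty -Path $winlogon -Name Userinit -Value $expected
            Write-Host 'Userinit restored.'
        }
    }

    # Step 8 of the post: confirm userinit.exe is present on the offline drive and show the
    # same details for the dllcache copy the post names as a replacement source.
    $live  = Join-Path $OfflineWindows 'system32\userinit.exe'
    $cache = Join-Path $OfflineWindows 'system32\dllcache\userinit.exe'
    foreach ($p in @($live, $cache)) {
        if (Test-Path $p) {
            $f = Get-Item $p
            Write-Host ('{0}: {1} bytes, modified {2}, SHA-256 {3}' -f $p, $f.Length, $f.LastWriteTime, (Get-Sha256Hex $p))
        } else {
            Write-Warning "$p is missing"
        }
    }
}
finally {
    # Step 10 of the post: unload the hive. Release the provider's handles first, otherwise
    # reg.exe unload reports access denied and the hive stays locked on the clean machine.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    reg.exe unload $mountKey | Out-Null
}
```

Run it once without `-Repair` and read the printed value before writing anything: Userinit is a comma-separated list, so an entry an administrator added deliberately would also be reported as different from the stock value. Because the hive file location is a parameter, the script works equally on a copy of the hive placed on the clean machine's own disk.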

Posted 05 May 2010 - 09:25 AM

This solution was very useful. Thanks.
Instead of moving your hard disk to another machine, you can connect to it remotely through the LAN.
1) Boot the infected machine from the Windows install CD and choose repair
2) Copy the software registry file to softrepair
3) Restart the infected machine as usual but do not log on
4) From another machine on the LAN, connect to the infected machine's C$ share
5) Apply the registry change as explained in this solution
6) Restart the infected machine from the Windows install CD and choose repair
7) Copy the softrepair registry file back to software
8) Restart as usual

It worked for me.

Posted 16 September 2011 - 02:18 PM

When you said "Remote" in the title I thought you meant via wireless or LAN, but once I read your post I was impressed and surprised!
