When removing malware from an infected computer, the experienced IT support technician normally uses the Windows utility program Regedit to remove malicious entries from the Registry. But what do you do if Regedit won't run?
Many viruses and rogue security programs delete or corrupt regedit.exe, or block it from running, and they use a variety of techniques to do so. This article suggests several alternatives that should get around the problem.
- If regedit.exe is not found on the local hard drive or shows symptoms of being corrupted, copy a fresh version of the file from another computer running the same version of Windows
- If you have a Windows Install CD or DVD of the same version as the infected computer, run the System File Checker program, SFC.exe, with the /Scannow option
- If regedit.exe has been blocked from running, try running regedt32 instead
- Copy regedit.exe to regedit.com and try running it under that name
- Copy regedit.exe to [random name].exe and try running it under that name
- Copy regedit.exe to [random name].com and try running it under that name
- Using Group Policy Editor, see if "Prevent access to registry editing tools" has been enabled; if so, change to "Not configured"
- Using Group Policy Editor, see if "Don't run specified Windows applications" has been enabled; if so, change to "Not configured"
- If you are a graduate of the Virus Remediation Training workshop, run the program Enableregedit from the Virus Repair Toolkit that is included with that course
In those rare situations when none of these approaches restores Regedit, there are additional ways to change the contents of the Registry. Here are five more approaches you may take:
- Import a .reg file by double-clicking on it
- Import a .reg file in Safe Mode Command Prompt Only by entering "regedit [filename].reg" (without the quotes)
- Install a .inf file by right-clicking on it and selecting "Install"
- From a Command Prompt, use the Reg command to add, change, or delete an entry in the Registry; repeat as necessary
- If the computer is a member of a Domain environment, you may be able to use Remote Registry Editing to view and change the Registry from another computer on the network
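The two Group Policy settings in the first list are stored as ordinary registry values, so the check-and-reset can be scripted; the following is an added example, not code from the article or from the Virus Repair Toolkit. It reads the standard locations where Windows keeps "Prevent access to registry editing tools" and "Don't run specified Windows applications", in both the machine and user hives, removes them the same way the Group Policy Editor's "Not configured" does (the Reg command equivalent from the second list is shown in a comment), and compares the local regedit.exe against a hash you record on a clean machine of the same Windows version. The reference hash is an assumed input; run the script from an elevated PowerShell prompt.

```powershell
# Added example, not code from the original article or its training course.
# Inspects the two policy settings the article names, optionally clears them,
# and checks the regedit.exe binary against a known-good hash.

# Machine policy (HKLM) takes precedence over user policy (HKCU), so both hives are checked.
$RegistryToolsPolicies = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$DisallowRunPolicies = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-RegeditBlock {
    # Returns one object per finding; an empty result means neither policy is set.
    $findings = @()

    foreach ($path in $RegistryToolsPolicies) {
        $v = Get-ItemProperty -Path $path -Name DisableRegistryTools -ErrorAction SilentlyContinue
        if ($v -and $v.DisableRegistryTools -ne 0) {
            $findings += [pscustomobject]@{
                Policy = 'Prevent access to registry editing tools'
                Path   = $path
                Value  = 'DisableRegistryTools'
                Data   = $v.DisableRegistryTools
            }
        }
    }

    foreach ($path in $DisallowRunPolicies) {
        $v = Get-ItemProperty -Path $path -Name DisallowRun -ErrorAction SilentlyContinue
        if ($v -and $v.DisallowRun -ne 0) {
            # The blocked program names are string values under the DisallowRun subkey.
            $listKey = Join-Path $path 'DisallowRun'
            $blocked = @()
            if (Test-Path $listKey) {
                $blocked = (Get-ItemProperty -Path $listKey).PSObject.Properties |
                    Where-Object { $_.Name -notmatch '^PS' } |   # skip the provider's PS* properties
                    ForEach-Object { $_.Value }
            }
            $findings += [pscustomobject]@{
                Policy = "Don't run specified Windows applications"
                Path   = $path
                Value  = 'DisallowRun'
                Data   = ($blocked -join ', ')
            }
        }
    }
    return $findings
}

function Clear-RegeditBlock {
    # Deleting the values is what "Not configured" does in the Group Policy Editor.
    # Command Prompt equivalent for the first one, using the Reg command:
    #   reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /f
    foreach ($path in $RegistryToolsPolicies) {
        Remove-ItemProperty -Path $path -Name DisableRegistryTools -ErrorAction SilentlyContinue
    }
    foreach ($path in $DisallowRunPolicies) {
        Remove-ItemProperty -Path $path -Name DisallowRun -ErrorAction SilentlyContinue
        Remove-Item -Path (Join-Path $path 'DisallowRun') -Recurse -ErrorAction SilentlyContinue
    }
}

function Test-RegeditBinary {
    # Compares the local regedit.exe with a SHA-256 hash recorded on a clean machine
    # running the same Windows version (assumed input; the article gives no hash).
    param([Parameter(Mandatory)][string]$ReferenceSha256)
    $exe = Join-Path $env:windir 'regedit.exe'
    if (-not (Test-Path $exe)) { return 'missing' }
    $actual = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
    if ($actual -eq $ReferenceSha256) { 'intact' } else { 'mismatch' }
}

# Usage: report first, then clear only if a policy block was actually found.
$blocks = Get-RegeditBlock
if ($blocks) { $blocks | Format-Table -AutoSize; Clear-RegeditBlock } else { 'No policy block found.' }
Test-RegeditBinary -ReferenceSha256 '<SHA256 RECORDED ON A CLEAN MACHINE>'
```

If a cleared value reappears after the next policy refresh on a domain-joined computer, it is being applied by a domain Group Policy Object rather than by the malware, and the change has to be made at the GPO instead.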
All of these techniques are covered in greater detail in the Virus Remediation Training workshop. As you can see, a well-trained technician should be able to change the Registry as required to remove any traces of today's malware.
Do you have some other method for dealing with this common challenge? If so, I'd love to hear about it. Please send your tips directly to me, at firstname.lastname@example.org. I'll also be interested in hearing which of these approaches you find easiest or most effective.
Happy malware hunting!