#1

I was wondering if someone can shed some light on this tough predicament that one of my clients ran into. While troubleshooting a virus issue, the user inadvertently set the permissions for the entire HKEY_CLASSES_ROOT reg hive to deny for the Everyone and Administrator group.

If you have a test machine you can try this and it will render the machine useless because you won't be able to execute anything. I was wondering if there is a tool to fix this or any workarounds possible. Tests through Active Directory GPOs have proven possible but this is not an option for the client who is NOT on a Domain.

Is it possible that something can/may be done in the "Safe Mode with Command Prompt" mode?

Thanx in advance!

BTW: I should have Cross-Posted this, instead of multi-Posting, this to microsoft.public.windowsxp.help_and_support -- Sorry!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#2

Seems to me I have seen something in the plugins for BartPE that allows you to get in and load registry stuff. You might want to check out that avenue:
http://www.nu2.nu/pebuilder/

mikey

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:uO19Q4bBGHA.3936@TK2MSFTNGP12.phx.gbl...
> I was wondering if someone can shed some light on this tough predicament that one
> of my clients ran into. While troubleshooting a virus issue, the user
> inadvertently set the permissions for the entire HKEY_CLASSES_ROOT reg hive to
> deny for the Everyone and Administrator group.
>
> If you have a test machine you can try this and it will render the machine
> useless because you won't be able to execute anything. I was wondering if there
> is a tool to fix this or any workarounds possible. Tests through Active
> Directory GPOs have proven possible but this is not an option for the client who
> is NOT on a Domain.
>
> Is it possible that something can/may be done in the "Safe Mode with Command
> Prompt" mode?
>
> Thanx in advance!
>
> BTW: I should have Cross-Posted this, instead of multi-Posting, this to
> microsoft.public.windowsxp.help_and_support -- Sorry!
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

#3

I have never had to deal with that but maybe he could boot into Bart's PE or put the drive into another computer, use regedit to load the problem hive from \Windows\system32\config, change the permissions to what they should be or at least remove the deny permission, and then unload the hive. Offhand I am not sure which file that hive relates to but would start with system. Good luck.

--- Steve

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:uO19Q4bBGHA.3936@TK2MSFTNGP12.phx.gbl...
> I was wondering if someone can shed some light on this tough predicament that one
> of my clients ran into. While troubleshooting a virus issue, the user
> inadvertently set the permissions for the entire HKEY_CLASSES_ROOT reg hive to
> deny for the Everyone and Administrator group.
>
> If you have a test machine you can try this and it will render the machine
> useless because you won't be able to execute anything. I was wondering if there
> is a tool to fix this or any workarounds possible. Tests through Active
> Directory GPOs have proven possible but this is not an option for the client who
> is NOT on a Domain.
>
> Is it possible that something can/may be done in the "Safe Mode with Command
> Prompt" mode?
>
> Thanx in advance!
>
> BTW: I should have Cross-Posted this, instead of multi-Posting, this to
> microsoft.public.windowsxp.help_and_support -- Sorry!
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

#4

From: "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net>

| I have never had to deal with that but maybe he could boot into Bart's PE or
| put the drive into another computer, use regedit to load the problem hive
| from \Windows\system32\config, change the permissions to what they should be
| or at least remove the deny permission, and then unload the hive. Offhand I
| am not sure which file that hive relates to but would start with system.
| Good luck. --- Steve

What file would be loaded for HKEY_CLASSES_ROOT?

Can "reg load .\path\file" be used?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#5

That seems to be the problem as I was just trying it out on a test computer that I have dual boot on and was not able to load a registry hive to change the permissions. The link below explains HKEY_CLASSES_ROOT more and there is no single file for it. Sorry about the dead end on that one.

http://msdn.microsoft.com/library/de...s_root_key.asp

Another possibility that I have not tried either is to look at using setacl which can change registry key permissions and do it from a remote computer. Offhand I don't know if it will work on HKEY_CLASSES_ROOT. An upgrade/repair install might be something to consider and of course possibly service pack and definitely security updates would need to be redone. If the secedit command can be run then it may be worthwhile trying per KB313222 and the /areas regkeys switch could be used to reset only registry.

--- Steve

http://setacl.sourceforge.net/ -- setacl
http://support.microsoft.com/default...b;EN-US;313222

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23f3UCVdBGHA.3936@TK2MSFTNGP12.phx.gbl...
> From: "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net>
>
> | I have never had to deal with that but maybe he could boot into Bart's PE or
> | put the drive into another computer, use regedit to load the problem hive
> | from \Windows\system32\config, change the permissions to what they should be
> | or at least remove the deny permission, and then unload the hive. Offhand I
> | am not sure which file that hive relates to but would start with system.
> | Good luck. --- Steve
>
> What file would be loaded for HKEY_CLASSES_ROOT?
>
> Can "reg load .\path\file" be used?
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

#6

From: "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net>

| That seems to be the problem as I was just trying it out on a test computer
| that I have dual boot on and was not able to load a registry hive to change
| the permissions. The link below explains HKEY_CLASSES_ROOT more and there is
| no single file for it. Sorry about the dead end on that one.
|
| http://msdn.microsoft.com/library/de...s_root_key.asp
|
| Another possibility that I have not tried either is to look at using setacl
| which can change registry key permissions and do it from a remote computer.
| Offhand I don't know if it will work on HKEY_CLASSES_ROOT. An upgrade/repair
| install might be something to consider and of course possibly service pack
| and definitely security updates would need to be redone. If the secedit
| command can be run then it may be worthwhile trying per KB313222 and the
| /areas regkeys switch could be used to reset only registry. --- Steve
|
| http://setacl.sourceforge.net/ -- setacl
| http://support.microsoft.com/default...b;EN-US;313222

Thanks Steve, they look promising.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

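As an added example that is not part of the thread, the PowerShell (3.0 or later) script below audits a key tree for the Deny entries discussed in the two posts above and prints the SetACL and secedit repair commands; Find-DenyAce and Get-RepairCommands are names chosen here, SetACL is assumed to be on the PATH, and the SetACL switches follow the 2.x documentation, so check them against the copy you have. It is pointed at HKLM\SOFTWARE\Classes because HKCR is a merged view with no hive file of its own: its machine half is HKLM\SOFTWARE\Classes (stored in the SOFTWARE hive under \Windows\system32\config) and its per-user half is HKCU\Software\Classes (UsrClass.dat).

```powershell
# Added example, not from the thread: audit a key tree for Deny ACEs aimed at
# Everyone (S-1-1-0) or BUILTIN\Administrators (S-1-5-32-544) and print the
# SetACL/secedit commands that undo them. Aimed at HKLM\SOFTWARE\Classes, the
# machine half of the HKCR merged view (HKCR itself has no hive file). PS 3+.
param([string]$Key = 'HKLM:\SOFTWARE\Classes', [string]$SetAcl = 'SetACL.exe')  # SetACL assumed on PATH
$Watched = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-32-544' = 'BUILTIN\Administrators' }

function Find-DenyAce([string]$Path) {
    $hits = @()
    $keys = @(Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    # "Deny Full Control" also denies READ_CONTROL, so the damaged keys are often
    # exactly the ones that cannot be opened or whose DACL cannot be read.
    if ($keys.Count -eq 0) { $hits += [pscustomobject]@{ Key = $Path; Trustee = '(key not openable)'; Rights = 'n/a' } }
    foreach ($k in $keys) {
        try   { $acl = $k.GetAccessControl() }
        catch { $hits += [pscustomobject]@{ Key = $k.Name; Trustee = '(DACL unreadable)'; Rights = 'n/a' }; continue }
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Deny' -and $Watched.ContainsKey($sid)) {
                $hits += [pscustomobject]@{ Key = $k.Name; Trustee = $Watched[$sid]; Rights = $ace.RegistryRights }
            }
        }
    }
    return $hits
}

function Get-RepairCommands([string]$RegPath) {
    # SetACL 2.x switches as documented at setacl.sourceforge.net (verify against your
    # copy). Ownership goes first: a Deny ACE blocks reading the DACL, but not WRITE_OWNER
    # for an administrator with SeTakeOwnershipPrivilege, which SetACL enables itself.
    @(
        "$SetAcl -on `"$RegPath`" -ot reg -actn setowner -ownr `"n:S-1-5-32-544;s:y`" -rec yes",
        "$SetAcl -on `"$RegPath`" -ot reg -actn ace -ace `"n:S-1-1-0;s:y;p:full;m:revoke`" -rec yes",
        "$SetAcl -on `"$RegPath`" -ot reg -actn ace -ace `"n:S-1-5-32-544;s:y;p:full;m:revoke`" -rec yes",
        "$SetAcl -on `"$RegPath`" -ot reg -actn ace -ace `"n:S-1-5-32-544;s:y;p:full;m:grant`" -rec yes",
        # Then, booted into the repaired install, reapply XP's default registry ACLs (KB313222):
        'secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /areas REGKEYS /verbose'
    )
}

$found = @(Find-DenyAce $Key)
if ($found.Count -eq 0) { "No Deny ACEs for Everyone/Administrators found under $Key" }
else {
    $found | Format-Table -AutoSize
    'Suggested repair (review first; run from Safe Mode with Command Prompt or against the offline hive):'
    Get-RepairCommands ($Key -replace ':', '')
}
```

From BartPE or a second Windows install, load the damaged system's SOFTWARE hive first (`reg load HKLM\Offline D:\Windows\System32\config\software`, drive letter as applicable) and run the script with `-Key HKLM:\Offline\Classes`, then `reg unload HKLM\Offline` when done. The Deny ACEs travel with the hive because Everyone and Administrators are well-known SIDs, which is why ownership has to be taken before the DACL can even be read.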
#7

Steven L Umbach
> http://setacl.sourceforge.net/ -- setacl

David H. Lipman wrote:
> Thanks Steve, they look promising.

SETACL is something I use all the time - and for a long time now. Great application.
(Although your customer's problem is pretty special. heh)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

#8

From: "Shenan Stanley" <newshelper@gmail.com>

| SETACL is something I use all the time - and for a long time now. Great
| application.
| (Although your customer's problem is pretty special. heh)
|
| --
| Shenan Stanley
| MS-MVP

Sometimes a user's home remedy needs a remedy :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm