Explorer.exe won’t load following a reboot

I recently encountered problems getting the Windows Explorer shell to load in Windows XP after cleaning a spyware infection. I found there are two registry keys that are critical to loading Explorer on boot; you should check them first if you ever encounter a problem getting Explorer.exe to load.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

shell="explorer.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

userinit=C:\windows\system32\userinit.exe

Watch out for trailing commas on userinit.exe (userinit.exe, ), as this is where malware likes to insert itself to load during Windows startup.
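A check for the two Winlogon values above, as an added example (not code from the original post). It works on the value data as text, for instance copied from regedit. It assumes the expected data shown on this page, and it treats a lone trailing comma as harmless while reporting any additional program in the list; the function names and sample data are constructed for illustration.

```python
import ntpath

# Expected data as given on the page (default C:\windows install assumed).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def split_entries(value):
    """Split a comma-separated Winlogon value; empty items (for example the
    one left by a lone trailing comma) are dropped."""
    items = (part.strip().strip('"').strip() for part in value.split(","))
    return [item for item in items if item]


def audit_winlogon(shell, userinit):
    """Return (value_name, problem, entries) tuples for anything to review."""
    findings = []
    shell_items = split_entries(shell)
    if [s.lower() for s in shell_items] != [EXPECTED_SHELL]:
        findings.append(("Shell", "not exactly explorer.exe", shell_items))
    init_items = split_entries(userinit)
    # Compare case-insensitively with Windows path rules on any platform.
    normalized = [ntpath.normcase(ntpath.normpath(i)) for i in init_items]
    if EXPECTED_USERINIT not in normalized:
        findings.append(("Userinit", "userinit.exe entry missing", init_items))
    extra = [i for i, n in zip(init_items, normalized) if n != EXPECTED_USERINIT]
    if extra:
        findings.append(("Userinit", "additional program listed", extra))
    return findings


# Constructed sample data (not from a real machine).
CLEAN = ("Explorer.exe", r"C:\WINDOWS\system32\userinit.exe,")
TAMPERED = ("explorer.exe", r"C:\WINDOWS\system32\userinit.exe,C:\example\loader.exe")

if __name__ == "__main__":
    for label, (shell, userinit) in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, audit_winlogon(shell, userinit) or "no findings")
```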

You have exceeded your profile space!

I came across an interesting issue today while cleaning a malware infection from a client computer. Once I had cleaned the system up enough to load Windows XP in normal mode, I noticed a strange icon in the system tray. It was a large red circle with a white X, and when the mouse was hovered over the icon the message “Warning! You have exceeded your profile space by XXX KB” was displayed. Opening the program displayed a more detailed message:

Profile Storage Space
You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage

This was on a computer that is not attached to a domain,  with no quotas enabled by the administrator.

It seems that the malware infection implemented a local security policy on the PC restricting the user's profile storage space. Manually deleting unneeded files from My Documents to reduce the size of the profile had no effect.

Luckily I came across this registry modification that removed the quota and corrected the problem.

Take this code and paste it into notepad. Save the file as quotarem.reg (make sure to save as type All Files to avoid the .TXT extension) and then double click on it to merge the changes into your Windows registry.

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=-
"ProfileQuotaMessage"=-
"MaxProfileSize"=-
"IncludeRegInProQuota"=-
"WarnUser"=-
"WarnUserTimeout"=-

Migrating a Windows XP user profile to a new domain without FAST

This technique can be useful when you need to migrate users to a new network domain and want to retain all the users' profile data for use in the new domain. Using this simple registry modification saves the time required for a tool like the Files and Settings Transfer Wizard (FAST), but unlike FAST it cannot be used to move a user's profile from one PC to another.

1 ) Log in to the PC as the user whose profile you intend to migrate. Let's call the account TESTUSER.

2 ) Check the user's profile path, typically located in C:\Documents and Settings\TESTUSER, and make note of the exact directory path.

3 ) Log in as a user with administrative rights and join the new domain. Reboot the PC.

4 ) Log in after rebooting with the user's (TESTUSER) new domain account to create a new profile, then log out.

5 ) Log in with a domain admin account.

6 ) Give the TESTUSER@newdomain account full NTFS permissions to the old account profile path you noted earlier. It’s best to Apply the changes before pressing Okay, as I’ve found that they don’t stick when you simply press Okay after adding the permissions.

7 ) Open Regedit and navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

8 ) You will see a list of all the profiles on the machine. Be aware that these profile folders are named according to the user security IDs (SIDs) and not according to the user names. You should find a number of profiles including the old user profile (TESTUSER) and the new domain user profile (TESTUSER.domain). The easiest way to determine which profile belongs to which user is to compare the ProfileImagePath key data to see which account is referenced in the path.

9 ) Edit the domain user profile (TESTUSER.domain) ProfileImagePath key to point to the old user profile path. For example: “C:\documents and settings\TESTUSER.domain” <changes to> “C:\documents and settings\TESTUSER”

10 ) Once complete, log in using the domain account and test it out. The desktop should change, My Documents should contain all their documents, etc. Make sure to check Outlook to confirm the email profile was migrated correctly; I’ve seen a few instances where this did not happen and Outlook required reconfiguration.

Manually disable Internet Explorer 7 (IE7) Run Once page

If a user is unable to save the “Run Once” page that comes up after installing IE7 (http://rononce.man.com/runonce3.aspx), there is a manual way of disabling it.

Open regedit and go to [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Look for the following two keys:
RunOnceHasShown
RunOnceComplete

If the keys aren’t there, create both as new DWORD Values and set the value to 1 for each.

Re-enable Registry Editing (regedit)

Often, we run across spyware that may disable registry editing.  When you try to access regedit, you may get the following prompt:

“Registry editing has been disabled by your administrator.”

There are several methods to re-enable registry editing from this point. The easiest is usually to run this command from the Run dialog or from a command prompt:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Log off, then back on, and try again. If that didn’t work, you can try the other steps below:

Use GPEDIT to modify the local security policy:

  1. Click Start, Run
  2. Type GPEDIT.MSC and Press Enter
  3. Go to the following location
    • User Configuration
    • Administrative Templates
    • System
  4. In the Settings Window, find the option for “Prevent Access to Registry Editing Tools” and double-click on it to change.
  5. Select Disabled or Not Configured and choose OK
  6. Close the Group Policy Editor and restart your computer
  7. Try opening REGEDIT again

Download this VBS file:

www.dougknox.com/security/scripts_desc/regtools.htm

Missing Tabs In Display Properties

Some spyware may create a desktop background to replace your own. After doing this, I’ve seen the display properties tabs for modifying the screensaver and wallpaper disappear to prevent the user from getting rid of the malicious wallpaper. To bring these tabs back, navigate to the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Here, you will find the keys responsible.  They are:

NoDispBackgroundPage
NoDispAppearancePage

These will likely be set to 1. Set them to 0 or delete them to get your tabs back.
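The profile quota, DisableRegistryTools and display-tab fixes on this page all touch the same Policies\System key, so one pass over an export of that key can show which of those restrictions are still set after a cleanup. This is an added example, not code from the original posts; it reads .reg export text already decoded to a string, and the function names and sample export are constructed for illustration.

```python
import re

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Value names taken from the three Policies\System fixes on this page.
WATCHED = {
    "DisableRegistryTools", "NoDispBackgroundPage", "NoDispAppearancePage",
    "EnableProfileQuota", "ProfileQuotaMessage", "MaxProfileSize",
    "IncludeRegInProQuota", "WarnUser", "WarnUserTimeout",
}


def parse_reg(text):
    """Parse .reg export text into {KEY: {value_name: data}}; dword data becomes int."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = keys.setdefault(header.group(1).upper(), {})
            continue
        entry = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if entry and current is not None:
            name, data = entry.groups()
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            else:
                data = data.strip('"')
            current[name] = data
    return keys


def flag_policies(text):
    """Return sorted (name, data) pairs for watched values that are present and not 0."""
    values = parse_reg(text).get(POLICY_KEY.upper(), {})
    canonical = {w.lower(): w for w in WATCHED}
    return sorted((canonical[n.lower()], d) for n, d in values.items()
                  if n.lower() in canonical and d != 0)


# Constructed sample export (not from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000000
"EnableProfileQuota"=dword:00000001
"MaxProfileSize"=dword:00007530
"""

if __name__ == "__main__":
    for name, data in flag_policies(SAMPLE_EXPORT):
        print(f"{name} = {data}")
```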

BIOS Beep codes

When troubleshooting a computer that beeps when trying to start, referring to the motherboard manual or OEM user manual is usually the quickest way to find out what is preventing the computer from booting. Here are a couple of links to motherboard and OEM beep codes.

Tech Republic – Beep codes for desktops

http://www.bill-cash.com/bios_beep_codes.htm

Repair Windows File Associations

This link provides helpful registry scripts to repair Windows file associations:

http://www.dougknox.com/xp/file_assoc.htm

Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)

A client of mine recently had 2 CDRom drives that weren’t showing in My Computer. In the device manager, they showed up with exclamation points. Double-clicking them told me that the driver was installed properly but:

“Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)”

After some research, the solution I found was to remove the LowFilter and UpperFilter entries from this registry area:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}

Note that you may have several identical keys like this (4D36E965-E325-11CE-BFC1-08002BE10318). The one you are looking for will list DVD/CD Rom Drives as the very first entry.

Reboot after making changes.

Cannot Set Default Printer in Vista

I recently came across an issue on a client PC where I could not set a printer to be the default. When I right-clicked the printer and chose the “Set as Default Printer” option, absolutely nothing happened. After researching the issue, I was able to manually make the printer the default by adding the following registry key:

Name: Device
Type: Reg_SZ (String Value)
Value: “printername, winspool, portname”
Location: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

In my case, the Windows key didn't exist under CurrentVersion and had to be created.