
View Full Version : Remedy For Reg Keys Refused To Delete


EASTER
March 12th, 2009, 04:07 AM
Greets Members:

I thought this app just might be of some assistance for any of you who have been long-time users of RegCrawler, which I have been using since Win98 to review, learn, and especially in my case finally delete registry keys that otherwise simply give an error "Cannot Open" when you try to get rid of them after they show up in the ERROR section of RegCrawler, for no reason I could ever understand.
This is the Registry Crawler program I always used because it is lightning quick to locate and jump to lines in the real registry for finding necessary lines to view or even delete, especially if it's malware. It jumps to the item and all you need do is switch permissions to manually delete malware entries. It's been a time saver and a helper in yanking malware entries they lodge in the registry instead of the time-consuming MS Regedit search way. Link below. It's worth every penny I spent a million times over for years.

http://www.4developers.com/regc/


Now to a peculiar, very occasional problem. There's been times when, while searching, RegCrawler literally hopped over an ERROR although it still finished its search just fine. Again today I encountered a registry KEY that no matter what showed no permissions but a blank screen, and it kept returning that annoying ERROR "Cannot Open" even though the entire CLSID-type full-length number was in clear view. But it refused to delete no matter what. I was about to pull my hair out when I remembered I ran into this a long time ago and used another alternative to REGEDIT named NTRegedit, courtesy of its author Dan Madden, to finally remove both the unmovable useless key and Regcrawler's ERROR message, to my relief.

I hope anyone else who runs into this seemingly impossible predicament can make use of this free application ntRegedit, because it lifts out the key with a simple stroke.

More can be found here, as well as the author's comments, in this article.

http://www.boot-land.net/forums/index.php?showtopic=3782

I rarely encounter such an issue, but since it doesn't happen that often at all, I completely forgot how or what to use to fix this nuisance.

It can be downloaded as link #5 "Download all demos (VC++ 6, 7.1, 8) - 394 Kb", only, as far as I know, from Code Project where he frequents often.
http://www.codeproject.com/KB/applications/NtRegEdit.aspx

You will need to sign up & join, which is a piece of cake really, and it gives you access to the entire set of projects that developers and experimenters alike post up for download.

Also, since they might be needed for XP anyway, 2 DLLs that support it can be found at DLL-files.com; they are, respectively, msvcp71.dll & mfc71.dll, and they are needed in order for the app to function properly. You can keep them in the same folder as ntRegedit.

You can learn a lot about the registry and how malware manipulates it by hiding keys etc., since it also has a feature to create "hidden keys"; then use your security tools or programs to try to locate them. Don't worry, ntREGEDIT will easily remove your "hidden keys" if you run out of apps to find them with. I think that just about covers things on this for now.

So for any RegistryCrawler users, this is the program that can fix those types of mysterious errors and remove those useless but unrelenting registry keys that otherwise won't budge for anything but ntRegedit, as far as I know.

Thanks, and I hope this is useful for some of you who have run into this issue before and just gave up after spending too much time trying other methods.

EASTER

EASTER
March 12th, 2009, 04:24 AM
SCREENSHOT

Sully
March 12th, 2009, 02:39 PM
Have you ever tried changing permission using standard regedit?

Sul.

demonon
March 12th, 2009, 02:52 PM
Thanks Easter,

Lately I have been trying to learn more about the Windows registry and trying to do some manual cleaning. My only problem is that some registry keys just won't go away! I hope this app will help me...

EASTER
March 12th, 2009, 03:05 PM
-{ Quote: "Have you ever tried changing permission using standard regedit?

Sul." }-

Useless

When all you get when opening Permissions is a purely blank screen.

This app removes that nonsense, PERIOD!

funkydude
March 12th, 2009, 03:15 PM
I've recently had to clean up a friend's PC and do an AV switch for him. Unfortunately the malware really screwed up the permissions, preventing the removal of mainly autorun entries. Would this app help easily reset those permissions?

Sully
March 12th, 2009, 05:03 PM
-{ Quote: "Thanks Easter,

Lately I have been trying to learn more about windows registry and trying to do some manual cleaning. My only problem is that some registry keys just won't go away! I hope this app will help me..." }-
You need to understand that values deleted from one branch can actually be stored in another branch, and deleting them will only work until the registry is reloaded (like logoff/logon); then they will be 'refreshed'.

@Easter, what do you mean blank? Are you saying that a key is hidden, and you cannot see it to actually set registry permissions? What about the parent key? Is it not just a case of the current user (being admin I assume) having no privileges to read a certain subkey? If you are admin, can you not on each main hive key (HKLM, HKCU, etc.) set permissions for full control? I know a lot of portions of the registry are locked down even from admin, especially legacy hardware and driver areas.

This is interesting.

Sul.

EASTER
March 12th, 2009, 10:17 PM
-{ Quote: "I've recently had to cleanup a friends pc and do an AV switch for him. Unfortunately the malware really screwed up the permissions of removing mainly autorun entries, would this app help easily reset those permissions?" }-

Hi funkydude

Permissions in the registry went undocumented until rootkit authors dug them up and used them to blast the dickens out of users' ability to reset them to defaults again.

There are some tools that reset permissions as well as tools to correct them, but this is an area I shudder to tamper with for fear of creating a worse situation.

There should be some members here, however, who might guide you in that direction.

NtRegedit, as far as I know, just removes those blank-permission reg keys that refuse to delete and have no useful purpose but to confuse the user, as it did my RegCrawler app. It couldn't deal with the removal, but NtRegedit easily dispensed with it, and now I get a full reg scan free of errors.

EASTER

Sully
March 13th, 2009, 01:08 AM
The registry permissions really work just like file and directory permissions. Typically, for say HKLM/software, admins or other higher level groups will have read/write/modify permissions, but users will have only read, or maybe not that.

Areas that house hardware are oftentimes restricted to read-only, even for admins. Sometimes you need to go in there and change something, so you change permissions to full control. However, IMO this definitely needs to be changed back to read-only. Not that it cannot be done, but it is restricted so that you don't end up with BSODs or, even worse, entries that actually keep the OS from booting. I have written custom reg scripts that mimic, say, what InstallShield does when installing an antivirus or, even better, a firewall. I was quite surprised to find many locked. I dug around a bit in InstallShield databanks and found some info on how to do it, but I don't really want to learn InstallShield scripting for just that.

I have not tried to see if registry keys inherit permissions or not. That is to say, if you set admin to full control for HKLM, whether all subkeys will likewise inherit this. If this is so, I would never do it, for fear of not knowing if changing HKLM back would restore the child permissions that were there to begin with.

Easter, I think your program deserves a better look. It is possible that it navigates the permissions in the registry without completely mucking it up, and that would be a great thing. However, never having tried it, I would wish to play with it someday to see what it does exactly after it is run, whether it leaves areas better left locked unlocked or not.

As I said, very interesting topic you brought up here.

Sul.
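The inheritance question raised in the post above can be checked directly rather than guessed at. The following script is an added example, not a tool from the thread: it makes a read-only report of the ACL on every key under a chosen branch, showing whether inheritance is blocked, which identities hold FullControl, and how many explicit (non-inherited) ACEs each key carries. Run it before and after any permission-changing tool to see exactly what was altered. The starting path in $Root is an assumed default; point it at the branch you care about.

```powershell
# Added example (not from the thread): read-only audit of registry key ACLs.
# Nothing here changes permissions; it only reports them.
param(
    # Assumed default; replace with the branch you want to inspect.
    [string]$Root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RegistryAclReport {
    param([Parameter(Mandatory)][string]$Path)

    $fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

    # Include the root key itself, then every subkey beneath it.
    $keys  = @(Get-Item -Path $Path -ErrorAction SilentlyContinue)
    $keys += @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        try {
            $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
        } catch {
            # The GUI's "Cannot Open" shows up here as an access error;
            # record it and keep scanning instead of aborting the run.
            [pscustomobject]@{
                Key                = $key.Name
                InheritanceBlocked = 'n/a'
                FullControl        = 'ACCESS DENIED'
                ExplicitAces       = 'n/a'
            }
            continue
        }

        # Allow ACEs granting exactly FullControl. Inherit-only ACEs that use
        # generic rights show up as raw numbers and are not matched here.
        $fullHolders = @($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.RegistryRights -eq $fullControl } |
            ForEach-Object { $_.IdentityReference.Value })

        [pscustomobject]@{
            Key                = $key.Name
            InheritanceBlocked = $acl.AreAccessRulesProtected   # $true = inheritance disabled
            FullControl        = ($fullHolders -join ', ')
            ExplicitAces       = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        }
    }
}

Get-RegistryAclReport -Path $Root | Format-Table -AutoSize -Wrap
```

Keys whose ExplicitAces count is zero and whose InheritanceBlocked is $false take all their rights from the parent, which is what a change to a hive root would propagate to; a key that shows ACCESS DENIED is one the current account cannot even read the ACL of, the same situation as the blank Permissions dialog described earlier in the thread.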

EASTER
March 14th, 2009, 12:00 AM
Well, guess what?

I ran into another ERROR from RegCrawler in yet another of my 9 FD-ISR snapshots, and this one was the worst of all. Not even NtRegedit was able to pull it out. It kept on deleting the SubKey located in HKEY_USERS S-1-5 etc. at the console key, aptly showing a simple question mark ?, with an immediate reboot over and over again.

So to the rescue came Google! I read some similar articles, and the solution this time was to download Sysinternals' Regdelnull.exe and run it in DOS mode, and lo & behold, it showed about 6 lines of pure garbage. It removed the subkey ? in nothing flat and preserved the console key, of course.

This is the article that led me to exercise Regdelnull to remove it. WORKED and now it's a part of my toolbox should this ever happen again.

-{ Quote: "Hi

This is the exact procedure i followed after helpful advice from Mamrehto's response to my original posting.

I downloaded Regdelnull.exe and placed it in C:

Downloaded RootkitRevealer, let it run to completion. Sure enough it revealed null in:
hku\S-1-5-21-1409082233-115176313-725345543-1003\Zepter Software

Opened command prompt (using XP start - programs - accessories). Changed directory to C:\ and typed in regdelnull hku -s. Regdelnull advised of null in:
hlu\S-1-5-21-1409082233-115176313-725345543-1003\Zepter Software

Regdelnull then gives you the choice to delete null, naturally you type (y) and then hit enter.

Then you can manually delete Zepter Software folder from registry.

Did a full search of Regedit (F3) and I can guarantee that Zepter Software is no longer on my system.

That is the procedure I followed and it worked for me. Whole process takes about 10-15 seconds.

Regards

noels7 " }-

MrBrian
March 19th, 2009, 09:51 PM
Please see http://www.wilderssecurity.com/showthread.php?t=206528&highlight=Malware+removed+keys+remain+locked.

EASTER
March 20th, 2009, 05:01 AM
Windows is a funny, fickle machine. I ran into the same problem again lately: NtRegedit didn't do it, Regdelnull showed nothing, but when I went to manually remove this item HKEY_USERS\\.inf_ ? ? ? ? ?, it deleted normally from regedit.