I am working on a friend's computer and need some help. Seems it is infected. Tried scans to no avail. Nothing showing. I have most of it up and running as it should, but one issue is too much. The Remote Registry Service will not stay disabled. I re-boot and it's back on. What is the reg path and how do I disable it there? Windows 10. I know this is a sloppy way to 'fix' things. Not my first choice.
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry. Set the 'Start' DWORD to 4 (disabled), but this should not be necessary; the service should not be starting on its own.
I also agree, and the service is disabled by default in Win 7. As I said, I think messing around this way is a waste of time. Person wants to stay with current system as is. I am working on convincing otherwise. Thanks for the path, Seer. I shall do that and fully expect things to revert back.
Try to limit remote access as much as possible, unless needed, including remote assistance and remote desktop.
Code:
sc config RemoteRegistry start= disabled
sc config TermService start= disabled
schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
reg add "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0" /v "RestrictReceivingNTLMTraffic" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0" /v "RestrictSendingNTLMTraffic" /t REG_DWORD /d "2" /f
reg add "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" /v "AllowRemoteShellAccess" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowUnsolicited" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowUnsolicitedFullControl" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fDenyTSConnections" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "TSAppCompat" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "TSEnabled" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "TSUserEnabled" /t REG_DWORD /d "0" /f
A firewall would not hurt either (like Free Firewall by Evorim), since a remote user has to log in in order to remotely control the registry.
This service is configured (by design) to stop after 10 mins of idling, even when set to start automatically. When you set it like that, it has a trigger of NETWORK EVENT (you can query it with the 'sc qtriggerinfo' command), so it will start on its own again only when it detects an IP address. This is the default behavior. If it does not behave like that, then you may have a malicious svchost somewhere there. Have you checked the 2 'Run' keys in the registry?
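The two replies above (the hardening commands and the trigger explanation) can be combined into one verification pass. The following PowerShell script is an added example, not code posted in this thread: it disables the Remote Registry service, confirms the 'Start' value in the registry really reads 4, prints the service's start triggers with 'sc qtriggerinfo', and lists the contents of the HKLM and HKCU Run/RunOnce keys so anything unexpected stands out. The service name, registry paths and cmdlets are the standard Windows ones; nothing else is assumed. Run it from an elevated PowerShell prompt, then again after a reboot: if the Start value has changed back from 4, something running with admin rights is re-enabling the service, which supports the reinstall advice later in the thread.

```powershell
# Added example (not from the thread): disable, verify and audit the
# Remote Registry service on Windows 10. Run as Administrator.

$svc = 'RemoteRegistry'
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"

# 1. Record the current state before changing anything.
$before = Get-Service -Name $svc | Select-Object Name, Status, StartType
"Before:"
$before | Format-Table -AutoSize | Out-String

# 2. Disable the service through the Service Control Manager and stop it if
#    it is running. This is the supported way of writing Start = 4 (disabled)
#    under the service key named in the thread.
Set-Service -Name $svc -StartupType Disabled
if ((Get-Service -Name $svc).Status -ne 'Stopped') {
    Stop-Service -Name $svc -Force
}

# 3. Verify the registry value itself. A service whose Start value is 4
#    cannot be started by the SCM at all, so its start triggers no longer apply.
$start = (Get-ItemProperty -Path $svcKey -Name Start).Start
if ($start -eq 4) {
    "Start value is 4 (Disabled)"
} else {
    Write-Warning "Start value is $start, expected 4 - something reset it"
}

# 4. Show the start triggers. With the default Automatic/Manual start type the
#    NETWORK EVENT trigger mentioned above is what brings the service back up
#    when an IP address appears; this is expected, not a sign of infection.
sc.exe qtriggerinfo $svc

# 5. Enumerate the usual autostart keys. Entries pointing at odd paths
#    (user temp folders, renamed system binaries, game launchers) deserve a look.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        "== $key =="
        Get-ItemProperty -Path $key |
            Select-Object * -ExcludeProperty PS* |
            Format-List | Out-String
    }
}

# 6. Final state, for comparison with step 1 and with a rerun after reboot.
"After:"
Get-Service -Name $svc | Select-Object Name, Status, StartType |
    Format-Table -AutoSize | Out-String
```

The script only reads and reports the Run keys rather than deleting anything; deciding what is legitimate needs a human looking at each entry, and on a box that keeps re-enabling a disabled service the thread's later advice (rescue the data, reinstall) is the safer path than chasing individual keys.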
Ok, thanks guys. Good stuff. Yes, I set up WFC a week ago. I have no reason to run Remote Registry and every reason not to. The person who owns the computer is into those cheap online games, so my first suspicion goes there. That game habit has now stopped. Thanks again.
Infected? Remote access from hackers? Nothing to do for you except data rescue with live Linux and installing Windows from scratch. The problem is that YOU don't know what has been changed to get remote access again. Curiosity why that has to be pointed out, because it is well known for infected systems, especially remote
I understand, Brummelchen. Not my box and I tried but... Ten minutes ago I learned the owner is willing to do things the right way. Thanks for responding.