Need Registry Path

Discussion in 'other software & services' started by Rainwalker, Nov 6, 2018.

  1. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    I am working on a friend's computer and need some help. Seems it is infected. Tried scans to no avail. Nothing showing. I have most of it up and running as it should, but one issue is too much. The Remote Registry Service will not stay disabled. I re-boot and it's back on. What is the reg path and how do I disable it there? Windows 10. I know this is a sloppy way to 'fix' things. Not my first choice.
     
  2. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
    Set the 'Start' DWORD to 4 (disabled), but this should not be necessary, the service should not be starting on its own.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    I agree since by default the service is disabled in Win 10.
     
  4. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    I also agree and the service is disabled by default in Win 7. As I said I think messing around this way is a waste of time. Person wants to stay with current system as is. I am working on convincing otherwise. Thanks for path Seer. I shall do that and fully expect things to revert back.
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,417
    Location:
    Slovakia
    Try to limit remote access as much as possible, unless needed, including remote assistance and remote desktop.
    Code:
    sc config RemoteRegistry start= disabled
    sc config TermService start= disabled
    schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
    
    reg add "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0" /v "RestrictReceivingNTLMTraffic" /t REG_DWORD /d "2" /f
    reg add "HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0" /v "RestrictSendingNTLMTraffic" /t REG_DWORD /d "2" /f
    reg add "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f
    reg add "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" /v "AllowRemoteShellAccess" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowUnsolicited" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowUnsolicitedFullControl" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fDenyTSConnections" /t REG_DWORD /d "1" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "TSAppCompat" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "TSEnabled" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "TSUserEnabled" /t REG_DWORD /d "0" /f
    A firewall would not hurt either (like Free Firewall by Evorim), since a remote user has to log in in order to remotely control the registry.
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    This service is configured (by design) to stop after 10 mins of idling, even when set to start automatically. When you set it like that, it has a trigger of NETWORK EVENT (you can query it with the 'sc qtriggerinfo' command), so it will start by itself again only when it detects an IP address. This is the default behavior. If it does not behave like that, then you may have a malicious svchost somewhere there. Have you checked the 2 'Run' keys in the registry?
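
The checks suggested in the replies above (the 'Start' value, the trigger query and the 'Run' keys), gathered into one read-only audit. This is an added example, not code from any poster in the thread. It assumes "the 2 'Run' keys" means the HKLM and HKCU `CurrentVersion\Run` keys, and it adds a lookup of Service Control Manager event 7040 (start type changed), which the thread does not mention.

```powershell
# Added example: read-only audit of RemoteRegistry and the autorun keys.
# Run from an elevated PowerShell prompt on the machine being examined.

$svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# 1. Configured start type, read from the registry value named in the thread.
$svc   = Get-ItemProperty -Path $svcKey
$start = [int]$svc.Start
"Start      : $start ($($startNames[$start]))"
"ImagePath  : $($svc.ImagePath)"

# For a svchost-hosted service the DLL that is loaded is in Parameters\ServiceDll.
$params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
"ServiceDll : $($params.ServiceDll)"

# 2. Current state, and the triggers that are allowed to start the service.
"Status     : $((Get-Service -Name RemoteRegistry).Status)"
sc.exe qtriggerinfo RemoteRegistry

# 3. Autorun entries (assumption: the HKLM and HKCU Run keys).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    "`n[$key]"
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { '  (key not present)'; continue }
    foreach ($name in $item.GetValueNames()) {
        '  {0} = {1}' -f $name, $item.GetValue($name)
    }
}

# 4. When was the start type changed? Event 7040 in the System log records
#    each change; match on the service display name "Remote Registry".
"`n[Start type changes]"
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7040
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Remote Registry' } |
    Select-Object TimeCreated, Message |
    Format-List
```

Running it before and after a reboot shows whether the 'Start' value itself is being rewritten, and the 7040 timestamps show when each change happened.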
     
  7. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    Ok. Thanks guys. Good stuff. Yes, I set up WFC a week ago. I have no reason to run Remote Registry and every reason not to. The person who owns the computer is into those cheap online games so my first suspicion goes there. That game habit has now stopped. Thanks again.
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,858
    infected? remote access from hackers? nothing to do for you except data rescue with live linux and installing windows from scratch.

    the problem is that YOU don't know what has been changed to get remote access again.

    curiosity why that has to be pointed out because it is well known for infected systems, in special remote
     
  9. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    I understand Brummelchen. Not my box and I tried but........... Ten minutes ago I learned owner is willing to do things the right way. Thanks for responding.
     