Hi all -
I'm trying to automate the process of disabling various junkware from running at boot on a number of public machines I manage.
I need to write a .bat file to execute 2 reg files in order. The first is to blank various registry keys (eg, [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]) and similar, the second is to rebuild the keys clean, starting only the desired apps.
The .reg files work fine on their own, when I execute them manually, and either will work with a batch file which calls only the one .reg file.
I've tried the following batch file to execute both in sequence, but it doesn't work. Any ideas why not? Have I got the syntax wrong?
@ECHO OFF
regedit /s prog1.reg
regedit /s prog2.reg
cls
Any suggestions appreciated!
Wolfpeach

wolf-
The above script worked for me...I don't know what the problem might be. If it persists, you may want to check out http://www.computing.net/programming/wwwboard/forum/8218.html for links to other methods of deleting registry entries automatically.
-SN

=================================================
Wolfpeach,
The problem you are having may have to do with your current file associations in Windows. If the batch file is called from within Win98 then you can try to simply call the reg files by name without using regedit at all. ie:
@ECHO OFF
prog1.reg
prog2.reg
cls
As long as the file associations have not been changed incorrectly then Windows should automatically call regedit for you and do the job. It may or may not work but it is a different way to try it out. Let us know, ok?
borelli35

John's approach may also work...Although I'm not sure how file associations would stop the first script from working. But note that you give up the chance to use the /s switch, so windows will prompt you twice if you want to enter the information in the files into the registry.
Either way, post back and let us know if anything worked. This is a common enough question that I'd like to have a "for sure" answer.
-SN

OK. Got this cracked now.
SN, many thanks for the suggestions & pointers re use of .inf files.
I've now managed to execute automated registry clearances with a batch file using both the .reg and .inf methods. Having tried both, I think that using .reg files is the better solution, a) because the scripting is more intuitive, and b) because using .inf files requires you to know in advance exactly what junk you want to remove. Using 2 .reg files to first delete, then rebuild, keys with only the desired values only requires you to know what you *want*, rather than what you don't want, so is lower-maintenance.
I was on the right track with using a .bat file to call 2 .reg files originally, but must have screwed up somewhere... PICNIC (problem-in-chair-not-in-computer) ;-)
For the record, and benefit of any other newbie sysadmins trying this, here is a brief howto for the process that should work on a win98se machine: (***note***, I've only just figured this one out this morning using dummy registry keys and values, so not live tested yet!)
1) Identify what services you actually *want* to run at startup. Check start/run/msconfig/startup tab & reference with http://www.answersthatwork.com/Tasklist_pages/tasklist_r.htm or other resources on the web if unsure.
2) With a trial (ie, non mission-critical) machine, start/run/regedit & backup (export all) registry before doing anything else just in case!
3) Clean the registry so that only the services you want will run at startup. Look in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and also ...\RunOnce, ...\RunServices, ...\RunOnceEx, ...\RunServicesOnce and the same keys in HKCU\Software\Microsoft\Windows\CurrentVersion etc.
Carefully delete the unwanted values, then export the various cleaned keys as .reg files.
3) Open them all with notepad or wordpad (right-click/edit is easy). Compile into a single .reg file by copying & pasting values - here is an example from my machine (set up only to run norton AV + various system services at boot) :
######################################
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"vptray"="c:\\Program Files\\Norton AntiVirus\\vptray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"rtvscn95"="c:\\Program Files\\Norton AntiVirus\\rtvscn95.exe"
"defwatch"="c:\\Program Files\\Norton AntiVirus\\defwatch.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
###############################
(note single return at end of file)
Save this as a .reg file (with a .reg extension, save as 'all files'). This will be the file which rebuilds your registry after all the junk has been deleted. Name it 'rebuild.reg' or somesuch.
4) Open rebuild.reg in notepad again, and save it as 'clean.reg'. This will be the file which deletes the (dirty) registry keys. Delete all the dword values, and add a "-" to the start of each line, so that it looks something like this:
########################################
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
###########################
Save. You now have 2 reg files, first clean.reg to delete the registry keys, and then rebuild.reg to remake them. Important to execute these in the right order! I'm not sure if it matters too much where you save them, but I put them in C:\windows, along with the batch file.
5) Open notepad again to write a batch file to execute them.
########################
regedit /s clean.reg
regedit /s rebuild.reg
cls
##########################
Save file as "clean.bat" (save as "all files (*.*)") in the same place as the .reg files.
6) Automate the process by telling windows to execute the batch file on startup. Using windows explorer, right click and drag clean.bat to C:\WINDOWS\Start Menu\Programs\StartUp and select 'create shortcut'. (I think that this may also be used with c:\windows\all users\Start Menu\Programs\Startup), which fewer users will know about & hence should be less prone to tampering.
Note that not all programs which run at startup launch from the registry, some will also go from the 2 folders mentioned above, so perhaps a way to autoclean these is also needed?
(more discussion of the earlier stages & background of this one here:
http://www.computing.net/windows95/wwwboard/forum/150123.html)
All the best,
wolfpeach
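
The step 4 derivation of clean.reg from rebuild.reg described in the post above, plus a comparison of an exported set of Run keys against that allowlist, as an added example that is not part of the original thread. The sample .reg contents and all function names are constructed for illustration, and only string values are parsed.

```python
import re

# Constructed sample: a shortened rebuild.reg (the allowlist) in REGEDIT4 format.
REBUILD_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"vptray"="c:\\Program Files\\Norton AntiVirus\\vptray.exe"
'''
# Constructed sample: an export of the same keys from a machine with one extra entry.
LIVE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="c:\\windows\\temp\\updater.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"vptray"="c:\\Program Files\\Norton AntiVirus\\vptray.exe"
'''

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {key_path: {value_name: data}} for string values in a REGEDIT4 file."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(2), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files double every backslash inside string data
            current[m.group(1)] = m.group(2).replace('\\\\', '\\')
    return keys

def make_clean_reg(rebuild_text):
    """Derive the delete file: same keys with a '-' prefix and no values."""
    lines = ['REGEDIT4', '']
    lines += ['[-%s]' % key for key in parse_reg(rebuild_text)]
    return '\r\n'.join(lines) + '\r\n'  # CRLF endings, single return at end of file

def unexpected_entries(allowlist_text, live_text):
    """List (key, name, data) autostart values found live but not in the allowlist."""
    allowed, live = parse_reg(allowlist_text), parse_reg(live_text)
    return [(key, name, data)
            for key, values in live.items() for name, data in values.items()
            if allowed.get(key, {}).get(name) != data]
```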

WolfPeach,
Wow! Now there is a tutorial! Glad you got it worked out.
SN,
I was actually referring to 2 different possible conditions. The file association could have been a problem and if it was that latter option of not using regedit in the batch file would not have worked. The second condition was to try not using regedit but it was just to try something different, nothing more.
borelli35

Sorry guys - I've just had it pointed out that the example above won't work, because windows executes progs in the startup folder right at the end of bootup, after all the malware has already started up. (and will reinsert itself in the registry at next bootup again?)
see:
http://www.computing.net/windows95/wwwboard/forum/150123.html
I've tried using autoexec.bat to call the .bat file to execute the .reg files earlier in the bootup sequence, but that is not working. (see link for details).
Any ideas why not?

curiouser & curiouser.
Just tried manually executing (double-clicking) autoexec.bat, and it *works* to call the bat to execute the .reg files...
But when I reset the registry & reboot, it doesn't do it. How can a batch file do one thing when I execute it manually, and another when it fires off at boot?? Weird.

Is it a question of program execution order? I mean, is this all happening in startup correctly at all or not? Try making a backup copy of the registry in that batch file and compare the two after reboot.
borelli35

I was thinking this would probably happen...Probably should have mentioned it. I have a few theories, but nothing I've tested.
<theories and fixes>
1. Regedit may be a windows program, or at least require that windows be running. So putting it in autoexec.bat wouldn't do any good.
2. If you put it in autoexec.bat, it may not have path variables set yet, so try using the full path (ie c:\windows\regedit.exe /s clear.reg)
3. Many windows systems have placeholders for autoexec.bat...I'm not sure exactly why, but make sure your autoexec.bat is the one being executed. Try putting a command that will give an error and see if you can see it being executed.
4. If none of the above help to solve the problem, then try running the batch by putting it into the "runservices" or run startup group in the registry (yes, the very folder it deletes)...I believe runservices is executed before run, but try both just to be sure. It may have a chance of starting before the malware there. Make sure it comes first in the folder...I don't know if this influences the order in which it is executed, but might as well make sure.
</theories and fixes>
<general comments>
You seem like a smart enough guy to know that the best option is to actually get rid of the malware altogether, so I'll assume you have reasons for not doing this (my guess would be that you are using some kind of free program that checks to see if the malware is installed before you can run it so you can't enjoy the program without suffering the malware consequences.) Nevertheless, if getting rid of it completely is an option, I'm sure the guys in the windows and/or security forums would be glad to help. Adaware will come through every time:-)
If the malware is in startup, and it is removed from startup, how is it getting back in there each time the computer restarts? Again, I'll assume the free program mentioned above puts it in the registry.
</general comments>
-SN

Hi wolfpeach, SN, borelli35, hi everyone,
Thank you for this discussion!
I took part in the #150123 thread on windows95/wwwboard and find the subject very exciting!
I'm very glad to have had the opportunity to meet SN and borelli35 and appreciate your knowledge!
Have a good day,
Gérard from Paris, France

Hi wolfpeach, SN, borelli35, Gérard, hi everyone
I would like to thank Gérard for bringing the Automate disabling of junkware? thread to my attention, it's an intriguing one. Thank you Gérard. :-)
(http://www.computing.net/windows95/wwwboard/forum/150123.html)
SN, I hope your offer still stands regarding the frames issue, hopefully I'm able to send you the email somewhere during the day tomorrow.
Back to the topic. :-)
This may be a little drastic at first sight, and I admit I haven't tested it, but if you have a machine you could test it on.
A machine that it doesn't hurt if its OS gets messed up, you could give it a try.
Clean out all malware/junkware as you are accustomed to. If you aren't already running AdAware run it with the latest updates available, also run Spybot Search&Destroy. After downloading, click the online button and download the updates. Then run it.
(http://www.lavasoft.com)
(http://spybot.eon.net.au)
Run an up-to-date anti-virus program, and a registry packer like WinRescue 98 and when you find the computer is absolutely clean, shut down and reboot into MS-DOS (prompt only).
(http://superwin.com)
Remove the file attributes for the registry files.
Copy the registry files, System.da? and User.da? to a folder other than the Windows folder.
Do the same for the Win.ini and System.ini files, thus copying them to the other folder.
attrib -h -r -s c:\windows\system.da?
attrib -h -r -s c:\windows\user.da?
copy c:\windows\system.da? c:\other folder
copy c:\windows\user.da? c:\other folder
copy c:\windows\system.ini c:\other folder
copy c:\windows\win.ini c:\other folder
So you would be having at least four files in your other folder.
Now this was the easy part, now for the more drastic part. :-)
Stay with DOS a little longer.
Modify your Autoexec.bat file by entering the following lines.
___________________________________________________________
Autoexec.bat
@Echo off
prompt $p$g
path c:\;c:\windows;c:\windows\command; etc.
set temp=c:\temp
set tmp=c:\temp
attrib -h -r -s c:\windows\system.da?
attrib -h -r -s c:\windows\user.da?
copy c:\other folder\system.da? c:\windows /y
copy c:\other folder\user.da? c:\windows /y
copy c:\other folder\system.ini c:\windows /y
copy c:\other folder\win.ini c:\windows /y
attrib +h +r +s c:\windows\system.da?
attrib +h +r +s c:\windows\user.da?
___________________________________________________________
Now you can reboot the computer, and see how it turns out. Remember I haven't tested the above procedure, as I don't have a computer available to test it with. :-(
Ooh... and another thing you may like, you can hide the other folder i.e. set it to hidden.
As long as the proper path is entered in the Autoexec.bat, if I remember correctly the files will be copied.
Any comments? Have I missed something? :-/
Of course it would be preferred to use this procedure, if it works that is, with the least of unnecessary programs installed to have nice small registry files.
Good luck and keep us posted!
Greetz,
The Count

A comment on the Count's method...
If this were one user on a home or business machine, I would say that deleting and restoring the entire registry may be a little extreme and cause unwanted side effects. But now that I know my "free program theory" wasn't true and that we'll be running this stuff on computers that are simply used by anonymous users all day that are constantly screwing crap up, I think it's got some benefits over the more precise, surgical method we've been perfecting. (holy run-on batman)
The biggest advantage, obviously, is that not only are you removing registry entries that run on startup, you're getting rid of all the other crap these users are putting on your precious machines in the first place. You'll spend less time in maintenance, and have ready "perfect" registries available should they do something bad.
The disadvantages are reasonably minor...You lose some speed in startup, and you have to repeat this process every time you put on a legitimate program. The process may need to be changed when you switch to XP.
I haven't tested it either, but I'm sure the Count is plenty familiar with the windows registry. Anybody know what that winstart.bat file is? I still think that if we're sticking to the original method, it might be worth investigating. I'm not positive which method is better (even assuming we can get the original one to work), but it's nice to have options.
My $.02,
SN

Hi wolfpeach, The Count, SN, borelli35, hi everyone,
Damn! restoring entire registry... The Count, I just suggested the same idea as yours on the Win95 forum! (I did this today before reading it here)
Advantage of restoring entire Registry over the .reg files:
- reg files get rid of some malware only (think of IE startpage hijacking), restoring entire registry gets rid of any or so!
Disadvantages:
- if restoring entire registry rids all the "pointers" (keys) to malware on disk, the viruses, Trojans and other malwares will still sit on the hard disk... OK they won't get activated till a customer clicks
- Startup folders (normal and "All users") items are not in the registry and they must also be cleaned!
Remarks:
- viruses can also be boot ones not taken into account by both .reg and entire-registry methods
- I wrote above that despite registry restore, viruses were still on the disk... maybe good to reinstall periodically (eg a ghost can reinstall the system within about 20 minutes).
HTH
Have a good day,
Gérard from Paris, France
