I'm working on a system that had quite a bit of malware and a few viruses on it. I've pretty much got it cleaned up. But when I try to run regedit, a dos box opens and says regedit has performed an illegal operation, etc.
There was no pre-virus registry to restore so scanreg/restore wasn't an option. I copied over a new regedit in case it was corrupted and got the same thing. I reinstalled windows over itself and still had the problem. I'm certain it's in the registry but of course can't access it without regedit.
I found a .reg download to correct registry tools being disabled but when trying to install it I get a 'missing gedzac.exe' message. Gedzac was one of the viruses and apparently had associated it with .reg files. I rewrote the .reg file in what I thought was .inf file format and installed it and did get regedit to run once. But when I tried it again I got the dos box with the error message.
It's not a big deal--the guy was mainly concerned about his mp3 files. But I would rather not have to hunt down all the drivers again if I format and reinstall. (Why do they always lose the driver disk I give them?)
So I was wondering if anyone had come across something like this before.

Are you entering the full path and extension for regedit?
Computers in the future may have only 1,000 vacuum tubes and perhaps only weigh 1 1/2 tons.
- Popular Mechanics, 1949

I would give up and use a driver save program. Another option would be to save the c:\windows\inf folder and restore it after a clean windows install. You could do that by just deleting the c:\windows (and maybe c:\program files) folder(s).

Regedit was in the windows folder so it was in the path.
Last night I'd followed a recommendation google turned up and renamed it from regedit.exe to regedit.com. It didn't work. But a little while ago I changed it to a.exe, ran it and got the 'registry editing has been disabled by your administrator' message. I ran the .inf fix for that and afterwards a.exe would open regedit. But trying it as 'regedit' either as .exe or .com still wouldn't work.
I even made a regedit.bat file containing just a line loading a.exe but got an error again. So somewhere the word 'regedit' is being blocked.
Even though I did get regedit to open I couldn't find anything in the registry that may be blocking that word.
I probably won't format since I can bypass the block but if any other ideas occur to anyone, please post back.

How about an alternate registry editor?
Registry Commander seems ok
Computers in the future may have only 1,000 vacuum tubes and perhaps only weigh 1 1/2 tons.
- Popular Mechanics, 1949

Yeah, I might try something like that. I think I was mainly ticked off because I couldn't figure it out. Plus it might indicate problems elsewhere, although other windows commands so far seem to run OK.

Sorry - bad link
Computers in the future may have only 1,000 vacuum tubes and perhaps only weigh 1 1/2 tons.
- Popular Mechanics, 1949

Yeah, that's a puzzler - sounds like some sort of restriction, like 'DisableRegistryTools'
Computers in the future may have only 1,000 vacuum tubes and perhaps only weigh 1 1/2 tons.
- Popular Mechanics, 1949

Yeah, this was the .inf file that fixed the 'registry editing has been disabled. . . '
[version]
signature=$chicago$
[defaultinstall]
; DelReg points at the section listing the registry values to delete
delreg=regedit
[regedit]
; format: root,subkey,value name - removes the policy value that blocks regedit
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,"DisableRegistryTools"
HKLM,Software\Microsoft\Windows\CurrentVersion\Policies\System,"DisableRegistryTools"
[End]
But there's something else that's blocking any file named 'regedit' from running in a windows environment. I'd like to figure it out if only for my own satisfaction.
It seems to run OK. I just need to copy everything over to an 80 gig drive. I'm sure they'll be happy with it. It runs a lot better than when I got it.

Sure, sometimes it's nice to know the 'why'
"It runs a lot better than when I got it."
I'll bet it does
Most (if not all) of the ones I see are messed up either with malware or half installed applications, often both. Got to be aggravating to use.
Computers in the future may have only 1,000 vacuum tubes and perhaps only weigh 1 1/2 tons.
- Popular Mechanics, 1949

Hi DAVEINCAPS, jboy, ham30, hello everyone,
DAVEINCAPS,
I've created a .reg file for you. The first two lines will remove all policies. The other lines will restore the default values for regedit and the associations for .reg files.
It sounds like you won't be able to run it from Windows in normal mode but you could try it in Safe-Mode.
If that doesn't pan out try merging it from a DOS prompt after starting the computer using a bootdisk.
Not sure if you're familiar with merging a .reg file from a DOS prompt so I shall include the command.
Start the computer with a bootdisk.
REGEDIT /S C:\DAVE.REG
Best Regards,
Mesich
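The thread does not reproduce Mesich's file, so the following is an added example of what such a REGEDIT4-format .reg looks like (it is not the file from the post). It removes the two DisableRegistryTools policy values and then restores the stock .reg association so that double-clicking a .reg file no longer hands it to gedzac.exe. The association values are the assumed Windows 98 defaults (.reg -> regfile, opened with regedit.exe "%1"); compare them against a clean machine before relying on them.

```reg
REGEDIT4

; Remove the policy values behind "Registry editing has been disabled by your administrator".
; A trailing "=-" deletes the named value.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-

; Restore the stock .reg association (assumed Windows 98 defaults) so that
; merging a .reg file runs regedit again instead of whatever the dropper registered.
[HKEY_CLASSES_ROOT\.reg]
@="regfile"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
```

Merge it from a bootdisk as Mesich describes (REGEDIT /S C:\DAVE.REG), which sidesteps the broken association entirely. If merging from inside Windows, give the full path and extension, e.g. C:\WINDOWS\REGEDIT.EXE /S C:\DAVE.REG, so that a stray regedit.com sitting earlier in the search order cannot be picked up in place of the real editor.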

If it is just a naming problem then copy regedit to the desktop and rename the copy to dave.exe and try it.
I just did that and it runs just fine.
Fix your problems and then hopefully you can run regedit.exe from the command line.
Bryan

Do a search for the file REGEDIT.COM
There is a virus that drops copies of itself as REGEDIT.COM, PING.COM and a bunch of other standard utilities.
COM files get run before EXE files (with the same name).
ALCRA
http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html
PICRATE
http://securityresponse.symantec.com/avcenter/venc/data/w32.picrate.a@mm.html
Run an online scan
Panda
http://www.pandasoftware.com/activescan/activescan/ascan_1.asp
HouseCall
http://housecall.trendmicro.com/

Hi DAVEINCAPS, jboy, ham30, Bryco, WhitPhil, hello everyone,
Bryco,
As always, it's an extreme pleasure to be active in a thread with yourself.
I can most certainly see where you are coming from with your logic but, I would be very interested in how to disable a word within Win98.
WhitPhil,
It's an extreme pleasure to be active in a thread with yourself, DAVEINCAPS, jboy, ham30 and Bryan. I am honored to share this thread with yourself and the others.
You mentioned that .com files get run before .exe files. Isn't that within DOS and not Win98?
Best Regards,
Mesich

Hi DAVEINCAPS, jboy, ham30, Bryco, WhitPhil, hello everyone,
WhitPhil,
Thank you, it's always nice to learn something new!
I just checked it out by creating a file named regedit.com. I then ran regedit from Start/Run and the DOS window, as described by DAVEINCAPS, popped right up.
Thanks again!
Best Regards,
Mesich

http://www.sysinternals.com/Utilities/RootkitRevealer.html is a very interesting article about how malware hide themselves within the registry.
There is also an application to reveal them at the bottom of the page. I have not tried it out yet. I got the link from a recent Langa newsletter.
Mesich, thank you for your kind words and I feel the same way too. It is good to see you all in a thread.
Bryan

August company indeed : )
Yes, that's where I was going with my #1 - specifying the full path name & extension defeats that kind of thing
Computers in the future may have only 1,000 vacuum tubes and perhaps only weigh 1 1/2 tons.
- Popular Mechanics, 1949

True.
But that's hardly a solution when a virus is involved.
And, in a good, normal environment it shouldn't be required. At least the extension, and in the case of a Windows utility, the full path.

Oh, no - not a solution but a workaround (and something of a test)
Computers in the future may have only 1,000 vacuum tubes and perhaps only weigh 1 1/2 tons.
- Popular Mechanics, 1949

Thanks for the help everyone.
Mesich, I installed the .reg file and unfortunately got the same results. When I'd earlier gotten regedit to open by renaming it I checked the keys that I thought might relate but didn't find anything.
WhitPhil, I did searches for any files named 'regedit' and didn't find any other executables. I'm going to tell them to run an online virus scan when they get it back. I know there's got to be a lot of virus files still on the drive. I deleted a few of the obvious ones but didn't have the capability to do a complete scan. But I think I've kept most of the stuff from loading.
Bryan, I'd decided to rename it as 'regedt.exe' and leave it as that but your idea of moving it to the desktop was something I hadn't tried. I went through 'my computer' to the windows folder and double clicked on it (as regedit) and it opened just fine. Then I thought about jboy's original advice about the full path. I hadn't considered actually entering the path info since the windows folder was already in the path. But I went ahead and entered c:\windows\regedit in the run line and again it opened just fine.
So it's only when 'regedit' is entered by itself in the run line that the problem occurs. If they don't come and get it this evening I may look at it again and focus on why that should make any difference.
Thanks again for the help. I really appreciate it.

Dave:
If you are doing
Start > Run > Regedit
and SOMETHING is starting, other than REGEDIT.com, there HAS to be files on the system called REGEDIT, other than the exe.
And, they do not have to be in \Windows

WhitPhil, you're a genius. I was going to point out that I'd done full drive scans for any file named regedit and hadn't found any other executable. But I went back and did it again. This time before running it I chose the 'show all files' option, just in case the 'find' function didn't check for hidden files. The search found a hidden system file named regedit.com in the windows\system folder. I renamed it to something else (just in case it was legit) and typed in 'regedit' on the run line. Regedit ran normally.
After the initial scans didn't find other files I had assumed something was preventing regedit from running normally when it was actually a second file.
Thanks for the insisting there must be another file. Since I wasn't thinking in that direction I doubt I would have figured it out.

Dave:
Glad you found it.
It sounds like the Alcra virus.
Check my link above, then Technical Details and you will see the other files that get dropped there, as well as the others it drops. And, check the Picrate link. It does similar things, but also drops the SpyBot virus.

Yeah, that must be it. Now that I knew what to look for I checked for hidden files in the system folder and found all the other ones listed on the alcra site. I think I'll check the other files and registry entries it lists there to see what else the virus left.

I just wanted to thank everyone again. The suggestions you gave all pointed in the right direction but I had my sights set on a registry problem.
I've deleted the files now but I think the reason it ran successfully from the windows\system folder is because it had a system attribute. Even when I renamed the legitimate regedit.exe to regedit.com the virus version ran instead. Apparently with similarly named files, the one with the system attribute has priority.

I "think" that it was System Restore that got in your way.
When you did the rename, Restore saw this action happen, and since it was one of its protected files, "restored" the correct Regedit.exe, leaving the viral Regedit.com still there.
Thus, doing a run, still found the COM file first.

I'm not exactly sure what you mean.
Regedit.exe was in the windows folder and the virus regedit.com was in windows\system. When I renamed regedit.exe to regedit.com it stayed that way. So I had 2 different files named regedit.com--one in windows and one in windows\system. The only reason I could think of why the OS would prefer the virus version is it had the system attribute whereas the legitimate version didn't.
Now my curiosity has been piqued again. I've still got the original drive. When I get around to it I'll experiment with the virus version of the file and see if changing its system attribute makes any difference.

Sorry Dave, forgot the forum I was in.
When you do Start > Run, it finds the file based on PATH first, and then looks for COM, EXE, BAT
Check your PATH
I am presuming it will show \Windows\System prior to \Windows
Running apps don't pay any attention to the attributes

The path was just c:\windows;c:\windows\command. That's why I was kind of surprised it was running from the system folder.
You're right about the system attribute being irrelevant. I just created a text file on my computer and saved it as 'regedit.com' with no attributes in the system folder. I ran 'regedit' from the run line and got the same error as with the virus. Then, what's odd, I renamed it 'regedit.exe' and then 'regedit.bat'. With .exe I got 'regedit is not a valid win32 application'. With .bat it ran as a batch file would. All this with the real regedit.exe sitting in the windows folder.
So it looks like it's checking the windows\system folder first and running it if it's there, regardless of the extension. I guess windows sets its priority folder as windows\system regardless of the dos path.

I think if you specify the complete address of the file it will get priority over c:\windows\system. I believe Dos and Windows only use the path if the file isn't found in the current folder or the folder designated.

Specifying the full path name means that the PATH won't be searched even if the file isn't there. The request is for the file at that location only
Specifying the extension means that the default priority of execution (COM over EXE over BAT) does not come into play either.
It does seem odd that \windows\system would have priority over \windows - maybe it is a Windows quirk, or by design. In DOS the last folder (directory) accessed becomes the current 'default' directory for that drive - although I don't know if that's the case here
Computers in the future may have only 1,000 vacuum tubes and perhaps only weigh 1 1/2 tons.
- Popular Mechanics, 1949

Windows dumps its dll, vxd and other files it needs to access there but I never thought of it as part of the path. The path (I thought) was just the route the OS takes to find a command or executable file, not its ancillary files. But I guess that's not quite right.
I wonder if any other unexpected folders are in the path. I moved regedit.exe to system32 and system\iosubsys to see if windows would find it when it ran but got the 'this file does not have a program associated with it. . . '
I did a brief google search to see if I could find what the real windows path is but couldn't find anything.

You're absolutely right Jboy. I don't know where my mind was.
Dan, you can check the path by typing 'path' in dos or a dos window. Just add c:\windows\system in front of the displayed path.

In DOS there was the 'append' command to allow: "programs to open data files in specified directories as if they were in the current directory"
Likely there's a similar arrangement in Windows (things were simpler in DOS)
Computers in the future may have only 1,000 vacuum tubes and perhaps only weigh 1 1/2 tons.
- Popular Mechanics, 1949

Typing the dos PATH won't show the system folder unless it's been added in autoexec.bat or updated at a dos prompt. But it's obviously there as part of a windows path.
Maybe it is something like 'append'. Some other .exe files run from the system folder, msconfig being one. I'm thinking the system folder isn't in the dos path because anything that runs from there is exclusively a windows program.

Must be something like that - just tried (from the prompt) running a DOS app moved to \system - - 'bad command' etc.
From the 'run' box - no problemo
Computers in the future may have only 1,000 vacuum tubes and perhaps only weigh 1 1/2 tons.
- Popular Mechanics, 1949
