Editing Registry of 2nd hdd connected through USB

little man disorder

Hi,

I am Trying to edit the registry of a second hdd connected to my laptop through usb, I successfully get to opening the hive but when loading the reg key itself I get the ERROR of the file is in use ,
now the key I want is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit

The OS of that second drive is XP PRO SP3 being edited on win8 enterprise.

I tried editing through XP PRO aswell connected as a slave drive but with the exact same error as below but a little further on, In XP I got passed this stage and loading the actual key userinit that's when I got the same error as below the file is in use.

Now with that error in mind I immediately stopped the explorer.exe process under task manger and tried it again with the service stopped but to no avail.

I also then gave myself full permission to the folder containing the files on the drive but still not working.

I was thinking I could backup the key through mini XP then image the drive with acronis then reinstall XP,restore the drive key in question then edit it and then restore it again through mini XP, a lot of work really!!
The PC in question is a payroll PC with a lot of outdated software and the last thing I want to do is rebuild this PC.

Any suggestions to edit this error would be grateful and I would prefer not to use 3rd party software
(sorry for the image quality)

28064212

Why would you not just run "regedit" in XP? Why are you trying to do it through the file?

edanto

Overall, what are you trying to do?

Is this an old XP machine with some accounting software, and you are trying to do some kind of move/repair on it? Trying to repair malware damage?

little man disorder

28064212 wrote: »

Why would you not just run "regedit" in XP? Why are you trying to do it through the file?

The computer got hit with malware and I found the source of the problem and verified it to be the root. I cannot edit it locally because the malware logs off any user immediately after they logon wether it be localy or domain there for I cannot edit the registry. Now I know theres know malware there as I ran multiple scans through a few scanners (malwarebytes,housecall, eset online scanner)

edanto wrote: »

Overall, what are you trying to do?

Is this an old XP machine with some accounting software, and you are trying to do some kind of move/repair on it? Trying to repair malware damage?

Yes repair malware damage on an old XP machine with accounting software.

little man disorder

*Update*
I tried editing the registry today with some tools of the hirens boot CD but still no luck

edanto

There's a malware removal forum here, try and get this thread moved.

In the meantime, try the bitdefender live cd

http://www.makeuseof.com/tag/live-cd-antivirus-scanners-windows-start/

It's rare that manually removing malware is the right thing. The right thing is generally always recover data from backup, rebuild machine.

Irish Steve

Been a while since I did this, but if I remember correctly, it should be possible to boot from an XP CD into safe mode without using any information or data from the HDD, and then load regedit from the CD, and that should make it possible to get into the data files and edit them.

Another option would be to scan the drive as an external drive on another system with something like Malwarebytes anti malware, which should be able to remove the files that cause the infection, so even if the registry entries are still present at that stage, they won't work because the files that are loaded have been removed.

If worst comes to worst, "borrow" a spare HDD from a friend, and put that in the machine, install XP on it, and use that as the system disc to start up, which will then allow any software to run and access the infected drive.

little man disorder

edanto wrote: »

There's a malware removal forum here, try and get this thread moved.

In the meantime, try the bitdefender live cd

http://www.makeuseof.com/tag/live-cd-antivirus-scanners-windows-start/

It's rare that manually removing malware is the right thing. The right thing is generally always recover data from backup, rebuild machine.

I don't need any malware removal tips rite now or am I looking to do that! I just want to edit the registry like it says, thanks tho

edanto

little man disorder wrote: »

I don't need any malware removal tips rite now

It sounds like you're considering putting a compromised XP machine that deals with financial/payroll data back into production after a manual malware removal. I'm only trying to help here, but I do think you need malware removal tips. Maybe I'm wrong, maybe you're 100% sure the machine is clean?

I don't know how to do the specific thing with the XP registry that you're asking, so I'll just bow out of your thread and leave you to it.

little man disorder

Irish Steve wrote: »

Been a while since I did this, but if I remember correctly, it should be possible to boot from an XP CD into safe mode without using any information or data from the HDD, and then load regedit from the CD, and that should make it possible to get into the data files and edit them.

Do you mean boo into mini xp from hirens disc or actually safe mode from an XP disc? If it's the latter I never heard of this and a quick google comes up with nothing? if its possible what can you do with it??

Another option would be to scan the drive as an external drive on another system with something like Malwarebytes anti malware, which should be able to remove the files that cause the infection, so even if the registry entries are still present at that stage, they won't work because the files that are loaded have been removed.

If worst comes to worst, "borrow" a spare HDD from a friend, and put that in the machine, install XP on it, and use that as the system disc to start up, which will then allow any software to run and access the infected drive.

I cannot boot the computer as it keeps logging out any user that's logs in
Do you mean boot into mini XP from hirens disc or actual safe mode from an XP disc? If it's the latter I never heard of this and a quick google comes up with nothing? if its possible what can you do with it?? Is it normal safe mode?? I really never heard of this!!

There is no malware on the drive anymore I Think at least I personally did not find the malware that done the damage or any when I done the scans stated below, I took out the hdd and scanned it through my laptop with several scanners malwarebytes, housecall, eset online scanner and so on.. So now at this I just need to edit the registry. I have I identified the source of the problem but with that I ran into another. Which is the locked file while editing the registry.

I hope have explained this right.

little man disorder

edanto wrote: »

It sounds like you're considering putting a compromised XP machine that deals with financial/payroll data back into production after a manual malware removal. I'm only trying to help here, but I do think you need malware removal tips. Maybe I'm wrong, maybe you're 100% sure the machine is clean?

I don't know how to do the specific thing with the XP registry that you're asking, so I'll just bow out of your thread and leave you to it.

I can see where your coming from but I have gave it a fare going over, The other thing about this that shows me its not malware is I can take out the hdd put into a another old hp pc (onsite) from the compaq (problem child PC) which is older and it boots fine in the HP, I then access the registry look at the exact key stated and see the key is pointing to the right place for the userinit key, which for the user session, which points to C:\WINDOWS\system32\config
when I then put the hdd back into the compaq boot it up under normal conditions it wont logon again but another hdd will like the HP, boot up of the hirens cd access the registry under mini xp and see its pointing to the orignal install folder \I386 folder which is commonly know to happen after malware/virus and this Key is well documented under many forums and microsoft KB articles that this happens. So I just want to change it back to normal to get that computer running while the client is awaiting support for other accounting software and upgrade pcs before the April 2014 deadline for XP users.

Irish Steve

I am slightly confused now as well. IF the disc is put in the HP, is it being booted as the system disc, or is it being opened as another disc with the system disc of the HP providing the operating system?

Either way, I did a quick search on the basis of some of the comments in the last couple of messages.

Have a look at this site, I think from a quick scan that this is exactly what's happened to you

http://www.raymond.cc/blog/how-to-edit-windows-registry-key-values-without-booting-in-windows/

Hope this helps some. the first example there looks remarkably like what's happening to that machine.

little man disorder

Yes this is what I am talking about. Ok the Compaq PC has the problem, take out its hdd and put it into hp and it boots fine, I know its different hardware slightly but obviously there is a file recognizing the hardware on the compaq stopping it to boot and I know it not a hardware problem on the compaq because the HP hdd boots on it so?? Headscratcher , HAL file? maybe? ntuser.dat file even but I don't know exactly, everything I found was just saying replace the userinit.exe file first and then change the registry location which all look right to me when I boot into it from the HP PC with compaq HDD.

I did Method 2 from this article and booted into Mini XP but this is where i got stuck,still stuck but I am gone try a few more of thjese methods from that article, thank you again.

Irish Steve

OK, I am going to go to another possibility here,

If it's Compaq, there will have been various OEM specific files on the machine for things like log on logos, and other stuff that's specific to Compaq. Is there any possibility that some of those specific files have been either removed or "updated" with Microsoft vanilla files that are not suitable for the Compaq, so it's barfing when it tries to load some Compaq specific code.

Is the Userinit.exe Compaq specific, but has been lost and replaced by a Microsoft generic file in among all the repairs?

Another possible is that there is code in the MBR, master boot record, that has been replaced by a repair tool, so again, the Compaq specific stuff is going loopy when it doesn't find the compaq code.

Do you have Compaq CD's or is it a separate folder or partition on the disc?

If you have a Compaq CD, it may be possible to run a routine called System File Checker to validate the files from the CD and later updates.

Another link that may well provide some clues, clearly this is a regular issue, and it does look like you are in the right area, we just have to nail the specific

http://en.kioskea.net/forum/affich-27775-pc-logs-on-then-off-again

There is a lot of discussion on that site about this problem, and it may well be worth printing it off and having an in depth read to get the full picture.