  1. #1
    New Lounger

    Repair corrupt registry key

    Running XP SP3, latest updates.

    When the Plug and Play service is enabled, services.exe goes into an endless loop (100%) and after running the SysInternals utility Procmon.exe, it showed that it was in an endless loop trying to read what appears to be a corrupt registry key (under HKLM\...\<some guid that represents Plug and Play Monitor>\mode\<corrupt key>). If I try device mgr to uninstall Plug and Play Monitor, it hangs. If I try to read that key, an err msg appears "unable to read...".

    The virus had apparently wiped out previous restore points, so I'm left with hoping there's a way to forcibly remove that errant key (so it could be rebuilt) or some other way, so the system could be made usable. This is such a tight loop, that only procexp.exe (not taskmgr) can at least lower the priority to idle to allow anything else to run (although slowly).

  2. #2
    WS Lounge VIP
    If you can't read the key there are 2 possibilities.
    1. You don't have permission.
    2. The registry is corrupt.
    As this is the legacy of a virus I would re-load from scratch, because you don't know what other damage has been done.

    cheers, Paul

  3. #3
    New Lounger
    I'm logged in as admin, so it's not a permissions issue. I can't even check permissions. I'm quite sure the key is corrupt.

    There's software installed that would be difficult to replace, so I'm looking for a creative way to fix the single, corrupt key (nothing else appears to be damaged). I had previously done a chkdsk /f and it found no problems.

    I've run several different AV and rootkit scanners (MBAM, TDSSKiller, ComboFix, etc.), so I'm reasonably sure that there are no virus remnants remaining.

    I've tried an XP repair install, but that fails to detect an existing XP installation (has anyone ever gotten that to work? I've tried that several times on various XP computers, but it never properly detects an existing XP installation to allow the repair).
    Last edited by danno3; 2012-04-14 at 11:37.

  4. #4
    WS Lounge VIP
    Having admin access is no guarantee. If the permission has been changed you need to fix it.
    Start > Run > regedit
    Navigate to the troublesome entry - HKLM = HKEY_LOCAL_MACHINE.
    Right click on the entry and select Permissions.
    Administrators and SYSTEM should have Full Permission. What does yours show?

    cheers, Paul

  5. #5
    New Lounger
    Join Date
    Apr 2010
    Posts
    14
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I had full permission to the parent key of the 'problem' key.

    After getting some sleep, I found the creative solution I was looking for. In \windows\system32\config (where the registry files are located), there were a number of *.bak files. The only problem I had was a single corrupt key in the system hive (HKLM\system\CurrentControlSet...) and the corresponding registry file in \windows\system32\config is named SYSTEM. Once I was able to swap system.bak with system, everything was good and the corrupt key was gone. I really needed to find a surgical fix to this rather than a brute force nuking.

    Thanks for your help.
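
Added example, not part of the thread: before swapping a backup hive such as system.bak into place, the candidate file's base block can be sanity-checked offline. The sketch below assumes the publicly documented regf layout (signature at offset 0, sequence numbers at 4 and 8, hive bins size at 40, XOR-32 checksum at 508); the function names are hypothetical, and it validates the header only, not individual key cells.

```python
import struct, sys

BASE_BLOCK_SIZE = 4096  # the regf base block is the first 4096 bytes of a hive file

def regf_checksum(header: bytes) -> int:
    """XOR-32 over the first 508 bytes, with the two reserved values remapped."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum

def check_hive(data: bytes) -> list:
    """Return the problems found in the base block (empty list = header looks sane)."""
    if len(data) < BASE_BLOCK_SIZE:
        return ["file shorter than one base block"]
    if data[:4] != b"regf":
        return ["missing 'regf' signature"]
    problems = []
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    if seq1 != seq2:
        problems.append("sequence numbers differ (interrupted write)")
    (stored,) = struct.unpack_from("<I", data, 508)
    if stored != regf_checksum(data):
        problems.append("header checksum mismatch")
    (bins_size,) = struct.unpack_from("<I", data, 40)
    if bins_size % 4096 or BASE_BLOCK_SIZE + bins_size > len(data):
        problems.append("hive bins size inconsistent with file length")
    elif bins_size and data[4096:4100] != b"hbin":
        problems.append("first hive bin signature missing")
    return problems

def make_sample_hive() -> bytes:
    """Constructed sample: minimal base block plus one empty 4096-byte hive bin."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, 7, 7)         # matching sequence numbers
    struct.pack_into("<II", hdr, 36, 0x20, 4096)  # root cell offset, hive bins size
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr) + b"hbin" + bytes(4092)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # pass offline copies of the hive files to compare
        with open(path, "rb") as fh:
            print(path, check_hive(fh.read()) or "header OK")
```

Run it against copies of the hive files taken while the installation is offline; a clean result means only that the header is consistent.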
