uminds Posted March 4, 2010 Posted March 4, 2010 I am trying to diagnose a malware problem on a XP machine and used the Windows PE 3.0 CD to boot the system. When I ran regedit, I can't see any startup program at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I tried it on various XP installation and got the same result. Can someone tell me what am I missing?Thanks
uid0 Posted March 5, 2010 Posted March 5, 2010 I've not used PE3, but I imagine regedit by default will show you the registry of the PE, not the one on the windows install - try loading the hives manually?There are lots of other locations to check too - try autoruns for a more complete list.
Tripredacus Posted March 5, 2010 Posted March 5, 2010 This is correct. You need to load a registry hive, and select the file on the XP drive. The hives are located inC:\Windows\System32\ConfigYou will want to load the one called SYSTEM. Make sure to unload the hive before closing regedit, I hear bad things can happen if you don't. That is to say, I've always followed the unload rule!
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now