Nice tutorial, thank you. But what should a user do on a Windows machine if System Restore point creation is turned off? In such a case your System Volume Information/_restore{xxx} folder will be empty.
In connection with Windows viruses and the impossibility of starting regedit or Windows as a whole, Windows users sometimes need to edit the registry from outside. So far I've found only one utility in Linux, chntpw, which was originally designed to reset passwords and later acquired registry editing ability.
Editing the registry:
1. Boot from a LiveCD or install Ubuntu as a second system.
2. Install the chntpw utility:
Code:
sudo aptitude install chntpw
3. Mount the Windows partition:
Find the Windows partition:
Assume it is on /dev/sda2. The next step is mounting the partition:
Code:
$ sudo mkdir /media/windows
$ sudo mount /dev/sda2 /media/windows
4. Registry editing
Code:
# -e opens chntpw's interactive registry editor (-l only lists SAM users)
$ chntpw -e /media/windows/Windows/system32/config/software
Move to the registry branch you need, for example:
Code:
$ cd Microsoft\Windows NT\CurrentVersion\Winlogon
and edit a key, for example:
Password resetting:
1. See 1-3 of the previous section
4. Find the user whose password will be changed
Code:
$ chntpw -l /media/windows/Windows/system32/config/SAM
5. Password resetting
Code:
$ chntpw /media/windows/Windows/system32/config/SAM -u Administrator
Just to cite the places in the registry where viruses can hide a record that runs them:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The default values in Regedit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe"
"Userinit" = "C:\WINDOWS\system32\userinit.exe"
Check the Explorer.exe file for the presence of a duplicate ... the right place for the file is Windows\ and not Windows\System32\ ...
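As an added example (not part of the post above, and not a chntpw feature), here is a small Python audit that reads a Regedit-style text fragment in the layout quoted above ([key] followed by "Name"="value") and compares the Winlogon Shell and Userinit values against the defaults the post lists, flagging extra comma-separated entries and an explorer.exe that has been pointed into System32. The two fragments embedded in it are constructed samples; the unknown.exe path in the tampered one is a placeholder, not a real indicator.

```python
"""Audit Winlogon Shell/Userinit values from a .reg-style text fragment.

Added example; the registry fragments below are constructed, and the
program path in the tampered sample is a placeholder.
"""
import re

WINLOGON_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Defaults as quoted in the post; comparison is case-insensitive.
EXPECTED = {
    "Shell": ["explorer.exe"],
    "Userinit": [r"c:\windows\system32\userinit.exe"],
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')

# Constructed sample: values exactly as the post says Regedit shows them.
CLEAN_FRAGMENT = r"""
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe"
"Userinit" = "C:\WINDOWS\system32\userinit.exe,"
"""

# Constructed sample: an extra program appended to both values (placeholder path).
TAMPERED_FRAGMENT = r"""
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe,C:\ProgramData\unknown.exe"
"Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\ProgramData\unknown.exe"
"""


def parse_reg_fragment(text):
    """Return {key: {name: value}}; real .reg exports double backslashes, so unescape them."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return result


def split_entries(value):
    """Shell and Userinit hold comma-separated program lists; normalise each entry."""
    return [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]


def audit_winlogon(text):
    """Return a list of findings; an empty list means the defaults are intact."""
    findings = []
    keys = parse_reg_fragment(text)
    values = next((v for k, v in keys.items() if k.lower() == WINLOGON_KEY.lower()), None)
    if values is None:
        return ["Winlogon key not found in fragment"]
    for name, expected in EXPECTED.items():
        if name not in values:
            findings.append(f"{name} value is missing")
            continue
        entries = split_entries(values[name])
        extra = [e for e in entries if e not in expected]
        if extra:
            findings.append(f"{name} has unexpected entries: {extra}")
        # The post notes explorer.exe belongs in Windows\, not Windows\System32\.
        for e in entries:
            if e.endswith("explorer.exe") and "system32" in e:
                findings.append(f"{name} points explorer.exe into System32: {e}")
    return findings


if __name__ == "__main__":
    for label, fragment in (("clean", CLEAN_FRAGMENT), ("tampered", TAMPERED_FRAGMENT)):
        print(label, audit_winlogon(fragment) or "defaults intact")
```

To use it on a real machine, export the Winlogon key with Regedit (or copy the values shown by chntpw's editor into the same layout) and pass the text to audit_winlogon; anything it lists is worth checking against the file on disk before deciding it is malicious.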