Environmental variable in Registry key
David H. Lipman 10-23-2005, 12:21 AM In the following key...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINNT\system32\userinit.exe,"
Can the following be used instead...
"Userinit"="%windir%\system32\userinit.exe,"
or
"Userinit"="%SYSTEMROOT%\system32\userinit.exe,"
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Mark V 10-23-2005, 12:37 AM In microsoft.public.win2000.registry David H. Lipman wrote:
> In the following key...
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Winlogon]
> "Userinit"="C:\WINNT\system32\userinit.exe,"
>
> Can the following be used instead...
>
> "Userinit"="%windir%\system32\userinit.exe,"
>
> or
>
> "Userinit"="%SYSTEMROOT%\system32\userinit.exe,"
No. The value Type does not support that. I doubt you can change
the type and make it work but have never tried. (warning: OS might
not boot) It might be that this key is read too early anyway for
those variables to be available yet. Sorry not to have a definitive
answer.
David H. Lipman 10-23-2005, 12:53 AM From: "Mark V" <notvalid@nul.invalid>
| No. The value Type does not support that. I doubt you can change
| the type and make it work but have never tried. (warning: OS might
| not boot) It might be that this key is read too early anyway for
| those variables to be available yet. Sorry not to have a definitive
| answer.
That's what I wanted to know. I write anti-malware scripts and this key is associated with
a few Trojans and I have been investigating scripting a fix using this key. Since the Root
OS folder can be C:\windows, c:\winnt or other, I was curious about it.
So you are saying the REG_SZ can't be used with Environmental variables or it just won't be
interpreted correctly?
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Gary Smith 10-23-2005, 03:47 AM David H. Lipman <DLipman~nospam~@verizon.net> wrote:
> From: "Mark V" <notvalid@nul.invalid>
> | No. The value Type does not support that. I doubt you can change
> | the type and make it work but have never tried. (warning: OS might
> | not boot) It might be that this key is read too early anyway for
> | those variables to be available yet. Sorry not to have a definitive
> | answer.
> That's what I wanted to know. I write anti malware scripts and this key is associated with
> a few Trojans and I have been investigating scripting a fix using this key. Since the Root
> OS folder can be C:\windows, c:\winnt or other, I was curious about.
> So you are saying the REG_SZ can't be used with Environmental variables or it just won't be
> interpreted correctly ?
The type would have to be REG_EXPAND_SZ in order to have the expansion
occur. Whether the variable would be available at the right time is an
interesting question.
--
Gary L. Smith
Columbus, Ohio
Jerold Schulman 10-23-2005, 06:17 PM On Sat, 22 Oct 2005 19:21:27 -0400, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
>In the following key...
>
>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
>"Userinit"="C:\WINNT\system32\userinit.exe,"
>
>Can the following be used instead...
>
> "Userinit"="%windir%\system32\userinit.exe,"
>
>or
>
> "Userinit"="%SYSTEMROOT%\system32\userinit.exe,"
I tried it and it doesn't work.
First I ran:
REG ADD "HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Userinit /T REG_EXPAND_SZ /F /D ^%SYSTEMROOT^%\system32\userinit.exe
Then I verified with
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Userinit
I shut down and restarted.
It would not get to the logon, but was apparently close enough for
REG ADD "\\JSI003\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Userinit /T REG_SZ /F /D C:\Windows\system32\userinit.exe
to fix it.
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
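Gary's point that only REG_EXPAND_SZ expands variables, combined with Jerold's test showing that Winlogon does not boot with an expanded Userinit, leaves the scripted fix David was after: resolve the system root at script time and write the literal path back as REG_SZ. The script below is an added example written for this thread, not code posted by any participant. It assumes PowerShell running elevated, the Winlogon key path quoted in the thread, and the trailing-comma form of the Userinit value shown above; the function names, the backup file location and the split-on-comma heuristic for spotting extra entries are the example's own choices.

```powershell
# Audit the Winlogon "Userinit" value and, with -Repair, reset it to the literal
# REG_SZ path for this machine's system root. Added example for the thread above;
# run from an elevated PowerShell session.
param([switch]$Repair)

# Key path as quoted in the thread; value is read without expansion so that a
# "%SystemRoot%" written by mistake (or by a script) is visible as-is.
$KeyPath      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedExe  = Join-Path $env:SystemRoot 'system32\userinit.exe'   # resolved now, not by Winlogon
$ExpectedData = $ExpectedExe + ','                                  # trailing comma, as in the thread

function Get-UserinitState {
    $key = Get-Item -Path $KeyPath
    [pscustomobject]@{
        Data = [string]$key.GetValue('Userinit', $null, 'DoNotExpandEnvironmentNames')
        Kind = [string]$key.GetValueKind('Userinit')   # 'String' = REG_SZ, 'ExpandString' = REG_EXPAND_SZ
    }
}

function Test-UserinitValue {
    param([string]$Data, [string]$Kind)
    $problems = @()
    if ($Kind -ne 'String') {
        $problems += "value type is $Kind; Winlogon expects REG_SZ (String)"
    }
    if ($Data -match '%') {
        $problems += 'value contains an environment variable, which Winlogon will not expand'
    }
    # Userinit is a comma-separated list of programs; anything after the real
    # userinit.exe is a candidate persistence entry and should be reviewed.
    $entries = @($Data -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries.Count -eq 0) {
        $problems += 'value is empty'
    } elseif ($entries[0] -ne $ExpectedExe) {     # -ne is case-insensitive in PowerShell
        $problems += "first entry is '$($entries[0])', expected '$ExpectedExe'"
    }
    if ($entries.Count -gt 1) {
        $problems += "extra entries after userinit.exe: $($entries[1..($entries.Count - 1)] -join '; ')"
    }
    return ,$problems
}

function Repair-UserinitValue {
    # Save the current type and data before touching anything, so the change
    # can be reversed and the original string examined offline.
    $state  = Get-UserinitState
    $backup = Join-Path $env:TEMP ('Userinit-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    "$($state.Kind)`t$($state.Data)" | Set-Content -Path $backup
    # Literal path, REG_SZ: the form Jerold used to recover his test machine.
    Set-ItemProperty -Path $KeyPath -Name 'Userinit' -Value $ExpectedData -Type String
    return $backup
}

$state    = Get-UserinitState
$problems = Test-UserinitValue -Data $state.Data -Kind $state.Kind
if ($problems.Count -eq 0) {
    Write-Output "Userinit OK ($($state.Kind)): $($state.Data)"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    if ($Repair) {
        $backup = Repair-UserinitValue
        Write-Output "Userinit reset to '$ExpectedData'; previous value saved to $backup"
    } else {
        Write-Output 'Re-run with -Repair to write the corrected REG_SZ value.'
    }
}
```

Because `$env:SystemRoot` is expanded by the script on the machine being cleaned, the same script works whether the root is C:\WINNT, C:\Windows or something else, without ever storing a variable reference in the value itself. The audit-only default and the backup file are there so the value can be reviewed before it is replaced; a wrong Userinit is exactly the kind of change that leaves a machine unable to reach the logon screen, as Jerold's test shows.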
Mark V 10-23-2005, 06:32 PM In microsoft.public.win2000.registry Jerold Schulman wrote:
> On Sat, 22 Oct 2005 19:21:27 -0400, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> wrote:
>
>>In the following key...
>>
>>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
>>NT\CurrentVersion\Winlogon]
>>"Userinit"="C:\WINNT\system32\userinit.exe,"
>>
>>Can the following be used instead...
>>
>> "Userinit"="%windir%\system32\userinit.exe,"
>>
>>or
>>
>> "Userinit"="%SYSTEMROOT%\system32\userinit.exe,"
>
>
> I tried it and it doesn't work.
>
> First I ran:
>
> REG ADD "HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon" /V
> Userinit /T REG_EXPAND_SZ /F /D
> ^%SYSTEMROOT^%\system32\userinit.exe
>
> Then I verified with
>
> REG QUERY "HKLM\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Winlogon" /V Userinit
>
> I shut down and restarted.
>
> It would not get to the logon, but was apparently close enough
> for
>
> REG ADD "\\JSI003\HKLM\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Winlogon" /V Userinit /T REG_SZ /F /D
> C:\Windows\system32\userinit.exe to fix it.
Interesting and thanks for the acid test confirmation Jerold!
Frankly, I am a bit surprised the remote access even worked. :)
David H. Lipman 10-23-2005, 06:51 PM From: "Jerold Schulman" <Jerry@jsiinc.com>
| On Sat, 22 Oct 2005 19:21:27 -0400, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
|
>> In the following key...
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
>> "Userinit"="C:\WINNT\system32\userinit.exe,"
>>
>> Can the following be used instead...
>>
>> "Userinit"="%windir%\system32\userinit.exe,"
>>
>> or
>>
>> "Userinit"="%SYSTEMROOT%\system32\userinit.exe,"
|
| I tried it and it doesn't work.
|
| First I ran:
|
| REG ADD "HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Userinit /T REG_EXPAND_SZ
| /F /D ^%SYSTEMROOT^%\system32\userinit.exe
|
| Then I verified with
|
| REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Userinit
|
| I shut down and restarted.
|
| It would not get to the logon, but was apparently close enough for
|
| REG ADD "\\JSI003\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Userinit
| /T REG_SZ /F /D C:\Windows\system32\userinit.exe to fix it.
|
| Jerold Schulman
| Windows Server MVP
| JSI, Inc.
| http://www.jsiinc.com
| http://www.jsifaq.com
Jerold:
Thank you for taking the time to test this for me. It was *greatly* appreciated!!
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm