Aeon

Sunday, March 22, 2009

How to enable/disable Registry Editor

This hack lets you enable or disable the Registry Editor (regedit.exe). If registry editing has been disabled by malware or by an administrator, you can use this tweak to regain access. Conversely, you can disable registry editing when you don't want anyone to change the registry, for instance on a public computer in a cybercafe. All three methods below set the same policy value, DisableRegistryTools under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System. That value only blocks regedit.exe: command-line tools such as reg.exe and PowerShell's registry provider are not affected by it, and because it lives under HKEY_CURRENT_USER it applies to the current user account only.
There are three possible ways to do this:
  1. Open Notepad or a text editor of your choice, paste the following text into it and save it as "Enable Regedit.reg" (in Notepad, set "Save as type" to "All Files" so the file does not end up as "Enable Regedit.reg.txt"). Double-click the file and answer Yes when prompted, or right-click it and select "Merge", and Registry Editor will be enabled. Note that merging a .reg file is done by regedit.exe itself, so if regedit is already blocked by this policy the merge is refused as well; in that case use method 3 first.

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=dword:00000000


    To disable the registry editor instead, change the dword value to 1, or create a second file named "Disable Regedit.reg" with this content:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=dword:00000001

  2. This method works only if the Group Policy Editor is available (it ships with the Professional, Ultimate and Enterprise editions of Windows, not the Home editions). Click the Start menu, select Run..., type gpedit.msc (without quotes) in the Run dialog box and press Enter. When the Group Policy Editor opens, go to User Configuration --> Administrative Templates --> System. In the right pane, double-click "Prevent Access to Registry Editing Tools". In the dialog box that opens,
    • Select Disabled to enable Registry Editor.
    • Select Enabled to disable Registry Editor.
    Choose OK and close the Group Policy Editor. This writes the same DisableRegistryTools value as method 1 and takes effect at the next logon, so logging off and on again (or running gpupdate /force) is enough; a full restart is not required.

  3. This is the easiest method, and it works even while regedit.exe is blocked, because reg.exe is not subject to the policy. Click the Start menu, select Run, type one of the following commands in the Run dialog box and press Enter.
    • To enable Registry Editor:
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
    • To disable Registry Editor:
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    You can also save these commands into a text file and rename it as *.bat (replace * with the name of your choice); double-clicking the batch file performs the action. The commands also work in the command prompt. Some malware writes the same value under HKLM as well, so if regedit stays blocked, repeat the "enable" command with HKLM in place of HKCU from an administrator account.
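The same check and fix in PowerShell, added here as an example and not part of the original post. It also covers the neighbouring DisableTaskMgr value, which the malware discussed elsewhere on this blog typically sets at the same time. The function names and the choice to look at both HKCU and HKLM are my own; the key paths and value names are the ones Windows Group Policy uses.

```powershell
# Added example (not from the original post): read and change the
# "DisableRegistryTools" and "DisableTaskMgr" policy values with PowerShell's
# registry provider. The provider is not subject to the policy, so this works
# even while regedit.exe refuses to start. Function names are mine; the key
# paths and value names are those used by Windows Group Policy.
# Run from an elevated prompt if the HKLM copy should be changed too.

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',  # per-user value written by gpedit / the .reg files
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   # machine-wide copy some malware writes as well
)
$policyValues = @('DisableRegistryTools', 'DisableTaskMgr')

function Get-ToolLockoutPolicy {
    # Report the state of each value in each hive; absent or 0 means "not blocked".
    foreach ($path in $policyPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $policyValues) {
            $data  = $props.$name
            $shown = if ($null -eq $data) { '<absent>' } else { $data }
            [pscustomobject]@{
                Hive    = $path.Split(':')[0]
                Value   = $name
                Data    = $shown
                Blocked = ($null -ne $data -and $data -ne 0)
            }
        }
    }
}

function Set-ToolLockoutPolicy {
    # -Data 0 re-enables the tools (same effect as "Enable Regedit.reg"),
    # -Data 1 locks them out (same as "Disable Regedit.reg"),
    # -Remove deletes the values altogether, which Windows treats like 0.
    param(
        [ValidateSet(0, 1)][int]$Data = 0,
        [switch]$Remove
    )
    foreach ($path in $policyPaths) {
        try {
            if (-not (Test-Path -Path $path)) {
                if ($Remove) { continue }
                New-Item -Path $path -Force -ErrorAction Stop | Out-Null
            }
            foreach ($name in $policyValues) {
                if ($Remove) {
                    Remove-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
                } else {
                    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Data -Force -ErrorAction Stop | Out-Null
                }
            }
        } catch {
            # HKLM needs an elevated prompt; report and carry on with the other hive.
            Write-Warning "Could not update $path : $($_.Exception.Message)"
        }
    }
}

# Usage (regedit and Task Manager read the value each time they start, so no logoff is needed):
#   Get-ToolLockoutPolicy | Format-Table -AutoSize
#   Set-ToolLockoutPolicy -Data 0     # regain access
#   Set-ToolLockoutPolicy -Data 1     # kiosk / cybercafe lockdown
#   Set-ToolLockoutPolicy -Remove     # delete the values entirely
Get-ToolLockoutPolicy | Format-Table -AutoSize
```

Running the script as-is only reports; the Set function is there for when the report shows a hive with Blocked = True. Treating HKLM as well as HKCU costs nothing and catches the case where a cleaned-up HKCU value is quietly overridden by a machine-wide copy.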

These tweaks are for experienced users: a mistake while modifying the registry can make the system unstable, so proceed at your own risk.

Friday, March 20, 2009

Common Language Infrastructure

The Common Language Infrastructure (CLI) is the core of the .NET Framework. It is an open specification originally developed by Microsoft and standardised as ECMA-335 (and ISO/IEC 23271); it allows compiled .NET code to run on different platforms without being rewritten, provided a conforming runtime exists there. A key advantage of the CLI is that it supports multiple high-level languages. For a list of .NET-aware languages see http://www.dotnetpowered.com/languages.aspx. Implementations of the CLI specification include the Microsoft .NET Framework, Portable.NET and Mono. The CLI consists of:-
  1. Common Language Runtime (CLR) - The CLR is Microsoft's implementation of the CLI's execution engine. It loads Common Intermediate Language (CIL) and converts it into native code for the current platform at run time with the help of a Just-in-time (JIT) compiler. When a managed assembly (*.dll or *.exe) is started, the small shim library mscoree.dll (Component Object Runtime Execution Engine) is loaded first; it selects the appropriate runtime version, loads the actual execution engine, and that in turn loads the assembly into memory. CIL (managed code) is compiled lazily: the JIT compiler converts each method to native code the first time it is called. The CLR implements the Common Type System (CTS), the standard type system shared by all .NET languages. During execution the CLR also provides the following services:
    1. Memory Management
    2. Thread Management
    3. Garbage Collection
    4. Exception Handling
    5. Security (verification of CIL type safety and Code Access Security)
  2. Common Language Specification (CLS) - A basic set of rules to which a language targeting the CLI should conform so that code written in it can interoperate seamlessly with other CLS-compliant languages. The CLS restricts the public surface of a library (parameter types, naming, overloading rules and so on) to the subset of the CTS that every CLS-compliant language can consume; it does not make different compilers emit identical CIL. You can ask the compiler to check your code for CLS compliance with an assembly-level attribute:
    <Assembly: System.CLSCompliant(True)>
    in Visual Basic, or [assembly: System.CLSCompliant(true)] in C#. The compiler then reports a warning (CS3001 and related codes in C#) for every publicly visible member that violates a CLS rule, such as a public method taking an unsigned integer; private and internal members are not checked.
  3. Common Type System (CTS) - Defines the types that all .NET languages share, so that programs written in any CLS-compliant language can exchange them. Every type is either a value type (structures and enumerations, stored inline and copied on assignment) or a reference type (classes, interfaces and delegates, allocated on the managed heap and accessed through a reference). The CTS type kinds are:
    1. Class
    2. Structure
    3. Interface
    4. Enumeration
    5. Delegate
  4. Common Intermediate Language (CIL) - Every .NET compiler translates source code into managed code, i.e. CIL. CIL is a stack-based, platform-independent instruction set; it is the lowest-level form of .NET code that is still human-readable when disassembled (for example with ildasm), and because it decompiles so easily, nothing secret should be shipped inside it. At run time the CLR's JIT compiler converts CIL into native code. Alongside the CIL, the compiler emits metadata and a manifest, which are embedded in the same executable file.
  5. Base Class Library (BCL) - The Base Class Library is available to all .NET programming languages. It is organised into namespaces that provide functionality such as database access, threading, file I/O, security and so on.
  6. Metadata - Information about the classes, objects and their members is stored as metadata. Information about the assembly as a whole, such as its name and version, strong-name public key and references to external assemblies, is also stored as metadata and is known as the assembly manifest.
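An added example, not part of the original post: PowerShell is itself a .NET host, so a few lines of reflection will show the manifest and metadata from point 6, the CLSCompliant attribute from point 2 and the value/reference split of the CTS from point 3 on a real assembly. The function names are mine; the .NET members used are standard System.Reflection APIs.

```powershell
# Added example (not from the original post): inspect an assembly's manifest
# and metadata, its declared CLS compliance, and the CTS category of a few
# types. Function names are mine; the reflection members are standard .NET.

function Get-AssemblyManifestSummary {
    # Summarise an assembly's manifest: identity, strong-name token, target
    # runtime, referenced assemblies and its declared CLS compliance.
    param([Parameter(Mandatory)][System.Reflection.Assembly]$Assembly)

    $name       = $Assembly.GetName()
    $tokenBytes = $name.GetPublicKeyToken()
    $token      = if ($tokenBytes -and $tokenBytes.Length -gt 0) {
                      ([BitConverter]::ToString($tokenBytes) -replace '-', '').ToLower()
                  } else { '<none: not strong-named>' }
    $clsAttr    = $Assembly.GetCustomAttributes([System.CLSCompliantAttribute], $false)
    $cls        = if ($clsAttr.Count -gt 0) { $clsAttr[0].IsCompliant } else { '<no attribute>' }
    $refs       = ($Assembly.GetReferencedAssemblies() | Select-Object -ExpandProperty Name) -join ', '
    try   { $typeCount = $Assembly.GetTypes().Count }
    catch { $typeCount = '<some types failed to load>' }   # ReflectionTypeLoadException if a dependency is missing

    [pscustomobject]@{
        Name           = $name.Name
        Version        = $name.Version.ToString()
        PublicKeyToken = $token
        ImageRuntime   = $Assembly.ImageRuntimeVersion   # CLR version the CIL was compiled against
        ManifestModule = $Assembly.ManifestModule.Name
        DeclaresCLS    = $cls
        TypeCount      = $typeCount
        References     = $refs
    }
}

function Get-CtsCategory {
    # Map a type to the CTS kind listed above and to its value/reference category.
    param([Parameter(Mandatory)][type]$Type)
    $kind = 'Class'
    if ([System.Delegate].IsAssignableFrom($Type)) { $kind = 'Delegate' }
    if ($Type.IsInterface) { $kind = 'Interface' }
    if ($Type.IsValueType) { $kind = 'Structure' }
    if ($Type.IsEnum)      { $kind = 'Enumeration' }   # enums are value types, so this check comes last
    $category = if ($Type.IsValueType) { 'value type' } else { 'reference type' }
    [pscustomobject]@{ Type = $Type.FullName; CtsKind = $kind; Category = $category }
}

# Usage: the core library is loaded in every PowerShell session, so this runs offline.
Get-AssemblyManifestSummary -Assembly ([object].Assembly) | Format-List
[int], [System.DayOfWeek], [System.IDisposable], [System.Action], [string] |
    ForEach-Object { Get-CtsCategory -Type $_ } | Format-Table -AutoSize
```

Point the first function at any managed DLL loaded with [System.Reflection.Assembly]::LoadFile to see its manifest; a missing public key token means the assembly is not strong-named, and an absent CLSCompliant attribute means the compiler never checked its public surface.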



Monday, March 16, 2009

How to remove a virus or malware

In the earlier post I described how to take precautions against viruses. If your computer is already infected, those precautions are of no use. Most viruses stay running in memory, which means that if you delete their files while the process is still alive, the process simply writes a fresh copy back. To add to your pain, such malware can also disable Task Manager1, which makes it harder to remove the process2 from memory.

There are two ways in which such viruses can be removed:-
  1. Such viruses can be removed automatically by antivirus software (if the software has a definition for the malware present on your system). There is plenty of good antivirus software3 on the market; some of it costs money, some won't cost a penny.

    Some of the most popular ones are:-

    I have been using Avast antivirus since I had my own PC and, touch wood, not a single virus has infected my computer. So I would recommend Avast Home Edition, as it is free of cost.
  2. You can also remove memory-resident viruses manually, but you need some experience with Windows so that you don't accidentally delete a system file. This method is only possible if the malware has not done serious damage to the computer or made it unusable. The tools required are:-
    • Sysinternals Process Explorer (not strictly required if Task Manager is not disabled, but Process Explorer is a better and more advanced tool: it shows each process's full image path and command line, and its "Verify Image Signatures" option checks whether the image carries a valid Microsoft or vendor signature.)
    • Sysinternals Autoruns (the "Autostart Program Viewer"; without it you would have to edit the registry autostart locations manually, which can be tricky for beginners.)
    • An active internet connection (experienced users may not need this.)

    Now, first you have to find the name of the process or executable (the virus) running in the background. Start Process Explorer; you will see a list of the processes in memory. This is a trial-and-error method, so look for any process that seems suspicious (an unfamiliar name, no description or company name, an image path under a temp or user-profile folder, an unverified signature) and then go to www.processlibrary.com and search for the process name (you can also search Google). If you see "Oooops... Process Not Found", treat it as a strong hint rather than proof: the database simply does not know the name, so confirm with a Google search and with the signature check before deleting anything.
    If Process Library returns a result, it gives detailed information about the process, and there are two possibilities:-
    1. The result lists both a genuine Windows process and a potential virus of the same name - malware often copies itself into the system folders under the name of a legitimate component. The deciding factor is the path: the genuine svchost.exe, for instance, lives under %SystemRoot%\System32 (or SysWOW64 on 64-bit Windows), so a same-named image anywhere else is the impostor. If the malware has actually overwritten the real system file, the system may be very unstable or unusable and you have little chance of a clean recovery; try repairing the operating system with the recovery disc, or use System Restore.
    2. The result classifies it only as a virus - double-check with Google.

    Once you have identified the virus or malware in this way, you have to stop the process immediately, before it does any further harm. First note the path of the process, i.e. the folder its executable is stored in (Process Explorer shows it in the process properties). Then right-click the process name and select "Kill Process". If the malware runs as two or more processes that restart each other, suspend all of them first (right-click, "Suspend") and only then kill them, so that none is left alive to re-create the others. Every memory-resident malware process must be removed this way, otherwise it can copy itself back. After terminating the processes, go to the folder(s) you noted and remove the executables (delete them permanently with Shift+Delete; don't just send them to the Recycle Bin). Finally, start Autoruns and, after its scan completes, search for the name of the file you just deleted. Note the directories or paths mentioned in those entries, delete the entries by right-clicking and selecting Delete, then go to the paths you noted and delete any remaining copies of the suspicious file.

After these steps, reboot the system and check whether the same processes are relaunched; if so, repeat the whole procedure. To make this easier, make sure the virus is no longer in memory before removing the autostart entries, i.e. the suspicious process is not running in the background (re-check Process Explorer before deleting the Autoruns entry), because if it is still running it can re-create the autostart entry right after you delete it.

This method may look tedious, but it works when all anti-virus software fails; some malware is even capable of disabling anti-virus software. Even if you remove the virus manually, I recommend that you follow up with a boot-time scan using your favourite anti-virus.
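A PowerShell first pass at the triage above, added here as an example and not part of the original post. Rather than relying on a process-name database, it looks at where each process image lives and whether the image carries a valid Authenticode signature, then lists the registry autostart locations so that a process you have killed can be matched to its persistence entry by file name. The function names and the list of "suspect" folders are my own heuristics; the registry paths are the standard Run, RunOnce and Winlogon locations.

```powershell
# Added example (not from the original post): process and autostart triage.
# Function names and the suspect-folder list are my own heuristics; the
# registry keys are the standard Windows autostart locations.
# Run from an elevated prompt so that system processes and HKLM are readable.

# Folders a genuine Windows component almost never runs from.
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:SystemRoot\Temp", "$env:USERPROFILE\Downloads") |
    Where-Object { $_ }

function Get-ProcessTriage {
    # One row per process with an image path; Suspicious is a hint, not a verdict.
    Get-CimInstance -ClassName Win32_Process | Where-Object { $_.ExecutablePath } | ForEach-Object {
        $path   = $_.ExecutablePath
        $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { [string]$sig.Status } else { 'Unreadable' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $inSuspectRoot = [bool]($suspectRoots | Where-Object { $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
        [pscustomobject]@{
            Pid        = $_.ProcessId
            Name       = $_.Name
            Path       = $path
            Signature  = $status      # 'NotSigned' on a System32 file may only mean catalog-signed; confirm in Process Explorer
            Signer     = $signer
            Suspicious = $inSuspectRoot -or ($status -ne 'Valid')
        }
    }
}

$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntry {
    # Run/RunOnce values plus the Winlogon Shell and Userinit values, which worms
    # of this kind commonly hijack (defaults: explorer.exe and ...\userinit.exe,).
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider bookkeeping, not registry values
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $winlogon
    foreach ($n in 'Shell', 'Userinit') {
        [pscustomobject]@{ Location = $winlogon; Name = $n; Command = [string]$wl.$n }
    }
}

function Find-AutostartFor {
    # Given the file name of a process you just killed, show every autostart entry that refers to it.
    param([Parameter(Mandatory)][string]$FileName)
    Get-AutostartEntry | Where-Object { $_.Command -like "*$FileName*" }
}

# Usage:
Get-ProcessTriage | Where-Object { $_.Suspicious } | Format-Table Pid, Name, Signature, Path -AutoSize
Get-AutostartEntry | Format-Table -AutoSize
# Find-AutostartFor -FileName 'suspect.exe'
```

The Suspicious column narrows the list to look at; it is not a verdict. Anything it flags still goes through the path and signature checks described above before you kill or delete it, and the Winlogon Shell and Userinit values deserve a look even when nothing else is flagged, since a hijacked Shell value runs before Task Manager or Process Explorer can.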


References:
  1. ^ Task Manager - Windows Task Manager is a task manager application included with the Microsoft Windows NT family of operating systems that provides detailed information about computer performance and running applications, processes and CPU usage, commit charge and memory information, network activity and statistics, logged-in users, and system services. Source: http://en.wikipedia.org/wiki/Windows_Task_Manager
  2. ^ Process - In computing, a process is an instance of a computer program that is being sequentially executed by a computer system that has the ability to run several computer programs concurrently. Source: http://en.wikipedia.org/wiki/Process_(computing)
  3. ^ List of antivirus software


Thursday, March 12, 2009

Tips for precaution against Viruses and Malware

Nowadays most viruses and malware1 infect computers through pen drives or USB thumb drives. An infected pen drive carries an autorun.inf file whose entries automatically run the malware when the drive is attached to the target computer. This works when the Windows AutoRun feature is enabled on the target computer, so to stop such viruses from infecting your computer I recommend disabling AutoRun, as it is seldom needed by most of us. (Windows 7 and later, and older versions with Microsoft's AutoRun update applied, no longer run autorun.inf entries from USB drives, but the setting still governs optical media and unpatched systems.)

The process for disabling Windows Autorun:-
  • Go to Start Menu and click Run...
  • Open the Group Policy Editor by typing gpedit.msc at the run prompt and hit enter.
  • In the Group Policy Editor that opens, choose Local Computer Policy -> Computer Configuration -> Administrative Templates -> System. In the right pane find the setting named "Turn off Autoplay" and double-click it. (On Windows 7 and later the same setting lives under Administrative Templates -> Windows Components -> AutoPlay Policies.)
  • In the "Turn off Autoplay Properties" dialog box, select Enabled (which disables AutoPlay) and "All drives" from the drop-down menu, then click Apply and OK. Behind the scenes this sets the NoDriveTypeAutoRun value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF.
  • Autoplay is now disabled. Close the Group Policy Editor.



This prevents the malware from running automatically and helps keep your system clean. Most antivirus software can handle such threats, but it may not stop a brand-new virus from running, so use this tip to be on the safer side. I also recommend always opening removable drives from the address bar rather than double-clicking them or using the right-click menu, because some malware ships an autorun.inf that redirects the drive's default Open or Explore command in Explorer (the shell\open\command and shell\explore\command entries) to the malicious executable. To open a removable drive from the address bar, enter its drive letter followed by a colon and press Enter (e.g. "F:" or "G:").

Usually these worms are hidden and have the system attribute set, so you will not see the files unless "Show hidden files and folders" is selected and "Hide protected operating system files" is unchecked under the View tab of the Folder Options dialog box. If you see a suspicious file or folder in the root of the removable drive that you did not create or save there yourself, remove it immediately; you can also scan it with your antivirus software.
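An added PowerShell example, not part of the original post, that puts the three points above into code: the registry equivalent of the "Turn off Autoplay / All drives" policy, a parser that flags the autorun.inf directives used to launch a program or hijack the drive's Open and Explore verbs, and a scan of a drive root for hidden files. The function names are mine, the sample autorun.inf at the end is constructed for the demonstration and not taken from any real worm; the NoDriveTypeAutoRun value and the autorun.inf keywords are Windows' own.

```powershell
# Added example (not from the original post). Function names are mine; the
# NoDriveTypeAutoRun policy value and the autorun.inf keywords are Windows'.

function Disable-AutorunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled; 0xFF
    # covers all of them. HKLM affects every user (needs elevation), HKCU only the current one.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    $key = "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
    (Get-ItemProperty -Path $key).NoDriveTypeAutoRun     # 255 once applied
}

function Get-AutorunInfRisk {
    # Return the [autorun] directives that run a program or rewire Explorer verbs.
    # open / shellexecute run on insertion when AutoRun is enabled; shell and
    # shell\<verb>\command redirect the Open / Explore context-menu entries,
    # which is why the post says to open the drive from the address bar.
    param([Parameter(Mandatory)][string]$Text)
    $section = ''
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }                      # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun' -or $line -notmatch '=') { continue }
        $name, $value = $line -split '=', 2
        $name = $name.Trim().ToLower()
        if ($name -match '^(open|shellexecute|shell|shell\\[^\\]+\\command)$') {
            [pscustomobject]@{ Directive = $name; Target = $value.Trim() }
        }
    }
}

function Get-DriveRootSuspects {
    # List hidden entries in the root of a drive (worms set Hidden+System) and parse its autorun.inf.
    param([Parameter(Mandatory)][string]$Root)    # e.g. 'F:\'
    Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { ([int]$_.Attributes -band [int][System.IO.FileAttributes]::Hidden) -ne 0 } |
        Select-Object Name, Attributes, Length, LastWriteTime
    $inf = Join-Path -Path $Root -ChildPath 'autorun.inf'
    if (Test-Path -Path $inf) { Get-AutorunInfRisk -Text (Get-Content -Path $inf -Raw) }
}

# Constructed sample (not from any real worm) of the autorun.inf shape described above:
$sample = @"
[autorun]
; harmless-looking icon line, then the hooks
icon=%SystemRoot%\system32\shell32.dll,4
open=hidden\setup.exe
shellexecute=hidden\setup.exe
shell\open\command=hidden\setup.exe
shell\explore\command=hidden\setup.exe
shell=open
"@

Get-AutorunInfRisk -Text $sample | Format-Table -AutoSize   # flags the five hooks; icon= is left alone
# Disable-AutorunPolicy              # run elevated; sets NoDriveTypeAutoRun = 0xFF
# Get-DriveRootSuspects -Root 'F:\'
```

The parser deliberately reports every directive rather than deciding for you: an autorun.inf that only sets icon= or label= is normal on vendor media, while any open=, shellexecute= or shell\...\command= entry pointing at an executable on the drive itself is the pattern to delete (along with the target file) before the drive is opened.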

If executed, this malware may copy its executables into "[System Drive]2:\Windows" and "[System Drive]:\Windows\System32", into the root of every drive, and onto any other attached removable drive. It also creates autostart entries for the executables so that they run each time Windows starts, and most such viruses try to disable Task Manager or the Registry Editor to make it difficult to remove the malware from memory.

I will also write a post which describes how to remove such malwares from the active memory and your computer if it is infected.



References

  1. ^ Malware, a portmanteau from the words malicious and software, is software designed to infiltrate or damage a computer system without the owner's informed consent. Source: http://en.wikipedia.org/wiki/Malware

  2. ^ The System Drive is the partition or drive on which Windows is installed.

