Impossible to remove registry key

1

I have a very stubborn registry key which is impossible to delete or access: HKLM\Software\Symantec\Symantec Endpoint Protection\CurrentVersion. When I try to open it in regedit, it says "An error is preventing this key from being opened. Details: The system cannot find the file specified."

When I try to delete the whole branch, all I get is "Error while deleting key".

Following some advice I found elsewhere, I tried downloading the RegDelNull utility from Sysinternals, but scanning the whole HKLM tree did not reveal any items to delete. However, when I specified the entire path to the bad key, I got the following message:

"A null context handle was passed from the client to the host during a remote procedure call."

Why did regedit complain about being unable to find the file specified? Is it something related to the way registry entries are stored?

More importantly, how do I delete the keys when they cannot even be deleted by the utility made for precisely this purpose?

JohnEye

Posted 2016-02-12T15:05:08.750

Reputation: 1 208

What is the path to the key, and do you have permissions for it? – Jonno – 2016-02-12T15:05:43.290

Key added. Being the admin of the system, I have all the permissions I should need. – JohnEye – 2016-02-12T15:11:27.707

Not necessarily - registry keys have their own permissions (right click -> Permissions). Make sure administrators/your account has permission to modify. – Jonno – 2016-02-12T15:12:14.357

A permission problem would manifest differently though, wouldn't it? I have checked though and have both read and write permissions set to Allow for the account I'm using. – JohnEye – 2016-02-12T15:14:20.333

Some keys need "full access," not just read-write. For my system builds, there's at least one registry key I have to go give full access to my account (or all accounts). – bgStack15 – 2016-02-12T16:39:10.090

Sorry, what I meant to say is that I have "Read" and "Full control" privileges. There's no "Write" permission, apparently my brain just made that up when seeing "Read" :-) – JohnEye – 2016-02-12T16:43:51.977

You did pass the -s flag to RegDelNull, right? Can you use RegEdit's Permissions UI to take ownership of the key? – Ben N – 2016-02-12T16:59:53.130

Is Symantec EP still installed/running on the system? – Ƭᴇcʜιᴇ007 – 2016-02-12T18:05:44.957

You may have to change the owner in permissions for that registry key. – Moab – 2016-02-12T22:11:00.213

@BenN: Sure I did. The owner is the Administrators group which I am a member of. – JohnEye – 2016-02-15T16:12:37.357

@Ƭᴇcʜιᴇ007: No, it was removed, although apparently not as cleanly as I would like it to be. – JohnEye – 2016-02-15T16:13:17.443

Answers

1

I had a similar issue on my Windows 7 box. I eventually figured out that the key was a broken symbolic link. The built-in regedit tool does not seem to properly support these, and acts as described when trying to access such a key.

I managed to delete the broken symbolic link using https://github.com/tenox7/regln like this:

C:\Users\Zero3\Desktop>regln-x64.exe -d "\Registry\User\S-1-5-21-1688150413-3759594893-2435602081-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"

You will need to adapt the path to your use case, of course.

(For reference, I noted that a similar issue was posted here: https://serverfault.com/questions/796797/regedit-error-cannot-find-the-file-specified-accessing-key/963975)

Zero3

Posted 2016-02-12T15:05:08.750

Reputation: 569
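The diagnosis in the answer above is a registry symbolic link whose target no longer exists, which regedit reports as "The system cannot find the file specified". The script below is an added example, not part of the original question or answer and not regln's code: it walks a registry subtree without following links, reads each link key's SymbolicLinkValue through advapi32 (opened with REG_OPTION_OPEN_LINK so the link itself is inspected rather than followed), and flags links whose target path no longer resolves. It assumes Windows PowerShell 5.1 or later on Windows, and the function and class names (RegLinkNative, Get-RegistryLinkTarget, ConvertTo-ProviderPath, Find-RegistryLinks) are my own. Run it elevated to inspect HKLM.

```powershell
# Added example: find registry symbolic links under a key and report broken targets.
# Not from the original question or answer; helper names are hypothetical.
if (-not ('RegLinkNative' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class RegLinkNative
{
    public const int REG_OPTION_OPEN_LINK = 0x0008;   // open the link key itself, do not follow it
    public const int KEY_READ = 0x20019;
    public const int REG_LINK = 6;                    // value type of SymbolicLinkValue

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int RegOpenKeyExW(IntPtr hKey, string subKey, int options, int sam, out IntPtr result);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int RegQueryValueExW(IntPtr hKey, string valueName, IntPtr reserved, out int type, byte[] data, ref int size);

    [DllImport("advapi32.dll")]
    public static extern int RegCloseKey(IntPtr hKey);
}
"@
}

function Get-RegistryLinkTarget {
    # Returns the NT path a link key points to, or $null when the subkey is a normal key
    # (or cannot be opened at all).
    param([Microsoft.Win32.RegistryKey]$Parent, [string]$SubKeyName)

    $h = [IntPtr]::Zero
    $rc = [RegLinkNative]::RegOpenKeyExW($Parent.Handle.DangerousGetHandle(), $SubKeyName,
        [RegLinkNative]::REG_OPTION_OPEN_LINK, [RegLinkNative]::KEY_READ, [ref]$h)
    if ($rc -ne 0) { return $null }
    try {
        $type = 0; $size = 0
        # First call only sizes the buffer; a non-zero result (ERROR_FILE_NOT_FOUND) means
        # there is no SymbolicLinkValue, i.e. this is an ordinary key.
        $rc = [RegLinkNative]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $null, [ref]$size)
        if ($rc -ne 0 -or $type -ne [RegLinkNative]::REG_LINK) { return $null }
        $buf = New-Object byte[] $size
        $rc = [RegLinkNative]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $buf, [ref]$size)
        if ($rc -ne 0) { return $null }
        # REG_LINK data is UTF-16 without a terminating null.
        return [System.Text.Encoding]::Unicode.GetString($buf, 0, $size)
    } finally {
        [void][RegLinkNative]::RegCloseKey($h)
    }
}

function ConvertTo-ProviderPath {
    # Maps the object-manager form stored in SymbolicLinkValue (\Registry\Machine\..., \Registry\User\...)
    # onto the PowerShell Registry provider so Test-Path can check whether the target exists.
    param([string]$NtPath)
    switch -Regex ($NtPath) {
        '^\\Registry\\Machine\\(.*)$' { return "Registry::HKEY_LOCAL_MACHINE\$($Matches[1])" }
        '^\\Registry\\User\\(.*)$'    { return "Registry::HKEY_USERS\$($Matches[1])" }
        default                       { return $null }
    }
}

function Find-RegistryLinks {
    # Walks the subtree below $Key and emits one record per symbolic link found.
    # Links are never descended into, so the walk stays inside the requested subtree.
    param([Microsoft.Win32.RegistryKey]$Key)

    foreach ($name in $Key.GetSubKeyNames()) {
        $target = Get-RegistryLinkTarget -Parent $Key -SubKeyName $name
        if ($null -ne $target) {
            $provider = ConvertTo-ProviderPath $target
            [pscustomobject]@{
                Link   = "$($Key.Name)\$name"
                Target = $target
                # A link whose target is gone is the condition regedit reports as
                # "The system cannot find the file specified".
                Broken = -not ($provider -and (Test-Path -LiteralPath $provider))
            }
            continue
        }
        $child = $null
        try { $child = $Key.OpenSubKey($name) } catch { }   # skip subkeys we are not allowed to read
        if ($child) { try { Find-RegistryLinks -Key $child } finally { $child.Close() } }
    }
}

# Usage (constructed for this page): audit the branch from the question.
$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Symantec')
if ($root) { Find-RegistryLinks -Key $root | Format-Table -AutoSize; $root.Close() }
```

The output lists each link under the branch with its NT-style target and a Broken column; a row with Broken set to True is the case the answer describes, and that is the key to hand to a link-aware tool such as regln rather than to regedit. Opening with REG_OPTION_OPEN_LINK is what makes the inspection possible at all: a plain open follows the link, which is exactly the step that fails when the target is missing.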