How to stop auto-changing registry values?


My computer (Windows XP Home Edition SP3) is changing registry values by itself.

Under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, I have DisableRegistryTools and DisableTaskMgr set to 0:

[screenshot: Regedit showing DisableRegistryTools and DisableTaskMgr set to 0]

However, for some reason, the values jump back to 1 after a couple of seconds. And regardless of how many times I set it to 0, it will soon jump back to 1 after a while.

Thinking that it may be some rogue program, I downloaded Process Explorer and took a look at the running processes:

[screenshot: Process Explorer process list]

All the processes are from Microsoft, Apple, NVIDIA, and Oracle, and they look pretty authentic.

Next, as suggested, I killed rundll32.exe and ran Process Monitor. In Regedit I queried HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools (it returns 1). Then I changed the value to 0, as shown:

... (there are a lot of entries; I was searching for the string "disableregistrytools") ...
12:25:34.8264490 AM regedit.exe 3192    RegQueryValue   HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools SUCCESS Type: REG_DWORD, Length: 4, Data: 1
12:25:34.8264696 AM regedit.exe 3192    RegQueryValue   HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools SUCCESS Type: REG_DWORD, Length: 4, Data: 1
12:25:35.9547009 AM regedit.exe 3192    RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools SUCCESS Type: REG_DWORD, Length: 4, Data: 0
...

I waited for roughly 2 minutes. Process Monitor is constantly updating its values, yet searching for the string "disableregistrytools" yields no further results. Then at 12:27:35, I double-clicked the value DisableRegistryTools in the Registry Editor so that I could read its updated value:

[screenshot: Regedit edit dialog for DisableRegistryTools]

The value jumped from 0 to 1.

Returning back to Process Monitor, now I see two additional entries when searching for the string "disableregistrytools":

...
12:27:35.6996148 AM regedit.exe 3192    RegQueryValue   HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools SUCCESS Type: REG_DWORD, Length: 4, Data: 1
12:27:35.6996148 AM regedit.exe 3192    RegQueryValue   HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools SUCCESS Type: REG_DWORD, Length: 4, Data: 1
...

For some reason Process Monitor seems to fail to log the registry change.

What may be causing the problem?

Pacerier

Posted 2013-06-02T14:30:45.703

Reputation: 22 232

Use Process Monitor to see what's changing the key. – David Marshall – 2013-06-02T15:37:10.123

@DavidMarshall, it doesn't show... (see update) – Pacerier – 2013-06-02T16:49:46.267

How did you search for the results? What happens if you add the filter Path ends with DisableRegistryTools Include. It should then only show records where that registry key was involved (Also be extra sure you are running it as an admin, I think it automatically self elevates, but just make sure). – Scott Chamberlain – 2013-06-02T16:58:13.743

@ScottChamberlain, I've found the culprit, but I think it may have been a scapegoat. Every 27 seconds Explorer.EXE will set the values back to 1: http://screenshoot.me/GAjlFj and http://screenshoot.me/xGI2P0 . Since Explorer.EXE is from Microsoft it couldn't have been the culprit, right? How do we know who the real culprit is?

– Pacerier – 2013-06-02T18:39:28.630

@ScottChamberlain, I've tried killing Explorer.EXE. True enough, the real culprit simply finds a new scapegoat. Now Process Monitor is showing itself (Procmon.exe) as the culprit! – Pacerier – 2013-06-02T18:47:59.763
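As an added example (not part of the original post or its comments), here is the triage the comments above converge on, scripted in PowerShell: set the two values back to 0, time how quickly they flip again, list modules loaded into Explorer.EXE whose Authenticode signature does not verify, and dump the autorun locations where a per-user policy resetter would register itself. The Process Monitor filter suggested above (Path ends with DisableRegistryTools, Include; add Operation is RegSetValue) is still the quickest way to name the writing process; the script covers the next step once that process turns out to be Explorer.EXE, and then Procmon.exe after Explorer is killed, which is consistent with code running inside whatever legitimate host process is available. The function names, the 60-second watch window and the choice of autorun keys are mine; Windows PowerShell 2.0 in the affected user's session is assumed (on XP SP3 that means installing Windows Management Framework first).

```powershell
# Added example; not code from the original post. Assumes Windows PowerShell 2.0
# or later in the affected user's session. Key and value names are the question's.

$policyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyValues = 'DisableRegistryTools', 'DisableTaskMgr'

# Current state of the two policy values ($null when a value does not exist).
function Get-PolicyValues {
    $state = @{}
    foreach ($name in $policyValues) {
        $item = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
        if ($item -ne $null) { $state[$name] = $item.$name } else { $state[$name] = $null }
    }
    $state
}

# Set both values back to 0 (what the question does by hand in Regedit).
function Reset-PolicyValues {
    foreach ($name in $policyValues) {
        Set-ItemProperty -Path $policyKey -Name $name -Value 0 -Type DWord
    }
    Get-PolicyValues
}

# Poll the values and print a timestamped line each time one flips, so the reset
# interval can be measured independently of Process Monitor.
function Watch-PolicyValues([int]$Seconds = 120) {
    $last = Get-PolicyValues
    $stop = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $stop) {
        Start-Sleep -Milliseconds 250
        $now = Get-PolicyValues
        foreach ($name in $policyValues) {
            if ($now[$name] -ne $last[$name]) {
                '{0:HH:mm:ss.fff}  {1}: {2} -> {3}' -f (Get-Date), $name, $last[$name], $now[$name]
            }
        }
        $last = $now
    }
}

# Modules loaded into a process whose Authenticode signature does not verify.
# When the writes move from Explorer.EXE to Procmon.exe after Explorer is killed,
# the code doing the work is inside the host process, usually as a loaded DLL.
function Get-UnverifiedModules([string]$ProcessName = 'explorer') {
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        foreach ($module in $proc.Modules) {
            $sig = Get-AuthenticodeSignature -FilePath $module.FileName -ErrorAction SilentlyContinue
            if ($sig -eq $null -or $sig.Status -ne 'Valid') {
                New-Object PSObject -Property @{
                    Process = $proc.ProcessName
                    Id      = $proc.Id
                    Module  = $module.FileName
                    Status  = if ($sig -ne $null) { $sig.Status } else { 'Unknown' }
                }
            }
        }
    }
}

# Autorun locations a per-user policy resetter is likely to use. An empty name
# list means "report every value under that key".
function Get-AutorunEntries {
    $locations = @{
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'                   = @()
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'               = @()
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = @()
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'                   = @()
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'               = @()
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = @()
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'            = @('Load', 'Run')
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'            = @('AppInit_DLLs')
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'           = @('Shell', 'Userinit')
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'           = @('Shell', 'Userinit', 'Taskman')
    }
    foreach ($key in $locations.Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item  = Get-Item -Path $key
        $names = $item.GetValueNames()
        if ($locations[$key].Count -gt 0) { $names = $names | Where-Object { $locations[$key] -contains $_ } }
        foreach ($name in $names) {
            New-Object PSObject -Property @{ Key = $key; Name = $name; Data = $item.GetValue($name) }
        }
    }
}

Reset-PolicyValues
Get-AutorunEntries    | Format-Table Key, Name, Data -AutoSize
Get-UnverifiedModules | Format-Table Process, Id, Status, Module -AutoSize
Watch-PolicyValues -Seconds 60
```

Two caveats when reading the output. Windows PowerShell 2.0 does not check catalog signatures, so many genuine OS DLLs will show as NotSigned; compare the module list against a clean install, or start with paths outside %SystemRoot% and %ProgramFiles%, rather than treating every NotSigned entry as suspect. And AppInit_DLLs deserves a close look on this version of Windows: a DLL listed there is loaded into every process that loads user32.dll, which would explain why both Explorer.EXE and Procmon.exe show up as the writer.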

Answers

1

Use Process Monitor. It is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.

[screenshot: Process Monitor]

For more information, read this page: http://technet.microsoft.com/en-us/sysinternals/bb896645

stderr

Posted 2013-06-02T14:30:45.703

Reputation: 9 300

For some reason Process Monitor seems to fail to log the registry change. (see update). What may be causing the problem? – Pacerier – 2013-06-02T16:50:04.940

Try that:

Click Start, Run and type gpedit.msc and press ENTER.

Go to following location:

User Configuration > Administrative Templates > System.

Double-click Disable registry editing tools and set it to Not Configured. – stderr – 2013-06-02T17:22:39.117

I'm on Windows XP Home Edition. There's no gpedit.msc. – Pacerier – 2013-06-02T18:28:04.717

0

Don't change the permissions. It will corrupt your system. You will have to reinstall Windows to correct the issue.

Raj Bharmal

Posted 2013-06-02T14:30:45.703

Reputation: 1

0

I don't know if you still need this, but I had the same problem as you. It took me 3 days to find out how to fix it.

Just go to

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

Then change the values to 0.

Then, quickly, right click the 'system folder', go to permissions and REMOVE ALL THE PERMISSIONS (Admin, SYSTEM and everything else), then apply and ok. It may ask you if you are sure about this, just click ok.

Now that no one (neither you nor the system) has the permission to change those values, they'll stay at 0 forever.

ighor

Posted 2013-06-02T14:30:45.703

Reputation: 11

What do you mean by "System folder"? C:\Windows\System? – nixda – 2013-09-29T16:14:12.170

@ighor Can you explain what this does? It seems to make my system weaker and more susceptible to attacks, right? – Pacerier – 2013-09-30T03:03:35.580
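The permission change in ighor's answer above, done in a reversible way, as an added example (not the answer's own steps and not from the original page): the key's current security descriptor is saved as an SDDL string first, the two values are set to 0, and the DACL is then replaced with a single entry that lets Everyone read the key and nothing else, so neither the user nor SYSTEM can write it. Two things a practitioner should know before relying on this. The key's owner keeps an implicit right to rewrite the DACL, and in HKCU the owner is the logged-on user; anything running as that user, which is exactly what the comments above show (writes attributed to Explorer.EXE and then Procmon.exe), can therefore undo the lock, so this buys time rather than removing the cause. And removing SYSTEM's write access is also what makes the change easy to get wrong by hand, which is why the backup comes first. The function names and the backup file path are my choices; Windows PowerShell 2.0 or later, run as the affected user, is assumed.

```powershell
# Added example; not code from the answer above. Assumes Windows PowerShell 2.0 or
# later, run as the user whose HKCU hive is affected (that user owns the key by
# default). The backup file path is an assumption; any writable location will do.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$aclBackup = Join-Path $env:USERPROFILE 'PoliciesSystem-acl.sddl'

# Save the key's current security descriptor as SDDL so the lock can be undone.
function Backup-PolicyKeyAcl {
    $sddl = (Get-Acl -Path $policyKey).Sddl
    Set-Content -Path $aclBackup -Value $sddl
    $sddl
}

# Set both values to 0, then replace the DACL with one entry: Everyone may read the
# key and nothing else. This is the answer's "remove all permissions" step, except
# that read access is kept so Regedit and anything else can still see the values.
function Lock-PolicyKey {
    Set-ItemProperty -Path $policyKey -Name DisableRegistryTools -Value 0 -Type DWord
    Set-ItemProperty -Path $policyKey -Name DisableTaskMgr       -Value 0 -Type DWord

    $acl = Get-Acl -Path $policyKey
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited entries
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    # S-1-1-0 is the well-known SID for Everyone; using the SID avoids localized names.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $readOnly = New-Object System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $everyone, 'ReadKey', 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($readOnly)
    Set-Acl -Path $policyKey -AclObject $acl

    (Get-Acl -Path $policyKey).Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
}

# Put the saved descriptor back. This works even though the DACL now grants no
# write access, because the key's owner always retains the right to change it.
function Restore-PolicyKeyAcl {
    $acl = Get-Acl -Path $policyKey
    $acl.SetSecurityDescriptorSddlForm([string](Get-Content -Path $aclBackup))
    Set-Acl -Path $policyKey -AclObject $acl
}

Backup-PolicyKeyAcl
Lock-PolicyKey
# Later, once the program resetting the values has been removed:  Restore-PolicyKeyAcl
```

Run Backup-PolicyKeyAcl before anything else and keep the .sddl file; Restore-PolicyKeyAcl is the only clean way back. The same owner right that makes the restore possible is the reason the lock is not a fix: the program that is resetting the values runs in this user's context and can call the same API to put its own permissions back.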