vowe dot net :: Weird Windows problem

Weird Windows problem

by Volker Weber

I have come across a problem with my Windows 2000 Server that I cannot get a grip on. Here is what is happening: The HKEY_LOCAL_MACHINE\SOFTWARE key cannot be opened. In Regedit the little plus sign in front of "Software" goes away. A reboot cures the problem and after a few days the key becomes unavailable again. I have absolutely no clue of what is going on.

Any ideas?

2004-06-13 :: email :: bookmark :: digg

Comments

Perhaps there's an app on the machine that opens the key using win32 apis, and leaves it open? A reboot would fix that until the app (or service, or whatever) starts running again.

Bob Balaban, 2004-06-13 02:39

There are several Outlook-spread worms that exhibit this behavior, IIRC.

Nathan T. Freeman, 2004-06-13 07:18

Bob, how would I find out?

Nathan, highly unlikely. There is no Outlook on the machine, but it is patched every day and the virus scanner is happy. Can you point me to a specific worm?

Volker Weber, 2004-06-13 11:08

How did you get rid of Outlook? As far as I know you can only disable access to it (from the desktop, there might still be other ways to access it), but you can't easily remove it. Any hints that don't require major surgery are welcome.

Armin, 2004-06-13 13:27

Outlook is part of Microsoft Office. There is no Office installed on the server.

Volker Weber, 2004-06-13 14:03

Oops, sorry, overlooked the "Server". I thought you were talking of "normal" Windows 2000, where Outlook Express comes with the IE, if you like it or not.

Armin, 2004-06-13 14:24

Outlook Express and Outlook share nothing but the name.

Internet Explorer is installed on the server. As is Outlook Express. However there is no account configured in Outlook Express so it is not operational. Additionally you can delete imn.exe (from its original name "Internet Mail & News").

Volker Weber, 2004-06-13 14:35

Hi Volker,
eventuallt this: http://www.blunck.info/dp.html tool might come in handy to find out what is running when the content of software dissappears.
;-) stw

Stephan Wissel, 2004-06-13 16:41

How to find out.... yes, that's the issue I guess. If you can access the key "for a while" after rebooting, perhaps you can try this:
reboot, immediately open Regedit and access the key
See if any running processes display errors because they can't access the key

If you boot into safe mode, does it still happen? Safe mode with networking? Have you checked your startup folder recently?

Bob Balaban, 2004-06-14 00:04

I can get into the key for days. And then suddenly I can no longer. I notice this when the virus scanner wants to read its login information from the registry in order to authenticate against the download server.

So, I have to wait for this to happen and then I can try and find out what is blocking access. I was thinking about using some of the tools from SysInternals.

The behaviour is actually not new. The machine developed it months ago but I never cared enough to cure it.

Volker Weber, 2004-06-14 00:13

it's hard to solve such sorts of problems - even more if they just tend to happen from time to time.

my bet is some sort of spyware/malware.

virusscanner is happy here, too - all the day. today i manually cleaned up the system - using a combination of adaware, hijackthis and spybot search & destroy. the result was shocking.

i bought norton antivirus 2004 because i had positive experiences with prior versions plus the 2004 release now comes with integrated malware/spyware detection.

my mind changed and i will nomore buy any update extension nor any new version of NAV. it's just too unsatisfying in it's results.

i had some irc bot virus/spyware combination on my system for nearly 2 weeks and it didn't get catched by NAV. kaspersky trial found and removed it on the first tryout.

enigma, 2004-06-14 19:21

The Swen.A virus is known to block access to the registry and if I recall correctly also exhibits some of the other symptoms alluded to here.

http://chris-linfoot.net/plinks/CWLT-5RJDJA

Chris Linfoot, 2004-06-15 14:09