gahbmwM5
Cadet

 Joined: Jan 06, 2006 Posts: 3 Location: USA
Posted: Fri Jan 06, 2006 5:54 am Post subject: Deleting AppInit_DLLs registry key after applying MS...
Official patch is ok...?
Hello,
I just wanted to make sure that I'm interpreting this correctly, as I 'did apply' ilfak's wmffix.exe 1.2 a couple of days ago on my single user WinXP SP2 Home laptop...
I have reviewed the WMF Exploit FAQs section (updated by Paul), and was able to successfully remove the wmffix.exe 1.2 through my Add/Remove section, then rebooted and applied the Official MS patch, but I read this section of FAQs and was curious:
#14 # Are any changes made to the Registry?
The installer injects this DLL to processes in the system using the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
I deleted this \AppInit_DLLs key (which showed a blank value after using the wmffix.exe 1.2 uninstaller, and was still present after applying the Official MS patch)...
Is this fine? Just want to make sure that this 'key is no longer needed'
Thanks for all the work to ilfak & Paul... 
Paul
CastleCops Founder
 Joined: Feb 22, 2002 Posts: 27351
gahbmwM5
Cadet

 Joined: Jan 06, 2006 Posts: 3 Location: USA
Posted: Fri Jan 06, 2006 6:24 am Post subject:
Paul wrote: "You could have left it blank, but that's fine."
Hi Paul,
Very good, as that is what I thought, but sometimes I 'read too much into events'...lol
Thanks for the prompt reply, as I have 'made this Forum' be known on some other sites where there is some confusion...
What better way to obtain 'accurate info' than from a MS-MVP Windows Security (yourself) and from the author of the various wmffix.exe patches, .msi installers, etc. and vulnerability checker, ilfak (himself)...there is no better, reliable source.
Paul
CastleCops Founder
 Joined: Feb 22, 2002 Posts: 27351
gahbmwM5
Cadet

 Joined: Jan 06, 2006 Posts: 3 Location: USA
Posted: Fri Jan 06, 2006 9:33 pm Post subject:
Paul wrote: "Why thank you, and welcome to CC. Here is a better explanation:
/HijackThis.html#o20
So you can see normally the value is left blank."
Very good Paul and thanks again...
I added it back again as a string value: {Data = blank}
Name Type Data
AppInit_DLLs REG_SZ
Paul
CastleCops Founder
 Joined: Feb 22, 2002 Posts: 27351
Metallica
Site Moderator Premium Member
 Joined: Dec 11, 2002 Posts: 4909 Location: Netherlands
Posted: Sun Jan 08, 2006 11:42 am Post subject:
I have a few questions about this registry entry:
- Is it correct that the patch adds an extra space before its entry in the AppInit_DLLs value in the registry?
- If so, does it only do this when another value is present on install or is this default behavior?
- Is it correct that the extra space does not get removed at uninstall?
Not that it does any harm, but we found it left behind on some occasions and in one of them AdWatch got in a loop where it kept asking at every boot if the change was OK.
Thanks for any answers you may be able to provide.
Regards,
Pieter
MS-MVP Consumer Security
ilfak
Hexblog Host
 Joined: Jan 03, 2006 Posts: 21 Location: Belgium
Posted: Sun Jan 08, 2006 9:57 pm Post subject:
Yes, there might be a space character left after uninstalling the hotfix. It does no harm because the system ignores white space in this key. You may safely accept the changes.
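A read-only audit of the value discussed in this thread, as an added example that is not part of the original posts or of ilfak's hotfix: it splits AppInit_DLLs the way the posts describe (white space is ignored, so a leftover space counts as blank) and reports each DLL that remains listed. The WOW6432Node path, the LoadAppInit_DLLs value (Windows Vista and later) and the system-directory lookup for bare file names are assumptions that go beyond the thread.

```powershell
# Added example, not from the thread: list what AppInit_DLLs would load.
$views = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit view; only present on 64-bit Windows
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitEntry {
    param([Parameter(Mandatory)][string]$KeyPath)

    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return }   # key not present on this system

    # A missing value reads as $null, which casts to an empty string
    $raw = [string]$props.AppInit_DLLs
    # Entries are separated by spaces or commas, so blank or
    # whitespace-only data produces an empty list
    $entries = @($raw -split '[\s,]+' | Where-Object { $_ })

    # Assumption: bare file names are looked up in the system directory
    $sysDir = if ($KeyPath -like '*WOW6432Node*') { 'SysWOW64' } else { 'System32' }

    if ($entries.Count -eq 0) {
        [pscustomobject]@{
            Key = $KeyPath; Entry = '(blank)'; Exists = $null
            Signature = $null; LoadAppInit = $props.LoadAppInit_DLLs
        }
        return
    }
    foreach ($entry in $entries) {
        $path = if (Split-Path -Path $entry -IsAbsolute) { $entry }
                else { Join-Path $env:SystemRoot "$sysDir\$entry" }
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        # Signature status is only meaningful when the file is on disk
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { $null }
        [pscustomobject]@{
            Key = $KeyPath; Entry = $path; Exists = $exists
            Signature = $sig; LoadAppInit = $props.LoadAppInit_DLLs
        }
    }
}

$views | ForEach-Object { Get-AppInitEntry -KeyPath $_ } | Format-Table -AutoSize
```

A row showing `(blank)` corresponds to the state described in the posts above; any other row names a DLL that is still listed and is worth identifying.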
Paul
CastleCops Founder
 Joined: Feb 22, 2002 Posts: 27351