REGEDIT – using the Windows Registry Editor to diagnose slow computer

Regedit is the Windows Registry Editor used to make changes to the database (registry) that controls the Windows Operating System.

CAUTION: Though it is easy to use, be careful. Making changes to the registry can render your system unusable. The Windows Registry is immense and will easily drive you crazy trying to understand the intricacies of its function and structure.

You’ll be using the registry editor to search for some of the clues you picked up using the Event Viewer and Task Manager to diagnose your slow computer. This will help you identify running processes and applications in order to determine if they are legitimate.

To open the Registry Editor, type “regedit” (no quotes) into the RUN box from the START menu. Resize the window and columns to be able to view all the information.

The registry is made up of five hives:

  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS
  • HKEY_CURRENT_CONFIG

You’ll be working with the HKEY_CURRENT_USER (HKCU) and HKEY_LOCAL_MACHINE (HKLM) hives. The other hives get into the computer hardware configurations and system security/permissions. You’re looking for registry locations that determine the software that runs when the computer is started.

Clicking on the “+” sign next to each hive expands the hive to show the keys within the hive.

Expand the following hive to see what software is set to run at startup for the current user.

There are many startup locations within the registry. You’ll learn more about these startup keys using some of the tools on the Utilities page.

Navigate to the following key by clicking on the “+” next to each key to expose the sub-keys.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

[Screenshot: Regedit - HKCU Run key]

There usually isn’t very much in this key because it controls startup programs for the current user. Hackers want their payload to run every time the computer starts up, not just when a specific user logs in.

Take a little time to get comfortable navigating the hive/key structure. Look around a bit and get familiar with the registry. It is a wealth of information – some of it useful, some really cryptic. But for those of you that like to get their hands in the clay – here it is!

Now navigate to the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[Screenshot: Regedit - HKLM Run key]

This key is what is shown on the STARTUP tab of the msconfig utility. You should recognize all of the entries here. Some things you’ll want here – antivirus program, iTunes helper, video driver application, sound and others.

You’ll also see things listed that you DON’T need or want to run – rogue security, registry booster/cleaners, toolbars and the like.

You may notice that some of the entries correspond to what you found using the tools from the Diagnostics page. If not, that’s OK. You’re just learning your way around and this information is just another piece that will give you a better understanding of how this all fits together.

For now, if there’s something here you want to stop auto-starting, click on the entry’s name in the right-hand pane (each entry is a value inside the Run key). Press DEL to remove it.

If you’re trying to sanitize your system, make note of the filename and location in the Run key. Later you’ll find and delete that file/program from the location given here.

Now for the sleuthing part. Having gathered information about the unknown applications, processes and services from the Diagnostics page, you’ll use the search function to locate them in the registry to learn what they are.

Navigate back to the HKEY_CURRENT_USER hive. From here, press Ctrl-F to open the search box and enter the name of what you are looking for. The search will begin at the selected hive and search down through the registry, stopping on the first occurrence of your search string. To find the next occurrence, press F3.

If you’ve discovered the name of the file, program or process that your virus is using, this is the most efficient way to find the pest and cripple or kill him.

CAUTION: your search string may be contained within other, LEGITIMATE, registry keys. Make sure you’ve identified the found key as part of the infection before deleting anything.

As a safety precaution, you can export, to a file, the key you’re about to delete. Just highlight the parent key in the left pane that contains the value or key you want to delete. Right-click and select “Export” to save it to a file. Later, if you want to restore the key, you can import it back into the registry.
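The Ctrl-F/F3 search and the export-before-delete precaution above can be scripted so every hit is recorded. This added PowerShell example (not from the original page) searches key names, value names and value data under a hive, skips keys the current user is not allowed to read, and exports each matching key to a .reg file with reg.exe; `Find-RegistryString`, `Export-RegistryKey` and the search term `suspectname` are placeholders of my own.

```powershell
# Added example: scripted equivalent of regedit's Find, plus a .reg backup of each hit.
function Find-RegistryString {
    param(
        [Parameter(Mandatory)][string]$Root,    # e.g. 'HKCU:\' or 'HKLM:\SOFTWARE'
        [Parameter(Mandatory)][string]$Pattern  # plain text, matched case-insensitively
    )
    # SilentlyContinue skips keys we are not permitted to read (the protected
    # driver keys mentioned on this page show up as access-denied errors).
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -like "*$Pattern*") {
            [pscustomobject]@{ Key = $key.Name; Where = 'KeyName'; Value = ''; Data = '' }
        }
        foreach ($name in $key.GetValueNames()) {
            # Do not expand %VARS% so the stored text is matched as written.
            $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            if ($name -like "*$Pattern*" -or $data -like "*$Pattern*") {
                [pscustomobject]@{ Key = $key.Name; Where = 'Value'; Value = $name; Data = $data }
            }
        }
    }
}

function Export-RegistryKey {
    # Save a .reg backup before deleting anything; restore later with: reg import <file>
    param(
        [Parameter(Mandatory)][string]$KeyName,  # full name, e.g. 'HKEY_CURRENT_USER\Software\...'
        [Parameter(Mandatory)][string]$OutFile
    )
    & reg.exe export $KeyName $OutFile /y | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Usage: replace 'suspectname' with the file/process name gathered on the Diagnostics page.
$hits = Find-RegistryString -Root 'HKCU:\' -Pattern 'suspectname'
$hits | Format-Table -AutoSize
foreach ($keyName in ($hits | Select-Object -ExpandProperty Key -Unique)) {
    $backup = Join-Path $env:TEMP (($keyName -replace '[\\:]', '_') + '.reg')
    if (Export-RegistryKey -KeyName $keyName -OutFile $backup) { "Exported $keyName -> $backup" }
}
```

Review each hit against the CAUTION above before deleting: a legitimate key can contain your search string too.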

Some viruses install their startup in the hive that loads legacy drivers. These keys are protected by Windows and have the permissions set to read-only. Using the search function, I have found several rogue security applications running from these locations.

In order to delete the pest, you have to change the security of the key to allow full control.

[Screenshot: Regedit - Permissions dialog]

Right-click on the key you want to delete and select “Permissions”. In the Permissions dialog window, check the box to allow Full Control for the selected user (Everyone). Click Apply/OK and now you can delete the key.

Registry Utilities

The internet is littered with sites and blogs selling registry cleaners, boosters, defragmenters and the like.

As hackers create more problems with computers, people search for help on the internet. And the hackers have the answer – an application that will “fix” your computer (and install their goods as well).

There are some very legitimate companies with great products/utilities on the internet. You just can’t believe everything a website tells you about a product being sold.

For any repair software you’re interested in, a little bit of research can save you a ton of headache:

  • Examine/read the website carefully – proper grammar, punctuation and spelling?
  • Visit their support page – address, phone number or just an email form?
  • Cruise their forums – current posts and accountability, or is every AV detection brushed off as a false positive?
  • Google the name/company – pages of glowing reviews and downloads and no complaints?
  • Search Complaints Board for the company/product name
  • Look up the domain information at DNS Stuff