Came across an interesting issue today while cleaning a Malware infection from a client computer.  Once I had cleaned the system up enough to load Windows XP in normal mode, I noticed a strange icon in the system tray.  It was a large red circle with a white X, and when the mouse was hovered over the icon the message “Warning! You have exceeded your profile space by XXX KB” was displayed. Opening the program displayed a more detailed message:

Profile Storage Space
You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage

This was on a computer that is not attached to a domain,  with no quotas enabled by the administrator.

It seems that the Malware infection implemented a local security policy on the PC restricting the users profile storage space.  Manually deleting unneeded files from My Documents to reduce the size of the profile had no affect.

Luckily I came across this registry modification that removed the quota and corrected the problem.

Take this code and paste it into notepad. Save the file as quotarem.reg (make sure to save as type All Files to avoid the .TXT extension) and then double click on it to merge the changes into your Windows registry.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=-
"ProfileQuotaMessage"=-
"MaxProfileSize"=-
"IncludeRegInProQuota"=-
"WarnUser"=-
"WarnUserTimeout"=-

This technique can be useful when you need to migrate users to a new network domain,  and want to retain all the users profile data for use in the new domain.   Using this simple registry modification saves the time required for a tool like the Files and Settings Transfer Wizard (FAST),  but unlike FAST cannot be used to move a users profile from one PC to another.

1 ) Log in to the PC as the user who’s profile you intend to migrate.  Lets call the account TESTUSER.

2 ) Check the users profile path typically located in C:\Documents and Settings\TESTUSER\ and make note of the exact directory path.

3 ) Login as a user with administrative rights and join the new domain. Reboot the PC.

4 ) Log in after rebooting with the users (TESTUSER) new domain account to create a new profile, the log out.

5 ) Log in with a domain admin account.

6 ) Give the TESTUSER@newdomain account full NTFS permissions to the old account profile path you noted earlier.  It’s best to Apply the changes before pressing Okay,  as I’ve found that they don’t stick when you simply press Okay after adding the permissions.

7 ) Open Regedit and navigate to HKLM\software\microsoft\windows nt\current version\profile list

8 ) You will see a list of all the profiles on the machine.  Be aware that these profile folders are named according to the user security IDs (SIDs) and not according to the user names.  You should find a number of profiles including the old user profile (TESTUSER) and the new domain user profile (TESTUSER.domain). The easiest way to determine which profile belongs to which user is to compare the ProfileImagePath key data to see which account is referenced in the path.

9 ) Edit the domain user profile (TESTUSER.domain) ProfileImagePath key to point to the old user profile path.  For example:  “C:\documents and settings\TESTUSER.domain”  <changes to> “C:\documents and settings\TESTUSER”

10 ) Once complete, login using the domain account and test it out. The desktop should change, the My Documents should contain all their documents, etc.  Make sure to check Outlook to confirm the email profile was migrated correctly,  I’ve seen a few instances where this did not happen and Outlook required reconfiguration.

If a user is unable to save the “Run Once” page that comes up after installing IE7 (http://rononce.man.com/runonce3.aspx), there is a manual way of disabling it.

Open regedit, goto [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Look for the following two keys.
RunOnceHasShown
RunOnceComplete

If the keys aren’t there create both as new DWORD Value and set the value to 1 for each.

Often, we run across spyware that may disable registry editing.  When you try to access regedit, you may get the following prompt:

“Registry editing has been disabled by your administrator.”

There are several methods to re-enable the registry editing from this point.  First, the easiest is usually to run this command from the run command or from a command prompt:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

 Log off then back on and try again.  If that didn’t work, you can try the other steps below:

Use GPEDIT to modify the local security policy:

1. Click Start, Run
2. Type GPEDIT.MSC and Press Enter
3. Go to the following location
   • User Configuration
   • Administrative Templates
   • System
4. In the Settings Window, find the option for “Prevent Access to Registry Editing Tools” and double-click on it to change.
5. Select Disabled or Not Configured and choose OK
6. Close the Group Policy Editor and restart your computer
7. Try opening REGEDIT again

Download this VBS file:

www.dougknox.com/security/scripts_desc/regtools.htm

Some spyware may create a desktop background to replace your own.  After doing this, I’ve seen the display properties tabs for modifying the screensaver and wallpaper disappear to prevent the user from getting rid of the malicious wallpaper.  To bring these tabs back, navigate to the following Registry string:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Here, you will find the keys responsible.  They are:

NoDispBackgroundPage
NoDispAppearancePage

These will likely be set to 1.  Set them to 0 or delete them to get your tabs back. 

When troubleshooting a computer that beeps when trying to start the computer, usually referring to the motherboard manual or OEM User manual is the quickest way to find out what is causing the computer from not booting. Here is a couple of links to motherboard and OEM beep codes.

Tech Republic - Beep codes for desktops

http://www.bill-cash.com/bios_beep_codes.htm

This link provides helpful registry scripts to repair windows file associations:

http://www.dougknox.com/xp/file_assoc.htm

A client of mine recently had 2 CDRom drives that weren’t showing in My Computer. In the device manager, they showed up with exclamation points. Double-clicking them told me that the driver was installed properly but:

“Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)”

After some research, the solution I found was to remove the LowFilter and UpperFilter entries from this registry area:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}

Note that you may have several identical keys like this (4D36E965-E325-11CE-BFC1-08002BE10318). The one you are looking for will list DVD/CD Rom Drives as the very first entry.

Reboot after making changes.

I recently came across an issue on a client PC where i could not set a printer to be the default.  When I right-clicked the printer and chose the “Set as Default Printer” option, absolutely nothing happened.  After researching the issue, I was able to manually make the printer the default by adding the following registry key:

Name: Device
Type: Reg_SZ (String Value)
Value: “printername, winspool, portname”
Location: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\

 In my case, the Windows key didnt exist under CurrentVersion and had to be created.

In Vista, I have seen my network and sound icons disappear from the notification area quite often.  Microsoft KB article 945011 explains why and how to workaround the issue.  Unfortunately, this isnt a permanent fix and they still seem to disappear occasionally.  I have created a batch file to do the work for you so that you can run it often if need be.  Take the following text, paste it into a text file and then save it as restore_icons.bat or something similar (must end in .bat).  Run it to restore your icons.

 NOTE! This blog breaks up the first two lines at the first space.  Make sure you piece the code back together as it should be.

reg delete “HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify” /v IconStreams /f