Quads wrote: I have now asked another MR and updated my post above.
MSCONFIG works differently to tasks.
Yes, absolutely different, but the same concept. It's disabling a command that starts a program through the registry.
A scheduled task is a command that starts a program in another way.
I assume it's being exploited because it can bypass UAC and run programs with elevated credentials.
Oh, I will have to remember that when I am removing objects like Browser objects, services, Run objects or an object in the BCD that I am not doing malware removal; after all, I am just removing whatever, but it is not Malware Removal.
It depends on what you're removing, Quads. I remove items from the BCD and make edits to it quite often. But I'm not a removalist or trying to remove malware. I'm a guy that dual boots a lot of systems and does a lot of testing with imaging programs.
Removing even a task that belongs to a program (bad or good) you are still removing part of that program. Simple
Sorry, we disagree.
If you removed a task that was actually required by that program and now the program does not want to work correctly, then ummm, that is because what was deleted belongs to the program. Same if you delete any registry key that is required and the program does not run correctly after; that is because they belong to that program.
I absolutely agree with you here. Your example of if I was removing registry entries required by a program like Norton: I would be removing part of Norton and therefore trying to be a "removalist".
However, my example is also correct. If I remove an entry in the Run section of the registry I am not removing the program or pretending to be a "removalist". I am simply not allowing it to start with Windows. Such an entry is not "required by the program to run correctly"; I would be making no changes to the program or removing any part of it.
Same as above, Quads, it depends on what you're removing. It's incorrect to say any change to the registry is being a removalist, and it is incorrect to say any edit to the BCD is being a removalist. It depends on what changes you are making or what you're removing.
The fact the hives belong to Windows does not mean all the registry keys belong to Windows.
Actually they do belong to Windows because it's the Windows registry, but that's just a technicality.
Hmmm, now I have to think about what I will say to a user where I was going to remove registry keys for PUPs, but I will have to tell them I am not doing malware or PUP removal.
NO, you just have to consider what you're doing and what you're removing.
If someone asks you for help in stopping the automatic update of Flash Player or Java and you suggest they remove the registry Run key, then you are not removing malware or the program involved or damaging the program in any way.
If you give instructions to remove malware entries then you're being a removalist.
If you give instructions to fix or replace registry entries that were deleted or damaged by malware then you're repairing the damage as part of fixing the system after removing the malware.
Like I said, it's all a matter of what you're removing.
Quads
Dave
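The two autostart mechanisms argued over above, Run keys and scheduled tasks, can be inspected and edited from an elevated PowerShell prompt. The script below is an added example, not code from either poster: it lists the Run/RunOnce values under HKLM and HKCU, lists scheduled tasks configured to run with highest privileges (the elevated case mentioned above), and removes a single Run value after exporting its parent key so the change can be undone. The function and value names (`Get-RunEntries`, `Get-ElevatedTasks`, `Remove-RunEntry`, `ExampleUpdater`) are assumptions chosen for the example; it assumes Windows 8 or later with the built-in ScheduledTasks module.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell 5.1+ prompt;
# Get-ScheduledTask only shows every task when run as administrator.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Each value under a Run key is one "start this command at logon" instruction.
function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Tasks whose principal is set to "Run with highest privileges": once such a task
# exists, its action starts with a full administrator token and no UAC prompt.
function Get-ElevatedTasks {
    Get-ScheduledTask | Where-Object { $_.Principal.RunLevel -eq 'Highest' } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.TaskPath + $_.TaskName
                User    = $_.Principal.UserId
                Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            }
        }
}

# Remove one Run value. The program's files and its own registry data are left
# alone; only the autostart instruction goes. The parent key is exported first
# (reg.exe exports whole keys, not single values) so the value can be restored.
function Remove-RunEntry {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name,
        [string]$BackupDir = "$env:TEMP\run-backup"
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $regKey = $Key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    reg.exe export $regKey (Join-Path $BackupDir "$Name-$stamp.reg") /y | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name
}

Get-RunEntries    | Format-Table -AutoSize
Get-ElevatedTasks | Format-Table -AutoSize

# Hypothetical usage: stop a program from starting with Windows without removing it.
# Remove-RunEntry -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'ExampleUpdater'
```

The listing is the useful part for triage: compare the Command column against the installed program's own directory, and treat any RunLevel Highest task whose action points at a user-writable path as worth a closer look, since it runs elevated on every trigger.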