Environmental variable in Registry key

David H. Lipman

In the following key...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINNT\system32\userinit.exe,"

Can the following be used instead...

"Userinit"="%windir%\system32\userinit.exe,"

or

"Userinit"="%SYSTEMROOT%\system32\userinit.exe,"
 
Mark V

In said:
In the following key...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINNT\system32\userinit.exe,"

Can the following be used instead...

"Userinit"="%windir%\system32\userinit.exe,"

or

"Userinit"="%SYSTEMROOT%\system32\userinit.exe,"

No. The value Type does not support that. I doubt you can change
the type and make it work but have never tried. (warning: OS might
not boot) It might be that this key is read too early anyway for
those variables to be available yet. Sorry not to have a definitive
answer.
 
David H. Lipman

From: "Mark V"

| No. The value Type does not support that. I doubt you can change
| the type and make it work but have never tried. (warning: OS might
| not boot) It might be that this key is read too early anyway for
| those variables to be available yet. Sorry not to have a definitive
| answer.

That's what I wanted to know. I write anti-malware scripts and this key is associated with
a few Trojans and I have been investigating scripting a fix using this key. Since the Root
OS folder can be C:\windows, c:\winnt or other, I was curious about it.

So you are saying the REG_SZ can't be used with Environmental variables or it just won't be
interpreted correctly?
 
Gary Smith

David H. Lipman said:
| No. The value Type does not support that. I doubt you can change
| the type and make it work but have never tried. (warning: OS might
| not boot) It might be that this key is read too early anyway for
| those variables to be available yet. Sorry not to have a definitive
| answer.
That's what I wanted to know. I write anti malware scripts and this key is associated with
a few Trojans and I have been investigating scripting a fix using this key. Since the Root
OS folder can be C:\windows, c:\winnt or other, I was curious about.
So you are saying the REG_SZ can't be used with Environmental variables or it just won't be
interpreted correctly ?

The type would have to be REG_EXPAND_SZ in order to have the expansion
occur. Whether the variable would be available at the right time is an
interesting question.
 
Jerold Schulman

In the following key...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINNT\system32\userinit.exe,"

Can the following be used instead...

"Userinit"="%windir%\system32\userinit.exe,"

or

"Userinit"="%SYSTEMROOT%\system32\userinit.exe,"


I tried it and it doesn't work.

First I ran:

REG ADD "HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Userinit /T REG_EXPAND_SZ /F /D ^%SYSTEMROOT^%\system32\userinit.exe

Then I verified with

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Userinit

I shut down and restarted.

It would not get to the logon, but was apparently close enough for

REG ADD "\\JSI003\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Userinit /T REG_SZ /F /D C:\Windows\system32\userinit.exe
to fix it.

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
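
An added example, not part of any post in this thread: a PowerShell check of the Userinit value in the form the thread settles on (REG_SZ holding a literal path, built from the machine's own SystemRoot instead of stored as %SYSTEMROOT%). The helper name Test-UserinitValue and the assumption that userinit.exe is the only expected entry are this example's own; the Set-ItemProperty call uses -WhatIf, so it reports the write without making it.

```powershell
# Added example (not from the thread). Assumption: userinit.exe under the
# machine's own system root is the only entry expected in Userinit.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'Userinit'

function Test-UserinitValue {   # hypothetical helper name
    param(
        [string]$Value,       # raw registry data, not expanded
        [string]$Kind,        # String (REG_SZ), ExpandString (REG_EXPAND_SZ), ...
        [string]$SystemRoot   # C:\WINNT, C:\Windows or other
    )
    $expected = $SystemRoot.TrimEnd('\') + '\system32\userinit.exe'
    $findings = @()
    if ($Kind -ne 'String') {
        $findings += "type is $Kind, expected String (REG_SZ)"
    }
    if ($Value -match '%[^%]+%') {
        $findings += 'data contains a literal %VARIABLE% reference'
    }
    # The data is a comma-separated list; compare each non-empty entry.
    # PowerShell -ne and -notcontains compare strings case-insensitively.
    $entries = @($Value.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($entry in $entries) {
        if ($entry -ne $expected) { $findings += "unexpected entry: $entry" }
    }
    if ($entries -notcontains $expected) { $findings += "missing entry: $expected" }
    [pscustomobject]@{ Expected = "$expected,"; Findings = $findings }
}

# Read the stored data and its type without expanding environment names.
$regKey = Get-Item -Path $key
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$raw  = $regKey.GetValue($name, '', $noExpand)
$kind = $regKey.GetValueKind($name)
$result = Test-UserinitValue -Value $raw -Kind $kind -SystemRoot $env:SystemRoot

if ($result.Findings.Count -gt 0) {
    $result.Findings | ForEach-Object { Write-Warning "Userinit: $_" }
    # Dry run: shows the REG_SZ write without performing it.
    # Remove -WhatIf to apply after reviewing the findings.
    Set-ItemProperty -Path $key -Name $name -Value $result.Expected -Type String -WhatIf
} else {
    Write-Output "Userinit OK: $raw"
}
```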
 
Mark V

In said:
In the following key...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINNT\system32\userinit.exe,"

Can the following be used instead...

"Userinit"="%windir%\system32\userinit.exe,"

or

"Userinit"="%SYSTEMROOT%\system32\userinit.exe,"


I tried it and it doesn't work.

First I ran:

REG ADD "HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon" /V
Userinit /T REG_EXPAND_SZ /F /D
^%SYSTEMROOT^%\system32\userinit.exe

Then I verified with

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon" /V Userinit

I shut down and restarted.

It would not get to the logon, but was apparently close enough
for

REG ADD "\\JSI003\HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon" /V Userinit /T REG_SZ /F /D
C:\Windows\system32\userinit.exe to fix it.

Interesting and thanks for the acid test confirmation Jerold!
Frankly, I am a bit surprised the remote access even worked. :)
 
David H. Lipman

From: "Jerold Schulman"

In the following key...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINNT\system32\userinit.exe,"

Can the following be used instead...

"Userinit"="%windir%\system32\userinit.exe,"

or

"Userinit"="%SYSTEMROOT%\system32\userinit.exe,"
|
| I tried it and it doesn't work.
|
| First I ran:
|
| REG ADD "HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Userinit /T REG_EXPAND_SZ
| /F /D ^%SYSTEMROOT^%\system32\userinit.exe
|
| Then I verified with
|
| REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Userinit
|
| I shut down and restarted.
|
| It would not get to the logon, but was apparently close enough for
|
| REG ADD "\\JSI003\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V Userinit
| /T REG_SZ /F /D C:\Windows\system32\userinit.exe to fix it.
|
| Jerold Schulman
| Windows Server MVP
| JSI, Inc.
| http://www.jsiinc.com
| http://www.jsifaq.com

Jerold:

Thank you for taking the time to test this for me. It was *greatly* appreciated!!
 
