wscntfy

B

Brian

Can anyone tell me what the combination of "debugger" and "wscntfy" does and
if it is ever legitimate in this context?

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options

We had a PC get hit by a piece of spyware that evidently created many keys
here, each having the name of an EXE and a string value named "debugger",
value "wsconfty". This prevented that particular EXE from running.

Most notably were these:

Regedit
MSC
Taskmgr
MSConfig

Because this entry prevented these programs from starting, this effectively
kept me from getting to my usual tools for almost six hours until I dug
through the registry, exported, then deleted these keys.

Is a "wscntfy" value ever valid as "debugger" and/or in this section of the
registry? Should I just delete the rest to prevent other problems?
 
A

a_nonymous

Brian said:
Can anyone tell me what the combination of "debugger" and "wscntfy" does and
if it is ever legitimate in this context?

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options

We had a PC get hit by a piece of spyware that evidently created many keys
here, each having the name of an EXE and a string value named "debugger",
value "wsconfty". This prevented that particular EXE from running.

Most notably were these:

Regedit
MSC
Taskmgr
MSConfig

Because this entry prevented these programs from starting, this effectively
kept me from getting to my usual tools for almost six hours until I dug
through the registry, exported, then deleted these keys.

Is a "wscntfy" value ever valid as "debugger" and/or in this section of the
registry? Should I just delete the rest to prevent other problems?
Click to expand...

Brian,
Over at http://blogs.msdn.com/oldnewthing/ Raymond Chen [MSFT] wrote an
article about the purpose of the string value named "debugger".

Normally, you would not have such an entry.
It is for debugging applications, but can be MISused as a prank,
e.g. launching calc.exe instead of notepd.exe,
or, more darkly, to hi-jack regedit.exe etc.

Read Raymond's article before you delete those entries.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

diagnosing regsvr32 return code 0x8002801c (aka TYPE_E_REGISTRYACCESS) 7
Setting Up NTP Servers from Target Designer 1
Is "BrowseNewProcess" a subkey or a value? 3
Manually Removing Certain Registry Key Types 5
Locked reg key 28
Cannot view hidden files 5
What is "Impersonation" in these files? 1
program startup mechanisms - apologies for previosu empty post 1

Top