Monday, January 14, 2008

Fix: disabled task manager.

A very famous virus ... actually it's not one virus, there are a lot of new computer viruses that do the same thing ... DISABLE WINDOWS TASK MANAGER.

Some anti-viruses are just able to remove the virus but without fixing this problem ... others are able to fix it too (also known as anti-spywares) ... now how does this take place, how is the infection done ... and how do you fix it yourself?

The "Disable windows task manager" is not an overridden process; it's an option built into Windows to let administrators prevent limited users from opening the task manager. That's why, if someone is infected with this virus and presses the [Alt+Ctrl+Del] buttons, Windows pops up a message saying (Task Manager has been disabled by your administrator.) !!
Well let's first discuss how you, as a system administrator, can disable the task manager:
-Open Run
-Type "gpedit.msc"
-Press Enter
-Open User Configuration >> Administrative Templates >> System >> Ctrl+Alt+Del Options
-Open "Remove Task Manager"
-Now you have three options: "Not Configured" and "Disabled" are practically the same, and "Enabled" is what turns on the -Remove Task Manager- operation ... i.e. disables the task manager!


Now, why does such an option exist in Windows?
It's a very useful option when you're an administrator and don't want to let other users use the task manager as a way to view running processes, close any of them, view other users or many other controls ...

Obviously ... the configuration mentioned above should exist in the Windows registry, so all we need now is to know exactly where it is and see how we can deal with it to enable/disable the task manager ...

-Open the Windows registry [Run, type "regedit" then press Enter]
-Open "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\" (HKCU is HKEY_CURRENT_USER)
-If there isn't a subkey called "System" then you don't have any configured administrative operation in the System section ... OK, let's open "gpedit.msc" again and set the "Remove Task Manager" option to Disabled ... after a refresh you'll be able to see this subkey "System", and it contains a DWORD value called "DisableTaskMgr" whose value is set to "0" ...
-Actually the value "DisableTaskMgr" should not exist at all if "Remove Task Manager" is set to "Not Configured" ... and if it has a value, "0" means "Disabled" and "1" means "Enabled".


Now as you can see, all you need to do is play with this value ... a virus generally sets it to "1", so removing it or setting it to "0" could be a solution ... changing it from "gpedit.msc" could also be a solution ...
The problem is when the virus disables "gpedit.msc" and "regedit" by the same method!! [I'll discuss this later; they are generally the same methods ...]

The solution could simply be a "reg" script or just a VBScript ... it's very easy:
Regscript:
-Open a text file
-Write in it (the header line must be exactly as shown, comments start with ";", and the key path goes on its own line above the value):
Windows Registry Editor Version 5.00
; By Amahdy www.amahdy.com

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000


-Save the file as "EnableTaskMgr.reg" (be careful: the extension should be ".reg", not ".txt")
-Double click on the file ...
-Press "Yes" then "OK" and that's all, you're done!


VBScript:
-Open a text file
-Write in it:
Option Explicit
' By Amahdy www.amahdy.com
Dim WSHShell
' WScript.Shell gives access to the registry (RegDelete / RegWrite)
Set WSHShell = WScript.CreateObject("WScript.Shell")
' Delete the policy value; Windows treats a missing value as "Not Configured".
' RegDelete raises an error if the value does not exist (see the notes below).
WSHShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
MsgBox "DONE!"


-Save the file as "EnableTaskMgr.vbs" (be careful: the extension should be ".vbs", not ".txt")
-Double click on the file ...
-Wait for the "DONE!" confirmation message .. and you're done ...


NOTES:
-The first method doesn't let a limited user activate this option, but the second one does ...
-I'm assuming you're using it when you're infected with the virus, so unexpected errors (for example because the "System" subkey doesn't exist) aren't my concern here.
-All the previous work is similar with "HKLM" or "HKEY_LOCAL_MACHINE" ... many viruses attack both locations too ... but this one (HKCU) is the most important.
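The same check and fix in one place, as an added example that is not part of the original post: a PowerShell script (assumed, not the author's) that reports the DisableTaskMgr value in both of the hives the post names, HKCU and HKLM, resets it (set to 0 by default, or removed with -Remove to match the VBScript), and then launches Task Manager straight away, as suggested in the comments for a process that keeps re-setting the value. Writing to HKLM needs an elevated shell; a limited user only gets the warning.

```powershell
# Added example (not from the original post). Audits and resets the
# "Remove Task Manager" policy value in HKCU and HKLM, then opens Task Manager.
# Only the key paths the post names are touched.

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-TaskMgrPolicy {
    # One row per hive: whether the value exists, its value, and whether
    # it currently blocks Task Manager (1 = "Enabled" in gpedit terms).
    foreach ($path in $policyPaths) {
        $value = $null
        if (Test-Path $path) {
            $prop = Get-ItemProperty -Path $path -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $value = $prop.DisableTaskMgr }
        }
        [pscustomobject]@{
            Hive    = $path.Split(':')[0]
            Present = ($null -ne $value)
            Value   = $value
            Blocked = ($value -eq 1)
        }
    }
}

function Reset-TaskMgrPolicy {
    # Default: set the value to 0 ("Disabled"). -Remove deletes it instead,
    # which Windows treats as "Not Configured" (same effect as the .vbs above).
    param([switch]$Remove)

    foreach ($path in $policyPaths) {
        # No "System" subkey means nothing is configured in this hive (see the post's notes)
        if (-not (Test-Path $path)) { continue }
        $prop = Get-ItemProperty -Path $path -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }

        try {
            if ($Remove) {
                Remove-ItemProperty -Path $path -Name 'DisableTaskMgr' -ErrorAction Stop
                Write-Host "Removed DisableTaskMgr from $path"
            } else {
                Set-ItemProperty -Path $path -Name 'DisableTaskMgr' -Value 0 -Type DWord -ErrorAction Stop
                Write-Host "Set DisableTaskMgr to 0 in $path"
            }
        } catch {
            # HKLM writes fail for a limited user; the HKCU fix still applies
            Write-Warning "Could not modify ${path}: $($_.Exception.Message)"
        }
    }
}

Write-Host "Before:"
Get-TaskMgrPolicy | Format-Table -AutoSize

Reset-TaskMgrPolicy

Write-Host "After:"
Get-TaskMgrPolicy | Format-Table -AutoSize

# Open Task Manager immediately: if something re-sets the value a moment
# later, the window that is already open keeps working and the offending
# process can be ended from there.
Start-Process taskmgr.exe
```

Running Get-TaskMgrPolicy alone (without the reset) is a harmless way to confirm the diagnosis first: a row with Blocked = True in HKCU is exactly the state the post describes, and a value that flips back to 1 shortly after the reset points at a still-running process rather than at the script.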

I have just started with the task manager because it's the most important place to start killing the virus process from ... after that you may repair everything quietly ... I believe the task manager is really the most important thing; you just need to open it ... the virus may be timed to disable the task manager, but once you open it the virus can't do anything unless it's also timed to end the task manager process, so do it quickly and end the virus process before it ends you! Finally, the worst case is the virus which removes the task manager altogether ... I'll discuss solutions for this later!

This method can help fix virus problems without the need to install anti-viruses or any extra fixing tool .. and scan the PC and make it hang up ... etc ... I'll try to discuss many of those methods here ... the handy fixing methods ;-)

9 comments:

  1. In my case there is no "System" folder - what can be done then?

    Craig

  2. Hey Craig .. well I said in the post that : [quote]

    If there isn't a subkey called "System" then you don't have any configured administrative operation on the system section

    ..what's your problem exactly? What do you want to do that you cannot?

  3. I did both scripts and neither made a difference. What does that mean?

  4. Well maybe [but not sure] u have a virus that keeps killing the "task manager" process.
    Seems you need to end the virus process first ...
    Second guess is that you are trying to do that as a limited user on an administratively protected PC .. what's so far?

  5. I cannot follow any of the suggestions, because the virus has taken my desktop and task bars. Any ideas on this one?? Also, I shut my PC completely down, leave the room and it comes back on, completely booted?? HELP!!!

  6. Man, if you just write any of the scripts in a txt file and "RUN" it, this will just return the TASK MANAGER back to u, and then u have to search for the virus process and kill it.
    If you lost all control of the desktop and can't do anything, try to log in as administrator or maybe return to an earlier restoration point. Hope this can help.

  7. Hey amahdy. I'm using a vbs file to open regedit, as the virus in my computer disabled my taskmgr and regedit. I tried setting the DisableTaskMgr value to 0 or deleting it to enable my task manager, but every time after I close my regedit, the DisableTaskMgr comes back to 1 again. The virus in my comp is W32/Sality.

  8. Chun, it seems ur virus continuously checks the reg. value and resets it to 1; u need to try to add an extra code line in the script that executes the task manager directly after changing the value, something like:
    WSHShell.Run "taskmgr"

    Then whenever the virus changes the value again u'll have the task manager opened, from which u should be able to end the virus task ...

  9. This comment has been removed by the author.
