
Registry Key Deletion


Neil_G


I am running a program called ErrorSmart which is a registry cleaner and it is giving me the message below. It tells me that these should be deleted and then supposedly deletes them. I then rerun the program and get the same messages. I tried using regedit to delete them but I get told that they can not be deleted. When I try to look at the permissions of the subkey it says "can not display security information" and then once I say okay it says can't open ...error while opening key.

Does anyone have any idea if I should really delete these items and if so how? These keys do not appear to have any data in them.

Error added: 1

ErrorCategoryNames[CurrentCategory] = "ActiveX, OLE, and COM"

CurrentTitle = "{71AAA611-245D-D09F-882845FC5EAA24CC}"

errorDescription = "%1!s! has an invalid class identifier format."

keyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71AAA611-245D-D09F-882845FC5EAA24CC}"

valueName = ""

Error added: 2

ErrorCategoryNames[CurrentCategory] = "ActiveX, OLE, and COM"

CurrentTitle = "{945169D7-C27E-315B-97A3E6913A1C7622}"

errorDescription = "%1!s! has an invalid class identifier format."

keyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}"

valueName = ""

Error added: 3

ErrorCategoryNames[CurrentCategory] = "File Associations"

CurrentTitle = "MSCFile"

errorDescription = "%1, contains no data and can be deleted."

keyPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc\OpenWithList"

valueName = ""



May I suggest you seek another opinion with another registry cleaner such as CCleaner (add-ons are available) before you allow any program to delete important registry keys automatically?

The fact that you encounter "can not display security information" probably means it is a very important key.

I would assume CurrentTitle = "MSCFile" is "Microsoft Management Console Snap-in Control File" which may be too important to be deleted normally.


Does anyone have any idea if I should really delete these items and if so how? These keys do not appear to have any data in them.

First, export the entire registry to a file, this gives you the ability to copy the keys from there into a .REG file for re-insertion back into the registry if needed. The keys that you have are:

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{71aaa611-245d-d09f-882845fc5eaa24cc}]

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{945169d7-c27e-315b-97a3e6913a1c7622}]

Both of these CLSIDs are suspect. Amazingly each has only one or two Google hits. It looks like they are related to some Spyware Rootkits. The first {71aaa611-245d-d09f-882845fc5eaa24cc} may be Exploit EXP/Agent. B and {945169d7-c27e-315b-97a3e6913a1c7622} is unidentified. I would export the registry and text search for each CLSID (the characters between the {} brackets) because there may be a bigger problem than just these two keys. You would be wise to get a BartPE/Knoppix style bootable CDROM with a current AntiVirus and thoroughly scan the drive (targeting all files, not just programs) to be sure. That's what I would do. If you already have some installed antivirus it could already be compromised.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc\OpenWithList]

The OpenWithList key is common, I have the same empty one on a PC here. There are many empty OpenWithList keys in there. I believe those keys are actually used WITHOUT data values being present (empty keys can still be useful to certain functions). I forget how that function works, but you should be able to find the answer from someone. Please post back with the answer.
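The export-and-search step suggested in the post above, as an added example that is not part of the original thread: it scans a regedit export for every line that mentions a watched CLSID and also flags CLSID subkeys whose names are not in the standard 8-4-4-4-12 GUID layout, which is what the "invalid class identifier format" message is reporting for the two keys here (their last group is 16 hex digits). The function names and the sample export are constructed for illustration; only the two CLSID strings come from the thread.

```python
import re

# A well-formed CLSID key name is {8-4-4-4-12} hex digits.
CANONICAL = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
KEY_HEADER = re.compile(r"^\[-?(.+)\]\s*$")

def load_reg_export(path):
    """Decode a regedit export: 'Version 5.00' is UTF-16 with BOM, REGEDIT4 is 8-bit."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def scan_export(text, watchlist):
    """Return (malformed, hits): malformed lists (line_no, key) for subkeys of a
    CLSID key whose name is not a canonical GUID; hits maps each watched id to
    the (line_no, enclosing_key) of every line that mentions it."""
    watch = [w.strip("{}").lower() for w in watchlist]
    malformed, hits, current = [], {w: [] for w in watch}, None
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY_HEADER.match(line)
        if m:
            current = m.group(1)
            parts = current.split("\\")
            if len(parts) >= 2 and parts[-2].upper() == "CLSID" \
                    and not CANONICAL.match(parts[-1]):
                malformed.append((no, current))
        for w in watch:
            if w in line.lower():
                hits[w].append((no, current))
    return malformed, hits

# Constructed sample export; only the two malformed key names come from the thread.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71AAA611-245D-D09F-882845FC5EAA24CC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Constructed\Example]
"Ref"="{71aaa611-245d-d09f-882845fc5eaa24cc}"
"""
WATCH = ["{71aaa611-245d-d09f-882845fc5eaa24cc}",
         "{945169d7-c27e-315b-97a3e6913a1c7622}"]

if __name__ == "__main__":
    bad, refs = scan_export(SAMPLE, WATCH)
    print("malformed CLSID keys:", *bad, sep="\n  ")
    print("references:", *refs.items(), sep="\n  ")
```

For a real export, pass `load_reg_export(path)` instead of `SAMPLE`; a reference that turns up under a key other than the CLSID key itself is the "bigger problem" the post suggests looking for.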


Thank you all for the replies. It will take me some time to follow up on the suggestions but I will give them a try. I do have ZoneAlarm Security Suite installed and it does not find any virus or spyware.

In a general question, how is it possible that a program can add something to my registry but yet I can not delete this same item from the registry?

Edited by Neil_G

Thank you all for the replies. It will take me some time to follow up on the suggestions but I will give them a try. I do have ZoneAlarm Security Suite installed and it does not find any virus or spyware.

In a general question, how is it possible that a program can add something to my registry but yet I can not delete this same item from the registry?

To prevent you from deleting keys someone could employ ACL's (aka permissions). On the NT platform the ability exists to control access to objects like registry keys, folders, and files. Such access includes read/write/delete etc. In plain English, it means I could select any key in your registry and easily make it so that myself, or anyone, or no-one can read/write/delete it. The key could be effectively 'locked'. Reclaiming ownership from mangled ACL's can be a pain because you may need to use some mega-hacker tool like SetAcl or SubinAcl; but you should first try the proper: REGEDIT -> right-click the key -> Permissions.

Sometimes the locking of files and registry keys occurs only when the program or service is actually running (I'm still unclear on whether persistent ACL's are the mechanism here or it's simply a consequence of 'them opening' a file or key). But in this case you can usually enter Safe Mode (or MSCONFIG's diagnostic mode) and delete stuff.

Such tactics are often employed by the white hats to thwart the black hats. For example McAfee and Norton (maybe ZoneAlarm?) use some variation of these techniques to make certain registry keys READable but not WRITEable or DELETEable. This may be why you cannot delete those keys. This exact situation became infamous recently when a WinXP SP3 update component ran amok on computers with active Antivirus somehow 'locking' registry keys causing all kinds of mayhem.

It is also possible that those keys you cannot delete are owned by rootkits (Google those CLSID's) as mentioned in that previous post.
