How do I locate a script that re-writes a registry value?

winpigler · 28 Dec 2011

Right now I am running on Windows 7 home premium 64-bit. There is a legalnoticecaption and legalnoticetext enabled in the registry, and when I delete these values and restart, they re-appear! I've even tried deleting them altogether. I'm guessing there is some sort of script enabled that re-writes the registry values upon deletion, and I need some help identifying and getting rid of said script. Or, if you have any suspicions on what else it may be, please do not hesitate to tell me to check it out.

Thanks!

Brink · 28 Dec 2011

Hello Winpigler, and welcome to Seven Forums.

It is normal for these two registry entries to be here. By default their "Data" field is empty.

These two registry entries are for having a logon title and message as in METHOD TWO of the tutorial below if wanted. You can just right click on them, click on Modify, and leave the "Data" empty to not have a custom message.

Logon Title and Text Message - Vista Forums

Hope this helps,
Shawn

winpigler · 28 Dec 2011

I understand that they are there by default, but when we purchased the laptop, these registry values were filled with text, and when I try and delete the text, it always re-appears upon startup. I am suspecting that there is a script running that auto-fills the values when they have been edited, and I was wondering if there was a way to find the script and delete it, so that when I delete the legalnoticecaption and legalnoticetext, they are gone for good.

I hope that clarifies my question a little. Thank you!

**cluberti** · 28 Dec 2011

Can you get a process monitor log of the boot process? Seeing which process is writing the values will help determine where it's coming from.

To get a trace, download/extract/run procmon (from the above link) and accept the EULA if prompted. Then, from the menu, click Options, then Enable Boot Logging. This should prompt you that you have just told procmon to log the next boot process (and asks you to click the "OK" button - please do so). Now, clear the values in the registry of any data (so that they are blank), and then reboot. Once you've logged in, start procmon again and save the log to a .pml file when prompted. You can use WinRAR or 7zip to compress this file, and upload to a sharing site. Post a link to that file, and we'll download it and look at it for clues (or even answers, maybe).

Brink · 28 Dec 2011

Are you part of a domain? If so, that would be doing it, and only the domain administrator will be able to remove or change them on the domain's system.

If not, then in addition to what cluberti (Carl) posted above, also check those registry values at all of the different registry locations below that they are found at, and modify to clear their "Data" fields. One location may be rewriting the other.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System

Next, check all of the different startup program list locations in the tutorial below to see if one of them may be what is rewriting it if the above is not it.

Startup Programs - Change

winpigler · 28 Dec 2011

Brink: I checked in all of the locations you specified, and it is only located once, in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
I also did a Ctrl-F and searched for it, and it only found the one. (Gotta love Ctrl-F)

Cluberti: I will try what you suggested tomorrow. It's 11pm here, so I think it's time for bed. I'll reply to the thread when I get home tomorrow night.

Thank you both very much for the quick responses.