Here, have a small story of frustrations that will hopefully help out some poor soul when they come across it by the merits of searching the interwebs...
So, yesterday and today I spent around a full day trying to fix up the laptop of a couple that I do regular PC check-ups for. They'd gotten infected despite me setting them up with proper protections and all that; first one in a year's time, so I was surprised it took this long.
Getting rid of the nasties wasn't too hard; they merely prevented Task Manager and some other common PC-management and anti-virus apps from working while non-stop spamming the usual 'you got viruses, pay me!' dialog at me. Oh, and it also kept redirecting tons of websites to Google, of all places. (Some irony, given that microsoft.com was one of those...)
But that's not the problem. That took me 30 minutes, and another 30 just to make sure the entire HD was clean. The problem was that it totally, utterly hosed all security-related services. Security Center, Windows Firewall, Windows Update, Windows Defender and Windows Security Essentials... all of it was borked good, and the normal interface options to turn them on/off all gave cryptic error messages. Further investigation showed they were either missing from the Services list completely, or going hard-core 'Access Denied', 'dependencies have failed' or something even more extravagant when I tried to start them.
So I just Remote Desktop into my PC, open up regedit, and start extracting relevant entries under HKLM\SYSTEM\CurrentControlSet\services; WinDefend, MpsSvc, SharedAccess and then some. (Thank you DoCo for that copy of BeyondCompare; it really helped out with this.) I got the Security Center working, but everything else was still a trainwreck. This is taking too long, and I need to scour the internet in detail, so I go home to prepare for the next leg of troubleshooting. This is where the real pain starts.
At this point, I know I am missing services, so I start looking into it. In comes the rescue: downloadable links with the proper registry entries and all the relevant services. Throw them side-by-side with the export I made of the offending laptop, and it takes me 30 minutes to prepare a bunch of registry files to restore the computer with. (I ended up using them all, just to be safe. Silly dependencies.) Next day, I go to install them; it takes me a few minutes, and I restart. Bzzzt, still no success, although stuff improved; at least I have the Background Intelligent Transfer Service again, which means Windows Update is finally runnable again. Windows Defender worked too, but Security Essentials didn't. My torture commences here.
Windows Firewall requires BFE, and both of them are a pain to start. Access Denied errors are aplenty. Fixes for these are all over the internet, but most didn't work for me. (I think the one comment I saw to 'give everyone permission to all services' might have worked, but I think that beats the point of fixing up the security part of it.) BFE was easy to fix, but MpsSvc (the 'Windows Firewall' service) kept giving me an error 5 ('Access Denied') no matter how high I set the permissions on the MpsSvc and BFE keys. Oh, and before someone mentions it, I did try this FixIt, but that too failed.
But I figured it out. Process Monitor is one thing that tipped me off to one of the locations in question, and then Google finally pointed me in the right direction. Wham! This place saved me, and pointed out to me what exactly needed to be set where. For people with even worse security-destruction, the other pages might help too.
As for Security Essentials... it has a tool to let you /RestoreDefaults, but that one errored out at the end for me too. So that is the only one I had to reinstall in order to fix it.
It's a kick in the shins, but the end result means it all works again.
So why am I posting here again? I don't need help anymore, obviously.
There is so much Windows Firewall trouble out there that the single correct helpful resource could not be found underneath all the Microsoft Connect garbage suggestions that were either flat-out wrong, incomplete, or plain idiotic ('Add "Full Control" permissions for Everyone on the HKLM\SYSTEM\CurrentControlSet\services key and subkeys'). And know the worst bit? All that stuff is marked as an Answer by Microsoft! Ugh. Security? What's that?
Don't remind me of that FixIt thing. The concept is nice. But if your fixes are failing to fix stuff, it is plain frustrating and a kick in the shins. Your own employees have blogs with entries on how to fix this problem... a problem that is clearly common enough to warrant making a 5-part(!) series about. And it has screenshots and tons of helpful details not even Knowledge Base documents tend to have.
Isn't it ironic that all the 'security' things were harder to deal with and fix up than the actual rootkit that was blocking tons of programs?
To finish this post up... If you have Windows Firewall problems after you've fixed up your virus/rootkit/etc. trouble, check out the sites I linked above if you want to do it in a security-conscious manner. Together, they will very likely help you get your PC protected again without a backup/reinstall/restore-data cycle that is sure to annoy you for at least a week after the fact.
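As an added example, not part of the original post and not anyone's official fix, here is a PowerShell audit script for the first half of the job described above: back up the Services hive, report which of the service keys the post names are missing, show each service's dependencies (the 'dependencies have failed' case, e.g. MpsSvc needing BFE), flag the 'Everyone: Full Control' permissions the post refuses to apply, and optionally diff the key list against an export from a clean machine (the side-by-side step the post did in BeyondCompare). It is read-only apart from writing the backup .reg file; it deliberately does not change any ACL, because the correct per-key permissions are not reproduced on this page. The short service names are my mapping of the post's display names, and the $ReferenceExport path is a hypothetical placeholder.

```powershell
# Added example, not code from the original post. Run from an elevated
# PowerShell (5.1 or later) after the malware cleanup, before editing anything.
#
# Assumptions: short service names below are my mapping of the post's display
# names (Security Center = wscsvc, Windows Update = wuauserv, Background
# Intelligent Transfer Service = BITS, Windows Firewall = MpsSvc, Base Filtering
# Engine = BFE, Windows Defender = WinDefend, Internet Connection Sharing =
# SharedAccess). $ReferenceExport is a hypothetical path to a .reg export taken
# from a known-good machine with "reg export HKLM\SYSTEM\CurrentControlSet\Services".
$Services        = 'wscsvc', 'wuauserv', 'BITS', 'BFE', 'MpsSvc', 'WinDefend', 'SharedAccess'
$ServicesKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$ReferenceExport = 'C:\clean-pc\services.reg'   # hypothetical known-good export

# 1. Back up the hive before anyone touches it (reg.exe ships with every Windows build).
$backup = Join-Path $env:TEMP ('services-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services' $backup /y | Out-Null
Write-Host "Backup written to $backup"

# 2. Presence, start type and dependency check.
#    Start: 2 = Automatic, 3 = Manual, 4 = Disabled (malware commonly sets 4 or deletes the key).
foreach ($name in $Services) {
    $key = Join-Path $ServicesKey $name
    if (-not (Test-Path -Path $key)) {
        Write-Warning "$name : registry key is missing, so the service is absent from services.msc"
        continue
    }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
    $deps  = @()
    if ($svc) { $deps = @($svc.ServicesDependedOn | Select-Object -ExpandProperty Name) }
    '{0,-13} Start={1} Status={2,-8} DependsOn={3}' -f $name, $start, $svc.Status, ($deps -join ',')
    # A dependency whose own key is gone is what "dependencies have failed" looks like.
    foreach ($dep in $deps) {
        if (-not (Test-Path -Path (Join-Path $ServicesKey $dep))) {
            Write-Warning "$name depends on $dep, whose registry key is missing"
        }
    }
}

# 3. ACL check: the "give Everyone Full Control on Services and subkeys" answer the
#    post complains about would show up here as a broad Allow ACE. Report it, don't copy it.
$keysToCheck = @($ServicesKey) + ($Services | ForEach-Object { Join-Path $ServicesKey $_ })
foreach ($key in $keysToCheck) {
    if (-not (Test-Path -Path $key)) { continue }
    try {
        $acl = Get-Acl -Path $key -ErrorAction Stop
    } catch {
        Write-Warning "$key : cannot read ACL ($($_.Exception.Message))"
        continue
    }
    foreach ($ace in $acl.Access) {
        $broadPrincipal = $ace.IdentityReference.Value -in @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
        $writeRights    = $ace.RegistryRights.ToString() -match 'FullControl|SetValue|CreateSubKey|WriteKey|ChangePermissions|TakeOwnership'
        if ($broadPrincipal -and $ace.AccessControlType -eq 'Allow' -and $writeRights) {
            $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            Write-Warning ('{0}: {1} has {2} ({3})' -f $key, $ace.IdentityReference, $ace.RegistryRights, $origin)
        }
    }
}

# 4. Optional: list service keys present in the clean export but absent here.
#    Only top-level service keys are compared, i.e. lines of the form
#    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<name>] in both .reg files.
if (Test-Path -Path $ReferenceExport) {
    $pattern = '^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\[^\\\]]+\]$'
    $ref = Get-Content -Path $ReferenceExport | Where-Object { $_ -match $pattern }
    $cur = Get-Content -Path $backup          | Where-Object { $_ -match $pattern }
    Compare-Object -ReferenceObject $ref -DifferenceObject $cur |
        Where-Object { $_.SideIndicator -eq '<=' } |
        ForEach-Object { Write-Warning "Missing on this machine: $($_.InputObject)" }
}
```

The point of step 3 is that a service that still fails with error 5 after its key has been restored is a permissions problem on specific keys, and the fix is to put the original, narrow ACL back on those keys, not to open the whole Services hive to Everyone; that shortcut hands any local user the ability to repoint or disable every service on the machine, which is exactly what the malware had just done.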