I have obtained victory - I just hope it lasts !!!
Registrar Lite was able to do what RegEdit and others could not: it was able to delete two keys which were inaccessible, and which could not otherwise be deleted. I was experimenting on a restored disc image of a fully functional system as at 16 August.
I had many extra applications on a “final” disc image captured on 4 Sept. This I needed to mend, but it had a totally busted Firewall - the only application rule was for ESET NOD32 Antivirus, and all the Network rules were absent, so this was totally out of bounds until I could fix it.
I restored this “final” disc image, and as expected Registrar Lite allowed me to take ownership of a key, and then to delete that key, but it had to be one key at a time. Two major aggravations :-
This “final” image had several dozen more frozen keys;
Having deleted a frozen key I could select its parent for deletion, but I was doomed to failure unless I first deleted all of any remaining children;
The Firewall was so busted, and the registry so thoroughly trashed (several dozen keys now inaccessible, and approaching 1000 other keys whose contents MIGHT have been distorted), my only option was to delete the entire Comodo chain of 1000 keys and then import a Comodo registry export from happier times.
I was happy to delete 1000 keys, but NOT one at a time!!
Registry Registrar Manager Lite is a bit more powerful - I was able to delete a key and it was eliminated, along with all its descendants - in one go, not 1000 goes.
I then imported the Comodo registry I previously exported from the 16 August system. This was all done in safe mode so the Firewall was not awake and suffering any pain from the surgery !!!
Back to normal, and everything looked o.k., excepting that …\Apps\14\0 (and …\Apps\14\1) were “always” inaccessible and were therefore not exported from 16 Sept, and could therefore not be imported. I had …\Apps\14 which contained the application details for ESET NOD32, but not the sub-key \0 which stipulates the permitted IP address range and port range - all this year that application was working on default limits. In Application Monitor I selected this ESET NOD32 and clicked REMOVE. I then activated the ESET NOD32 “Update Now” so it would use the Internet, and the Firewall asked permission and I checked “Remember” and clicked Allow, and it is now back at …\Apps\14 and has a sub-key \0 like all the other applications. I have also remembered to allow Comodo to “protect its own registry keys”.
Above is how I was able finally to erase the Comodo registry keys, and to replace them with an earlier functional set.
I am certain that I could then have un-installed and it would have cleanly removed every trace of Comodo, and then I could have performed a fresh installation. I chose not to because
a) I would have the aggravation of setting up all my custom Network Rules;
b) there may have been other customisations I might have forgotten;
c) Whilst getting to this functional state I lost count of the number of times my daughter wanted to send/receive emails and I promised I would be finished in another hour !!!
Very recent observations of the trashed registry are :-
HKEY_LOCAL_MACHINE\SYSTEM\Software was written 23/12/2006 22:04:33, and owned by me;
HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo and below were written more recently, and were ALL owned by BUILTIN\Administrators, with the exception of the few dozen inaccessible keys, each of which was owned by my daughter. The system captured on 16 August had only two inaccessible keys which were owned by my daughter, and written to on 26/12/2006 11:37:44. The disaster captured on 4 Sept had many more keys owned by my daughter, and written to at either 30/08/2007 10:19:52 or 03/09/2007 20:13:21. I don’t know what did it, but I think I know when it happened.
This P.C. was originally my daughter’s, and she had administrator rights. My son has installed software for her, and more recently for me. He may have had his own account with administrator rights, BUT the probability is that he installed the Comodo Firewall last Christmas by either using her administrator rights, or he could have used the “Administrator” profile (he works in an I.T. dept. so he knows his way around.)
Some months ago my daughter was collecting more “tracking cookies” in one day than I was in a week, so we agreed that her exposure to nasty drive-by downloads was higher than mine, and we would be better protected against nasty installing itself if her administrator capability was removed.
She still has the same user profile but is no longer administrator. Could Windows XP get confused if she installed something, or if she clicked on “remember” and “Allow” whilst an administrator, and now the “owner” of a key is no longer an administrator - that might explain the first two bad keys, but not how she became owner of a few dozen more this last couple of weeks when she has not been administrator.
I notice all the Comodo keys hang off from
i.e. Is there a good reason for the Comodo installation commencing by appending
\Software\Comodo\etc. to HKEY_LOCAL_MACHINE\SYSTEM
\Comodo\etc. to HKEY_LOCAL_MACHINE\SOFTWARE which already existed, with many children.
Finally, in functional registries (very old, and very new) there are 5 named values within
In the totally trashed configuration there is an extra item
What is that, where did it come from, what does it do?
Is it a Comodo Buffer Overflow thing, or did Microsoft put a back-door into my Firewall on their Patch Tuesday, and plant this flag so when they want to do a drive-by download they know where the back-door is ? (Yes that is cynical, but I have just read that very recently they secretly downloaded some stuff WITHOUT notification - and claim that there was no need to notify those who allowed automatic update, AND ALSO claim no need to notify those who specifically chose to be notified before any update. I even have suspicions that a secret drive-by download could be what killed my firewall.)
What went wrong ? I don’t know. Will it happen again ? Maybe, which is why I am continuing to investigate, and will post again with anything interesting.
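
Added example, not part of the original post: a read-only PowerShell audit of the ownership pattern described above, reporting every key under the Comodo subtree whose owner differs from BUILTIN\Administrators or whose security descriptor cannot be read. The function name is hypothetical, the expected owner string is taken from the post (it may be localized on non-English systems), and PowerShell 3.0 or later is assumed.

```powershell
# Added example: list registry keys whose owner is unexpected or unreadable.
# Read-only: nothing is modified, no ownership is taken, no key is deleted.

function Get-RegistryKeyOwnerReport {
    param(
        # Subtree named in the post.
        [string]$Path = 'HKLM:\SYSTEM\Software\Comodo',
        # Owner the post reports for the healthy keys.
        [string]$ExpectedOwner = 'BUILTIN\Administrators'
    )

    # Root key plus every descendant. Subtrees that cannot be enumerated are
    # collected in $enumErrors instead of aborting the walk.
    $keys = @(Get-Item -LiteralPath $Path -ErrorAction Stop)
    $keys += Get-ChildItem -LiteralPath $Path -Recurse `
                 -ErrorAction SilentlyContinue -ErrorVariable enumErrors

    foreach ($key in $keys) {
        try {
            $owner = (Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop).Owner
            [pscustomobject]@{
                Key    = $key.Name
                Owner  = $owner
                Status = if ($owner -eq $ExpectedOwner) { 'ok' } else { 'unexpected-owner' }
            }
        }
        catch {
            # Typically an access-denied failure on a "frozen" key.
            [pscustomobject]@{
                Key    = $key.Name
                Owner  = $null
                Status = 'unreadable: ' + $_.Exception.Message
            }
        }
    }

    # Keys whose children could not even be listed.
    foreach ($e in $enumErrors) {
        [pscustomobject]@{
            Key    = "$($e.TargetObject)"
            Owner  = $null
            Status = 'enumeration-failed'
        }
    }
}

# Show only the keys that need attention.
Get-RegistryKeyOwnerReport |
    Where-Object { $_.Status -ne 'ok' } |
    Format-Table -AutoSize -Wrap
```

Saving this output before and after a restore or re-import gives a baseline to compare against if more keys change owner later.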