Uninstalling CFP 2.4 and Registry issues

Help Will this Help me.
My system already has “clicapi.dll” and “fwconfig.exe” in C:\Program Files\Comodo\Firewall
and I ASSUME that these are correctly used by Add & Remove programs to remove Comodo
That perfectly cleansed Comodo from all FILES - not a trace left.
BUT - BIG BUT the Registry still has the key
HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall
and that still holds a “white list” of 800 items
and when Regedit exports this “remainder” it still takes up 500 KBytes.

Before I removed Comodo it had a check against “Protect own Registry Keys”.
Regedit could not change any part of the keys or values whilst that box was checked.
When unchecked then Regedit was able to change some keys / values, and the only thing it could not change were the inaccessible sub-keys \0 and \1 hanging off from
HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\Apps\14
Since the August “Patch Tuesday” I have found other items I could not change, including the white list.
I assume that Comodo correctly “Protected own Registry Keys”, but then lost the key to the lock and neither it nor anything else can unlock this part of the registry. I have exported a set of Comodo keys/values from an earlier valid disc image (taken just before I allowed the “Patch Tuesday” rehash of previous Microsoft mistakes), but when Regedit imports this into my latest but defective system it cannot correct those locked keys.

I have un-installed Comodo, and whilst uninstalled I have used Regedit to purge these keys, both “normal” and also in “Safe Mode”. I have re-installed Comodo.
I just cannot get rid of these locked and incorrect keys / values (At the moment I am using a pre-patch Tuesday disc image - I don’t want to let Micro-soft do it again until I know how to fix it, and other users on this P.C. have lost recent emails until I can recover back to yesterday’s disc image, and I don’t want to do that until their internet activities are protected by a working firewall).

Any advice would be appreciated.

Sounds like some of what you’re referring to are Legacy keys. This being the case, you will need to give yourself permission to remove them. Right-click the key, select Permissions, and grant yourself Full Control. Then you can delete those to your heart’s content.

Hope that helps,

LM
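LM's advice above is the GUI route (right-click the key, Permissions, Full Control). As an added example that is not part of the original thread and not Comodo's own code, the same two steps scripted in PowerShell: take ownership of the key first, then grant Full Control. It assumes an elevated PowerShell 2.0 session with .NET 2.0 (Add-Type needs both), that CFP's "Protect own registry settings" box is unchecked or CFP is uninstalled, and that the sub-key path, account name and backup directory are illustrative. A key whose DACL denies everything only lets you take ownership when SeTakeOwnershipPrivilege is enabled in the token, and .NET does not enable it for you, which is what the small P/Invoke shim is for.

```powershell
# Added example: take ownership of a registry key under HKLM and grant Full Control.
# Run from an elevated PowerShell 2.0+ session. Not from the thread or from Comodo.
$privSource = @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public int Count; public LUID Luid; public uint Attr; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState,
                                             int bufLen, IntPtr prev, IntPtr retLen);
    // Enable a named privilege (e.g. SeTakeOwnershipPrivilege) in this process token.
    public static bool Enable(string name) {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0020 | 0x0008, out token)) return false; // ADJUST_PRIVILEGES | QUERY
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.Count = 1; tp.Attr = 0x00000002;                                                   // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
        bool ok = AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return ok && Marshal.GetLastWin32Error() == 0;                                        // 1300 = ERROR_NOT_ALL_ASSIGNED
    }
}
'@
Add-Type -TypeDefinition $privSource

function Grant-RegKeyFullControl {
    param(
        [Parameter(Mandatory = $true)][string]$SubKey,      # relative to HKLM, e.g. 'SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\Apps\14\0'
        [string]$Principal = 'BUILTIN\Administrators',      # assumption: who should end up owning the key
        [string]$BackupDir = $env:TEMP
    )
    # Export first (the thread's own advice). reg.exe cannot export a key it cannot
    # read, so a failure here is itself a finding rather than a reason to stop.
    $backup = Join-Path $BackupDir ("regkey-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export "HKLM\$SubKey" $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "export of HKLM\$SubKey failed (probably unreadable); continuing" }

    if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
        throw 'cannot enable SeTakeOwnershipPrivilege; is this session elevated?'
    }
    $hive = [Microsoft.Win32.Registry]::LocalMachine
    $who  = New-Object System.Security.Principal.NTAccount($Principal)

    # Step 1: open with WRITE_OWNER only. With the privilege enabled the DACL is not
    # consulted for that one right, so even a deny-everything key opens.
    $key = $hive.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                            [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($key -eq $null) { throw "HKLM\$SubKey does not exist" }
    $sd = New-Object System.Security.AccessControl.RegistrySecurity   # empty descriptor: only the owner gets written
    $sd.SetOwner($who)
    $key.SetAccessControl($sd)
    $key.Close()

    # Step 2: an object's owner always has READ_CONTROL and WRITE_DAC, so reopen for
    # ChangePermissions, drop any Deny entry for the principal, and add inheritable Full Control.
    $key = $hive.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                            [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $sd = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    $deny = New-Object System.Security.AccessControl.RegistryAccessRule(
                $who, [System.Security.AccessControl.RegistryRights]::FullControl,
                [System.Security.AccessControl.AccessControlType]::Deny)
    $sd.RemoveAccessRuleAll($deny)
    $allow = New-Object System.Security.AccessControl.RegistryAccessRule(
                $who, [System.Security.AccessControl.RegistryRights]::FullControl,
                [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow)
    $sd.SetAccessRule($allow)
    $key.SetAccessControl($sd)
    $key.Close()
    Write-Output "HKLM\$SubKey is now owned by $Principal with Full Control; backup (if it succeeded): $backup"
}

# Usage (illustrative path from the thread): after this, Remove-Item or regedit can delete the key.
Grant-RegKeyFullControl -SubKey 'SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\Apps\14\0'
```

If step 1 itself fails with access denied, the token does not hold the privilege (the session is not elevated) or something outside the DACL is still intervening, which is exactly the case LM raises further down: CFP's own key protection, or another security product's remains. Permissions are never the fix for that; remove the interfering protection first, then re-run.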

Thanks, yes it may help. Been there, done that, never worked for me.
Just done it again to accurately tell you how it does not work, and to seek further advice, but now discovered extra persistence is required :-
After Right-Click on the sub-key “\0” I CANNOT select permissions - instead I get the warning
“Cannot open 0: Error while opening key” and I have to click “OK” to make it go away - and at that point I gave up, BUT I now observe that whilst that sub-key is still selected I can now Right-Click it a SECOND time and this now offers “permissions…”, and that tells me I cannot VIEW the permissions, but I can make changes. I am stumbling in the dark, and so far the Advanced menu won’t give me full control, but I have now got it to allow me to read.

Time for bed. I will be back tomorrow - oops I mean today !!!
I will look to see if there is any further advice on gaining adequate control to delete the key, or perhaps I may be able to report success.

Many thanks.

Try operating Regedit in SafeMode. Something’s blocking your access, but I really don’t think it’s CFP (I could be majorly wrong). At any rate, this is not behavior that I have experienced or witnessed in more than a year working with several different versions of Comodo Firewall. Only times I’ve seen anything like this, it has been discovered that another security application was in the way; sometimes the remains of the previous firewall.

Since SafeMode is designed to make sure that only core services are running, and no startup applications, that should be a good place to begin.

Enjoy your sleep; get some good rest!

LM

SafeMode got me no further. I do not seem to have permission to either see or change the permissions !!!
I have many years experience with Windows 95 and 98, but did little with RegEdit. I think I remember that after stipulating a change it gave me a “chicken out” option before writing the changes to disc upon closing - or maybe the lack of an opt out is why I rarely ventured there.
My experiments this morning have now made inaccessible a key I was “just looking at”

I am a user with normal Administrator privileges (I can install programs etc.) I have heard rumours of a higher class of Administrator - think I will try to be one of those. I also need to find out more about how to use RegEdit before I inflict further damage.

I am off trawling the Internet, looking for guides on how to be a super administrator, and how to use RegEdit. Any relevant links would be appreciated.

Alan.B

There are sometimes different Ownerships a given “Admin” will have; generally you will only find this in a corporate network type of environment. This is so that one “Admin” will not have authority to modify certain settings but another will, and so on.

As far as Regedit goes, from the Edit menu, or by right-clicking any Key (at any level) you can Export. Whenever you’re messing in the Registry, you should ALWAYS Export before deleting. In my opinion, making a regular backup of the Registry is a good idea in general anyway.

If you’re not very comfortable working in the Registry (and I fully understand that), I would suggest using a utility designed to do it for you, such as ccleaner or regseeker (both free). Both have an automated process; I know Regseeker has a “search” feature as well. Both provide an option to back up prior to deletion (this is a must!).

If you have a backup of the registry, you can restore it simply by double-clicking that registry file. Very handy…

It sounds to me, simply based on what you’re saying, that something is mucked up, aside from anything you’ve done. Simply Viewing a key should not change anything about it.

BTW, it seems to me like your situation calls for a topic of its own. Thus, I’m splitting our posts out into a new thread, where the registry-related issues can be further investigated and discussed.

LM

Thanks for your advice.

I have used Regseeker in the past to track down and remove keys left behind after uninstalling other software. I also found it very useful when I wanted to review changes to the Comodo Firewall *.ini file and could not find it; Regseeker quickly tracked down 96 Comodo entries in the registry - I really did not want to know that !!!

I will see if Regseeker can assist in removal of the bad keys, and post back with results.

Alan.B

Victory should now be within my grasp. This last week I have been shopping on the Internet for freeware registry tools, and now found what should do the trick - Registrar Lite.

Registrar Lite gives me a simple button to take ownership of a designated key, and THEN I can easily delete that key - neither RegEdit nor any of the others can do this. Additionally, in the left pane I can select a key and it immediately shows in the right pane all of the contents and sub-keys, but with a difference - each and every item is marked RED if it is inaccessible, where RegEdit and all the other tools I tried will not give me any clue about accessibility until I select that item.

Apart from these wonderful capabilities, this is like all other tools I have been trying out; they are the same as RegEdit in that my inaccessible key cannot be deleted by any of them. RegEdit has one advantage over all of them - when I try to delete the undeletable I get warned with a warning box - none of the others give any warning, though it is generally immediately apparent from the display that the key has not gone away (RegSeeker is another matter - it does not display the keys so you cannot observe its continued presence).
Years ago there was action against Microsoft for taking unfair competitive advantage with their Office Software and Applications by using undocumented features in the Operating System. The leopard does not change its spots and I guess that is why RegEdit is able to give a warning when no competing System Tool is able to.

I agree to exporting a key before changing it BUT my bitter experience is that this may fail you.
[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\Apps\14]
This contained information on my Anti-Virus application, and its permitted parent plus sub-key \0 which should have given destination and port ranges etc., but was not accessible.
RegEdit Permissions \ Advanced \ Permissions has a couple of check boxes to inherit permissions from the Parent or to Replace permissions of Children. Selecting …\AppCtrl\Apps\14\0 I tried to inherit from parent (i.e. …\AppCtrl\Apps\14). I may have also tried at …\AppCtrl\Apps\14 to revise permissions of the Children. Whatever I tried, RegEdit would not allow it - but it punished me. Although it could not change the …\AppCtrl\Apps\14\0 permissions to match …\AppCtrl\Apps\14, it DID equalize the other way, i.e. the parent became as the child, i.e. …\AppCtrl\Apps\14 became inaccessible as well. It could not be changed. Comodo could no longer see that my Anti-Virus application was permitted. I imported previous exports with no luck - could not over-write this key - stuck for ever. I eventually gave up using recent exports of the Comodo Keys, and used System Restore to go back a couple of days, and that fixed the problem.

n.b. I tried starting with the F8 function key. It is called “Safe Mode” but really it is Suicide Mode.
I logged in as Administrator. I repeated my attempt to transfer parent permissions using my new super powers, but they were powers for evil and not for good. This time …\AppCtrl\Apps\14 remained accessible, BUT all its brothers (…\AppCtrl\Apps\0 to …\AppCtrl\Apps\13 etc.) were deleted, and all its Aunts and Uncles were deleted, i.e. \AppCtrl lost all its children other than \Apps. (e.g. …\AppCtrl\Components with over 800 component sub-keys went down the drain)

I then came across ERUNT. This is MUCH better than Restore Point.
The problem with Restore Point is that it permanently wastes 50 MBytes of hard disk for each and every R.P. Even if you only wanted a fall-back position for a couple of minutes whilst doing something “clever”, once it is there it is stuck there for ever. If you jump through a few hoops you can of course delete it, BUT it has become part of a CHAIN of inter-linked Restore Points, and System Restore is unlikely to allow you to ever again restore from an earlier R.P. - if you delete one R.P. you may as well delete the whole shooting match.

ERUNT does not attempt to capture changes to applications, but it does capture the whole registry (all that is accessible) AND it is NOT locked into a chain - any registry snapshot can be deleted without affecting usability of the rest. Another benefit is speed - it only takes 2 Seconds for ERUNT to take a 36 MByte snapshot, whilst some Registry Editors take 50 Seconds to create a 300 KByte export of the Comodo keys by themselves, and grind to a standstill on larger bunches of keys.

It will probably take me a few days before I complete this saga. I am working with an “old” system restored from a disc image taken at the beginning of August without the benefit of that “Patch Tuesday” and sundry useful installations. My intention is now to resurrect the “latest” image that has “Patch Tuesday” plus all I wanted, and to use my new tools and knowledge to mend the Firewall which has been dying by degrees. The difficult part is that the “latest” image knows nothing of more recent events or emails, so I have to be sure to suitably export every relevant file - and of course there are other users whose emails and documents I have no access to - these too need to be preserved. No major problem, but a lot of double checking to ensure nothing is forgotten.

Alan.b

Alan,

Something to keep in mind as you’re trying to use the powers of the forces of good on CFP registry keys, that CFP protects its own keys.

In order to affect change, you must disable this protection. You do so by going to Security/Advanced/Miscellaneous and uncheck the box, “Protect own registry settings.” After exporting or importing registry keys, you will need/want to reset that to default for security purposes. This should not matter when uninstalling, but it does while installed.

Your situation is very strange, and I’m wondering if you don’t have some gremlins poking around in your box. You should not be experiencing this sort of behavior - key values changing just by looking, keys being deleted by changing their Permissions, and so on. This is not normal. In years of messing around in the registry, I have never seen things behaving this way.

LM

L.M.

Thank you for the reminder about Comodo protecting its registry keys. I have a lot of things to do and I might have forgotten for a week or two that I have to re-check the box for protecting the registry.

I have run a Sophos rootkit detector, and it found nothing. My ESET NOD32 antivirus was fully up to date (until I discontinued updates last week so that existing problems would not get confused with new update “features” - especially from Patch Tuesday stuff.)

I have restored a disc image captured in May. At that time there were 20 applications listed, today it is only 16. At that time the resident of …\14 was Firefox, and today it is Eset Nod32. Things shift around , BUT even then it was …14\0 (and also …14\1) that was frozen solid and inaccessible, and even with the firewall removed and most of its registry keys automatically removed, this particular …\14\0 was still frozen and undeletable, even in Safe mode.

I did wonder if damage to the antivirus Eset Nod32 sub-key was evidence of an attack by something upon my Antivirus protection, so I now draw comfort from the fact that …\14\0 was damaged before it became related to Antivirus.

This PC is nearly 4 years old. It was owned by my daughter who had administrator rights, which she relinquished earlier this year to reduce the risk of accidentally permitting the covert download and installation of anything nasty. She remains a user with the same profile by which she did have admin rights. Both my sons have installed software for her in the past. I do not know if they had their own profiles with admin rights, or if they used her admin access. I believe reasons for being unable to eliminate this …\14\0 key may include :-

  1. “Ownership” by one of my 3 administrator children, even though they are no longer active administrators;
  2. Allocation of ownership to an illegal entity, or some other form of damage, possibly due to Windows shutting down without closing properly.

The event viewer includes the “Warning” :-
“Windows saved user ACER-311VPBCEH0\Alan registry while an application or service was still using the registry during log off. The memory used by the user’s registry has not been freed. The registry will be unloaded when it is no longer in use.”
I have also seen a red “ERROR” and a message indicating a failure to flush data to the hard drive during shut-down. I think this might be on my “latest” image which I have not yet reverted to. One of the degradations to that “latest” system was that when closing down the desk top would clear as normal, but then for about half a second a small window appeared and stated that ctfmon was failing to close, and a progress bar rapidly moved from one side to the other, but I had no chance to see if the progress was an orderly controlled closure that just needed another 500 mSec to gracefully complete, or if in fact the nightclub bouncers had kicked ctfmon out onto the street and did not care if they broke its neck!!!
Perhaps I am wrong, but I assume that this is all part of the fun of using Windows XP !!!
I do not know if ctfmon was failing to close down because it had 880 components in the white list, and that needs a bit more time than the 835 components in the functioning white list I am currently using, or if it was a side effect of Patch Tuesday or one of the useful applications I installed after Patch Tuesday.

In the “Good Old Days”, every other morning Windows would wake up and tell me I failed to shut it down properly the previous night. Every other evening Windows would commence shut-down upon command, but then hang, and after a few minutes the caretaker was locking up and I had to switch off the supply. Every other morning …
What I really miss is that some mornings it would automatically tell me if there was a disk problem, and I could use chkdsk to do something about it.
What I really need is a warning in the morning that something went wrong during the shut-down process, and that data may be lost or corrupted. I need this warning at the earliest possible opportunity so I can do something about it, or minimise my exposure to consequential damage by a corrupted system. It really is stupid of Microsoft to simply bury disasters in the event log so I know nothing of them until a few months later when I view events looking for clues because something is wrong (like a frozen solid registry key). Disasters were announced the following morning by Windows 9x. Why is XP so secretive - is it stupid, or just a clever way of cutting down all the phone calls to their support centre should customers know every time it went wrong ???

Although I originally said I broke the parent key I was “just looking at”, I feel like a child explaining “I didn’t break it mummy, I was just looking at it (with my fingers)” !!! I may have done something I shouldn’t, but I think RegEdit just could not do a thing with this frozen key, and neither it nor the Operating System knew what they were doing, so ■■■■ there goes another one !!!

Alan.B

Ah, Alan, I had Win 98 flashbacks reading through your “Good Old Days” section…Gotta love those memory leaks! ;D XP will give you a message on reboot if something actually did fail critically during shut-down, and offer to run chkdsk. Which IMO is useless; it never finds any problems (in my experience).

The extended shut-down issues, and applications not responding at shut-down, may be resolvable by using the UPHC (User Profile Hive Cleanup) Service. That does not, however, address your apparent registry issues.

I’m going to have some of the “resident genius” types review this thread and see what they think may be at the heart of the matter… and what may help resolve it.

LM

Hi Alan,
I think you have already tried everything to delete the key and it still doesn’t work.
As you have also made sure that there is no registry protector s/w working in the background and you are also not able to apply parent permission level to all children, all I can say is that there is an internal bug in Microsoft implementation, in no situation (unless some external application resisting) administrator should be denied to delete that key.

Sorry, can’t help there.

Thanks
-umesh

Hi

I have obtained victory - I just hope it lasts !!!

Registrar Lite was able to do what RegEdit and others could not, it was able to delete two keys which were inaccessible, and which could not otherwise be deleted. I was experimenting on a restored disc image of a fully functional system as at 16 August.

I had many extra applications on a “final” disc image captured on 4 Sept. This I needed to mend, but it had a totally busted Firewall - the only application rule was for ESET NOD32 Antivirus, and all the Network rules were absent, so this was totally out of bounds until I could fix it.

I restored this “final” disc image, and as expected Registrar Lite allowed me to take ownership of a key, and then to delete that key, but it had to be one key at a time. Two major aggravations :-
This “final” image had several dozen more frozen keys;
Having deleted a frozen key I could select its parent for deletion, but I was doomed to failure unless I first deleted all of any remaining children;
The Firewall was so busted, and the registry so thoroughly trashed (several dozen keys now inaccessible, and approaching 1000 other keys whose contents MIGHT have been distorted), my only option was to delete the entire Comodo chain of 1000 keys and then import a Comodo registry export from happier times.

I was happy to delete 1000 keys, but NOT one at a time!!
Registry Registrar Manager Lite is a bit more powerful - I was able to delete a key and it was eliminated, along with all its descendants - in one go, not 1000 goes.
I then imported the Comodo registry I previously exported from the 16 August system. This was all done in safe mode so the Firewall was not awake and suffering any pain from the surgery !!!

Back to normal, and everything looked o.k., excepting that …\Apps\14\0 (and …\Apps\14\1) were “always” inaccessible and were therefore not exported from 16 Sept, and could therefore not be imported. I had …\Apps\14 which contained the application details for ESET NOD32, but not the sub-key \0 which stipulates the permitted IP address range and port range - all this year that application was working on default limits. In Application Monitor I selected this ESET NOD32 and clicked REMOVE. I then activated the ESET NOD32 “Update Now” so it would use the Internet, and the Firewall asked permission and I checked “Remember” and clicked Allow, and it is now back at …\Apps\14 and has a sub-key \0 like all the other applications. I have also remembered to allow Comodo to “protect its own registry keys”.

Above is how I was able finally to erase the Comodo registry keys, and to replace them with an earlier functional set.
I am certain that I could then have un-installed and it would have cleanly removed every trace of Comodo, and then I could have performed a fresh installation. I chose not to because
a) I would have the aggravation of setting up all my custom Network Rules;
b) there may have been other customisations I might have forgotten;
c) Whilst getting to this functional state I lost count of the number of times my daughter wanted to send/receive emails and I promised I would be finished in another hour !!!

Very recent observations of the trashed registry are :-
HKEY_LOCAL_MACHINE\SYSTEM\Software was written 23/12/2006 22:04:33, and owned by me;
HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo and below were written more recently, and were ALL owned by BUILTIN\Administrators, with the exception of the few dozen inaccessible keys, each of which was owned by my daughter. The system captured on 16 August had only two inaccessible keys which were owned by my daughter, and written to on 26/12/2006 11:37:44. The disaster captured on 4 Sept had many more keys owned by my daughter, and written to at either
30/08/2007 10:19:52 or 03/09/2007 20:13:21. I don’t know what did it, but I think I know when it happened.
This P.C. was originally my daughter’s, and she had administrator rights. My son has installed software for her, and more recently for me. He may have had his own account with administrator rights, BUT the probability is that he installed the Comodo Firewall last Christmas by either using her administrator rights, or he could have used the “Administrator” profile (he works in an I.T. dept. so he knows his way around.)
Some months ago my daughter was collecting more “tracking cookies” in one day than I was in a week, so we agreed that her exposure to nasty drive-by downloads was higher than mine, and we would be better protected against nasty installing itself if her administrator capability was removed.
She still has the same user profile but is no longer administrator. Could Windows XP get confused if she installed something, or if she clicked on “remember” and “Allow” whilst an administrator, and now the “owner” of a key is no longer an administrator - that might explain the first two bad keys, but not how she became owner of a few dozen more this last couple of weeks when she has not been administrator.

I notice all the Comodo keys hang off from
HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall
Why not
HKEY_LOCAL_MACHINE\SOFTWARE\Comodo\Personal Firewall
i.e. Is there a good reason for the Comodo installation commencing by appending
\Software\Comodo\etc. to HKEY_LOCAL_MACHINE\SYSTEM
instead of
\Comodo\etc. to HKEY_LOCAL_MACHINE\SOFTWARE which already existed, with many children.

Finally, in functional registries (very old, and very new) there are 5 named values within
HKEY_LOCAL_MACHINE\SOFTWARE\Comodo\Personal Firewall
In the totally trashed configuration there is an extra item
“BODefenseLevel”=dword:00000002
What is that, where did it come from, what does it do?
Is it a Comodo Buffer Overflow thing, or did Microsoft put a back-door into my Firewall on their Patch Tuesday, and plant this flag so when they want to do a drive-by download they know where the back-door is ? (Yes that is cynical, but I have just read that very recently they secretly downloaded some stuff WITHOUT notification - and claim that there was no need to notify those who allowed automatic update, AND ALSO claim no need to notify those who specifically chose to be notified before any update. I even have suspicions that a secret drive-by download could be what killed my firewall.)

What went wrong ? I don’t know. Will it happen again ? Maybe, which is why I am continuing to investigate, and will post again with anything interesting.

Alan.B
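The owner-by-owner survey Alan did by hand above (and the red marking Registrar Lite gave him for inaccessible keys) can be produced in one pass. Here is an added PowerShell example, not from the thread and not a Comodo tool, that walks a registry subtree and reports for every key whether it can be opened with the rights regedit needs to show it and its Permissions dialog, and who owns it. It assumes PowerShell 2.0 on the affected machine and that the root path below (taken from the thread) exists; when an owner SID cannot be resolved to an account it is reported as the raw SID, which is how an orphaned or damaged owner would show up.

```powershell
# Added example: report readability and owner for every key under an HKLM subtree.
# Requires PowerShell 2.0+ (typed catch blocks, New-Object -Property). Not from the thread or Comodo.
function Get-RegKeyAccessReport {
    param([string]$SubKey = 'SYSTEM\Software\Comodo\Personal Firewall')   # relative to HKLM; path from the thread
    $hive  = [Microsoft.Win32.Registry]::LocalMachine
    $queue = New-Object System.Collections.Generic.Queue[string]
    $queue.Enqueue($SubKey)
    while ($queue.Count -gt 0) {
        $path = $queue.Dequeue()
        $row  = New-Object PSObject -Property @{ Key = "HKLM\$path"; Readable = $false; Owner = $null; Problem = $null }
        try {
            # Ask for exactly what regedit needs: read the key and read its security descriptor.
            $key = $hive.OpenSubKey($path, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                      ([System.Security.AccessControl.RegistryRights]::ReadKey -bor
                       [System.Security.AccessControl.RegistryRights]::ReadPermissions))
            if ($key -eq $null) { $row.Problem = 'not found' }
            else {
                $row.Readable = $true
                $sd  = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Owner)
                $sid = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])
                try   { $row.Owner = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $row.Owner = $sid.Value; $row.Problem = 'owner SID does not resolve to an account' }
                foreach ($child in $key.GetSubKeyNames()) { $queue.Enqueue("$path\$child") }
                $key.Close()
            }
        }
        catch [System.Security.SecurityException]  { $row.Problem = 'access denied' }
        catch [System.UnauthorizedAccessException] { $row.Problem = 'access denied' }
        catch                                      { $row.Problem = $_.Exception.Message }
        $row
    }
}

# Usage: show only the keys Registrar Lite would mark red, plus any with an unresolvable owner.
Get-RegKeyAccessReport |
    Where-Object { -not $_.Readable -or $_.Problem } |
    Format-Table -AutoSize Key, Owner, Problem
```

A denied key stops the walk below itself (its children cannot be enumerated), so a single red parent can hide a whole frozen subtree; that matches Alan's experience of having to clear children before a parent would go. Running the report before and after a change, and diffing the two outputs, is a cheap way to confirm that a permissions edit did not spread the damage the way regedit's "replace permissions on children" did for him.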

I’m glad you’ve finally gotten everything back to “normal” Alan. I must say, I just love this comment…

I am certain that I could then have un-installed and it would have cleanly removed every trace of Comodo, and then I could have performed a fresh installation. I chose not to because a) I would have the aggravation of setting up all my custom Network Rules;

Which is worse? What you went through, or simply rebuilding custom network rules? :smiley:

You may already have realized this, but if you want to just save the Network rules, you can simply Export that aspect of the HKLM/System/Software/Comodo/Firewall key.

LM

L.M.

Sorry, I had to modify my last post. For countless years the Tab key has indented paragraphs etc., and I sometimes relapse and ■■■■ the web-site rules take it as me logging off !

Yes, I could have imported just the Network Rules, but I could not remember if there was any other customisation, and it all takes time, especially because I refuse to double check something if I can quadruple check it, and I did not want to yet again promise “I will be finished in an hour” !!!

Regards
Alan.B

No problem at all, Alan. I know you’ve gone thru quite a mess to get this all straight.

I’m not sure what that BODefense Level=dword:00000002 is.

Are you using Comodo BOClean, or Comodo Memory Guardian?

LM

Hi

The only Comodo product that I know of that has been installed is the Firewall.

I have very recently seen on the Comodo website references to Buffer Overflow defence product(s) and thought this might be related for BODefense.

I also tried out Microsoft Windows Defender (and decided not to continue with it). It is possible that might have planted “BODefense” in the registry, but I probably restored from a Disc image made just before that experiment, in which case that should have neutralised it, BUT
a) I cannot remember for sure, though my trust level is such I am certain I would have ensured elimination;
b) Assuming I did restore from the Disc Partition image, that would probably not remove every trace - there is always CMOS RAM which on old systems used to hold date and time, and all sorts of other stuff like how many sectors per track and how many tracks per surface etc on the hard disc - I once saw a PC that suffered a nearby lightning strike - some spots appeared on the screen because the video RAM had a bit of damage, and some data was lost from the Hard Drive. A colleague brought Norton Tools to the rescue, and after the event realised that Norton adjusted the drive to the randomised quantities of sectors per track etc. in the corrupted CMOS RAM, and then converted the rest of the Hard drive into pure gibberish. What else can CMOS RAM retain even after restoring a Disc Partition image ? I guess it could retain the binary values of a virus - I don’t suppose a virus could be executed from there, but I am sure Windows has the capability to copy or utilise this data and place that virus into memory from where it can be executed.

I am quite good at paranoia, I put in a lot of practice !!!

Alan.B

AFAIK, that entry is not something related to Comodo FW; CMG is the first buffer overflow application they’ve developed, and it’s still in Beta phase. I think they are planning to implement protection into CFP v3, but it’s not there yet.

I’ve not seen that reg entry before, either, and it does not exist in my registry. I did an internet search on it, and came up with nothing (except the posts here).

I’m hoping umesh will jump back in with some more info.

LM

Hi LM,
Sometime back in CPF we tried to implement Buffer Overflow Protection and later took that out.
Registry entries could be there but they are ineffective.
Hope that clears the confusion.

Thanks
-umesh

Tnx, umesh! I think that helps clear up the confusion quite nicely.

LM