First kbox induced virus (almost)
Kbox hosed my pc for a while this morning, but it's at least somewhat fixed now. Here's the skinny:
Yesterday, I backrevved to the last 5.1 agent to fix some MI problems I had with 5.3. No problem installing the 5.1 agent, but I didn't remove the 5.3 agent first because I wanted to see if that would happen automatically. It didn't, so I uninstalled using the msiexec uninstall string. No reboot required and kbox seemed to be working.
This morning, when I logged in as either myself or local admin, it would almost load the desktop, but then log out. Long story short, after 3 hours of troubleshooting with my hard drive slaved to another pc, I discovered that kbox had changed the userinit.exe under winlogon in the registry to kuserinit.exe. I was able to change it back, so now I'm rolling again.
However, I need to backrev our other PCs until we get a working 5.3 agent. Any tips on how to handle for other PCs? Did it happen because I installed the older agent before I removed the newer one? Also, what is kuserinit supposed to do? That seems like a pretty egregious reg change.
Thanks.
Edit: Oh, and meant to point out that a search of kuserinit on the message board brought up 2 old posts, but not a lot of info on kuserinit.
Tim
Answers (6)
Posted by:
airwolf
12 years ago
Posted by:
tpr
12 years ago
Nope, not a virus, really just a bug under the circumstances. The kusrinit.exe setting is also on the 5.3 agent.
I just found this:
http://www.kace.com/support/kb/index.php?action=artikel&cat=2&id=662&artlang=en
"Please note that the KuserInit.exe is needed because it allows the K1000 client to hook into the Windows Login sequence to fire Login kbots scripts or Managed Installations."
OK, I think I'm figuring this out. My logins failed because there's no kusrinit.exe file in the system32 folder, so the reg value didn't have anything to point to. The kusrinit file probably disappeared because I removed the newer agent after installing the old agent, so it wiped out that file (and probably others). So when I backrev the others, as long as I uninstall 5.3 first and then install 5.1, that will probably not cause any problems.
All that being said, I don't really understand why the userinit has to change for kbox. I've worked with two other desktop mgmt systems that can set things to run at user login without changing the userinit function.
Posted by:
jrscribner
12 years ago
Posted by:
tpr
12 years ago
Sure, if there's still a desktop mgmt tool on the pc that allows something to run as administrator or system. However, I think the real problem was the order that I installed and uninstalled the two agents. I suspect that if I uninstall one agent first, the uninstaller will flip the reg key back to the userinit.exe value like it should.
Posted by:
afzal
12 years ago
Maybe this will help you.
Immediate logoff after logging on after uninstalling Kbox Client
What happens is, it looks like Kace has its own version of userinit.exe, called kuserinit.exe. Userinit is what loads your profile when you log in, so without this the PC doesn't know what to do and logs you back out. Kace installer repaths the registry entry to point to its version of userinit, rather than the MS one. I believe that when you remove the Kbox agent from the computer this registry entry doesn't get fixed. So what you can do is remote registry the computer, go to hklm\software\Microsoft\Windows NT\CurrentVersion\Winlogon and change the entry to userinit, instead of Kuserinit.
From another computer on the same network:
1. Run Regedit.exe (with a user with admin rights on the other PC)
2. Point your cursor to HKEY_LOCAL_MACHINE
3. Select File > Connect Remote Registry
4. Type broken computer name
5. Navigate to the following location in registry of broken computer: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
6. Change Userinit to equal C:\WINDOWS\system32\userinit.exe,
7. Exit from Registry
8. Restart broken computer
Please rate my post if it helps
Regards,
Posted by:
tpr
12 years ago
Afzal,
Yup, that's basically the process I used 2 days ago to fix the problem. Additionally, I found out the hard way that I had to copy kusrinit.exe, plus a couple of other kbox files from system32 on a working pc over to my pc. The userinit reference in the registry gets changed back to kusrinit automatically (probably during the agent sync), so the kusrinit file has to be in system32.
As I said in earlier posts, I think I caused my problem with my particular install/uninstall order. If you are correct that the registry entry is not flipped back to userinit after properly uninstalling the agent, that is really crappy.
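A read-only check for the condition discussed in this thread, added here as an example and not taken from any post or from KACE: it parses the Winlogon Userinit value and flags entries whose target file is missing or is not userinit.exe. The function name, the `-FileExists` parameter and the sample value are assumptions made for illustration.

```powershell
# Added example (not KACE code): report what the Winlogon Userinit value points at.
# A stock Windows install has "C:\Windows\system32\userinit.exe," (trailing comma).
function Test-UserinitValue {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        # Hypothetical hook so the logic can be tried on sample data without disk access.
        [scriptblock]$FileExists = { param($p) Test-Path -LiteralPath $p -PathType Leaf }
    )
    $sys32   = Join-Path $env:SystemRoot 'System32'
    $entries = @($Value -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
    if ($entries.Count -eq 0) {
        return [pscustomobject]@{ Entry = '<empty>'; Exists = $false; Problem = 'Userinit value is empty' }
    }
    foreach ($e in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables($e)
        # A bare file name is treated here as living in System32 (assumption).
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $sys32 $path }
        $exists  = [bool](& $FileExists $path)
        $problem = $null
        if (-not $exists) {
            $problem = 'target file missing, logon will fail'
        } elseif ([IO.Path]::GetFileName($path) -ine 'userinit.exe') {
            $problem = 'non-default binary in the logon chain'
        }
        [pscustomobject]@{ Entry = $path; Exists = $exists; Problem = $problem }
    }
}

# Constructed sample: the state described in the thread, with the agent file gone.
$sample = 'C:\WINDOWS\system32\kusrinit.exe,'
Test-UserinitValue -Value $sample -FileExists { param($p) $false } | Format-List

# Live check on the local machine (read-only).
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$live = (Get-ItemProperty -LiteralPath $key -Name Userinit).Userinit
Test-UserinitValue -Value $live | Format-Table -AutoSize
```

Running the live check before and after an agent install or uninstall shows whether the value was changed and whether every file it names is actually present.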
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.