1. [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD]
Background: Has the command prompt been disabled by the system administrator? Many viruses disable CMD in this way.
Usage: This is a value of type REG_DWORD. If the value does not exist, CMD can be used. When the data is 1 or 2, starting CMD shows the message "the command prompt has been disabled by the system administrator". When the data is any other number, CMD can also be used.
Solution: Find this value in the Registry Editor (regedit.exe) and delete it. You can run the command:
reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /f
(Of course, since your CMD has been hijacked, how can you open it? Enter this command in the "Run" dialog.)
2. [HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun] [HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun]
Background: This is CMD's auto-start entry. When you open CMD or run a batch script, CMD first checks the data of these two values. If one or both exist, their data is executed first. Some viruses set this value to their own path so that the user runs the virus body before CMD opens.
Usage: This is a value of type REG_SZ. The data only needs to be one or more valid commands. CMD checks HKLM first, then HKCU.
Solution: Do not start CMD by double-clicking it or by entering cmd directly on the command line. Instead, add the /d parameter; CMD will then not check these two values. Then find them in the Registry Editor (regedit.exe) and set their data to empty. You can also delete them from the command line:
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor" /v "AutoRun" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /v "AutoRun" /f
3. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\debugger]
Background: Image hijacking technology, I believe everyone has heard of it... that was the era of AV Terminator. It made users launch the virus body when they opened their antivirus software. Since even that can be hijacked, how hard can a small CMD be?
Usage: This is a value of type REG_SZ. As long as the data is any non-empty string, CMD cannot be opened; instead, the system reports that CMD cannot be found. If the data is a valid file path, that file is opened whenever CMD is opened.
Solution: Find this key in the Registry Editor (regedit.exe) and delete it. You can run the command:
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe" /f
Author: haige18
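
The three checks above combined into one read-only audit, as an added example that is not part of the original article. It is written for PowerShell because CMD itself may be blocked; the function name Test-CmdHijackValue and the report layout are assumptions made for this example.

```powershell
# Added example (not from the original article): read-only audit of the
# registry values described in items 1-3. Nothing is modified or deleted.
$checks = @(
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Value = 'DisableCMD' }
    @{ Key = 'HKLM:\Software\Microsoft\Command Processor'; Value = 'AutoRun' }
    @{ Key = 'HKCU:\Software\Microsoft\Command Processor'; Value = 'AutoRun' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe'; Value = 'Debugger' }
)

# Hypothetical helper: applies the rules stated in the article's "Usage" notes.
function Test-CmdHijackValue {
    param([string]$ValueName, $Data)
    if ($ValueName -eq 'DisableCMD') {
        # Item 1: data 1 or 2 blocks CMD; other numbers leave it usable.
        return ($Data -eq 1 -or $Data -eq 2)
    }
    # Items 2 and 3: any non-empty string changes what runs when CMD starts.
    return -not [string]::IsNullOrEmpty([string]$Data)
}

$report = foreach ($check in $checks) {
    $name = $check.Value
    # Returns nothing (no error shown) when the key or the value is absent.
    $prop = Get-ItemProperty -Path $check.Key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        [pscustomobject]@{ Key = $check.Key; Value = $name; Data = '<not set>'; Flagged = $false }
    }
    else {
        $data = $prop.$name
        [pscustomobject]@{
            Key     = $check.Key
            Value   = $name
            Data    = $data
            Flagged = (Test-CmdHijackValue -ValueName $name -Data $data)
        }
    }
}

$report | Format-List
if ($report.Flagged -contains $true) {
    Write-Warning 'At least one CMD-related value is set; review it before deleting.'
}
```

The Data column shows what the AutoRun or Debugger value points to, which is worth recording before running the reg delete commands above.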