> On 22/01/2014 1:40 AM, Francois Labreque wrote:
>> not quite, but...
>>
>> Ever since I tried to install the latest Blender, whenever I boot my PC,
>> I get the system32 folder that opens.  I suppose there's a registry
>> entry somewhere that got created improperly and instead of trying to
>> load "C:\Windows\System32\whatchamacallit.dll" or
>> "%SYSTEM_ROOT%\System32\foobar.exe" it simply loads
>> "C:\Windows\System32".
>>
>> How do I find out which one it is?  Regedit's search function is not
>> smart enough to let me search for ( "system32" except when it's
>> "system32\" )
>>
>>
>
> I've seen this before, have a look here:
>
> http://support.microsoft.com/kb/170086
>
> Cheers Dre

This KB article sent me on the proper path...

I paid a closer look at the syntax of the entries in 
HLCU\Software\Microsoft\Windows\CurrentVersion\Run, and bingo.

It was an invalid entry created by the Epson Printer software installer. 
  (Apologies to the Blender Foundation for wrongly acusing them!)

I also found a gazillion entries where rundll32.exe is not using the 
full path, which could lead to very easy trojan horse injections.

ex:
Good:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\print\command]
@="\"C:\\WINDOWS\\system32\\rundll32.exe\" 
\"C:\\WINDOWS\\system32\\mshtml.dll\",PrintHTML \"%1\""


Bad:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command]
@="rundll32.exe C:\\WINDOWS\\system32\\shimgvw.dll,ImageView_Fullscreen %1"

-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }

Post a reply to this message