Regedit Script Question

CraigS26
2StarLounger
Posts: 155
Joined: 02 Nov 2016, 12:56

Post by CraigS26 »

Privacy Paranoia category: In the AskWoody.com blog a now MIA poster offered a way he had modified several computers to Inhibit MS from "Phoning Home" Heartbeat & Maps data when MSRT is run. No answer at AW for the following ............

Nothing Good or Bad happened following his instructions to create a Missing MRT Folder (Win7-64) / No MRT Folder found but the Reg Editor says a Mod Successfully occurred when I attempt to Open the desktop - MRT.reg - Folder he suggested ---but DID this Script Actually Require (ie) back spaces ( \ ) in the String he posted. Here are the instructions -- I keep enough Macrium Images to feed the world.
THANK you for any clarifications. Sorry for length ...
=======================================================
Open Notepad, then copy the following lines and paste it onto opened Notepad: (To create the missing MRT folder needed to stop Reports)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftMRT]
“DontReportInfectionInformation”=dword:00000001
==============================================================
Save the file onto your Desktop like “MRT.reg” (without quotes). Double click on it to run it. Click “Yes/Yes” at the following messages. This is called merging the registry key to the Registry. Now if you look in the Registry at: HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoft
you will see MRT entry with corresponding values.
Reboot the machine.
Win 10 Pro 22H2 | ESET EIS Prem | Mbam Prem | Diskeeper Pro '15 | Macrium Pd v8

HansV
Administrator
Posts: 78236
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Regedit Script Question

Post by HansV »

My guess is that something went wrong when he (or she) posted that. It should have been

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT

I can't believe it would work without the backslashes.
Best wishes,
Hans

CraigS26
2StarLounger
Posts: 155
Joined: 02 Nov 2016, 12:56

Re: Regedit Script Question

Post by CraigS26 »

Thanks, Hans. I was a blind follower at first but think the same.
WHY someone would "expect" Everyone to know this if he omitted \'s for typing convenience is criminal.
Will try again and report back.
Win 10 Pro 22H2 | ESET EIS Prem | Mbam Prem | Diskeeper Pro '15 | Macrium Pd v8

CraigS26
2StarLounger
Posts: 155
Joined: 02 Nov 2016, 12:56

Re: Regedit Script Question

Post by CraigS26 »

Simply by Saving a new Folder ( MRT2.reg with \'s in Script ) to the desktop, and not even Clk'ing twice to Run it, I Now have an MRT Folder where it should have been.
Opening the New Folder with Registry Editor gave the usual warning & stated the Keys Edit had occurred (inexplicable) ... Problem is Nothing about the - “DontReportInfectionInformation”=dword:00000001 - instruction is there, so I'd better leave well enough alone.

On 2nd Thought .... MRT currently shows Type: REG_SZ and Data: value Not Set
Create a New DWORD is Only offered in DWORD 32bit / it's Win 7-64. Is THAT 32 bit only a Game Stopper.
Would the Name of the New DWORD be filled in as - DontReportInfectionInformation - and is the DWORD value 00000001 he gave a Decimal or Hexadecimal block entry ?

2 New Macrium Images this a.m. ... may give a try if you or someone can steer me on the New DWORD-32bit Creation, IF 32 Bit is Proper on Win 7-64.
Thanks again.
Win 10 Pro 22H2 | ESET EIS Prem | Mbam Prem | Diskeeper Pro '15 | Macrium Pd v8
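
Added example, not part of any post in this thread: a small Python linter for .reg text that flags the two copy-and-paste defects visible in the script quoted above (key path without backslashes, typographic quotes) and decodes dword values, which in a .reg file are eight hexadecimal digits. AS_POSTED reproduces the text quoted in the first post, FIXED and its ExampleValue line are constructed here, and lint_reg is a hypothetical helper name; it checks syntax only and says nothing about whether MSRT reads the value.

```python
import re

ROOTS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
HEADER = "Windows Registry Editor Version 5.00"
SMART_QUOTES = "\u201c\u201d\u2018\u2019"   # curly quotes left by blog software
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

def lint_reg(text):
    """Return (problems, dwords) for the text of a .reg file."""
    problems, dwords = [], {}
    lines = [l.strip() for l in text.lstrip("\ufeff").splitlines()]
    lines = [l for l in lines if l and not l.startswith(";")]  # drop blanks/comments
    if lines and lines[0] == HEADER:
        lines = lines[1:]
    else:
        problems.append("missing or wrong header line")
    key = None
    for line in lines:
        if any(q in line for q in SMART_QUOTES):
            problems.append(f'typographic quotes, use plain ASCII quotes: {line}')
        elif line.startswith("["):
            key = line.strip("[]")
            root = next((r for r in ROOTS if key.startswith(r)), None)
            if root is None:
                problems.append(f"unknown root key: {key}")
            elif len(key) > len(root) and key[len(root)] != "\\":
                problems.append(f"no backslash after {root}: {key}")
        elif DWORD.match(line) and key:
            name, digits = DWORD.match(line).groups()
            dwords[(key, name)] = int(digits, 16)   # dword data is hexadecimal
        elif "=dword:" in line:
            problems.append(f"malformed dword (needs 8 hex digits): {line}")
    return problems, dwords

# Text as quoted in the first post (backslashes lost, curly quotes).
AS_POSTED = ("Windows Registry Editor Version 5.00\n\n"
             "[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftMRT]\n"
             "\u201cDontReportInfectionInformation\u201d=dword:00000001\n")

# Constructed corrected form; ExampleValue is made up to show hex decoding.
FIXED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
"DontReportInfectionInformation"=dword:00000001
"ExampleValue"=dword:00000010
'''

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, lint_reg(text))
```
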

Rick Corbett
NewLounger
Posts: 7
Joined: 26 Sep 2017, 00:29

Re: Regedit Script Question

Post by Rick Corbett »

HKEY_LOCAL_MACHINE (aka HKLM) is the system-wide 'machine' registry hive (as opposed to the 'current user' hive [HKCU] which only affects the logged-on user). As such, there are several (many) keys within HKLM which cannot be added/changed just by double-clicking on a .REG file. The Policies sub-key (and its child keys) within HKEY_LOCAL_MACHINE\SOFTWARE is a good example of where you may run into this restriction.

Instead you have to temporarily elevate your account privileges to that of the Administrator (as opposed to the logged on account just being a member of the Administrators group). You do that by opening the Registry Editor (REGEDIT) using the right-click option of Run as administrator then using Import... from the File menu*.

Unfortunately this won't work for what it is that you are trying to achieve, i.e. to stop the Malicious Software Reporting Tool (MSRT) from phoning home. This is because the MSRT is now a portable standalone (since 2015) and no longer keeps its settings in the registry. Instead you have to disallow (i.e. BLOCK) any outbound connection from the MSRT executable in the Windows Firewall (or whatever third-party firewall you use as an alternative).

* This is a bit of a pain so - if I know I'm going to be doing the same on a lot of devices - I usually just create a privilege-elevation script (using AutoHotkey - https://www.autohotkey.com/) that writes the required registry info.

Hope this helps...
Last edited by Rick Corbett on 22 Dec 2018, 21:32, edited 1 time in total.

CraigS26
2StarLounger
Posts: 155
Joined: 02 Nov 2016, 12:56

Re: Regedit Script Question

Post by CraigS26 »

Thanks, Rick. What you say makes sense although the AskWoody.com poster swore he did this on 3 laptops, Ran MSRT, and found no Log evidence of Heartbeat or Maps phoning home.
It's easy to get Privacy Paranoia following Forums. Did it as much for a learning challenge as a wish for promised result. So Far.... No Harm No Foul ...
Haven't had one MSRT popup in 200 years (feeling good) so with all my Security Apps I may skip it awhile.
Thanks again for the Reply.
Win 10 Pro 22H2 | ESET EIS Prem | Mbam Prem | Diskeeper Pro '15 | Macrium Pd v8

Rick Corbett
NewLounger
Posts: 7
Joined: 26 Sep 2017, 00:29

Re: Regedit Script Question

Post by Rick Corbett »

I did a quick check by installing the latest MSRT (Windows-KB890830-x64-V5.67.exe) into a new clean Win 7 Pro x64 VM and running a full scan.

I did a search afterwards and could not find any registry entries nor any scheduled tasks related to MRT.exe.

However, the Microsoft Removal Tool log (C:\Windows\debug\mrt.log) showed that a Heartbeat Report had been submitted:
[Image]

So, blocking in the firewall seems to be the only way to go at the moment, unless MS change the rules again. :smile:

Hope this helps...

CraigS26
2StarLounger
Posts: 155
Joined: 02 Nov 2016, 12:56

Re: Regedit Script Question

Post by CraigS26 »

Thanks again, Rick. Somewhere between the NSA monitoring us and Google/ MS, etc., they probably watch me sleeping anyway and all this Privacy effort is mostly a waste.
Being of only average expertise I enjoy safe attempts at learning ( (ie) w/ Image backups at ready ) .......
All the Best! Craig
Win 10 Pro 22H2 | ESET EIS Prem | Mbam Prem | Diskeeper Pro '15 | Macrium Pd v8