Many years ago when I was still a novice in computers, I accidentally disabled userinit.exe from startup using the Sysinternals tool Autoruns, thinking that it was spyware. When I restarted the computer, I was unable to log in to Windows. Whenever I selected the user from the list, it logged in and automatically logged off. I had a really tough time trying to restore userinit.exe back to the Windows startup list as it wasn’t easy accessing and editing the registry when Windows was unbootable. Autoruns is much smarter now because when you uncheck userinit.exe from Logon, it will warn you that “disabling or deleting Userinit will prevent users from logging on”.
In the end I managed to fix the problem but couldn’t exactly remember how I did it because I tried many, many ways and I got lucky. I eventually found a real solution on how to edit Windows registry key values without booting into Windows. This is also useful for editing malicious startup items such as rogueware and ransomware. If you are in a similar situation to mine and need to edit the registry without Windows, then here is how to do it.
This first method uses a great free tool called PC Regedit which lets you create, delete and edit Windows registry key values without Windows.
2. Burn the downloaded PCRegedit.iso to a CD. Refer to this guide on how to burn ISO images on a CD.
3. Boot up the computer with the PC Regedit disc and it will load up ISOLINUX.
4. When everything is loaded, you will see a MyFileChooser Title window. By default you are at the Config folder. Scroll down a little, select SOFTWARE and click OK.
5. Navigate to Root -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon.
6. Look for the Userinit key and make sure that the value is set as:
C:\Windows\System32\Userinit.exe, (including the comma)
If the Userinit key is not there, you can add a new key by right-clicking in the right pane and selecting Add Key.
You can use this method to load other registry files and edit them. Here is an explanation of the 5 registry files for HKEY_LOCAL_MACHINE.
Registry Location: HKEY_LOCAL_MACHINE\SOFTWARE
Registry Location: HKEY_LOCAL_MACHINE\SECURITY
Registry Location: HKEY_LOCAL_MACHINE\SYSTEM
Registry Location: HKEY_LOCAL_MACHINE\SAM
Registry Location: HKEY_CURRENT_USER
Registry Location: HKEY_USERS\.DEFAULT
On Windows NT-based systems such as Windows NT, 2000, XP, Vista and 7, each user’s settings are stored in their own files called NTUSER.DAT and USRCLASS.DAT inside their own Documents and Settings subfolder (or their own Users subfolder in Windows Vista or 7).
This method involves using the popular Hiren’s Boot CD and its Mini Windows XP feature to edit the registry.
1. Download the Hiren’s Boot CD ISO.
2. Burn the downloaded Hirensbootcd.iso to a disc. Refer to this guide on how to burn ISO images on a CD.
3. Boot up the computer with the Hiren disc and at the menu select “Mini Windows XP”.
4. When the Mini XP is loaded, click the Hiren menu icon in the tray -> Registry -> Registry Editor PE.
5. When asked to, set the remote Windows directory (usually C:\Windows) and press OK.
6. Click OK on each window to select the related registry hive. If you want to edit a registry value from HKEY_CURRENT_USER you will need to select Yes when asked if you want to load an NTUSER.DAT and locate the file in the user directory.
7. Expand HKEY_LOCAL_MACHINE and the hives will automatically load with the _REMOTE_ prefix. Navigate to _REMOTE_SOFTWARE -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon
8. Double-click Userinit and set its value to “C:\Windows\System32\Userinit.exe,”. Make sure you include the comma at the end after Userinit.exe; it is there by default.
9. Close the registry editor and the hives will be automatically unloaded.
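The same check and repair can also be scripted when the affected disk is attached to a working Windows machine. This is an added example, not part of the original article, and it goes beyond the GUI steps above. The D:\Windows mount point and the OFFLINE_SOFTWARE key name are assumptions.

```powershell
# Added example: inspect and optionally repair Userinit in an offline SOFTWARE hive.
# Assumptions (not from the article): elevated PowerShell on a working Windows
# system, with the broken installation's disk mounted as D:.
param(
    [string]$OfflineWindows = 'D:\Windows',   # assumed mount point of the broken install
    [switch]$Repair                           # write the default value back when set
)

$hiveFile = Join-Path $OfflineWindows 'System32\config\SOFTWARE'
$mount    = 'OFFLINE_SOFTWARE'                # hypothetical temporary key name under HKLM
$keyPath  = "HKLM:\$mount\Microsoft\Windows NT\CurrentVersion\Winlogon"
# The value must use the drive letter the repaired system sees when it boots (C:),
# not the letter the disk has on the machine doing the repair.
$binary   = 'C:\Windows\System32\Userinit.exe'
$expected = "$binary,"

reg.exe load "HKLM\$mount" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $hiveFile" }

try {
    $current = (Get-ItemProperty -Path $keyPath -Name Userinit -ErrorAction SilentlyContinue).Userinit
    "Current Userinit: '$current'"

    # Userinit is a comma-separated list of programs run at logon; report
    # every entry that is not the stock userinit.exe (-ne ignores case).
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $extra   = @($entries | Where-Object { $_ -ne $binary })
    if ($extra.Count) { "Unexpected entries: $($extra -join '; ')" }
    if (-not $entries.Count) { 'Userinit is missing or empty: logon will fail.' }

    if ($Repair -and $current -ne $expected) {
        # reg.exe add creates the value if it is absent and overwrites it otherwise.
        reg.exe add "HKLM\$mount\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d $expected /f | Out-Null
        "Userinit reset to '$expected'"
    }
}
finally {
    # Release PowerShell's handles on the hive so the unload can succeed.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    reg.exe unload "HKLM\$mount" | Out-Null
}
```

Run it once without -Repair to review what the value currently contains, then again with -Repair to write the default back.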
The 3rd and 4th methods can be found on page 2.