Posted by: Ed Tittel
PsExec lets you overpower Windows permissions to delete anything you want; PsExec provides ability to run programs at System-level permissions
OK, so it may be too much of a stretch to compare rooting out a stubborn Registry key to Lady Macbeth’s lamentations, but it’s my blog and I can steal a line from Shakespeare with the best of them. In this case, I’m inspired by Scott Hanselman’s Computer Zen blog post entitled “How to REALLY hurt yourself with PSEXEC – Deleting the Undeletable Registry Key and More.” In a nutshell. this post explains how he got stuck with some Registry keys related to no less than SEVEN virtual network interfaces inside a VM and found himself unable to remove the registry keys responsible for their continued existence — and maddening consumption of system resources — despite running regedit.exe from an administrator account.
This whole story hinges on the wonderful Sysinternals utility called PsExec, which lets administrative users launch programs with arbitrary user rights. Hanselman couldn’t get regedit to delete the registry keys for the bogus virtual network adapters he wanted to remove from his system. Even in an account belonging to the Administrators group he was getting “Access Denied” errors when he tried to remove those registry keys.
PsExec let him load the regedit program and run it interactively at a System level of permissions (where anything is possible, and where “severe tire damage” far too likely for those who don’t proceed carefully, and don’t know in great detail what they are doing). The command syntax looks like this:
psexec -s -i regedit.exe
In this context, it’s also worth repeating Hanselman’s warnings about taking this approach to overpowering built-in Windows restrictions on deleting key registry keys, files, and other objects:
If there was one tool that really “takes the safety off the gun,” it’s PsExec. You can hurt yourself and your system with PsExec in ways where you’ll not realize until it’s too late. There aren’t enough words with big enough fonts and scary enough evocative stock photography to fully express how dangerous this tool is.
Wow! Nothing gets me as excited as the ability to do myself infinite harm, so I dove right into my Sysinternals tool directory and fired up a couple of programs using this very approach to see what I could get away with. Indeed, regedit performed as described and I was able to go in and delete anything I wanted to (which I immediately restored so as not to do any damage). The same trick also works for launching cmd.exe, and then you can use the command line to delete any Windows file you might want to get rid of without restrictions (the remorse could come later if you really shot yourself in the foot).
I think this is a great technique for Windows systems admins to add to their bag of tricks, but it really is one of those approaches that should be treated with extreme care and caution. Unless you know exactly what you’re doing and restrict your actions to repairing mistakes that Windows and other software can inflict on your system, you might be in for a world of hurt with this technique. My advice is to use it only for extremely limited purposes, and only when other tools or techniques just won’t or can’t fix your problems.