Question : Script to modify ntuser.dat

I need a script to modify keys and values in user profile registry hives (ntuser.dat). I need the script to modify the hive directly from the profile. I cannot use a login script that modifies HKCU because the keys I need to get rid of are virus / malware components and if the users log in they will re-infect the computers.

Answer : Script to modify ntuser.dat

Try it with this script. It uses reg.exe, which comes by default in XP, and is included in the Support Tools for W2k.
Adjust the path to the root of your roaming profile folders at the beginning (can be a UNC path as well), and set the registry key and value to delete.
The test is currently in test mode; it will only display the delete command that would be executed otherwise.
The script loads the ntuser.dat in the top-level subfolders of the profile root into the local registry, checks for the value in the given key, and if it finds it, deletes it. The hive is then unloaded.
For testing, you can of course work with copies of the ntuser.dat files in a separate directory.

Windows 2000 SP4 Support Tools
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/supporttools.asp

As usual: No warranties included, use it at your own risk, test it before you apply it in earnest.

====8<----[RemoveVirus.cmd]----
@echo off
setlocal
set ProfileRoot=D:\Profiles
set VirusKey=Software\Microsoft\Windows\CurrentVersion\Run
set VirusValue=VirusStart

for /d %%a in ("%ProfileRoot%\*") do call :process "%%a"
goto leave

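:process
set "RegFile=%~1\ntuser.dat"
echo Processing %RegFile% ...
:: Load the profile's hive under a temporary key. If that fails (no ntuser.dat,
:: hive in use, TempHive still loaded), skip the profile instead of reporting it as clean.
reg load HKU\TempHive "%RegFile%" >NUL 2>&1
if errorlevel 1 goto :LoadFailed

:: reg query sets errorlevel 1 if the value does not exist in the loaded hive.
set Infected=TRUE
reg query "HKU\TempHive\%VirusKey%" /v "%VirusValue%" >NUL 2>&1
if errorlevel 1 set Infected=FALSE
echo ... Infected: %Infected%
if /i %Infected%==FALSE goto :Return

echo Deleting virus key ...
:: *** Test mode: Remove the "ECHO" in front of the following line to arm the script:
ECHO reg delete "HKU\TempHive\%VirusKey%" /v "%VirusValue%"
echo ... done.

:Return
:: Always unload the hive again so the profile is not left locked.
reg unload HKU\TempHive >NUL 2>&1
goto :eof

:LoadFailed
echo ... could not load hive, skipped.
goto :eof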

:leave
====8<----[RemoveVirus.cmd]----
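
A read-only companion to the load/query/unload sequence described in the answer, as an added example that is not part of the original answer: it goes beyond the single-value check and lists every value under the chosen key in each offline hive, so the entries can be reviewed before anything is deleted. Assumptions: PowerShell 3 or later run elevated, reg.exe value lines laid out with four-space column separators, and the names `New-Row`, `Get-OfflineKeyValues` and the default paths are hypothetical.

```powershell
# Added example (not from the original answer): read-only listing of every value
# in one key of each offline ntuser.dat. Run elevated; paths below are placeholders.
param(
    [string]$ProfileRoot = 'D:\Profiles',
    [string]$SubKey      = 'Software\Microsoft\Windows\CurrentVersion\Run',
    [string]$Mount       = 'HKU\TempHive'
)

function New-Row($Hive, $Status, $Name, $Type, $Data) {
    [pscustomobject]@{ Hive = $Hive; Status = $Status; Name = $Name; Type = $Type; Data = $Data }
}

# Hypothetical helper: load one hive, list the values of $SubKey, always unload.
function Get-OfflineKeyValues([string]$HivePath, [string]$SubKey, [string]$Mount) {
    & reg.exe load $Mount $HivePath 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # A hive that cannot be loaded (in use, unreadable) is reported, never counted as clean.
        return New-Row $HivePath 'LoadFailed'
    }
    try {
        $lines = & reg.exe query "$Mount\$SubKey" 2>$null
        if ($LASTEXITCODE -ne 0) { return New-Row $HivePath 'KeyAbsent' }
        foreach ($line in $lines) {
            # Assumed value-line layout: 4 spaces, name, 4 spaces, REG_* type, then data.
            if ($line -match '^\s{4}(.+?)\s{4}(REG_[A-Z0-9_]+)\s*(.*)$') {
                New-Row $HivePath 'Value' $Matches[1] $Matches[2] $Matches[3]
            }
        }
    }
    finally {
        # Runs on every path out of the try block, so the hive never stays mounted.
        & reg.exe unload $Mount 2>&1 | Out-Null
    }
}

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $hive = Join-Path $_.FullName 'ntuser.dat'
    if (Test-Path -LiteralPath $hive) {
        Get-OfflineKeyValues $hive $SubKey $Mount
    } else {
        New-Row $hive 'NoHive'
    }
} | Format-Table -AutoSize
```

Rows with status `LoadFailed` mark profiles that were not inspected at all and need a second pass once the hive is no longer in use.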