Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > alt.comp.os.windows-10 > #183961 > unrolled thread

No CMD

Back to article view | Back to alt.comp.os.windows-10

Contents

  No CMD Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-25 10:36 +0100
    Re: No CMD Paul <nospam@needed.invalid> - 2025-04-25 06:31 -0400
    Re: No CMD VanguardLH <V@nguard.LH> - 2025-04-25 06:05 -0500
      Re: No CMD Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-25 14:42 +0100
        Re: No CMD MikeS <MikeS@fred.com> - 2025-04-25 15:47 +0100
        Re: No CMD Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-25 16:16 +0100
          Re: No CMD VanguardLH <V@nguard.LH> - 2025-04-25 12:53 -0500
            Re: No CMD Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-25 20:05 +0100
              Re: No CMD VanguardLH <V@nguard.LH> - 2025-04-25 20:53 -0500
                Re: No CMD Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-26 12:00 +0100
                  Re: No CMD Frank Slootweg <this@ddress.is.invalid> - 2025-04-26 15:01 +0000
                    Change of Subject (was: No CMD) VanguardLH <V@nguard.LH> - 2025-04-26 18:50 -0500
                      Re: Change of Subject Hank Rogers <Hank@nospam.invalid> - 2025-04-26 19:13 -0500
                        Re: Change of Subject VanguardLH <V@nguard.LH> - 2025-04-26 19:40 -0500
                      Re: Change of Subject Daniel70 <daniel47@eternal-september.org> - 2025-05-03 22:58 +1000
                        Re: Change of Subject VanguardLH <V@nguard.LH> - 2025-05-03 09:47 -0500
                  Re: No CMD Stan Brown <the_stan_brown@fastmail.fm> - 2025-04-26 15:48 -0700
      Re: No CMD "...winston" <winstonmvp@gmail.com> - 2025-04-25 11:12 -0400
        Re: No CMD Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-25 17:19 +0100
    SOLVED Ed Cryer <ed@somewhere.in.the.uk> - 2025-04-25 17:40 +0100
      Re: SOLVED Paul <nospam@needed.invalid> - 2025-04-25 16:19 -0400
      Re: SOLVED VanguardLH <V@nguard.LH> - 2025-04-25 22:19 -0500
      Re: SOLVED Ed Cryer <ed@somewhere.in.the.uk> - 2025-05-13 18:47 +0100
    Re: No CMD Stan Brown <the_stan_brown@fastmail.fm> - 2025-04-25 13:14 -0700
      Re: No CMD Char Jackson <none@none.invalid> - 2025-04-26 00:14 -0500
        Re: No CMD "R.Wieser" <address@is.invalid> - 2025-04-26 11:02 +0200
          Re: No CMD Char Jackson <none@none.invalid> - 2025-04-26 20:48 -0500
            Re: No CMD "R.Wieser" <address@is.invalid> - 2025-04-27 08:45 +0200
        Re: No CMD Stan Brown <the_stan_brown@fastmail.fm> - 2025-04-26 15:52 -0700
        Re: No CMD VanguardLH <V@nguard.LH> - 2025-04-26 19:36 -0500
          Re: No CMD "R.Wieser" <address@is.invalid> - 2025-04-27 13:12 +0200
            Re: No CMD John <Man@the.keyboard> - 2025-04-28 20:11 +0100
              Re: No CMD "R.Wieser" <address@is.invalid> - 2025-04-28 23:15 +0200

Page 2 of 2 — ← Prev page 1 [2]

#184013 — Re: SOLVED

On Fri, 4/25/2025 12:40 PM, Ed Cryer wrote:
> Ed Cryer wrote:
> 
> I ran this on Powershell.
> 
> echo off
> reg delete "HKCU\Console" /f
> reg delete "HKCU\Software\Microsoft\Command Processor" /v "AutoRun" /f
> reg delete "HKLM\Software\Microsoft\Command Processor" /v "AutoRun" /f
> reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
> Execution Options\cmd.exe" /f
> echo done
> 
> Ed

The last key in the sequence, is used for exploits.
"Image File Execution Options" is used by malware, for persistence.
So the item listed in the key, gets run any time there is an
attempt to launch a shell. I could put "mallory.exe" in the key
in place of "cmd.exe".

Instead of executing the renewal of that line, you would want to look in
Regedit and see what was previously sandwiched in there.

Consider what the most recent "low reputation" installer or executable
file might have been.

I'm really surprised Windows Defender would let a random EXE near that.

   Paul

[toc] | [prev] | [next] | [standalone]

#184037 — Re: SOLVED

Ed Cryer <ed@somewhere.in.the.uk> wrote:

> reg delete "HKCU\Console" /f

You wiped the default command shells.  Under there, I have the following
subkeys:

[HKEY_CURRENT_USER\Console]
  several data items for config of command shells
[HKEY_CURRENT_USER\Console\%%Startup]
[HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe]
  data items to define config for cmd.exe
[HKEY_CURRENT_USER\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe]
  data items to define config for PS
[HKEY_CURRENT_USER\Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe]
  data items to define config for PS (alt location)

I did not see anything there that would prevent loading cmd.exe;
however, the key names themselves contain paths to the executable.
Since the Console key is now gone, no way to know if those subkeys were
named properly.

> reg delete "HKCU\Software\Microsoft\Command Processor" /v "AutoRun" /f
> reg delete "HKLM\Software\Microsoft\Command Processor" /v "AutoRun" /f

The Command Processor key is not defined in my Windows 10 setup.  From
what I found, it was used in the past in older versions of Windows.  It
was where the properties were stored for the command shell configs, but
are now under the Console key for Windows 10.  The Command Processor
keys are not needed in Windows 10, and no longer supported hence
ignored.  Are the Windows running on your computer fresh installs, or
are they upgrades?  This carry-over of pollution or no-longer-supported
registry entries along with all other orphaned entries in the registry,
like from dirty uninstalls, is why I always do fresh installs of the OS.

You said you ran DISM, but gave no details on just what arguments you
used.  Did you run:

dism /Online /Cleanup-Image /CheckHealth  (general checkup)
or
dism /Online /Cleanup-Image /ScanHealth   (more detailed checkup)

dism /Online /Cleanup-Image /RestoreHealth
  Connects to MS update servers to download and replace damaged files.  
  If it cannot replace damaged files, or you don't have an Internet 
  connection, you can specify a source image for reference.  You can use 
  an install.wim or install.esd file from another computer, install 
  media, or ISO file; however, the source must match the version, 
  edition, and language of the instance of Windows you are trying to 
  repair.  If you need to use a source other than the one included in   
  the current instance of Windows, use:
dism /Online /Cleanup-Image /RestoreHealth /Image:<offlineimagefile>
        I've seen /Source used instead ____|____|

Optionally you could follow-up with:

dism /Online /Cleanup-Image /AnalyzeComponentStore        
dism /Online /Cleanup-image /Startcomponentcleanup [/ResetBase]
  Can take 1 to 2 hours to complete.  The optional /ResetBase will 
  cleanout the C:\Windows\WinSxS folder by removing all superseded 
  versions of every component.

And lastly run:

sfc /scannow 

All of this is doing brain surgery on the OS, so first save an image
backup.  All this repairing could make things worse, so you may need to
restore from the image backup to, at least, get back to the prior state
of the OS even if it resumes whatever problem you are trying to resolve.

> reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe" /f

Since you deleted this subkey without looking at what data items were
defined under it, no way to tell if there was a cmd.exe named subkey,
and if it specified some untoward behavior -- but if it did then likely
you are infected.  I'll bow to Paul on what this key is used for.  I did
find:

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/image-file-execution-options

This key exists in my Windows 10 setup, and with 53 subkeys named for an
executable file.  However, I do not have subkeys named cmd.exe or
command.com under there.  Maybe you did.  *IF* there was a subkey named
cmd.exe then you deleted it.  If there was not, there was nothing to
delete, and the 'reg delete' command was worthless.

https://securityblueteam.medium.com/utilizing-image-file-execution-options-ifeo-for-stealthy-persistence-331bc972554e

That touches on what Paul mentioned regarding persistence of malware.
IFEO (Image File Executions Options) lets developers attach a debugger
to an application or process.  Allows running the debugger at the time
the application is running.  More info at:

https://hejelylab.github.io/blog/IRC/Persistence-IFEO

With Windows Defender not catching anything in a manual scan, I'd
suggest getting a 2nd-opinion AV scanner.  I've used Malwarebytes
Anti-Malware (MBAM) in the past.  You only want ONE on-access (realtime)
AV scanner running at a time, so after installing MBAM you configure it
to NOT use its on-access scanner.  You only want to use it as an
on-demand (manual) scanner to get a 2nd-opinion.  I believe MBAM will
look at IEFO entries in the registry since they mention IEFO at:

https://www.malwarebytes.com/blog/news/2015/12/an-introduction-to-image-file-execution-options

Since IEFO has legitimate use for debugging, the only way I can think
that MBAM would detect a bad subkey here is if it pointed to some
malware, but then MBAM should find that source in a scan.  The problem
in removing malware is that you chop the legs off of it, but remnants
left behind can cause problem.  A cmd.exe named subkey with a data item
pointing to an executable that no longer exists can cause problems
trying to run the program for which the subkey is named.

I could not find a search at https://forums.malwarebytes.com/ to see if
IEFO was discussed, and if MBAM covers looking at those subkeys.
Apparently you need a forum account to login to then do a search.  I did
an external search using:

https://www.google.com/search?q=image%20file%20execution%20options%20iefo%20site%3Aforums.malwarebytes.com&sei=SFAMaMPIE-TnwN4P2Y2L0AE

and IEFO is discussed there.  Perhaps MBAM looks at to where those IEFO
subkeys point, but more likely it detects the malware source to
eradicate which could then leave those IEFO subkeys pointing at
no-longer-existing [debugger] executables.  Disinfecting your computer
can leave behind scars.

[toc] | [prev] | [next] | [standalone]

#184429 — Re: SOLVED

Ed Cryer wrote:
> Ed Cryer wrote:
> 
> I ran this on Powershell.
> 
> echo off
> reg delete "HKCU\Console" /f
> reg delete "HKCU\Software\Microsoft\Command Processor" /v "AutoRun" /f
> reg delete "HKLM\Software\Microsoft\Command Processor" /v "AutoRun" /f
> reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
> Execution Options\cmd.exe" /f
> echo done
> 
> Ed

This solution had a side effect. Next boot of the system produced a 
black screen with a CMD box; and when I x'd off the box the screen 
stayed black.
I learned that entering "explorer.exe" in the box restored normality.
Subsequently I found the crucial Shell registry setting, which had 
changed from "explorer.exe" to CMD.

Ed

[toc] | [prev] | [next] | [standalone]

#184012

On Fri, 25 Apr 2025 10:36:11 +0100, Ed Cryer wrote:
> On two of my Win10 systems, I can swap between Powershell and command 
> prompt. But on the third there's a most peculiar problem.
> Settings/Personalisation/Taskbar has the option to switch between the 
> two. When I set it to CMD, CMD appears for a second in a tiny window and 
> then disappears. I can't get it to stay put.

You need to invoke it with the /k option, and the only way I know to 
do that is to put the command in a shortcut.

-- 
Stan Brown, Tehachapi, California, USA         https://BrownMath.com/
Shikata ga nai...

[toc] | [prev] | [next] | [standalone]

#184042

On Fri, 25 Apr 2025 13:14:45 -0700, Stan Brown
<the_stan_brown@fastmail.fm> wrote:

>On Fri, 25 Apr 2025 10:36:11 +0100, Ed Cryer wrote:
>> On two of my Win10 systems, I can swap between Powershell and command 
>> prompt. But on the third there's a most peculiar problem.
>> Settings/Personalisation/Taskbar has the option to switch between the 
>> two. When I set it to CMD, CMD appears for a second in a tiny window and 
>> then disappears. I can't get it to stay put.
>
>You need to invoke it with the /k option, and the only way I know to 
>do that is to put the command in a shortcut.

I can't imagine why you'd need /k on a cmd shortcut. When you launch cmd
from a shortcut, it already stays open without the /k option.

[toc] | [prev] | [next] | [standalone]

#184045

Char,

> I can't imagine why you'd need /k on a cmd shortcut.

What the OP describes happens when then an "execute this" part has been 
addded without the /k argument.

IOW, the OP /might/ not have told us everything.

Besides, adding it (just after the first, ending on \CMD.EXE, part) sounds 
like a good idea as a debugging step.  If the console window than stays open 
...


And for the record, I've got several cmd shortcuts using the /k argument and 
a batchfile which does some initializing for me.

Regards,
Rudy Wieser

[toc] | [prev] | [next] | [standalone]

#184093

On Sat, 26 Apr 2025 11:02:17 +0200, "R.Wieser" <address@is.invalid>
wrote:

>Char,
>
>> I can't imagine why you'd need /k on a cmd shortcut.
>
>What the OP describes happens when then an "execute this" part has been 
>addded without the /k argument.

I think I misunderstood. I thought we were talking about a shortcut that
only launches a Command Prompt that does nothing, waiting for me to type
a command, rather than a shortcut that launches a Command prompt that
immediately executes a command. I always do the former, never the
latter, but I think you're taking about the latter, right? 


>IOW, the OP /might/ not have told us everything.
>
>Besides, adding it (just after the first, ending on \CMD.EXE, part) sounds 
>like a good idea as a debugging step.  If the console window than stays open 
>...
>
>
>And for the record, I've got several cmd shortcuts using the /k argument and 
>a batchfile which does some initializing for me.

Cool, thanks.

[toc] | [prev] | [next] | [standalone]

#184095

Char,

>>> I can't imagine why you'd need /k on a cmd shortcut.
>>
>>What the OP describes happens when then an "execute this" part
>> has been addded without the /k argument.
>
> I think I misunderstood. I thought we were talking about a shortcut
> that only launches a Command Prompt that does nothing,

I assumed the same.

BUT :

1) The OP described something that matches behaviour of the presense of an 
"execute this" part.  So, I applied "occam's razor" : the simpelest 
explanation is also the most likely one. :-)

2) There was a suggestion to add the /k argument, and you could not imagine 
its use.  So I supplied one.

Two seperate things.

Regards,
Rudy Wieser

[toc] | [prev] | [next] | [standalone]

#184086

On Sat, 26 Apr 2025 00:14:31 -0500, Char Jackson wrote:
> 
> On Fri, 25 Apr 2025 13:14:45 -0700, Stan Brown
> <the_stan_brown@fastmail.fm> wrote:
> 
> >On Fri, 25 Apr 2025 10:36:11 +0100, Ed Cryer wrote:
> >> On two of my Win10 systems, I can swap between Powershell and command 
> >> prompt. But on the third there's a most peculiar problem.
> >> Settings/Personalisation/Taskbar has the option to switch between the 
> >> two. When I set it to CMD, CMD appears for a second in a tiny window and 
> >> then disappears. I can't get it to stay put.
> >
> >You need to invoke it with the /k option, and the only way I know to 
> >do that is to put the command in a shortcut.
> 
> I can't imagine why you'd need /k on a cmd shortcut. When you launch cmd
> from a shortcut, it already stays open without the /k option.

You're right. I typically run cmd with a canned command in a 
shortcut, and I assumed (oops) that it behaved the same with other 
launch methods.

-- 
Stan Brown, Tehachapi, California, USA         https://BrownMath.com/
Shikata ga nai...

[toc] | [prev] | [next] | [standalone]

#184091

Char Jackson <none@none.invalid> wrote:

> Stan Brown <the_stan_brown@fastmail.fm> wrote:
> 
>> You need to invoke it with the /k option, and the only way I know to
>> do that is to put the command in a shortcut.
> 
> I can't imagine why you'd need /k on a cmd shortcut. When you launch cmd
> from a shortcut, it already stays open without the /k option.

We wouldn't know what was in the OP's shortcut if that's how he started
it.  Could be the shortcut [loads a cmd shell to] interpret a batch
file, and it is in the batch script that cmd.exe gets used.  That is, a
batch file is a wrapper to cmd.exe.  For example, create an example.bat
file containing:

echo List users ...
cmd.exe /c net users
echo
echo Check if Administrator is listed.

Then create a shortcut pointing to example.bat.  When you double-click
the shortcut, you see the console window appear for a second, and it
disappears.  I've used batch scripts to do setup before cmd.exe, check
status afterward, and perform other actions both before and after the
cmd.exe call.  If I want the 2nd shell to pause for whatever it called
to execute that doesn't itself halt to show output, I have to change /c
to /k in either the batch script's call of cmd.exe, or to the cmd.exe
that the shortcut runs (like, "cmd.exe /k <progOrbatchfile>").  

In the OP's case, he had corrupted registry entries regarding the
command shell.  Since he deleted those registry entries, we don't know
what they specified as to what really was to run as the command shell.
They could've effected the same as the above shortcut scenario: they ran
a different shell than cmd.exe, or some wrapper/debugger on cmd.exe.

[toc] | [prev] | [next] | [standalone]

#184102

Vanguard,

> For example, create an example.bat
> file containing:
>
> echo List users ...
> cmd.exe /c net users
> echo
> echo Check if Administrator is listed.

Any reason you used "cmd.exe /c " there ?   You're already in a commandline 
environment when you execute it (remove it and be amazed).

> I've used batch scripts to do setup before cmd.exe, check
> status afterward, and perform other actions both before and
> after the cmd.exe call.

Funny, I've been doing the same for years now, but have never had a(ny) need 
for that "cmd.exe /c ".

> If I want the 2nd shell to pause for whatever it called
> to execute that doesn't itself halt to show output, I have to
> change /c to /k in either the batch script's call of cmd.exe,

That, an automatic cleanup after manually exiting a second commandline 
shell, would be one of the /very few/ reasons to open a second shell with 
the /k switch.

> or to the cmd.exe that the shortcut runs

... and that destroys the whole benefit of the above (the "automatic 
cleanup" would be executed before you got control).

> In the OP's case, he had corrupted registry entries regarding
> the command shell.  Since he deleted those registry entries,
> we don't know what they specified

Remarkable that you just know those lines where corrupted*, even though you 
have no idea what was in them.

* and not, for example, just altered due to having changed some settings in 
a dialog.

But I guess "corrupted" sounds way more important than "inadvertedly 
changed".

Regards,
Rudy Wieser

[toc] | [prev] | [next] | [standalone]

#184123

On Sun, 27 Apr 2025 13:12:25 +0200, "R.Wieser" <address@is.invalid>
wrote:

>Vanguard,
>
>> For example, create an example.bat

 <<snipped>> 

>> In the OP's case, he had corrupted registry entries regarding
>> the command shell.  Since he deleted those registry entries,
>> we don't know what they specified

 Uhm, don't Windows keep back-up copies of the Registry all over the
damned computer? Mine always has. 

 I thought that the only way of not doing so is to have extremely iffy
malware running about, stuff that deliberately mungs Windows to
prevent back-ups from forming so removing the malware is less easy. 

 Or are W-10 and W-11 different? 

>
>Remarkable that you just know those lines where corrupted*, even though you 
>have no idea what was in them.
>
>* and not, for example, just altered due to having changed some settings in 
>a dialog.
>
>But I guess "corrupted" sounds way more important than "inadvertedly 
>changed".

 Same thing, only more official and scary, yes? 

 Which, I suppose was your point. :) 

                                                 J. 

>
>Regards,
>Rudy Wieser
>

[toc] | [prev] | [next] | [standalone]

#184132

John,

>>> In the OP's case, he had corrupted registry entries regarding
>>> the command shell.  Since he deleted those registry entries,
>>> we don't know what they specified
>
> Uhm, don't Windows keep back-up copies of the Registry all over the
> damned computer? Mine always has.

Are you sure you are responding to the correct person ?   That "In the OP's 
case" was said by VanguardLH, not me (Rudy Wieser).

And no, mine never did.  Than again, I'm (still) not using Win10. :-)

>>But I guess "corrupted" sounds way more important than
>> "inadvertedly changed".
>
> Same thing, only more official and scary, yes?
>
> Which, I suppose was your point. :)

Not my point, no.   What was is that the intention behind both is rather 
different.

Vanguard had, by his own admission, nothing to base his "corrupted" claim 
on, yet he did.  Why ?   Bluntly said, he was lying for some reason.

"inadvertedly changed" (directly or indirectly by the user) was *way* more 
likely, but it just hasn't got any "definitive cause" sound to it.

Regards,
Rudy Wieser

[toc] | [prev] | [standalone]

Page 2 of 2 — ← Prev page 1 [2]

Back to top | Article view | alt.comp.os.windows-10

csiph-web