[Bug 26621] KidStarter Shell installer needs 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon' registry key present

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Sep 5 12:35:27 CDT 2015 

https://bugs.winehq.org/show_bug.cgi?id=26621

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net
            Summary|KidStarter: Fails to        |KidStarter Shell installer
                   |install                     |needs
                   |                            |'HKLM\\SOFTWARE\\Microsoft\
                   |                            |\Windows
                   |                            |NT\\CurrentVersion\\Winlogo
                   |                            |n' registry key present

--- Comment #6 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

likely abandonware (no download) but well.

Austin's log shows this:

--- snip ---
...
003a:trace:msi:ACTION_CustomAction Handling custom action
L"KidStarterInstallShell" (c01 L"KSCustomD" L"KidStarterInstallShell") 
...
003a:trace:msi:msi_get_property returning L"austin,C:\\Program Files\\Brilliant
Software\\KidStarter\\KidStarter.Shell.exe" for property
L"KidStarterInstallShell"
003a:trace:msi:msi_set_property 0x14ab38 L"CustomActionData"
L"austin,C:\\Program Files\\Brilliant
Software\\KidStarter\\KidStarter.Shell.exe" 
...
003a:trace:msi:HANDLE_CustomType1 Calling function L"KidStarterInstallShell"
from L"C:\\users\\austin\\Temp\\msiaa4e.tmp" 
...
0042:trace:msi:ACTION_CallDllFunction calling L"KidStarterInstallShell" 
...
0042:Call msi.MsiRecordSetStringW(00000003,00000000,0e0b0f88 L"Shell path is
C:\\Program Files\\Brilliant Software\\KidStarter\\KidStarter.Shell.exe")
ret=057b53ea 
...
0042:Call advapi32.RegOpenKeyExW(80000002,057cf130
L"SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon",00000000,0002001f,0553e628) ret=057b23e0
0042:Ret  advapi32.RegOpenKeyExW() retval=00000002 ret=057b23e0 
...
0042:Call msi.MsiRecordSetStringW(00000003,00000000,0e0b0f88 L"Failed to open
registry key SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon (2)")
ret=057b53ea 
...
0042:trace:msi:DllThread custom action (42) returned 1603 
...
003a:err:msi:ITERATE_Actions Execution halted, action L"KidStarterInstallShell"
returned 1603 
--- snip ---

Which suggests it wants to register a replacement shell.
Frequently used by simple minded malware/trojans.

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list