Joined: Mon Sep 06, 2010 1:56 pm
Location: Oshawa, Ontario, Canada
Combofix is user specific because of the way the Windows registry works. As an example, when loading any profile, the HKLM hive of the Windows registry is always accessible, since it stores all the vital system information, but the HKCU hive only loads per individual profile. Also, the HKCU registry hive is not located in the C:\windows\system32\config folder but rather in each separate user's file folder.
Actually this is not entirely true, as all user profile hives are actually loaded into the Windows registry, but not under HKCU. All user profiles that are active and non-active are located within the HK_USERS extension, which are uniquely named as S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX. The S-X-X-X numbers represent the profile type, security access, and restrictions.
Since each user profile is uniquely named, this would make it a problem for Combofix to isolate, and it chooses only to read the HKCU hive. However, this is merely a dilemma, as there is indeed a way to bypass this problem. In Windows XP you can always right-click on Combofix and choose "Run As", then enter the credentials of the user you wish to scan. This is also possible with Windows 7, but you need to be running a non-restricted admin account. You can access the default administrator's account.
You can access the non-restricted admin account by opening a command prompt with administrator privileges, then typing in net user administrator /active:yes . However, this account is disabled specifically to avoid infection, so when you're done be sure to repeat the process and type in net user administrator /active:no
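An added PowerShell example (not from the original post, and not ComboFix code) that makes the hive layout described above concrete: it lists which HKEY_USERS subkeys are loaded right now, maps each S-1-5-21 SID to its account name and NTUSER.DAT folder via the ProfileList key, shows that HKCU for the running process is just an alias of HKEY_USERS\<SID> (which is why a tool started with "Run As" reads a different HKCU than the desktop user), and finishes with a defender's check that the built-in Administrator account is disabled again after the net user step. The function names are my own; the script assumes Windows 10/11 with Get-LocalUser available and an elevated prompt.

```powershell
# Added example (not from the original post): show that HKCU is a view of one
# HKEY_USERS subkey, enumerate the per-user hives currently loaded, and map each
# loaded SID back to its account name and profile folder.
# Assumes Windows 10/11 (Get-LocalUser from Microsoft.PowerShell.LocalAccounts)
# and an elevated PowerShell session for full HKEY_USERS visibility.

function Get-LoadedUserHives {
    # Each S-1-5-21-... subkey under HKEY_USERS is one user's NTUSER.DAT, mounted
    # only while that profile is loaded. The *_Classes keys are the per-user
    # HKCR overlay (UsrClass.dat) and are skipped here.
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid = $_.PSChildName
            # Resolve the SID to DOMAIN\user; SIDs of deleted accounts cannot be resolved.
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $account = '<unresolved>' }
            # ProfileList records which folder holds this SID's NTUSER.DAT.
            $profilePath = (Get-ItemProperty -Path "$profileList\$sid" -Name ProfileImagePath `
                -ErrorAction SilentlyContinue).ProfileImagePath
            [pscustomobject]@{
                SID         = $sid
                Account     = $account
                ProfilePath = $profilePath
                HiveFile    = if ($profilePath) { Join-Path $profilePath 'NTUSER.DAT' } else { $null }
            }
        }
}

function Show-CurrentUserHiveMapping {
    # HKCU for the running process is HKEY_USERS\<SID> of the token that started it.
    # A scanner launched via "Run As" therefore sees that user's hive, not the desktop user's.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    [pscustomobject]@{
        CurrentUserSID = $sid
        HKCUIsAliasOf  = "HKEY_USERS\$sid"
        KeyExists      = Test-Path "Registry::HKEY_USERS\$sid"
    }
}

function Test-BuiltinAdministratorDisabled {
    # Follow-up check after "net user administrator /active:no": the built-in
    # Administrator account always has RID 500, so match on that rather than on the name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    return (-not $admin.Enabled)
}

Show-CurrentUserHiveMapping | Format-List
Get-LoadedUserHives | Format-Table -AutoSize
"Built-in Administrator disabled: $(Test-BuiltinAdministratorDisabled)"
```

Running this twice, once from the normal desktop session and once from a "Run As" prompt for another user, shows CurrentUserSID change while the same set of hives stays loaded under HKEY_USERS; the last line should print True once the account has been re-disabled.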