Spybot 1.6.0 completely ignores some user accounts

[jjjdavidson]

I have four Windows XP systems recently updated to Spybot 1.6.0, and I have a frustrating problem with two of them. I posted about part of the problem last week, but I've done more research and that post's out of date.

On the two problem systems, when Spybot 1.6.0 is run normally under the administrator account, it ignores all other user accounts. Only the admin account is immunized. Only the admin account's registry settings are scanned.

To perform a full scan of these systems, I have to run Spybot as an administrator--then I have to individually run a full Spybot scan and immunize on each user account! Yes, 1.6.0 runs a lot faster than 1.5.2, but I still don't want to run it four or five times to do one full scan.

What I've found: Normally, when Spybot starts up (even before the "Loading" progress bar appears), it opens the registry hives for all user accounts on the system. If the account is logged on, Spybot uses the existing key under HKEY_USERS; otherwise it creates a new key for each account named PE_C_ACCOUNTNAME under HKEY_USERS. Spybot keeps these hives open until it shuts down (and leaves them if it gets killed), leading to problems like MrGreg's thread or this thread from March.

But on the two problem systems, Spybot never opens the additional PE_C_ keys, not when it's scanning, not when it's immunizing. So it never sees any user account except the administrator account.

Any idea why Spybot behaves differently on these two machines? Is there some setting I've zorched that says, "Only scan the logged-on account"?

And, perhaps, could the next version of Spybot lock registry hives only on an as-needed basis, so that the other side effects don't arise?

Thanks!

[jjjdavidson]

Okay, after three weeks I have a possible explanation, and a crude workaround. But I'd still like to know what's happening and how to fix it properly.

Possible cause: On MrGreg's thread about locked user hives, PepiMK mentions a command-line parameter, /nouserhives, apparently documented only in the OpenSBI wiki. PepiMK also mentions, "On machines with Terminal Services, this is even the default." The behavior /nouserhives is supposed to cause is exactly the behavior I'm complaining about.

Is it possible for /nouserhives to unintentionally become the default on a standard Windows XP machine? If so, is there a way to defeat it? BTW, I've tried the /allhives parameter, and Spybot still doesn't detect or load the user account hives.

Crude workaraound: Before I run Spybot 1.6 from an admin account, I run a batch file with the following single command. This manually loads all the user hives under keys named zzz-username:

Code:

for /f "usebackq tokens=1-4 delims=\" %%i in (`dir/s/a-d/b "c:\documents and settings\ntuser.dat"`) do reg load "hku\zzz-%%k" "%%i\%%j\%%k\%%l"

After I'm done with Spybot, I unload all the user hives by running another batch file with the command:

Code:

for /f "usebackq tokens=3 delims=\" %%i in (`dir/s/a-d/b "c:\documents and settings\ntuser.dat"`) do reg unload "HKU\ZZZ-%%i"

Once again, can anybody tell me why Spybot 1.6 is ignoring all of the user hives on some of my XP machines, and what else I can do about it?

Thanks!
Jay