[7SP1HomePre x64] Weird Chinese symbols in registry

[BrianDrab]

Let's make sure things are auditing as expected. Please open up regedit again, select HKEY_CURRENT_USER and then add a key in here named Sysnative. Then close the registry and do the following.

Retrieve Security Event Log
1. Right-click on the Start button and select Event Viewer
2. Click the arrow next to Windows Logs and then click on the Security log.
3. Right-click on the Security Log and choose Save All Events As...
4. Select your desktop as the location to save and type Security for the File name and click Save.
5. If you are using a language on your machine other than English then on the next screen please ensure to select Display information for English and click OK. Otherwise you can simply click OK.
6. There will be a file on your desktop named Security.evtx. Right-click on this file and choose Send To..Compressed (zipped folder) which will create a file named Security.zip.
7. Please upload this file to SendSpace and provide the link in your next post.

[carl a]

I feel like a computer tech doing this high tech stuff.Download security.evtx from Sendspace.com - send big files the easy way

[BrianDrab]

You did a good job. Everything is set up correctly. You can re-install your AV now if you like and use the computer like normal. If the weird characters ever come back we can look in the Security Event log and it will let us what process created the keys. For example we can see what created the Sysnative key.

Code:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/17/2017 11:31:08 PM
Event ID:      4657
Task Category: Registry
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      carl-PC
Description:
A registry value was modified.
Subject:
 Security ID:  S-1-5-21-3047833663-3766033810-2322992743-1002
 Account Name:  carl
 Account Domain:  carl-PC
 Logon ID:  0x1960F
Object:
 Object Name:  \REGISTRY\USER\S-1-5-21-3047833663-3766033810-2322992743-1002\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
 Object Value Name: LastKey
 Handle ID:  0xf8
 Operation Type:  Existing registry value modified
Process Information:
 Process ID:  0xad4
 Process Name:  C:\Windows\regedit.exe
Change Information:
 Old Value Type:  REG_SZ
 Old Value:  Computer
 New Value Type:  REG_SZ
 New Value:  Computer\HKEY_CURRENT_USER\sysnative

[carl a]

Great ! do I still keep the sysnative key in the registry or delete it? Thanks for your time and expertise . I am always learning from the tech team of the forum kudos, kudos , kudos long live the forum.

[BrianDrab]

do I still keep the sysnative key in the registry or delete it?

You can delete it. It was just a test.

[carl a]

Good Morning Sysnative forum you can label this thread solved by Brian and Corrine because after I followed their directions I have not seen any weird keys or characters in my registry. How Brian and Corrine teamed up and came up with the unseen solution was terrific. Thanks a million, I love working with you guys and especially Brian because I have had the privilege of working with him the most and I love his work ethics.

[Corrine]

You're certainly right about Brian! He is amazing.

[carl a]

Corrine you are humble and fabulous at the same time .

[Corrine]

Thank you, Carl.