OS/2 subsystem enabled

Risk Level: Low

Check or Attack Name: OS/2 Subsystem Enabled

Platforms: Windows NT

Description:

The OS/2 subsystem is enabled. Enabling the OS/2 subsystem can allow a process to persist across logins.

Remedy:

Change the registry to remove access to the OS/2 subsystem and remove the file that controls the OS/2 subsystem.

WARNING: Incorrectly using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

To remove the OS/2 subsystem from Windows NT, follow these steps:

  1. Open the Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
  2. Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems key.
  3. Locate the Os2 value.
  4. Write down the file name that is referenced by the value's data.
  5. Delete the registry value.

To remove the files associated with the OS/2 subsystem, follow these steps:

  1. Open Windows NT Explorer or My Computer.
  2. Using the path and file name you noted in step 4 above, delete the file that used to be referenced by the registry.
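
A read-only check for the condition this entry describes, as an added example that is not part of the original advisory: it parses a text export of the registry and returns the file that the Os2 value references, which is the name step 4 asks you to write down. It assumes the export is in the .reg text format written by regedit.exe (the steps above use regedt32); the function names and the sample export are constructed for illustration.

```python
import re

# Key named in step 2 of the remedy (compared case-insensitively).
SUBSYSTEMS_KEY = (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet"
                  r"\Control\Session Manager\SubSystems").lower()

# Constructed sample export, not taken from a real host.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Os2"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\
  5c,6f,73,32,73,73,2e,65,78,65,00
'''

def _decode(raw, unicode_export):
    """Decode the data part of a .reg value line into a string."""
    raw = raw.strip()
    if raw.startswith('"'):                       # REG_SZ: "text"
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex\(2\):(.*)", raw)           # REG_EXPAND_SZ as hex bytes
    if not m:
        return None
    data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
    # REGEDIT4 exports store ANSI bytes; version 5.00 exports store UTF-16LE.
    return data.decode("utf-16-le" if unicode_export else "cp1252").rstrip("\x00")

def find_os2_subsystem(reg_text):
    """Return the file referenced by the Os2 value, or None if it is absent."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)    # join continued hex lines
    unicode_export = text.lstrip("\ufeff").startswith("Windows Registry Editor")
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only values under the SubSystems key count as a finding.
            in_key = line.strip("[]").lower() == SUBSYSTEMS_KEY
        elif in_key:
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m and m.group(1).lower() == "os2":
                return _decode(m.group(2), unicode_export)
    return None

if __name__ == "__main__":
    path = find_os2_subsystem(SAMPLE)
    print("Os2 subsystem enabled, file:", path) if path else print("Os2 value not present")
```

A return value of None after the remedy has been applied confirms that the registry value is gone; the referenced file still has to be deleted separately.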

References:

Microsoft Knowledge Base Article Q105992, Windows NT Subsystems and Associated Files, http://support.microsoft.com/support/kb/articles/q105/9/92.asp

