Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Unblocking a Windows session locked by ransomware variants

    • Updated:
    • 13 Mar 2020
    • Product/Version:
    • OfficeScan 10.6
    • OfficeScan 11.0
    • OfficeScan 11.0
    • Worry-Free Business Security Advanced
    • Worry-Free Business Security Services
    • Worry-Free Business Security Services 5.7
    • Worry-Free Business Security Services 6.2
    • Worry-Free Business Security Services 6.3
    • Worry-Free Business Security Services 6.5
    • Worry-Free Business Security Services 6.6
    • Worry-Free Business Security Standard
    • Worry-Free Business Security Standard/Advanced 10.0
    • Worry-Free Business Security Standard/Advanced 7.0
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Worry-Free Business Security Standard/Advanced 9.5
    • Platform:
    • Windows 2003 Enterprise
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows XP Professional

Some ransomware variants displays bogus police alerts, requests payment of a fine and will lock user out from his/her windows session. 

bogus claims


Follow these steps to unlock a windows session that may have been locked by ransomware variants especially ones using skype.dat as a malicious file name:

You need to know the infected username for the following steps to work.
  1. Start Windows in Safe Mode.


  2. Log on to Windows using either a local admin account or a non-infected user with admin privileges.

    Type "regedit.exe" in the command prompt, and then press ENTER to open the Registry Editor.


  3. Select HKEY_USERS on the left then click File > Load Hive.


  4. Go to the infected user's home folder and select the file called NTUSER.DAT then click Open

    NTUSER.DAT is a hidden file so depending on current system setting, you might not see it. In case hidden files are not shown, once you are in the correct folder, type the filename you want to open.


  5. Provide a Hive name to which the user registry will be loaded. Enter "Infected" on the text field and click OK.


  6. Go to the following registry key:

    HKEY_USERS\Infected\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


  7. Select Winlogon on the left then check if you see "Shell" on the right. If you do, double-click "Shell" to fully see its data. By default, the data value should be Explorer.exe. Anything after that is the full path to the possible malicious file.


    In this example, the suspected file is located in the c:\Documents and Settings\Tom\ folder and the file name is skype.dat

    Leave the Shell value intact.
  8. Take note of the path and filename and close the registry editor. On the command prompt, type the following command and press enter:

    ren Source_full_path New_filename

    Source_full_path -> the full path to the file including the file name.
    New_filename -> the new file name without any path.

    If the full path has spaces, enclose it with "".
  9. Reboot the system and log on to the infected user account.

If the login is a success, collect the renamed file and send it to Trend Micro Technical Support within a password protected archive.

Troubleshoot; Remove a Malware / Virus
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.