Introduction
Did your PC get infected by NoEscape.exe, and you can't figure out how to remove it? This guide will help you remove that malware without any antivirus software or any help!
Do not download malware or execute unknown scripts on a real machine. All demonstrations on ArsenTech are performed inside isolated virtual machines. Readers should follow the tutorial carefully and fully understand the steps before removing malware.
If you prefer watching instead of reading, here's the full video guide: Watch the video on YouTube
Step 1 - Recovery Using Windows PE
Before removing NoEscape.exe, you must boot into a safe offline environment, such as Windows PE (Windows Preinstallation Environment). This ensures that the malware cannot run while you are repairing the system.
What You Need
- A clean computer
- A USB flash drive
- A Windows PE ISO (from trusted sources)
- A bootable USB tool (Rufus, Ventoy, etc.)
Steps
- Create a Windows PE bootable USB (see the Bootable USB blog post if you need help).
- Insert the USB into the infected PC.
- Boot the PC and enter the Boot Menu (usually F2, F8, F11, F12, or Esc depending on manufacturer).
- Select the USB and boot into Windows PE.
Once inside Windows PE, open Command Prompt and type regedit. This will allow you to manually repair the damaged registry entries injected by NoEscape.exe.
Windows PE is required because NoEscape.exe modifies registry entries while Windows is running. Editing them while the system is offline prevents the malware from interfering or reapplying its changes.
Step 2 - Registry Repair (Critical Step)
Only modify the registry keys shown below. Editing unrelated values may corrupt Windows and cause boot failure.
Inside the Registry Editor:
- Select HKEY_LOCAL_MACHINE
- Click File → Load Hive
You will now load the registry hives from the infected Windows installation:
Hives To Load
| Hive Name (You Choose) | Physical File Path | Represents |
|---|---|---|
| InfectedPCSoftware | C:\Windows\System32\config\SOFTWARE | HKLM\SOFTWARE of infected PC |
| InfectedPCSystem | C:\Windows\System32\config\SYSTEM | HKLM\SYSTEM of infected PC |
| InfectedPCUser | C:\Users\<username>\NTUSER.DAT | HKCU of infected PC's user |
This loads the infected system's registry into Windows PE.
Registry Change 1 - Fix EXE File Hijack
Navigate to:
InfectedPCSoftware/Classes/exefile/shell/open/command
Change the (Default) entry:
| Before | After |
|---|---|
| C:\Windows\winnt32.exe "%1" %* | "%1" %* |
Repeat the same fix here:
InfectedPCSoftware/Classes/exefile/shell/runas/command
C:\Windows\winnt32.exe is a malicious executable planted by NoEscape.exe to hijack every .exe you open.
Registry Change 2 - Repair Winlogon Hijack
Navigate to:
InfectedPCSoftware/Microsoft/Windows NT/CurrentVersion/Winlogon
Update or Delete Values:
| Name | Before | After |
|---|---|---|
| Userinit | C:\Windows\system32\userinit.exe,C:\Windows\winnt32.exe | C:\Windows\system32\userinit.exe |
| DisableCAD | 1 | (Delete) |
| AutoRestartShell | 1 | (Delete) |
| AutoAdminLogon | 1 | (Delete) |
These entries are used by NoEscape.exe to retain control after login.
Registry Change 3 - Restore System Policies
Navigate to:
InfectedPCSoftware/Microsoft/Windows/CurrentVersion/Policies/System
Perform the following actions:
- Set EnableLUA to 1
- Delete shutdownwithoutlogon
Registry Change 4 - Restore Windows Logon UI
Navigate to:
InfectedPCSoftware/Policies/Microsoft/Windows/System
And delete DisableLogonBackgroundImage
Registry Change 5 - Reset Keyboard Layout (Removes Key Remapping)
Navigate to:
InfectedPCSystem/CurrentControlSet/Control/Keyboard Layout/
If CurrentControlSet doesn't exist, use this instead:
InfectedPCSystem/ControlSet001/Control/Keyboard Layout
And delete Scancode Map. This restores correct keyboard input.
Registry Change 6 - Fix User Profile Modifications
Navigate to:
InfectedPCUser/Control Panel
Remove these modifications:
| Name | Before | After |
|---|---|---|
| Mouse/SwapMouseButtons | 1 | (Delete) |
| Desktop/AutoColorization | 1 | (Delete) |
Registry Change 7 - Re-enable Registry Editing (UAC Policies)
Navigate to:
InfectedPCUser/Software/Microsoft/Windows/CurrentVersion/Policies/System
And delete DisableRegistryTools. This re-enables Regedit on the repaired system.
Registry Change 8 - Re-enable Command Prompt
Navigate to:
InfectedPCUser/Software/Policies/Microsoft/Windows/System
And delete DisableCMD. This restores access to CMD on the infected user account.
Final Step - Unload Hives Properly
Before shutting down Windows PE:
- Select each loaded hive (InfectedPCSoftware, InfectedPCSystem, InfectedPCUser)
- Go to File → Unload Hive
- Confirm
This ensures the registry is saved correctly.
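To confirm that every change in Step 2 was applied, the check below can be run from the Windows PE Command Prompt after the hives have been unloaded in regedit and before restarting. It is an added example, not part of the original guide: it only reads the registry, assumes the offline Windows volume is C: (override with the WIN variable, a name chosen here), and takes the profile folder name as its argument.

```batch
@echo off
rem Added example, not part of the original guide. Read-only: it only queries.
rem Assumptions: offline Windows is on C: unless WIN is set; %1 = profile folder.
setlocal
if "%~1"=="" (echo Usage: %~nx0 ^<username^> & exit /b 2)
if not defined WIN set "WIN=C:"
set "SW=HKLM\InfectedPCSoftware"
set "SYS=HKLM\InfectedPCSystem"
set "USR=HKLM\InfectedPCUser"
set "WL=%SW%\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "POL=%SW%\Microsoft\Windows\CurrentVersion\Policies\System"
set /a PENDING=0
reg load %SW% "%WIN%\Windows\System32\config\SOFTWARE" >nul || goto loadfail
reg load %SYS% "%WIN%\Windows\System32\config\SYSTEM" >nul || goto loadfail
reg load %USR% "%WIN%\Users\%~1\NTUSER.DAT" >nul || goto loadfail
rem Changes 1-2: nothing may still point at winnt32.exe
call :clean "%SW%\Classes\exefile\shell\open\command"
call :clean "%SW%\Classes\exefile\shell\runas\command"
call :clean "%WL%"
for %%V in (DisableCAD AutoRestartShell AutoAdminLogon) do call :gone "%WL%" %%V
rem Changes 3-4: policies
call :gone "%POL%" shutdownwithoutlogon
reg query "%POL%" /v EnableLUA 2>nul | findstr /c:"0x1" >nul || call :flag "EnableLUA is not 1"
call :gone "%SW%\Policies\Microsoft\Windows\System" DisableLogonBackgroundImage
rem Change 5: an offline SYSTEM hive may only have ControlSet001
for %%C in (CurrentControlSet ControlSet001) do call :gone "%SYS%\%%C\Control\Keyboard Layout" "Scancode Map"
rem Changes 6-8: per-user values
call :gone "%USR%\Control Panel\Mouse" SwapMouseButtons
call :gone "%USR%\Control Panel\Desktop" AutoColorization
call :gone "%USR%\Software\Microsoft\Windows\CurrentVersion\Policies\System" DisableRegistryTools
call :gone "%USR%\Software\Policies\Microsoft\Windows\System" DisableCMD
goto done
:gone
rem Pending if the named value still exists under the key
reg query "%~1" /v "%~2" >nul 2>&1 && call :flag "%~2 still present under %~1"
goto :eof
:clean
rem Pending if any value directly under the key mentions winnt32.exe
reg query "%~1" 2>nul | findstr /i /c:"winnt32.exe" >nul && call :flag "winnt32.exe still referenced under %~1"
goto :eof
:flag
echo [PENDING] %~1& set /a PENDING+=1
goto :eof
:loadfail
echo Could not load a hive. Check WIN, the user name, and that regedit has unloaded the hives.
set /a PENDING=255
:done
for %%H in (%SW% %SYS% %USR%) do reg unload %%H >nul 2>&1
echo %PENDING% change(s) still pending.
exit /b %PENDING%
```

The exit code is the number of items still pending, so 0 means every Step 2 change is in place.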
Now restart the computer normally. If the registry was repaired correctly, Windows should boot without NoEscape.exe reactivating.
Step 3 - Deleting Files planted by NoEscape.exe
After restarting the repaired system and logging into Windows, the next step is to remove the malicious files that NoEscape.exe created.
1. Show Hidden & Protected System Files
Open File Explorer and go to:
C:\Windows
By default, winnt32.exe is hidden. To reveal it:
- Open Folder Options → View
- Temporarily disable:
- Hide protected operating system files (Recommended)
- Hide empty drives
- Under Hidden files and folders, select:
- Show hidden files, folders, and drives
Click Apply.
2. Delete winnt32.exe
Now that hidden system files are visible, locate and delete winnt32.exe
This file is responsible for the EXE hijack.
Make sure you ONLY delete the file located directly inside C:\Windows. Do NOT delete any legitimate system files.
3. Remove Malicious Desktop Files
NoEscape.exe creates random files to clutter the desktop.
To delete all of them at once, press:
Ctrl+A to select all desktop items. Then permanently delete them with:
Shift+Del
Empty your Recycle Bin afterward.
4. Restore File Explorer Settings
When done, revert the folder settings:
- Enable “Hide protected operating system files”
- Enable “Hide empty drives”
- Set “Hidden files and folders” to Don't show hidden files, folders, or drives
This protects your system from accidental file deletion later.
Step 4 - Restore Your Theme & Desktop Background
NoEscape.exe replaces your wallpaper and UI theme to make your system look corrupted or hacked.
To restore your theme:
- Open Settings
- Go to Personalization → Themes
- Choose your preferred theme
- Reapply your desktop background
Your system should now visually return to normal.
Step 5 - Deleting More files planted by NoEscape.exe
1. Remove LocalAppData Image
Open the Run dialog:
⊞+R
Type %localappdata%. Find and delete noescape.png. This is the custom wallpaper the malware forces onto the system.
2. Remove Modified User Account Pictures
Navigate to:
%programdata%\Microsoft\User Account Pictures
Delete the modified profile icons created by NoEscape.exe.
If you have your original user icon backed up, replace it here.
Step 6 - Removing Fake Users Created by NoEscape.exe
NoEscape.exe creates extra fake users to weaken system security and confuse the victim.
- Open Settings
- Go to Accounts → Other Users
- Manually delete any suspicious accounts (DO NOT delete your real account).
Step 7 - Restore Your Account
Restore your account name
Open the Run dialog:
⊞+R
Type control. Go to:
User Accounts → User Accounts
Change your account name back to the preferred name.
Restore your profile picture
Go to:
Settings → Accounts → Your info
Set a new profile picture or upload your old one.
Fix Your Account Password (Optional)
If you want to reset your password to something simple or blank:
Open Command Prompt as Administrator and run:
net user <username> <password>
To set a blank password:
net user <username> ""
Restart your PC afterward.
Finally, re-add your normal desktop shortcuts if needed.
Step 8 - Repair Windows System Files (SFC & DISM)
NoEscape.exe corrupts several Windows components, including:
- System policies
- Login settings
- User profiles
- Explorer visuals
- Registry permissions
- Windows shell stability
To ensure your system is fully functional, run the built-in Windows repair tools.
1. System File Checker (SFC)
Open Command Prompt as Administrator and run:
sfc /scannow
This will scan and repair:
- Modified Windows files
- Missing DLLs
- Corrupted components
- System shell inconsistencies
If SFC says that it found corrupt files and repaired them — this is normal after malware removal.
2. Deployment Image Servicing and Management (DISM)
If SFC shows errors it cannot fix, run DISM:
DISM /Online /Cleanup-Image /RestoreHealth
DISM repairs deeper Windows components such as:
- WinSxS store
- System image corruption
- Recovery files
- Windows update components
DISM requires an active internet connection unless you're using an offline image.
3. Run SFC Again
After DISM completes, run:
sfc /scannow
This ensures all corrupt or modified files from NoEscape.exe are fully repaired.
Optional (Strongly Recommended): Windows Update Refresh
Go to Settings → Update & Security → Windows Update, and run Check for Updates.
Windows will reapply critical system files and drivers to guarantee system integrity.
Step 9 - Removing the Most Dangerous Variant: September 18
The September 18 variant of NoEscape.exe is the most destructive version. It does not just modify registry keys — it corrupts the bootloader and breaks the partition structure, making Windows completely unbootable.
Signs of the September 18 Variant
- Opening any .exe file launches Notepad and types: THERE'S NO ESCAPE...
- Typing either Yes or No triggers bootloader corruption
- The system becomes unbootable on next restart
- Windows recovery tools fail to detect the OS
- Disk Manager may show the system partition but cannot boot
This variant cannot be removed using registry fixes alone. It rewrites the MBR / GPT bootloader and damages the NTFS boot sector, requiring disk repair.
Restoring the Bootloader (Windows PE + TestDisk)
Only proceed if you fully understand TestDisk. Incorrect actions may cause permanent data loss. Always back up important files first.
1. Boot into Windows PE - Use your Windows PE USB created earlier.
2. Back up your files - Before repairing the bootloader, copy files to an external drive if possible.
3. Download TestDisk on a Clean PC
Download TestDisk Portable from a healthy PC: https://www.cgsecurity.org/Download_and_donate.php/testdisk-7.2-WIP.win.zip
Extract the ZIP and place the TestDisk folder onto a separate USB. Move the TestDisk folder to the Windows PE environment or run it directly from your secondary USB.
4. Start TestDisk
- Launch testdisk_win.exe
- Select No Log
- Select the drive containing your Windows installation
- Choose:
EFI GPT → Analyze → Quick Search
5. Identify the Correct Partition
TestDisk will show all partitions. Select the one that contains:
- Your Windows files
- Correct NTFS structure
- Smaller Total Capacity (the malware often creates a fake oversized partition)
Press → (Right Arrow Key), then press P to preview files.
If your real files appear → this is the correct partition.
6. Repair the Bootloader Using bootrec
Open Command Prompt in Windows PE and run:
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd
/fixboot might return Access Denied on some systems.
TestDisk will still repair the NTFS boot sector.
7. Write the Correct Partition
Back in TestDisk:
- Press Enter
- Select Write
- Type Y to confirm
This restores the proper partition table.
8. Repair the NTFS Boot Sector (Critical Step)
Navigate to:
Advanced → Select MS Data Partition → Boot
Then choose:
- Repair MFT
- Confirm OK
- Then choose Rebuild BS (Boot Sector)
If successful, TestDisk will say:
Boot sector OK
Backup boot sector OK
9. Run bootrec Commands Again
To ensure the repaired boot sector is recognized:
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd
10. Check Disk Manager
Open Disk Management (diskmgmt.msc) and click Refresh.
If the C: partition is visible and labeled correctly:
- The boot sector is restored
- The OS should boot normally on restart
If “Rebuild BS” Fails
If TestDisk cannot rebuild the boot sector, you have two options:
- Restore from a full system backup, or
- Reinstall Windows completely
This is the only guaranteed solution for:
- Partition table corruption
- NTFS boot sector corruption
- Unrepairable MBR/GPT changes
NoEscape.exe Removal Checklist
Windows PE Setup
- Boot from Windows PE
- Load SYSTEM, SOFTWARE, and NTUSER.DAT hives
- Open Regedit in offline mode
Registry Fixes
- Remove exe hijack
- Fix Winlogon
- Restore Policies
- Delete Scancode Map
- Re-enable Registry Tools
- Re-enable CMD
- Fix user profile registry entries
File Removal
- Delete C:\Windows\winnt32.exe
- Delete malicious Desktop files
- Delete %localappdata%\noescape.png
- Delete modified user icons
- Clean up ProgramData files
Restore Windows Settings
- Restore theme & wallpaper
- Remove fake users
- Fix account name & picture
- Reset password (optional)
System Repair
- Run sfc /scannow
- Run DISM /Online /Cleanup-Image /RestoreHealth
- Run SFC again
- Reboot
Final Checks
- Verify no startup entries remain
- Ensure no fake users remain
- Verify EXE files launch normally
- Check Explorer, CMD, Task Manager
- Perform Windows Updates
Conclusion
And that's it! NoEscape.exe has been completely removed from your system. This malware modifies registry entries, themes, user accounts, wallpapers, and core Windows settings, so restoring everything manually is critical.
To prevent future infections:
- Delete suspicious .exe files immediately
- Never run unknown programs
- Use a stronger antivirus
- Keep real-time protection enabled
- Always use a virtual machine for malware testing
- Follow safe browsing habits & avoid unknown downloads
Thanks for reading! If you want more malware removal guides and educational malware tests, check out my YouTube channel!