Offline Registry
#1
Posted 06 May 2010 - 08:04 PM
Hello Gents,
Following this thread http://reboot.pro/to...egistry-library, I have decided to use MS WDK (http://msdn.microsof...7(v=VS.85).aspx) to write a command line tool that will allow one to read and write to an offline registry hive.
Version 0.9 here : http://reboot.pro/fi...313-offlinereg/
Command line usage :
OfflineReg a_hive_file a_key_path a_verb a_value_name [a_value]
example : OfflineReg "c:\temp\system" a_key getvalue a_value_name
example : OfflineReg "c:\temp\system" key\subkey getvalue a_value_name
example : OfflineReg "c:\temp\system" a_key setvalue a_string_value_name a_new_value
example : OfflineReg "c:\temp\system" a_key setvalue a_dword_key a_dword_value 4
example : OfflineReg "c:\temp\system" a_key setvalue a_qword_key a_qword_value 11
example : OfflineReg "c:\temp\system" a_key setvalue a_binary_key 0a,0b,0c,0d,0e,0f 3
example : OfflineReg "c:\temp\system" a_key_path setvalue a_multi_value_name "aa bb cc dd" 7
(setvalue will createvalue if value does not exist yet)
example : OfflineReg "c:\temp\system" a_key deletevalue a_value
example : OfflineReg "c:\temp\system" a_key deletekey a_subkey
example : OfflineReg "c:\temp\system" a_key createkey a_subkey
example : OfflineReg "c:\temp\system" a_key enumkeys
example : OfflineReg "c:\temp\system" a_key enumvalues
A real life example :
OfflineReg "D:\Windows\system32\config\system" ControlSet001\Control\ProductOptions getvalue "ProductType".
Should display :
"ProductType"=WinNT
Feedback, suggestions, etc welcome.
Regards,
Erwan.
#2
Posted 05 July 2010 - 06:06 PM
@Erwan
Maybe it could be of use to add a command line parsing mechanism to the app.
Something that "understands" that:
http://msdn.microsof...877(VS.85).aspx
HKEY_CURRENT_CONFIG -> System
HKEY_CURRENT_USER -> Ntuser.dat
HKEY_LOCAL_MACHINE\SAM -> Sam
HKEY_LOCAL_MACHINE\Security -> Security
HKEY_LOCAL_MACHINE\Software -> Software
HKEY_LOCAL_MACHINE\System -> System
HKEY_USERS\.DEFAULT -> Default
and same goes for HKLM, HKCU , etc. abbreviations.
So that if the accessed filename in the example posted by bilou_gateux:
"D:\Windows\system32\config\system"
Is corresponding to the given path:
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions"
the path is automatically parsed as:
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions"
Since most of us have paths stored with the complete "online" path, this could be handy.
Wonko
offlinereg.exe c:\temp\system.sav HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions getvalue
or
offlinereg.exe c:\temp\system.sav ControlSet001\Control\ProductOptions getvalue
will now be the same (in version 0.6)
/erwan
#3
Posted 05 July 2010 - 06:38 PM
Wonko
#4
Posted 05 July 2010 - 08:42 PM
What about a CurrentControlSet?
offlinereg.exe c:\temp\system.sav HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions getvalue
offlinereg.exe c:\temp\system.sav HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions getvalue
CurrentControlSet has to be calculated from offline registry.
A batch example
rem detect CurrentControlSet
for /f "tokens=3" %%a in ('reg.exe query "HKLM\loaded_SYSTEM\Select" /v "Current"') do set /a ControlSet=%%a
set ControlSet=00000%ControlSet%
set ControlSet=ControlSet%ControlSet:~-3%
echo. &echo ControlSet "%ControlSet%" used.
#5
Posted 28 August 2010 - 09:41 AM
What about a CurrentControlSet?
I'll implement that in version 0.7
/Erwan
#6
Posted 21 November 2010 - 02:20 PM
Example : offlinereg "C:\temp\system" currentcontrolset\Control\ProductOptions getvalue "ProductType" will actually read from controlset001 registry key.
Note that since previous version, HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Control\ProductOptions also works fine.
Regards,
Erwan.
#7
Posted 21 November 2010 - 03:02 PM
Does it "always" read from ControlSet001 OR it checks the value in HKEY_LOCAL_MACHINE\SYSTEM\Select ?
Example : offlinereg "C:\temp\system" currentcontrolset\Control\ProductOptions getvalue "ProductType" will actually read from controlset001 registry key.
Wonko
#8
Posted 21 November 2010 - 03:11 PM
Does it "always" read from ControlSet001 OR it checks the value in HKEY_LOCAL_MACHINE\SYSTEM\Select ?
Wonko
It checks the HKEY_LOCAL_MACHINE\SYSTEM\Select key to dynamically link to the right system subkey.
Hardlinking to the 001 key would be too easy
Regards,
Erwan.
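The two conventions discussed in posts #2 and #8, the "online" root prefix that maps onto a hive file and the CurrentControlSet link that is resolved through SYSTEM\Select, can be combined into one path normaliser. The Python below is an added example written for this thread, not code from offlinereg or from Erwan; the function names and the way it reads the Select values (a dict holding what reg.exe would print) are assumptions. It rejects a path whose root belongs to a different hive file than the one given, which is the usual operator mistake, and it only rewrites CurrentControlSet in the SYSTEM hive.

```python
"""Map an "online" registry path onto the hive-relative path OfflineReg needs."""

# Offline hive file (basename, lower-case) -> root-key prefixes stored in it.
# The mapping follows the table quoted in post #2; the HKLM/HKCU/HKU/HKCC short
# forms are added as that post suggests.
ROOT_PREFIXES = {
    "system": ("HKEY_LOCAL_MACHINE\\SYSTEM", "HKLM\\SYSTEM",
               "HKEY_CURRENT_CONFIG", "HKCC"),
    "software": ("HKEY_LOCAL_MACHINE\\SOFTWARE", "HKLM\\SOFTWARE"),
    "sam": ("HKEY_LOCAL_MACHINE\\SAM", "HKLM\\SAM"),
    "security": ("HKEY_LOCAL_MACHINE\\SECURITY", "HKLM\\SECURITY"),
    "ntuser.dat": ("HKEY_CURRENT_USER", "HKCU"),
    "default": ("HKEY_USERS\\.DEFAULT", "HKU\\.DEFAULT"),
}


def _components(path):
    """Split a registry path on backslashes, ignoring empty parts."""
    return [c for c in path.strip().split("\\") if c]


def hive_name(hive_file):
    """Reduce a hive file path such as D:\\...\\config\\system.sav to its table key."""
    name = hive_file.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name not in ROOT_PREFIXES:
        name = name.split(".", 1)[0]          # system.sav -> system
    if name not in ROOT_PREFIXES:
        raise ValueError(f"unknown hive file {hive_file!r}")
    return name


def strip_root_prefix(hive, key_path):
    """Return key_path relative to the hive, dropping an online root prefix.

    Raises ValueError when the prefix belongs to another hive file, which is the
    mismatch an operator most often makes (an HKLM\\SOFTWARE path against SYSTEM)."""
    parts = _components(key_path)
    lowered = [p.lower() for p in parts]
    for owner, prefixes in ROOT_PREFIXES.items():
        for prefix in prefixes:
            pre = [p.lower() for p in _components(prefix)]
            if lowered[:len(pre)] == pre:
                if owner != hive:
                    raise ValueError(f"{prefix} is not stored in the {hive} hive")
                return "\\".join(parts[len(pre):])
    return "\\".join(parts)                  # already hive-relative


def current_control_set(select_values):
    """Derive ControlSetNNN from SYSTEM\\Select, as the batch snippet in post #4 does.

    select_values holds the Select key's values; Current may be an int or the
    "0x1" string that reg.exe prints."""
    current = select_values["Current"]
    current = int(current, 0) if isinstance(current, str) else int(current)
    if not 1 <= current <= 999:
        raise ValueError(f"Select\\Current out of range: {current}")
    return f"ControlSet{current:03d}"


def resolve_offline_path(hive_file, key_path, select_values=None):
    """Full normalisation: strip the root prefix, then replace CurrentControlSet."""
    hive = hive_name(hive_file)
    parts = _components(strip_root_prefix(hive, key_path))
    if parts and parts[0].lower() == "currentcontrolset":
        if hive != "system":
            raise ValueError("CurrentControlSet only exists in the SYSTEM hive")
        if select_values is None:
            raise ValueError("Select values are needed to resolve CurrentControlSet")
        parts[0] = current_control_set(select_values)
    return "\\".join(parts)


if __name__ == "__main__":
    # Constructed sample: the Select values of a hive whose current control set is 1.
    select = {"Current": "0x1", "Default": "0x1", "Failed": "0x0", "LastKnownGood": "0x2"}
    print(resolve_offline_path(r"D:\Windows\system32\config\system",
                               r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions",
                               select))
```

The Select values have to come from the offline hive itself, as post #4 points out; reading them live from the running system would silently point at the wrong control set when the offline hive was last booted differently.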
#9
Posted 21 November 2010 - 03:16 PM
Sure. Just wanted to make sure you did the "right" thing.
It checks the HKEY_LOCAL_MACHINE\SYSTEM\Select key to dynamically link to the right system subkey.
Hardlinking to the 001 key would be too easy
Wonko
#10
Posted 04 December 2010 - 05:17 PM
Feedback, suggestions, etc welcome.
Regards,
Erwan.
As described in this forum post here
I do not have access to the domain controller but I'm trying to modify
the GPO or assign a logoff script to all clients on my network.
I attempted to do this through the registry (assign a logoff script)
but was roadblocked when I found out I couldn't enter a QWORD value.
Apparently the function SetQWORDValue is built into WMI but it doesn't
work unless you're using Vista. So my ugly GPO registry hack won't
work. I know it's an ugly hack, but that's okay =]
const HKEY_CURRENT_USER = &H80000001
strComputer = "."   ' local machine; this assignment was missing from the snippet
Set StdOut = WScript.StdOut
' Bind to the WMI registry provider
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
strKeyPath = _
    "SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logoff\1\1"
objReg.CreateKey HKEY_CURRENT_USER, strKeyPath
strValueName = "ExecTime"
' SetQWORDValue takes the 64-bit value as a number, not as a hex(...) string
strValue = 0
objReg.SetQWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue
I also can't modify the machines' GPO through WSH/WMI to my knowledge.
Does anyone have a direction to point me in?
OS: Windows XP Professional SP3.
REG.EXE 3.0 or REGINI.EXE don't accept Type REG_QWORD
tried wmic with no success
Batch files WMIC
SET KEY_QUERY_VALUE="&H1"
SET KEY_SET_VALUE="&H2"
SET KEY_CREATE_SUB_KEY="&H4"
SET KEY_ENUMERATE_SUB_KEYS="&H8"
SET KEY_NOTIFY="&H10"
SET KEY_CREATE="&H20"
SET DELETE="&H10000"
SET READ_CONTROL="&H20000"
SET WRITE_DAC="&H40000"
SET WRITE_OWNER="&H80000"
SET HKEY_CLASSES_ROOT="&H80000000"
SET HKEY_CURRENT_USER="&H80000001"
SET HKEY_LOCAL_MACHINE="&H80000002"
SET HKEY_USERS="&H80000003"
SET HKEY_CURRENT_CONFIG="&H80000005"
Wmic /namespace:\\root\default class stdregprov call SetQWORDValue hDefKey="%HKEY_CURRENT_USER%" sSubKeyName="SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logoff\1\1" sValueName="ExecTime" uValue="00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00"
Last chance is to add this feature to offlinereg tool.
In French for Erwan :
lancer-une-application-juste-avant-la-fermeture-de-windows
[EDIT]
Found the right GUI tool
regalyzer
"RegAlyzer is a tool to browse and change the registry. I wrote it because of a few features I missed in the original regedit tool. A short list of the pros of RegAlyzer:
» Improved search function (results list)
» Hierarchical bookmark support
» Jump to key by command line parameter
» Jump to key by typing/copying it into dialog (instead of browsing)
» DWord editing with parallel hex/decimal/binary display
» Support of QWord (64 bit integer)
» Display of .reg file contents without importing it
» Support of version 5 files (Unicode) even with Windows 95/NT
» Low-level display of security settings with option to export it"
[/edit]
Edited by bilou_gateux, 04 December 2010 - 05:30 PM.
#11
Posted 04 December 2010 - 06:00 PM
As described in this forum post here
OS: Windows XP Professional SP3.
REG.EXE 3.0 or REGINI.EXE don't accept Type REG_QWORD
tried wmic with no success
Batch files WMIC
SET KEY_QUERY_VALUE="&H1"
SET KEY_SET_VALUE="&H2"
SET KEY_CREATE_SUB_KEY="&H4"
SET KEY_ENUMERATE_SUB_KEYS="&H8"
SET KEY_NOTIFY="&H10"
SET KEY_CREATE="&H20"
SET DELETE="&H10000"
SET READ_CONTROL="&H20000"
SET WRITE_DAC="&H40000"
SET WRITE_OWNER="&H80000"
SET HKEY_CLASSES_ROOT="&H80000000"
SET HKEY_CURRENT_USER="&H80000001"
SET HKEY_LOCAL_MACHINE="&H80000002"
SET HKEY_USERS="&H80000003"
SET HKEY_CURRENT_CONFIG="&H80000005"
Wmic /namespace:\\root\default class stdregprov call SetQWORDValue hDefKey="%HKEY_CURRENT_USER%" sSubKeyName="SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logoff\1\1" sValueName="ExecTime" uValue="00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00"
Last chance is to add this feature to offlinereg tool.
In French for Erwan :
lancer-une-application-juste-avant-la-fermeture-de-windows
[EDIT]
Found the right GUI tool
regalyzer
[/edit]
Hello Billou_Gateux,
Question is : could offline support qdword type?
I am going to have a look at it.
In the mean time, one could try
OfflineReg "c:\temp\system" my_key setvalue my_value 1,2,3,4,5,6,7,8 3
3 is normally for a binary key, but many pieces of code actually don't care about the type and only focus on the data...
Regards,
Erwan.
ps : if anyone knows the const value of reg_qdword, it would help
ps2 : got it, had to look for REG_QWORD (=11) not REG_QDWORD ....
#12
Posted 04 December 2010 - 06:37 PM
Based on Billou_Gateux's feedback (see previous post), offlinereg v0.8 now supports 64-bit qword values.
Example :
OfflineReg "c:\temp\system" a_key_path setvalue a_qword_value_name a_qword_value 11
Tested fine from my windows7 on an offline xp hive.
Regards,
Erwan.
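Posts #11 and #12 turn on how a QWORD is represented: the type code is REG_QWORD = 11, and the data is the comma-separated hex byte form that the setvalue examples in this thread use. The Python below is an added example for this thread, not code from offlinereg; it assumes that setvalue accepts the same "00,00,..." byte form for type 11 that post #21 passes to it, and every function name is mine. It packs and unpacks a REG_QWORD as the 8-byte little-endian integer it is, rejects data of the wrong length, and builds the OfflineReg argument vector, letting subprocess.list2cmdline apply the Windows quoting rules so key paths with spaces come out quoted.

```python
"""Encode registry data the way OfflineReg's setvalue takes it, and build its command line."""
import struct
import subprocess

# Value type codes used in this thread's setvalue examples.
REG_SZ = 1
REG_BINARY = 3
REG_DWORD = 4
REG_MULTI_SZ = 7
REG_QWORD = 11


def bytes_to_arg(data):
    """Render raw bytes in the comma-separated hex form: b'\\x0a\\x0b' -> '0a,0b'."""
    return ",".join(f"{b:02x}" for b in data)


def arg_to_bytes(arg):
    """Parse the comma-separated hex form back into bytes, rejecting malformed tokens."""
    out = bytearray()
    for tok in arg.split(","):
        tok = tok.strip()
        if len(tok) != 2 or any(c not in "0123456789abcdefABCDEF" for c in tok):
            raise ValueError(f"bad hex byte {tok!r}")
        out.append(int(tok, 16))
    return bytes(out)


def qword_to_arg(value):
    """A REG_QWORD is an unsigned 64-bit little-endian integer: 8 bytes, low byte first."""
    if not 0 <= value < 2**64:
        raise ValueError("REG_QWORD must fit in 64 unsigned bits")
    return bytes_to_arg(struct.pack("<Q", value))


def arg_to_qword(arg):
    """Inverse of qword_to_arg; anything but exactly 8 bytes is not a QWORD."""
    data = arg_to_bytes(arg)
    if len(data) != 8:
        raise ValueError(f"REG_QWORD needs exactly 8 bytes, got {len(data)}")
    return struct.unpack("<Q", data)[0]


def setvalue_argv(hive_file, key_path, value_name, value, reg_type, exe="OfflineReg"):
    """Argument vector for: OfflineReg hive key setvalue name data type."""
    if reg_type == REG_QWORD:
        data = qword_to_arg(value)          # value is an int
    elif reg_type == REG_BINARY:
        data = bytes_to_arg(value)          # value is bytes
    elif reg_type in (REG_SZ, REG_MULTI_SZ):
        data = value                        # value is the string as typed
    else:
        raise ValueError(f"unsupported type code {reg_type}")
    return [exe, hive_file, key_path, "setvalue", value_name, data, str(reg_type)]


def setvalue_cmdline(hive_file, key_path, value_name, value, reg_type, exe="OfflineReg"):
    """Same as setvalue_argv, rendered with Windows quoting (spaces get double quotes)."""
    return subprocess.list2cmdline(
        setvalue_argv(hive_file, key_path, value_name, value, reg_type, exe))


if __name__ == "__main__":
    # Constructed sample: a zero ExecTime written as a QWORD into a hive-relative key.
    print(setvalue_cmdline(r"c:\temp\software",
                           r"Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0",
                           "ExecTime", 0, REG_QWORD))
```

arg_to_qword is the check worth keeping around: a 16-byte string such as the one in post #10 parses fine as bytes but is not a QWORD, and rejecting it up front is cheaper than debugging a crashed offline write.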
#13
Posted 05 December 2010 - 10:14 AM
Yep.
Tested fine from my windows7 on an offline xp hive.
The (good?) question - and I'm sure Bilou will answer this - should be:
Would this work from an "older" environment (like PE 1.x/XP) on a "newer" "target" (like Vista or 7)?
I presume yes, since the "function" should be inside the MS .dll, right?
Wonko
#14
Posted 05 December 2010 - 12:09 PM
**erwan.l, thank you for your post, yes it works from a Win7 on both offline Win Vista & XP hives, also a good chance to thank you for your beautiful 100 in 1 tool [ IP Sniffer ], that's a great work.
***Wonko the Sane, it didn't work with me from the vice versa environment, maybe any ready solution? Am trying to figure that out, but no luck yet.
#15
Posted 05 December 2010 - 12:15 PM
***Wonko the Sane, it didn't work with me from the vice versa environment, maybe any ready solution? Am trying to figure that out, but no luck yet.
If bilou_gateux confirms this, we are back to square #1.
Original problem seems to me about the impossibility to write a qword from XP (or similar) with the "normal" tools.
If this is also not possible with the nice offline library, it means that we have no means to do that from command line, and till now only Regalyzer seems like being able to do it.
So, if GUI is ok for you try Regalyzer, otherwise it seems like we are missing that tool from command line.
Wonko
#16
Posted 05 December 2010 - 03:26 PM
Yep.
The (good?) question - and I'm sure Bilou will answer this - should be:
Would this work from an "older" environment (like PE 1.x/XP) on a "newer" "target" (like Vista or 7)?
I presume yes, since the "function" should be inside the MS .dll, right?
Wonko
to me, it should work either way : i have already edited win7 hives from xp in the past.
what i have not tested yet (but will as soon as i get rid of this "thinkpoint" trojan i just got...) is handling qword values from xp.
/erwan
#17
Posted 05 December 2010 - 06:07 PM
If bilou_gateux confirms this, we are back to square #1.
Original problem seems to me about the impossibility to write a qword from XP (or similar) with the "normal" tools.
If this is also not possible with the nice offline library, it means that we have no means to do that from command line, and till now only Regalyzer seems like being able to do it.
So, if GUI is ok for you try Regalyzer, otherwise it seems like we are missing that tool from command line.
Wonko
Tested fine with offlinereg from xp on a xp hive : i could add a qword entry without issue.
Side note, the windows (xp) microsoft api do support qword.
So we do have a command line to handle qword in windows xp and up.
Cheers,
Erwan.
#18
Posted 05 December 2010 - 07:55 PM
Then it should also work from XP to a Windows 7 Hive.
Tested fine with offlinereg from xp on a xp hive : i could add a qword entry without issue.
jamal just posted it didn't work for him.
Wonko
#19
Posted 09 December 2010 - 09:32 AM
Hi everyone,
Based on Billou_Gateux's feedback (see previous post), offlinereg v0.8 now supports 64-bit qword values.
Example :
OfflineReg "c:\temp\system" a_key_path setvalue a_qword_value_name a_qword_value 11
Tested fine from my windows7 on an offline xp hive.
Regards,
Erwan.
I have not had a chance to check yet.
link not updated with v0.8
http://erwan.l.free..../offlinereg.zip <> v0.6
link on post #1 is for beta
I must be blind, i don't find the link for v0.8 download
#20
Posted 10 December 2010 - 11:56 PM
I have not had a chance to check yet.
link not updated with v0.8
http://erwan.l.free..../offlinereg.zip <> v0.6
link on post #1 is for beta
I must be blind, i don't find the link for v0.8 download
First post corrected :
Version 0.8 here : http://erwan.l.free..../offlinereg.zip .
Thanks,
Erwan
#21
Posted 11 December 2010 - 12:41 PM
All commands run as System account
offlinereg "R:\winbak\system32\config\SOFTWARE" Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0 setvalue ExecTime 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 11
I get a "Program Error" popup from Windows:
offlinereg.exe has generated errors and will be closed by Windows.
You will need to restart the program.
An error log is being created.
<OK>
there's no subkeys in backup SOFTWARE hive "R:\winbak\system32\config\SOFTWARE" Policies\Microsoft\Windows\System key
offlinereg "R:\winbak\system32\config\SOFTWARE" Policies\Microsoft\Windows enumkeys
DriverSearching
Installer
IPSec
NetCache
Safer
System
WiredL2
offlinereg "R:\winbak\system32\config\SOFTWARE" Policies\Microsoft\Windows\System enumkeys
OREnumKey failed:259
Q: Create Key feature is not yet implemented in offlinereg tool?
Q: what am I doing wrong?
#22
Posted 11 December 2010 - 05:01 PM
From partition(1)\Windows (XP Professional SP3) trying to make some changes to a registry backup copy of the same OS
All commands run as System account
offlinereg "R:\winbak\system32\config\SOFTWARE" Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0 setvalue ExecTime 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 11
I get a "Program Error" popup from Windows
there's no subkeys in backup SOFTWARE hive "R:\winbak\system32\config\SOFTWARE" Policies\Microsoft\Windows\System key
offlinereg "R:\winbak\system32\config\SOFTWARE" Policies\Microsoft\Windows enumkeys
offlinereg "R:\winbak\system32\config\SOFTWARE" Policies\Microsoft\Windows\System enumkeys
Q: Create Key feature is not yet implemented in offlinereg tool?
Q: what am I doing wrong?
You did nothing wrong
I have updated the first post with a missing syntax :
OfflineReg "c:\temp\system" a_key_path createkey a_key
enumkeys with error 259 means "no more data available", indeed since the key does not exist.
So you have to first create your key, then set your value.
Regards,
Erwan
#23
Posted 22 December 2010 - 07:56 PM
While experimenting with it found that it does not seem to handle keys with spaces; e.g. when trying to use 'getvalue' on WinXP SP2 system, the key
"Microsoft\Windows NT\CurrentVersion"
produces a 'OROpenHive failed:3' error, but a similar command using the key
"Microsoft\Windows\CurrentVersion"
does not. Using same software hive in both cases and without any intervening ops which might interfere.
Tried various combinations of quotes on keys with spaces in them, but in general keys with spaces seem to cause
the above error whilst those without spaces do not.
Am I missing something ?
For those who come across the following error
OROpenHive failed:32
it was caused by having the relevant hive open in another app (Mitec's WRR tool in my case).
#24
Posted 03 January 2011 - 06:48 PM
First off many thanks Erwan for your offline reg tool, just what I was looking for.
While experimenting with it found that it does not seem to handle keys with spaces; e.g. when trying to use 'getvalue' on WinXP SP2 system, the key
"Microsoft\Windows NT\CurrentVersion"
produces a 'OROpenHive failed:3' error, but a similar command using the key
"Microsoft\Windows\CurrentVersion"
does not. Using same software hive in both cases and without any intervening ops which might interfere.
Tried various combinations of quotes on keys with spaces in them, but in general keys with spaces seem to cause
the above error whilst those without spaces do not.
Am I missing something ?
For those who come across the following error
OROpenHive failed:32
it was caused by having the relevant hive open in another app (Mitec's WRR tool in my case).
Hi Clascov,
Thanks for the feedback.
I'll dive into this "space" issue asap.
About error code, a tip you may know of :
net helpmsg error_code on a command line.
32 indeed reports that the file is already in use.
3 reports path cannot be found.
Regards,
Erwan.
edit : i have tested the following command line with success
offlinereg.exe "C:\temp\software" "Microsoft\Windows NT\CurrentVersion" getvalue productname
which gives the following output
"productname"=Microsoft Windows XP
are you sure you ran offlinereg my_hive my_path getvalue my_value ?
you need to use quote around args which contains space as this is a windows command line constraint.
#25
Posted 05 January 2011 - 09:01 PM
After your response did some experimenting and found that the problem was down to the AutoIt script I was running the command from. Although the script works perfectly for registry keys without spaces, it obviously doesn't if the key has a space in it. If I run the exact same command from a batch file it works fine. If I run the batch file from the script it works fine. Since I use AutoIt to avoid the drawbacks of batch files this is a little ironic.
I run many console apps via AutoIt and find it a great programming tool, so I know this is not a general problem and don't want to put anybody off trying it. It must be down to some restriction in the AutoIt console interface that I've missed so far. Time to RTFM once more.
Again, many thanks
Clascov