
Application Compatibility Shim in WinPE / Win8.1SE for registry & file redirection?

shim winpe win81se act redirection virtualregistry

3 replies to this topic

#1 generalmx (Newbie; Members; 14 posts; United States)

Posted 02 April 2015 - 01:37 AM

I'm working on making a recovery environment complete with AV/malware scanning automation, and one problem I run into is that they want to scan the active registry & Windows instead of an offline install --- especially free versions (and ones like Combofix). After some research I found one freeware file redirection driver of dubious capability, but then figured out one could use a "shim" from the Application Compatibility Toolkit (ACT) to use the VirtualRegistry and File Redirection Filter already built into the Windows Vista and up kernel for UAC. So this works on a full version of Windows, but both WinPE and Win8.1SE seemingly lack the support for ACT databases...

Anyone ever looked into this at all?

Anyway, for those who don't know what a "shim" is, it basically sits in-between applications and what they think they're accessing, so that in the case of the VirtualRegistry, a configured application thinks it's reading/writing to HKLM\SOFTWARE\Foo (which a standard user can't write to) when it's really writing to HKCU\SomeVirtualRegistryPath\SOFTWARE\Foo (the user's registry). I can use this to load up an offline registry and then re-direct something like ComboFix to think it's looking at HKLM\Foo when it's really looking at HKLM\TempHive\Foo.
#2 generalmx (Newbie; Members; 14 posts; United States)

Posted 26 April 2015 - 06:38 PM

OK, I've made some progress, but not too much. The Application Compatibility Layer does seem to provide what I need in the form of these Compatibility Fixes:

- VirtualRegistry
- CorrectFilePaths

But my concern is that if I redirect say X:\Windows (WinPE / Mini Windows) to C:\Windows (mounted drive) for a scanner app, then the scanner will no longer be able to load required DLLs from the boot environment. Same for redirecting say HKLM\SOFTWARE to HKLM\TempHive_SOFTWARE (loaded from C:\Windows\system32\config).


Any thoughts?


I think I'll have to only redirect certain targeted directories and registry paths.


(This is all assuming I can get ACT shims working under WinPE / Mini Windows.)

#3 lemon (Members; 4 posts; United States)

Posted 27 April 2015 - 12:29 AM

With tools like combofix I would expect you'll run into issues with it using shell scripting. Have you installed the compat toolkit into a PE environment yet?

#4 Wonko the Sane (The Finder; Advanced user; 16066 posts; Location: The Outside of the Asylum (gate is closed); Italy)

Posted 27 April 2015 - 11:57 AM

> But my concern is that if I redirect say X:\Windows (WinPE / Mini Windows) to C:\Windows (mounted drive) for a scanner app, then the scanner will no longer be able to load required DLLs from the boot environment. Same for redirecting say HKLM\SOFTWARE to HKLM\TempHive_SOFTWARE (loaded from C:\Windows\system32\config).
>
> Any thoughts?

It doesn't sound to me that much of an issue (generically): the usual behaviour of a Windows NT system (when it comes to .dll) is - set aside the 20 or so "known DLLs" - to look for the .dll in the same folder the program is in, so, in the worst case, and presuming that NTFS is used as the underlying filesystem, one could make a symlink to the "right ones".

This said, more specifically, tools like ComboFix may well use "non-conventional" ways to access files, directories and even Registry hives, so YMMGV.

Wonko
