Jump to content











Photo
- - - - -

Boot installed os with no startup and minimal services


  • Please log in to reply
18 replies to this topic

#1 Uneitohr

Uneitohr

    Frequent Member

  • Advanced user
  • 219 posts

Posted 23 August 2016 - 04:38 PM

For the sake of discussion, let's say I have a windows 7 computer that is severely damanged. An 5-year old installation, many programs, and is booting extremely slow, and runs very ver slow. The OS is damaged.

 

I'm looking for a way to minimally boot windows but not in safe mode. Boot to login screen, login to a user account and that's it. Force it to load only necesesary services, without executing startup entries. I need to do it this way because I have some data to recover that is only available on the user's profile.

Is there any way of accomplishing this?

 

Thank you



#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 23 August 2016 - 05:33 PM

For the sake of discussion, let us assume that the OS is damaged and that the actual disk drive (or filesystem on it) is also damaged AND - not anymore an assumption, a plain statement -  that the normal procedure in these cases is - first thing - image the disk and then - once verified the disk is OK, repair the install (or if the disk is not OK, restore to a new disk and repair the install).

 

Then, still for the sake of discussion, you will need to provide a real world example of data that can only be recovered by booting that specific OS install AND log into a specific user account (but not in safe mode and without loading startup entries).

 

I will gladly translate the above to "I am unaware of any kind of data that is recoverable only by booting that specific OS install AND log into a specific user account (but not in safe mode and without loading startup entries) that has any real value" (what you described is - more or less - non-reusable data, and as such, no data at all).

 

This said, you can use *any* PE to disable *any* Startup entry and/or *any* unneeded service in the (offline) Registry (of course not before having made a backup of ALL the involved Registry backing files). 

 

:duff:

Wonko



#3 Uneitohr

Uneitohr

    Frequent Member

  • Advanced user
  • 219 posts

Posted 23 August 2016 - 05:42 PM

I'm talking about recovery of user credentials from Windows Vault. AFAIK these cannot be recovered outside of the user account that created them, so it must be on their profile.

 

This said, you can use *any* PE to disable *any* Startup entry and/or *any* unneeded service in the (offline) Registry (of course not before having made a backup of ALL the involved Registry backing files).

 

Yes, but there are at least 6 keys that handle startups, Run, RunEx, Runonce, then the windows policies Run keys. Am I supposed to delete these keys one by one?

This idea is to allow me to boot as minimal as possible. Don't exactly care what happens to the OS afterwards because I'll be reinstalling Windows anyway.



#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 23 August 2016 - 07:39 PM

I'm talking about recovery of user credentials from Windows Vault. AFAIK these cannot be recovered outside of the user account that created them, so it must be on their profile.

 

Yes, but there are at least 6 keys that handle startups, Run, RunEx, Runonce, then the windows policies Run keys. Am I supposed to delete these keys one by one?

This idea is to allow me to boot as minimal as possible. Don't exactly care what happens to the OS afterwards because I'll be reinstalling Windows anyway.

Sure, it's a handful of keys/locations to check, and of course you want to boot keeping the Shift key pressed to disable items in Startup folders.

But really, is that *needed*?

I mean - unless you have a BSOD (or similar) when you try to boot and login to that user, what does it matter if the system is slow/unresponsive?

At the most it will take some little patience waiting, but before or later it should work (and you can always run Task Manager and/or the Services MSC to stop/kill processes and services).

As a side note, I wonder what you will be able to see with the nice Nirsoft tool (which I believe from version 1.50 can access offline installs just fine):
http://www.nirsoft.n...d_recovery.html

 

:duff:

Wonko



#5 Uneitohr

Uneitohr

    Frequent Member

  • Advanced user
  • 219 posts

Posted 24 August 2016 - 01:05 PM

NTPass doesn't read my Vault. Probably because the computer is joined to a domain but I don't know for sure.



#6 Uneitohr

Uneitohr

    Frequent Member

  • Advanced user
  • 219 posts

Posted 24 August 2016 - 06:15 PM

I would like to ask though, if the filesystem is actually corrupted what would be a good utility to scan and repair it?

Would chkdsk perform well?



#7 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 August 2016 - 06:58 PM

I would like to ask though, if the filesystem is actually corrupted what would be a good utility to scan and repair it?

Would chkdsk perform well?

Name a few proposed alternatives. :whistling:

 

One thing is to recover (extract/copy/backup) valid data from a (partially) corrupted filesystem, and another thing is to (hopefully) repair the filesystem, for the latter you have really NO alternative whatever.

 

Though it usually performs exceptionally well :), you should however NEVER trust CHKDSK:

1) Image the disk

2) recover the data

3) attempt a CHKDSK (although noone says that :w00t: CHKDSK should IMNSHO always be run in three rounds, first without parameters, then with /F and finally with /R)

4) if all the data is still there you lost a few hours in steps 1) and 2) and you have the data twice, if the data is NOT there anymore, you will be very happy of having "wasted" a few hours in steps 1) and 2).

 

Since the longest part will probably be 2), you don't really have to perform the data recovery before attempting the CHKDSK repair, as long as you have a proper disk image you can do it only if needed afterwards, working on the image.

 

:duff:

Wonko



#8 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 25 August 2016 - 08:49 AM

Why not just image the disk, retrieve any important data, then ditch it (and reinstall if desired)? You already said the OS is severely damaged, so it's not worth keeping.

 

Or you could mount the partitions in read-only mode in Linux then proceed to retrieve data.

 

This is fairly straightforward and common sense, not really a "problem/issue", I really don't see why OP bothered to post this topic.



#9 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 25 August 2016 - 10:15 AM

Why not just image the disk, retrieve any important data, then ditch it (and reinstall if desired)? You already said the OS is severely damaged, so it's not worth keeping.

 

Or you could mount the partitions in read-only mode in Linux then proceed to retrieve data.

 

This is fairly straightforward and common sense, not really a "problem/issue", I really don't see why OP bothered to post this topic.

Because he is trying to recover some data (Credentials/Vault) that *need* to be logged in as the "right" user to be decrypted/accessible, as the suggested tool (that normally does work for those data) seemingly doesn't work in the particular setup.

 

The OP was already asked this question, and explained the reason why.

 

It is perfectly possible that the suggested tool would work fine and that the data is simply not there or corrupted, however, seeing that the tool doesn't work in the specific "joined to a domain" setup of that machine, personally first thing I would do would be to try the tool on another similar machine joined to the same domain and see if it works there or not.

 

:duff:

Wonko



#10 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 25 August 2016 - 02:14 PM

@Wonko: The OP is asking how to boot Windows with minimal running programs/services. This is what Safe Mode is for, so if he doesn't want to do that, then I really can't think of any other way to accomplish this. Of course, what he wants to do is only a means to an end (recovering data).

 

Another way to reduce the amount of stuff that's running would be to delete the files/folders of any software that is nonessential (like some stuff in Program Files). It would be best to do this offline, so there are no conflicts with trying to delete stuff while it is running. Hopefully Windows would boot and run fast enough after this pruning so that data recovery can be accomplished. Deleting stuff can do more damage than good if not done carefully, so as Wonko advises, make an image first.

 

I still don't see why you can't mount your Windows volume offline in Linux (or something else) in read-only mode, what are you doing that would only make some files available when a user is logged in, but somehow can't be accessed offline/outside of Windows? It makes sense to me that any files stored in your volume that are accessible within Windows, should also be accessible from the outside by any tool capable of reading the volume. Are you employing some kind of encryption (like BitLocker) or other technique that obfuscates files?



#11 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 25 August 2016 - 02:45 PM

Well, you will need to read attentively what has been already posted, it is all written above.

 

The Credentials Manager (or Windows Vault), which is what the OP is after, IS encrypted and is automatically made accessible/readable/etc. when you login as a given user with the corresponding password.

 

Normally it can be unencrypted also externally with the given Nirsoft program, which basically creates "on the fly" the login user/password authentication to the process reading the vault:

http://www.nirsoft.n...d_recovery.html

 

when you try opening an external (i.e. not belonging to the booted OS) Vault, you are prompted for:

  • the user folder (\Users\MyUserName\)
  • the login password of that user
  • the "protect" folder for the encryption keys (\Users\MyUserName\AppData\Roaming\Microsoft\Protect\)
  • the "credentials" folder for the Vault (\Users\MyUserName\AppData\Roaming\Microsoft\Credentials\)

 

For *whatever* reasons (unknown) this method did not work for the OP.

 

:duff:

Wonko



#12 Uneitohr

Uneitohr

    Frequent Member

  • Advanced user
  • 219 posts

Posted 25 August 2016 - 04:14 PM

Basically, it retrieved some passwords but not all of them.

 

For instance, take the following image:

http://i.stack.imgur.com/aYQZm.png

 

In my case, it only reads the generic credentials. All my NAS partitions within the Windows Credentials group are not listed in Network Password Recovery.

 

If it wasn't for these credentials, I would of easily wiped the entire HDD and be done with it. But, at the moment I cannot get them without being inside the user account that created them.



#13 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 25 August 2016 - 05:20 PM

Well, there is already enough confusion, maybe you can take the five extra minutes it takes to post something more "accurate". :unsure:

 

You just reported that the tool didn't read the vault, while now you are reporting that it reads the vault but lists only *some* credentials? :dubbio:

 

Where were (or should be) the missing credentials?

 

I mean in the built-in tool (as per your screenshot) there are three "categories":

  1. Windows Credentials
  2. Certificate Credentials
  3. Generic Credentials

Have you tried the Nirsoft tool on a similarly configured machine?

Is ti possible that those data is not stored in the vault file (but in some other file)?

 

I mean, from what I understand the vault is not much different from a password protected .zip or .rar archive, it is queer that the Network Password Recovery can open it but lists only partially its contents (though they are separate files).

 

:duff:

Wonko



#14 Uneitohr

Uneitohr

    Frequent Member

  • Advanced user
  • 219 posts

Posted 25 August 2016 - 06:23 PM

Post 12 reveals what happens:the program does not export the items listed in Windows Credentials. All windows network drive credentials are stored in Windows Credentials, which I why I said it doesn't read the Vault.

 

Have you tried the Nirsoft tool on a similarly configured machine?

 

Yes, same problem.

 

 

Is ti possible that those data is not stored in the vault file (but in some other file)?

 

I was going to ask you the same thing. You seem to know a lot about the windows OS.

Well, Credential Manager allows you to export the credentials to an encrypted file, with the .crd extension. That's about all I know.



#15 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 25 August 2016 - 07:25 PM

Post 12 says nothing.

There is an evident communication problem.

 

Of course it is very possible that I am a little bit tough, but surely you are not putting a minimum amount of diligence in attempting to detail what you tried, what you obtained as result, etc..

 

It is extremely difficult (and tiring :() to have to guess things:

 

Yes, same problem.

since the problem (in the sense of what I am trying to understand from your one-liners) is WHAT the actual problem is, this doesn't help much.

 

For all I know the particular machine (or version of OS or its settings/environment, *whatever*) may behave very differently from any other one.

 

From what I know (very little, rest assured) about that mechanism:

1) Network credentials are stored in the vault as "Windows credentials"

2) the Nirsoft tool normally can access Network credentials from an offline vault.

 

You could try other tools, but I am unaware of other free ones, passcape has a tool:

http://www.passcape...._vault_explorer

but cannot say if the trial/demo is enough to check that.

 

As a side-side note - and if I may - in a domain/professional environment/whatever it is unusual that you do not have a copy of those credentials (hardcopy on paper) :unsure:.

 

Anyway, since the offline method isn't working, did you manage to (slowly) boot the affected system ?

 

 

:duff:

Wonko



#16 florin91

florin91

    Frequent Member

  • Team Reboot
  • 197 posts
  •  
    European Union

Posted 29 August 2016 - 11:42 AM

Maybe this should be a task for forensics by taking an image and trying to unencrypt the storage location for passwords.

Here: https://www.hotforse...-text-3914.htmlit says that passwords are AES encrypted and it gives one *possible* location:

%SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28.

Will try to search more. I am certain there should exist some forensics tools to do this, if you know the login details of the user or have access to the system.Or maybe exporting as certificate and decrypting / importing in another machine ?

#17 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 29 August 2016 - 12:12 PM

Sure, passcape has one, but I doubt that OP will like the price.

The Nirsoft tool (if you know the Windows user credentials) should be able to read the Vault contents "offline", the forensic software such as the passcape com should be able to do the same even without this info.

 

:duff:

Wonko



#18 Uneitohr

Uneitohr

    Frequent Member

  • Advanced user
  • 219 posts

Posted 02 September 2016 - 05:25 PM

I just would like to thank you guys for your valued suggestions.

I proposed the Passcape Windows Password Recovery to my company and we actually got the advanced licence. It is a massise time saver and is able to recover the passwords from inside windows and outside. It managed to get all passwords from the windows vault and windows itself. Well, all except domain accounts that is.

 

As a side-side note - and if I may - in a domain/professional environment/whatever it is unusual that you do not have a copy of those credentials (hardcopy on paper) :unsure:.

 

The company policy was not always as it is today. 10 years this company started with a mere 50 employees. Back them nobody actually cared about passwords (windows/samba/etc). As it grew, to what is today about 800 employees, company policies are similar to the requirements of 10 years ago with the exception of the corporate infrastructure and servers which have been rethought. The little stuff like network passwords have been left behind. Not all things are perfect but we try to make it right.



#19 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 02 September 2016 - 06:03 PM

Good that everything went well :).

 

About where to keep passwords/credentials, in my experience in the good ol'times IT people (and even more than that non-IT people), particularly in small firms, would have NEVER trusted anything "on disk only" and would have prepared a hard copy on paper (usually on a book, kept into a safe[1]), it is actually the new IT guys that tend to actually trust hardware (and/or software) to store passwords/ access data.

Maybe the paper hard copy were lost when moving or similar...

 

:duff:

Wonko

 

[1] Being old (besides grumpy and cheap) this is something that should IMHO be done nowadays as well, you never know.






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users