
Running reg.exe or WB under Vista to load hives


46 replies to this topic

#26 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 18 March 2007 - 01:40 PM

I've just clicked my image on the start menu and selected the "Disable UAC" option and then rebooted.

Next time I went to load hives with WB, all worked perfectly fine on other test folders, except the one where I was originally testing with UAC enabled.

The link you've provided was most useful to learn:

Vista includes a new notion of what were originally called "Mandatory Integrity Controls" but eventually became "Windows Integrity Controls." Under WIC, every object that has permissions can also have a label that identifies its "integrity level." There are six integrity levels, from highest trustworthiness to lowest:

* Trusted Installer
* System (operating system processes)
* High (administrators)
* Medium (non-administrators)
* Low (temporary Internet files)
* Untrusted

Files and folders have integrity levels, as do users and processes. What good are these "trustworthiness levels?" Well, they act as a kind of second level of Windows permissions. When a lower-integrity user tries to modify a higher-integrity object, Windows integrity controls block the modification attempt, and block it even if the object's permissions list contains a "full control" permission for that user. It is, thus, a sort of set of uber-permissions, albeit a simple one.



And a solution:

1. Open gpedit.msc
2. Navigate to Computer Configuration / Windows Settings / Local Policies / User Rights Assignment
3. In the right-hand pane, you'll see an entry "Modify an object label;" open it
4. By default, there are no user accounts listed with this privilege. Add your user account.
5. Close the Group Policy Editor
6. Log off, then back on to finish getting the new privilege on your logon token.



A very big THANKS for the help, I'm sure many others will get stuck on this part too.. :cheers:

#27 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 18 March 2007 - 01:49 PM

It shows that overwriting the winhlp32.exe Vista dummy file with one that comes from XP is more than enough to get the help system working again, but how do I overwrite it?

Having UAC disabled, being on an admin account - and still I have no permissions to modify the "\Windows" folder - according to the NTFS ownership, only "TrustedInstaller" can effectively modify the folder contents.

I successfully changed the ownership of the dummy file to my account, but no good since the folder itself won't further allow to rename this file.. :cheers:
TrustedInstaller is not a group in which I can add my account, and I still can't take ownership of my own folders? :cheers:

Also tried setting the file association of .hlp files to another copy placed on a different folder to no success.. :cheers:

I really have to get myself Vista, that sounds to be more fun than a barrel of monkeys! :cheers:

#28 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 18 March 2007 - 02:07 PM

I really have to get myself Vista, that sounds to be more fun than a barrel of monkeys!


You see how good it is to have freedom?

As I see it, Vista appears to be more like a barrel of mad monkeys, and that is exactly the reason why I really do NOT have to get it. :cheers:

Nuno, since your problem is solved :cheers:, you can go back to work :cheers: , check the UWIN site..... :cheers:

jaclaz

#29 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 19 March 2007 - 08:04 AM

Some more info:
1) it appears like Monad Windows Powershell (winbuilder is not the only app that changes its name :cheers: ) has a "cmdlet" that accesses the Registry as Filesystem:
http://www.vista64.n...powershell.html
http://computerperfo...hell_cmdlet.htm
http://msdn2.microso...y/ms714417.aspx

2) This guy Harlan Carvey has written a (read only) Windows Registry parser in Perl:
http://windowsir.blo...ry-parsing.html
http://www.forensicf...m...opic&p=3997


The app can be downloaded here:
http://sourceforge.n...group_id=164158

Offline Registry Parser

in the download there is also a compiled .exe.

3) there is also something else in Perl called "tieregistry", here:
http://search.cpan.o.../TieRegistry.pm

jaclaz

#30 paraglider

paraglider

    Gold Member

  • .script developer
  • 1743 posts
  • Location:NC,USA
  •  
    United States

Posted 19 March 2007 - 12:03 PM

Easiest way to disable UAC is to either run msconfig or from the control panel select 'User Accounts'. I disable UAC and have no problems loading hives. I have noticed that even if you manage to create an XP based PE on Vista it seems to affect hardware installation when PE loads. Every device fails to install. In the end I gave up building on Vista and build instead in a VMWare VM.

Another reason for not building on Vista is that the api function used by infcachebuild to generate the infcache.1 file does not exist. MS removed it.

You also appear to get around 6 log files created for each hive that is loaded and updated.

#31 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 19 March 2007 - 02:55 PM

PowerShell is also restricted by the same rules as we are here, the difference is that they tell users to edit their registry - I wonder if they have tested their tweak example on vista? :cheers:

1a) PowerShell Registry Adjustment

For security and by default, Microsoft prevents PowerShell executing cmdlet scripts, therefore we need to change a specific registry setting to allow your cmdlets to execute. If you don't make this amendment you may get this error message when you call for a cmdlet script: 'The execution of scripts is disabled on this system'.

Our task is to open the registry and amend the value of the REG_SZ ExecutionPolicy, specifically change Restricted to RemoteSigned. There are two further settings called Unrestricted and AllSigned. However, RemoteSigned is best because it allows you to run scripts locally, while preventing people from hacking you from other machines e.g. the internet. To check the setting launch regedit and navigate to:

HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell

(In some versions of Powershell / Monad the path may be slightly different.
HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.Management.Automation.ps1)

Change this registry key:
REG_SZ ExecutionPolicy RemoteSigned.


Still doesn't bypass UAC.


The perl script you've mentioned really sounds the best option!! :cheers:

It's small, well commented and I can take to read and understand in depth how to port it to delphi like apps for later allowing to re-write hives back in XP/2003/2000 format..

It's a promising start, thanks!! :cheers:

#32 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 19 March 2007 - 03:48 PM

The perl script you've mentioned really sounds the best option!!

It's small, well commented and I can take to read and understand in depth how to port it to delphi like apps for later allowing to re-write hives back in XP/2003/2000 format..

It's a promising start, thanks!!


Yes, I had a look at it, and though I know almost nothing about Perl, it appears rather clear, and since it uses many info from Nordahl's work (that does have write access in the Offline NT Password & Registry Editor), it should be possible to "get the hang of it" and fill the gaps.

Good luck for your (not really easy) chore!

:cheers:

jaclaz

#33 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 26 March 2007 - 11:59 PM

I've already completed the Hive reading code part, but writing it back to a new hive is proving a difficult task - mostly because of the serious lack of documentation on this part.

All my attempts to write back a fresh hive fail - still unsure on what needs to be done bypass these safety checks..


Here's my work so far, it will read a c:\temp\setupreg.hiv on startup and work just like regedit - just skipped the part to edit data to save time on finding how the hive gets written.

loadhive.png

Attached File  LoadHive.7z   210.74KB   425 downloads

I guess that now it's a matter of debugging and testing until I can fully understand how a hive is generated as valid for the local registry system.

Any ideas on where to find this sort of information? :cheers:

#34 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 27 March 2007 - 11:52 AM

See if in the tarball here:
http://www.bindview....treg_readme.cfm
http://www.bindview....es/ntreg.tar.gz

Acknowledgements

I figured out some of the registry file format myself, but lots of details were provided by Petter Nordahl-Hagen. Also, there's a document of unknown authorship which describes details of the various registry types. It is included in the tarball.

The code for implementing the filesystem in linux is based upon the ntfs driver, written by Martin von Loewis, et al.


there is anything that might be of value.

Also, probably not really useful, here are some details on how the API32DLL should be invoked:
http://www.windowsde...istry_Keys.html

Have a look at these also, "between their lines" there should be enough material:
http://search.cpan.o...in32Registry.pm
http://search.cpan.o...le-1.10/File.pm
http://search.cpan.o.../TieRegistry.pm
http://search.cpan.o....28/Registry.pm

more:
http://search.cpan.o...gistry&mode=all

Finally, I have found "traces" of Windows Registry functions/reference inside this project:
http://sourceforge.n...ojects/xharbour
(search the cvs for "winreg"):
http://xharbour.cvs....amp;view=markup
http://xharbour.cvs....rbour/xharbour/

jaclaz

#35 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 27 March 2007 - 12:32 PM

Still no good, but I appreciate the effort.. :cheers:

Will start a new topic since the first goal was trying to load hives and that has already been achieved.

Now, off to learn how to write them back to disk.. :cheers:

#36 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 27 March 2007 - 07:39 PM

ow, come on, you cannot possibly have read all that in 40 minutes! :cheers:


Back to the UAC/Virtualization thingy, this might be of interest:
http://windowsconnec...5/12/19/86.aspx

as well as this:
http://www.heysoft.d..._faq_reg_en.htm
http://www.heysoft.d.../f_sw_rt_en.htm
(about "general" security settings)

jaclaz

#37 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 27 March 2007 - 08:55 PM

Didn't take as much as 40 minutes today since I've actually spent the whole weekend (since Friday's lunch to late night Sunday) trying to learn as much as I possibly could about the NT registry format - more specifically on setupreg.hiv and default hives - funny enough that I've also mentioned it here:
http://www.boot-land...like-t1826.html

Also another fun remark with hives - those hives used on XP install CDs are likely coming straight from Windows 2000 since XP will use a checksum on the key lists while win2000 will use the first 4 letters of the keyname to confirm the identity of the key value.

So XP/2003 setup routines are using Windows 2000 hives?? :cheers:

Check this for yourself comparing to the documentation found inside the first link on the new post that was created this afternoon.. :cheers:


When I looked at your links I recognized all the data that I've already learnt how to handle - what I'm looking for now is a way to successfully write back the hives, and I have made some more successful steps today!

Now I can completely replace the security permission and root key with my own values but I still haven't managed to create a single file from scratch.

The header of hives contains an XOR checksum of the first 508 bytes - on this header the length of the last hbin is specified, so it's still a bit rough to manipulate all of this successfully in an efficient manner.

It's taking a lot of time to get done, but it's progressing...

One other thing: hives are split in hbin entries, each containing hex $1000 (4096 bytes) except for the last in most cases, however I've noticed that only the first hbin is used as reference and then all others can be completely ignored.

I know MS is using them to avoid rewriting the hive as a single block, but I will try to follow this idea to see if it eases the successful validation of the hive using reg.exe.


Thanks for the new links, I already know how to work over security permissions inside reg keys, check the little app I've posted - it will display the offset to the security profile of each key which can also be easily modified if required.

The virtualization links only give more reasons to get away from the control of vista - thank you once again they are really a good reading to know as much as possible about LUA and UAC, my bookmark section for UAC is getting rather huge.... :cheers:

#38 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 27 March 2007 - 08:57 PM

ow, come on, you cannot possibly have read all that in 40 minutes! :cheers:

Must be 39 minutes, 1 minute he needs for the reply :cheers:
Peter

#39 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 27 March 2007 - 10:09 PM

@Nuno
If you have problems creating working hives, maybe you should ask Hive's parents, they must have some clue! :cheers:

#40 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 28 March 2007 - 03:11 PM

Well, I hope they don't even bother to come with that story about bees and flowers.. :cheers:

But on the other hand it might also not be needed at all - I'm already creating new hives successfully. Last afternoon I went to start up from scratch and have learnt a few more details that needed to be taken into account like the overall filesize checksum and where the security descriptors are expected to be found.

As a result reg.exe will successfully load a newly generated hive - which should be more than fine to also be used under PE boot up, also worth mentioning that most documentation I found regarding this subject came from rootkit discussion topics - at least now I understand a lot more about root kits as well.

Rewriting hives also has the advantage of removing any hidden rootkit-like data inside the registry files since hidden keys (keys that aren't linked to the registry tree) certainly won't be written back.

Later today will start enumerating all keys and values to see how it goes, should probably take a while to get everything into place, but it's going well so far and I'm still having lots of fun with these testings.. :cheers:

:cheers:
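The two posts above describe the pieces of the hive format that an offline tool has to get right: the XOR checksum over the first 508 bytes of the header, the hive split into hbin blocks of 0x1000 bytes, and the fact that cells which nothing in the key tree links to are simply left behind when a hive is rewritten. The following is an added example, not code from this thread, from LoadHive or from any of the tools linked here; it builds a constructed minimal hive in memory (one base block plus one hbin with filler cells, not real nk/vk structures), recomputes and verifies the header checksum, and walks every hbin and every cell by size rather than by following key links, which is how an offline parser can see allocated cells that are not reachable from the root. Field offsets (checksum at 0x1FC, hive bins data size at 0x28, 32-byte hbin header, signed 8-byte-aligned cell sizes) and the two checksum substitutions are taken from public descriptions of the regf format, and are assumptions of this example rather than something the posts state.

```python
import struct

HEADER_SIZE = 0x1000   # the regf base block occupies the first 4096 bytes
HBIN_SIZE = 0x1000     # each hive bin is a multiple of 4096 bytes
HBIN_HEADER = 0x20     # 32-byte hbin header precedes the first cell


def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian DWORDs in the first 508 bytes of the base block.

    The stored value lives at offset 0x1FC, right after those 508 bytes. The two
    substitutions at the end follow public format descriptions (assumption).
    """
    xor = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        xor ^= dword
    if xor == 0:
        return 1
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return xor


def build_hive(cells):
    """Construct a minimal hive: one base block plus one hbin holding `cells`.

    `cells` is a list of (allocated, payload) pairs. A cell starts with a signed
    DWORD size (negative = allocated, positive = free) and is 8-byte aligned.
    The payloads are constructed filler, not real key or value structures.
    """
    hbin = bytearray(HBIN_SIZE)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, HBIN_SIZE)   # offset relative to first hbin, bin size
    pos = HBIN_HEADER
    for allocated, payload in cells:
        size = (len(payload) + 4 + 7) & ~7           # size field + payload, rounded up to 8
        struct.pack_into("<i", hbin, pos, -size if allocated else size)
        hbin[pos + 4:pos + 4 + len(payload)] = payload
        pos += size
    if pos < HBIN_SIZE:                              # whatever is left becomes one free cell
        struct.pack_into("<i", hbin, pos, HBIN_SIZE - pos)

    header = bytearray(HEADER_SIZE)
    header[0:4] = b"regf"
    struct.pack_into("<II", header, 0x04, 1, 1)          # primary/secondary sequence numbers agree
    struct.pack_into("<IIII", header, 0x14, 1, 5, 0, 1)  # major 1, minor 5, primary file, format 1
    struct.pack_into("<II", header, 0x24, HBIN_HEADER, HBIN_SIZE)  # root cell offset, hbin data size
    struct.pack_into("<I", header, 0x2C, 1)              # clustering factor
    struct.pack_into("<I", header, 0x1FC, regf_checksum(header))
    return bytes(header) + bytes(hbin)


def parse_hive(data: bytes) -> dict:
    """Verify the base block checksum, then walk every hbin and every cell in it.

    Cells are enumerated by size, so allocated cells that no key links to
    (the "hidden" data a rewrite would drop) still show up in the result.
    """
    if data[:4] != b"regf":
        raise ValueError("not a regf hive")
    stored = struct.unpack_from("<I", data, 0x1FC)[0]
    checksum_ok = stored == regf_checksum(data[:HEADER_SIZE])
    seq1, seq2 = struct.unpack_from("<II", data, 0x04)
    bins_size = struct.unpack_from("<I", data, 0x28)[0]

    bins = []
    off = HEADER_SIZE
    while off < HEADER_SIZE + bins_size:
        if data[off:off + 4] != b"hbin":
            raise ValueError(f"missing hbin signature at file offset {off:#x}")
        rel_off, size = struct.unpack_from("<II", data, off + 4)
        if size == 0 or size % HBIN_SIZE or off + size > len(data):
            raise ValueError(f"implausible hbin size {size:#x} at {off:#x}")
        cells = []
        pos = off + HBIN_HEADER
        while pos < off + size:
            csize = struct.unpack_from("<i", data, pos)[0]
            # a zero or misaligned size, or one running past the bin, means corruption
            if csize == 0 or abs(csize) % 8 or pos + abs(csize) > off + size:
                raise ValueError(f"corrupt cell size {csize} at {pos:#x}")
            cells.append({"offset": pos - HEADER_SIZE, "allocated": csize < 0, "size": abs(csize)})
            pos += abs(csize)
        bins.append({"offset": rel_off, "size": size, "cells": cells})
        off += size
    return {"checksum_ok": checksum_ok, "sequence_clean": seq1 == seq2, "bins": bins}


if __name__ == "__main__":
    hive = build_hive([(True, b"root"), (False, b"free"), (True, b"unlinked")])
    print(parse_hive(hive))
```

A mismatch between the stored and recomputed checksum is the first thing to check when reg.exe refuses a generated hive, and differing sequence numbers mean the hive was not closed cleanly; both are cheap checks to run before trying to interpret any key data.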

#41 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 29 March 2007 - 07:39 AM

I'm already creating new hives successfully. Last afternoon I went to start up from scratch and have learnt a few more details.....


VERY good news! :cheers:

:cheers:

jaclaz

P.S.: Another random idea:
Why don't you try to contact Lars Hederer, I guess that for being able to write Erunt/Registry Optimizer he must have a rather detailed knowledge of the internal organization of the Registry, from what he writes he seems like a nice guy, and though he released his apps as Freeware (NOT Open Source), he might be wanting to share some info..... :cheers:

http://www.larsheder...nline.de/erunt/

Slightly off-topic, also have a look at this:
http://www.tenox.tc/out/#regln
(Virtual links in the Registry)

This site, finally, appears to have some really interesting information, together with a lot of already known ones:
http://www.beginningtoseethelight.org/

#42 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 31 March 2007 - 04:29 PM

Something interesting by Mark Russinovich:
http://www.microsoft...ult.aspx?loc=en



Some more links:
http://www.utdallas....21000/rback.cpp
(not really related, but it has some interesting info)

http://www.mirkes.de...es/dumphive.php
(with delphi source code)

http://www.windowsne...ctionSteps.html
(another one not really related, but interesting for booting sequence/Registry order of access)

jaclaz

#43 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 01 April 2007 - 03:24 PM

There is also this (linux) tool that is however defined as "platform independent" on the home page:
http://sourceforge.n...?group_id=96788

Some more interesting links:
http://samba.org/~jelmer/kregedit/
http://samba.org/ftp...ools/gregedit.c
http://lists.samba.o...ber/025918.html
http://www.richardsh...ff.html#Editing registry files under UNIX

I guess one should have a closer look inside Samba...


jaclaz

#44 paraglider

paraglider

    Gold Member

  • .script developer
  • 1743 posts
  • Location:NC,USA
  •  
    United States

Posted 05 April 2007 - 12:31 PM

I think when UAC is enabled registry access is also redirected ( Registry Virtualization is enabled ) so you are no longer at the root level in the registry. As you can only load hives at the root level then that may be the reason why the load fails, not because of a privilege error.

#45 Alexei

Alexei

    Silver Member

  • .script developer
  • 664 posts

Posted 06 April 2007 - 12:27 PM

I think when UAC is enabled registry access is also redirected ( Registry Virtualization is enabled ) so you are no longer at the root level in the registry. As you can only load hives at the root level then that may be the reason why the load fails, not because of a privilege error.

There are two different issues about reg load.
1. Running PE adds entries to complete its initialization.
2. WinBuilder under Vista adds reg info preparing the Hive.
Both issues have to be resolved :cheers:
I believe, the build can completely control how UAC behaves and when it's activated during PE startup.
I think WB can use "unprotected" registry sub-tree to build the hives.
:cheers:
Alexei

#46 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7101 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 11 April 2007 - 01:35 PM

Alexei,
you might want to double check the "spring" below the "Add Reply" button, it appears to be stuck on your PC :cheers: :cheers:

:cheers:

jaclaz

#47 Alexei

Alexei

    Silver Member

  • .script developer
  • 664 posts

Posted 13 April 2007 - 02:24 PM

Alexei,
you might want to double check the "spring" below the "Add Reply" button, it appears to be stuck on your PC :cheers: :cheers:

:cheers:

jaclaz

:cheers:
The "button" hanged up (possibly server problems), so I tried till it went through :cheers:
:cheers:
Alexei

PS
Duplicates deleted
