NativeReg


41 replies to this topic

#26 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 22 January 2017 - 11:31 AM

Thanks for this, so to use it I drop nativereg.exe and nativereg.fpr in system32 and add registry keys as such?

I would like to use this for injecting dosdiskdevice entries. An issue I have had for a long time is injecting dosdiskdevices in sysprep mode for Windows XP after injecting winvblock from a wim file etc.


 

native2.fpr is the source code: ignore it unless you want to modify/recompile it.

 

(1) Drop nativereg.exe in system32, (2) modify the bootexecute registry key and (3) adapt the parameters to the registry keys you want to modify.

 

In your case I would not know what is the best way to achieve what you are looking for :

-offline registry modification once (have a look at offlinereg, maybe in my signature?)

-online registry modification at every boot in the early stage of the booting process (but will it be early enough?)

-online registry modification once in the early stage of the booting process


  • dencorso likes this
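
The three steps above leave a program that runs at every boot before any logon, so the BootExecute value is worth reviewing after any such change. An added example (not from this thread and not part of NativeReg) that decodes raw REG_MULTI_SZ data and reports every entry other than the stock `autocheck autochk *`; the sample bytes are constructed and the `approved` allowlist parameter is an assumption.

```python
"""Audit the Session Manager BootExecute value (added example, not NativeReg code)."""
import sys

KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
BASELINE = ["autocheck autochk *"]  # stock Windows entry

# Constructed sample: raw REG_MULTI_SZ bytes as stored in the hive.
SAMPLE_RAW = (
    "autocheck autochk *\x00"
    "nativereg createvalue \\Registry\\Machine\\SYSTEM\\Setup\\key1 test0 8 REG_RND_SZ\x00"
    "\x00"
).encode("utf-16-le")


def parse_multi_sz(raw):
    """Decode REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated."""
    if len(raw) % 2:
        raise ValueError("REG_MULTI_SZ data must have an even byte length")
    # Empty strings are dropped instead of ending the list, so nothing
    # placed after an embedded empty string escapes the audit.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def normalize(entry):
    """Collapse whitespace and case so cosmetic variants compare equal."""
    return " ".join(entry.split()).lower()


def audit_boot_execute(entries, approved=()):
    """Return entries that are neither stock nor on the site allowlist."""
    allowed = {normalize(e) for e in list(BASELINE) + list(approved)}
    return [e for e in entries if normalize(e) not in allowed]


def read_live():
    """Windows only: read BootExecute from the running system."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as key:
        value, _type = winreg.QueryValueEx(key, "BootExecute")
    return list(value)


if __name__ == "__main__":
    entries = read_live() if sys.platform == "win32" else parse_multi_sz(SAMPLE_RAW)
    for entry in audit_boot_execute(entries):
        print("non-default BootExecute entry:", entry)
```
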

#27 dencorso

dencorso

    Frequent Member

  • Advanced user
  • 142 posts
  •  
    Brazil

Posted 22 January 2017 - 10:45 PM

Why is this tool useful for POSReady Trick? Does the regtweak not work once the kernel is loaded?

Yes, it works perfectly, and rarely, if ever, has anyone needed to revert it.
However, when someone does need to actually revert it, it's not easy, because Windows protects the added key from deletion.
There are ways of removing it from the unbooted Windows XP, by using a special Linux registry tool. But that requires some expertise... so it's not easy for everyone. An easier procedure might be welcome, IMO. That's why I said:

Your tool provides another, easier, way to revert the XP POSReady trick, if it ever turns out to be required.

What part of the above statement did you fail to understand?



#28 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 23 January 2017 - 10:47 AM

Oww, come on ...


You can boot in a PE instead of Linux, for that matter, and of course besides importing temporarily the hive in the PE you can then use the offline Registry editor (also by erwan.l).

Or you can use (say) ERUNT, backup the registry, modify the backup and then restore it.

Agni was not aware that the \WPA\ keys are protected, that was the part that you omitted explaining to him.

:duff:
Wonko

#29 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 23 January 2017 - 11:02 AM

Or you can use (say) ERUNT, backup the registry, modify the backup and then restore it.
 

 

Or DumpReg :)



#30 dencorso

dencorso

    Frequent Member

  • Advanced user
  • 142 posts
  •  
    Brazil

Posted 25 January 2017 - 10:22 AM

All good options, of course. But NativeReg opens the possibility of doing it without needing any alternative OS (viz. Linux Live or Win PE), obviates having to recreate a full hive (like with ERUNT) and, hence, seems to me to be the simplest approach (or, at least, the least error-prone). Of course, this is a matter of taste/opinion and, as such, YMMV. After all, all I said was:
 

Your tool provides another, easier, way to revert the XP POSReady trick, if it ever turns out to be required.


#31 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 25 January 2017 - 05:55 PM

More or less the world is binary, there are 10 kinds of people, those that use Erunt (or similar) to make periodical backups of the registry and those that one day or the other will find that their XP is unbootable and won't be able to fix it.

 

And those that use Erunt (or similar) are usually the same people that know anything between 3 and 6 other different ways to modify a Registry entry, even if protected.

 

This NativeReg thingy might be very useful to automate the removal of protected Registry keys, but it is not IMHO "easier" or "more practical" than other possible ways for the "once and seldom" removal.

 

The base issue being that if you don't have a Registry backup, you are doing it wrong.

 

:duff:

Wonko



#32 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 25 January 2017 - 06:04 PM

 

The base issue being that if you don't have a Registry backup, you are doing it wrong.

 

 

 

Which makes me think that I could (maybe) add a backup option to nativereg :)

So that if one screws up, it could "easily" be fixed by booting with WinPE and restoring the backed-up hive.

Provided that ntdll.dll has functions to perform this task...



#33 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 25 January 2017 - 06:14 PM

IMHO a separate tool would be more useful (that could as well autoexecute on next boot).

 

Actually - to say it all - it would be very interesting to have a native shell capable of popping up at boot time with - say - a 5 seconds (configurable) timeout from which one could choose a few programs including the chkdsk and nativereg and the backup tool.

 

The given resource Native Shell:

http://hex.pp.ua/nt-...s-shell-eng.php

already can copy files, however, so, strictly speaking that can be already used to make a copy of the Registry hives.

 

:duff:

Wonko
 



#34 agni

agni

    Frequent Member

  • Tutorial Writer
  • 270 posts
  • Location:Bengaluru (Bangalore)
  •  
    India

Posted 26 January 2017 - 02:10 PM

Some more useful Native Projects

 

https://www.codeproj...Win-User-Land-t

 

Bootpgm(cpp) - compiles and build very well

https://github.com/jrudolph/bootpgm



#35 tinoy69

tinoy69

    Member

  • Members
  • 30 posts
  •  
    Philippines

Posted 30 January 2017 - 08:50 PM

i just have a question to this nativeregmod tool...

 

is it possible to get ip address from this native program?

 

and from that ip address modify additional registry info based on that ip address parameter?

 

i was thinking of modifying the machines workstation name? based on the ip address i get from

maybe a native function (something like that)...

 

will the new machine name persist? (modifying the machine name registry on the native app, will be

the machine name after the native app ends? or will just revert back to the old machine name?)

 



#36 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 04 February 2017 - 11:31 PM

i just have a question to this nativeregmod tool...

 

is it possible to get ip address from this native program?

 

and from that ip address modify additional registry info based on that ip address parameter?

 

i was thinking of modifying the machines workstation name? based on the ip address i get from

maybe a native function (something like that)...

 

will the new machine name persist? (modifying the machine name registry on the native app, will be

the machine name after the native app ends? or will just revert back to the old machine name?)

 

Modifying the IP is definitely something you could do although I cannot find a scenario where this would be useful.

Modifying the computername might be possible although I kind of remember it may imply several registry keys.



#37 tinoy69

tinoy69

    Member

  • Members
  • 30 posts
  •  
    Philippines

Posted 05 February 2017 - 01:16 AM

thank you for replying

 

i don't want to modify the ip address, rather the ip address will be used as a parameter to change the machine name accordingly via registry...

 

let's say you dish out a specific ip address via machine lan address through dhcp...

 

the program can read the ip and change the workstation name (192.168.0.203 i.e. pc203)

 

this can be useful in diskless booting, wherein you boot a single image which has a default workstation name



#38 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 05 February 2017 - 11:12 AM

thank you for replying

 

i don't want to modify the ip address, rather the ip address will be used as a parameter to change the machine name accordingly via registry...

 

let's say you dish out a specific ip address via machine lan address through dhcp...

 

the program can read the ip and change the workstation name (192.168.0.203 i.e. pc203)

 

this can be useful in diskless booting, wherein you boot a single image which has a default workstation name

 

beware that if you are in a windows domain, the computername is not your main concern : the computer SID is.



#39 tinoy69

tinoy69

    Member

  • Members
  • 30 posts
  •  
    Philippines

Posted 05 February 2017 - 01:20 PM

well the idea is booting multiple machines using a single image the first boot machine has the workstation name, but after booting the next machine, the error "the computer name already exists on the network" comes up, i'm just finding a solution to this problem...

 

i'm not joining a domain...

 

all i want to know if this is possible...

 

1) how to get the ip address from this native mode (early in the boot process)

 

2) if i somehow change the workstation name from native mode (via registry), will that be the workstation name after finished booting?



#40 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 05 February 2017 - 01:44 PM

well the idea is booting multiple machines using a single image the first boot machine has the workstation name, but after booting the next machine, the error "the computer name already exists on the network" comes up, i'm just finding a solution to this problem...

 

i'm not joining a domain...

 

all i want to know if this is possible...

 

1) how to get the ip address from this native mode (early in the boot process)

 

2) if i somehow change the workstation name from native mode (via registry), will that be the workstation name after finished booting?

 

Look here for computername (to be safe I would change all 3 of them) : 

-SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName

-SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

-SYSTEM\CurrentControlSet\Services\TcpipParameters\hostname

 

Look here for the IP:

-SYSTEM\CurrentControlSet\Services\{Adapter}\Parameters\Tcpip\IPAddress

 

About the IP, i would recommend leaving this to your DHCP server.

Either full dynamic or based on static reservations (based on mac address).

 

Note that NativeReg does not handle any logic for you : it will simply read or write a registry value.

If you need IFTTT logic (if this then that...), then you would need to modify my code.

 

Thus I could add a keyword random as a parameter which would generate a random value (string or integer) which may support your scenario (unique computername).

I guess in the case of booting a unique image for multiple workstations (diskless machines, etc ...) it might be handy.



#41 tinoy69

tinoy69

    Member

  • Members
  • 30 posts
  •  
    Philippines

Posted 05 February 2017 - 10:11 PM

yes this is the scenario i'm looking for, the machine gets static ip via mac address from dhcp server...

 

then based off that ip address, change the workstation name...

 

the random value might come handy in some situations

 

(you really don't care about the ip, just generate random workstation name using valid chars, for the machine to boot

without the "the computername already exists on the network" error, but still, the possibility of collisions is still there...

just very, very, very small)



#42 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3042 posts
  • Location:Nantes - France
  •  
    France

Posted 19 February 2017 - 04:34 PM

Version 0.4 is out.

Here.

 

new type added : REG_RND_SZ.

The string value (8 in the example below) is then the length of the random string to generate.

nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test0 8 REG_RND_SZ

In some scenarios, such as booting the same Windows image from multiple hosts, it can be used to generate a random computername.
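
The two approaches discussed in this thread (a name derived from the DHCP-assigned address, such as 192.168.0.203 giving pc203, and a random name of fixed length) compared in an added example, not code from NativeReg or the posters. The /24 prefix, the 36-character alphabet and the NetBIOS-safe name check are assumptions; the page does not state which characters REG_RND_SZ draws from.

```python
"""Unique workstation names for a shared boot image (added example)."""
import ipaddress
import math
import re

# Conservative NetBIOS-safe subset: 1-15 characters, letters, digits, hyphen.
VALID_NAME = re.compile(r"[A-Za-z0-9-]{1,15}")


def name_from_ip(ip, prefix="pc", prefix_len=24):
    """Deterministic name from the host part: 192.168.0.203/24 -> pc203."""
    addr = ipaddress.IPv4Address(ip)
    if not 1 <= prefix_len <= 30:
        raise ValueError("prefix_len must be between 1 and 30")
    host_mask = (1 << (32 - prefix_len)) - 1
    host = int(addr) & host_mask
    if host in (0, host_mask):
        raise ValueError(f"{ip} is a network or broadcast address")
    name = f"{prefix}{host}"
    if not VALID_NAME.fullmatch(name) or name.isdigit():
        raise ValueError(f"{name!r} is not a usable computer name")
    return name


def collision_probability(machines, length, alphabet_size=36):
    """Birthday bound: chance that at least two random names are equal."""
    space = alphabet_size ** length
    if machines > space:
        return 1.0  # pigeonhole: more machines than possible names
    # P(all distinct) = prod(1 - i/space); summed in log space for accuracy.
    log_distinct = sum(math.log1p(-i / space) for i in range(machines))
    return -math.expm1(log_distinct)


if __name__ == "__main__":
    print(name_from_ip("192.168.0.203"))
    for n in (10, 100, 1000):
        print(n, "machines, 8 random chars:", collision_probability(n, 8))
```

The derived name cannot collide within one subnet as long as the DHCP reservations are unique, while the random name trades that guarantee for needing no lookup at all.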





