Offline Registry Library



#1 Wonko the Sane

Posted 25 April 2010 - 08:39 AM

It seems like the WDK has a .dll that allows offline Registry editing:
http://msdn.microsof...7(v=vs.85).aspx

> Offline Registry Library
> Purpose
>
> The offline registry library (Offreg.dll) is used to modify a registry hive outside the active system registry. This library is intended for registry update scenarios such as servicing an operating system image. The library supports registry hive formats starting with Windows XP.
>
> Developer Audience
>
> This technology is for original equipment manufacturers (OEMs), antivirus and antimalware software vendors, and other application developers who must be able to parse registry hive files without loading them into the active registry.
>
> Run-Time Requirements
>
> The offline registry library is provided as a binary redistributable dynamic-link library (DLL). This library runs on the following versions of Windows:
> Windows 7
> Windows Server 2008 R2
> Windows Server 2008
> Windows Vista
> Windows Server 2003
> Windows XP
>
> Applications should link to Offreg.dll using dynamic linking.
>
> Offreg.dll is provided in the Microsoft Windows Driver Kit (WDK) for Windows 7 and earlier versions of the Windows operating system.

Since Nuno has stopped all development on RAWREG, and no one is interested in improving or refining what I think would be the "right" way to access an offline Registry:
http://www.boot-land...?...1&pid=64537

Maybe someone could provide a command line interface to the functions of Offreg.dll ....? :P

:mellow:
Wonko



#2 Galapo

Posted 25 April 2010 - 10:16 AM

I'm not necessarily volunteering, but this is indeed a very interesting library of functions. I'm particularly interested in ORCreateHive.

Regards,
Galapo.

#3 erwan.l

Posted 25 April 2010 - 05:37 PM

Hello,
I could volunteer and provide a command line.
Question is: is that dll free for distribution?

Regards,
Erwan.

#4 Wonko the Sane

Posted 25 April 2010 - 06:01 PM

> Question is: is that dll free for distribution?

NO.
Question is: WHY would Wonko the Sane have bothered to make bold italic a few words of the quote from the MS site? :P

> The offline registry library is provided as a binary redistributable dynamic-link library (DLL).

And the answer is of course: Now you know why he is called the Sane. :P

:mellow:

:P
Wonko

#5 erwan.l

Posted 25 April 2010 - 06:13 PM

Hi Wonko,
Stupid me indeed.
Sorry, this is a sunny Sunday and drinking "pastis" under the sun did not do me any good :mellow:

I'll play with that dll but basically I feel all it does (maybe too reductive here) is mount a hive as a temp registry key to manipulate it.
I feel I could provide the same without depending on a WDK.

Erwan.

PS: "pastis" is a French drink...

#6 Wonko the Sane

Posted 25 April 2010 - 06:18 PM

> Sorry, this is a sunny Sunday and drinking "pastis" under the sun did not do me any good :mellow:

:P SUN?

How come here it is raining? :P

:P

> I'll play with that dll but basically I feel all it does (maybe too reductive here) is mount a hive as a temp registry key to manipulate it.
> I feel I could provide the same without depending on a WDK.

I already tried to "lure" one of the good programming guys into doing some work on the Registry.... :P

The approach I find "right" is this one:
http://www.boot-land...;showtopic=7681

You may also want to try writing to Nuno, if he is willing to give you the source for Rawreg....

:P
Wonko

#7 erwan.l

Posted 25 April 2010 - 06:26 PM

I have seen your thread indeed on the filesystem approach.
I have seen you are on the pro side when Nuno is not :mellow:

Being a developer at first, I feel uncomfortable with simply forgetting about many specifics of the registry (the types, for instance).

On the other side, the approach is very interesting and can be handy on some occasions.

Coming back to Rawreg, it seems that Nuno is a Delphi programmer, like me, so I'll contact him to see if he wants to give an afterlife to Rawreg.
Side note: he took the hard way, I believe, by accessing the file in direct byte mode, where I was thinking of going the lazy way by loading a temp hive :P

Regards,
Erwan.

#8 Wonko the Sane

Posted 25 April 2010 - 06:51 PM

> Being a developer at first, I feel uncomfortable with simply forgetting about many specifics of the registry (the types, for instance).

Well, that's missing in the current implementation, which is nothing much more than a "proof of concept"; I am pretty sure that one can add all the specifics he wants.

> Side note: he took the hard way, I believe, by accessing the file in direct byte mode, where I was thinking of going the lazy way by loading a temp hive :P

Well, if you are going to mount a hive in an existing Registry, thank you very much, but we already know how to do it :mellow:, the whole point of the exercise is doing it WITHOUT loading the temp hive.

The filesystem driver approach is the most correct since, as I am almost too tired to write again, the Registry WAS DESIGNED as a filesystem.
Ever wondered why you can defragment it?
And why you can have "junctions" in it?
And inheritable permissions/ownership?

Doesn't it sound a lot like NTFS? :P

Obviously, just like Winimage does for disk images one can write a tool (the Built-in Registry tools and Rawreg) to access it as if it was a .ini file.

:P
Wonko

#9 MedEvil

Posted 25 April 2010 - 08:31 PM

I seem to miss a point.
Why would we want to create an executable to access this dll?
Wouldn't it make more sense if WB used this dll directly? That's, after all, why it's delivered as a dll and not as an exe.

:mellow:

#10 paraglider

Posted 25 April 2010 - 10:30 PM

Yes. The dll can be redistributed. It's explicitly listed in redist.txt from the Windows DDK. From the license:

> 2. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
> a. Distributable Code. The software contains code that you are permitted to distribute in programs you develop if you comply with the terms below.
> i. Right to Use and Distribute. The code and text files listed below are "Distributable Code."
> • REDIST.TXT Files. You may copy and distribute the object code form of code listed in REDIST.TXT files.
> • Third Party Distribution. You may permit distributors of your programs to copy and distribute the Distributable Code as part of those programs.

#11 erwan.l

Posted 01 May 2010 - 08:46 PM

Hi Gents,

A command line tool could be used by any third party software, not just only WB.

On my side, I started to play with the dll and was able to use the following functions in a matter of minutes (in Delphi): OROpenHive, ORCloseHive, OROpenKey, ORCloseKey, ORGetValue.

I should be able to come up with a beta version pretty soon.

Regards,
Erwan.

#12 erwan.l

Posted 02 May 2010 - 11:07 AM

A quick beta version here with limited features: http://erwan.l.free..../offlinereg.zip .

version 0.1
getvalue ok : reg_sz and reg_dword only
setvalue ok : bug, last char for value is lost / reg_sz only

edit

v0.2
added : getvalue , reg_binary and reg_multi_sz supported
added : getvalue will display "valuename"=value
fixed : setvalue will no longer truncate last char, still reg_sz only

edit

v0.3
added : deletevalue
added : deletekey

edit

v0.4
added : createkey
added : setvalue will also work for reg_dword, reg_multi_sz and reg_binary

some examples:
example : OfflineReg "c:\temp\system" a_key getvalue a_value_name
example : OfflineReg "c:\temp\system" key\subkey getvalue a_value_name
example : OfflineReg "c:\temp\system" a_key setvalue a_value_name a_new_value
example : OfflineReg "c:\temp\system" a_key setvalue a_dword_key a_dword_value 4
example : OfflineReg "c:\temp\system" a_key setvalue a_binary_key 0a,0b,0c,0d,0e,0f 3
example : OfflineReg "c:\temp\system" a_key deletevalue a_value
example : OfflineReg "c:\temp\system" a_key deletekey a_subkey


/Erwan

#13 erwan.l

Posted 02 May 2010 - 05:46 PM

Last version for now; pretty much anything can be achieved on an offline registry.

v0.5
added : enumkeys
added : enumvalues
added : getvalue, reg_expand_sz supported
added : setvalue, reg_expand_sz supported

OfflineReg hivepath key verb arg(s)
example : OfflineReg "c:\temp\system" a_key_path getvalue a_value_name
example : OfflineReg "c:\temp\system" a_key_path setvalue a_value_name a_new_value
example : OfflineReg "c:\temp\system" a_key_path setvalue a_dword_key_name a_dword_value 4
example : OfflineReg "c:\temp\system" a_key_path setvalue a_binary_key_name 0a,0b,0c,0d,0e,0f 3
example : OfflineReg "c:\temp\system" a_key_path setvalue a_multi_value_name "aa bb cc dd" 7
example : OfflineReg "c:\temp\system" a_key_path deletevalue a_value
example : OfflineReg "c:\temp\system" a_key_path deletekey a_key
example : OfflineReg "c:\temp\system" a_key_path createkey a_key
example : OfflineReg "c:\temp\system" a_key_path enumkeys
example : OfflineReg "c:\temp\system" a_key_path enumvalues

question : should this be moved to the project forge section now?

/Erwan
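What a setvalue verb has to do with its argument before handing type, data and byte size to ORSetValue, as an added Python illustration (not erwan.l's Delphi code): encode the command-line text according to the numeric type code used in the examples above. The type codes are the REG_* values from winnt.h; the argument conventions (comma-separated hex for reg_binary, space-separated strings for reg_multi_sz) are my reading of the examples, not a documented spec.

```python
import struct

# REG_* type codes from winnt.h; the tool's setvalue examples use the same numbers.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7


def encode_setvalue(arg, reg_type=REG_SZ):
    """Turn a setvalue argument into the bytes a hive stores for that type.

    Argument conventions are my reading of the examples in this thread (assumption):
      REG_SZ / REG_EXPAND_SZ : text, stored UTF-16LE with a terminating NUL
      REG_DWORD              : decimal (or 0x-prefixed) text, stored little-endian 32-bit
      REG_BINARY             : comma-separated hex bytes, e.g. "0a,0b,0c"
      REG_MULTI_SZ           : space-separated strings, each NUL-terminated, plus a final NUL
    len() of the result, terminators included, is the byte count the data-size
    parameter of the ORSetValue call must carry.
    """
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return (arg + "\0").encode("utf-16-le")
    if reg_type == REG_DWORD:
        value = int(arg, 0)
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("REG_DWORD out of range: " + arg)
        return struct.pack("<I", value)
    if reg_type == REG_BINARY:
        return bytes(int(tok, 16) for tok in arg.split(",") if tok.strip())
    if reg_type == REG_MULTI_SZ:
        strings = [s for s in arg.split(" ") if s]
        return "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"
    raise ValueError("unsupported registry type %d" % reg_type)


def decode_value(data, reg_type):
    """Inverse of encode_setvalue: what a getvalue verb would print after ORGetValue."""
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\0")
    if reg_type == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if reg_type == REG_BINARY:
        return ",".join("%02x" % b for b in data)
    if reg_type == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    raise ValueError("unsupported registry type %d" % reg_type)
```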

#14 bilou_gateux

Posted 05 May 2010 - 03:44 PM

I have tried 3 times without success to use the command line tool:

running OS Windows XP Professional SP3 SystemDrive=C:
trying to get some values from Windows parallel install on D:

1st try
OfflineReg "D:\Windows\system32\config\system" "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions" getvalue "ProductSuite"

Output
OROpenKey failed:2


#15 Wonko the Sane

Posted 05 May 2010 - 09:47 PM

> A command line tool could be used by any third party software, not just only WB.

Yep. :cheers:

> question : should this be moved to the project forge section now?

I wouldn't move anything.

Start a new thread in ProjectForge with the latest version (and a link to this thread for the nosy peeps that want to see what happened before :cheers:).

:P

Wonko

#16 paraglider

Posted 06 May 2010 - 12:11 AM

I would say:

OfflineReg "D:\Windows\system32\config\system" ControlSet001\Control\ProductOptions getvalue "ProductSuite"

is more likely to work as you are opening the system hive.

#17 erwan.l

Posted 06 May 2010 - 07:48 PM

bilou_gateux: as paraglider mentioned, indeed it should be: offlinereg "D:\Windows\system32\config\system" "ControlSet001\Control\ProductOptions" getvalue "ProductSuite"

I should make a clearer error output and clearer examples.

Wonko: I'll open a new thread.

Regards,
Erwan

> I have tried 3 times without success to use the command line tool:
>
> running OS Windows XP Professional SP3 SystemDrive=C:
> trying to get some values from Windows parallel install on D:
>
> 1st try
>
> OfflineReg "D:\Windows\system32\config\system" "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions" getvalue "ProductSuite"
>
> Output
> OROpenKey failed:2



#18 erwan.l

Posted 06 May 2010 - 08:10 PM

New thread here (in project forge) : http://www.boot-land...showtopic=11312 .

/Erwan

#19 Wonko the Sane

Posted 10 May 2010 - 10:57 AM

@Erwan
Maybe it could be of use to add a command line parsing mechanism to the app.

Something that "understands" that:
http://msdn.microsof...877(VS.85).aspx

HKEY_CURRENT_CONFIG          -> System
HKEY_CURRENT_USER            -> Ntuser.dat
HKEY_LOCAL_MACHINE\SAM       -> Sam
HKEY_LOCAL_MACHINE\Security  -> Security
HKEY_LOCAL_MACHINE\Software  -> Software
HKEY_LOCAL_MACHINE\System    -> System
HKEY_USERS\.DEFAULT          -> Default

and the same goes for the HKLM, HKCU, etc. abbreviations.

So that if the accessed filename in the example posted by bilou_gateux:

"D:\Windows\system32\config\system"

corresponds to the given path:

"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions"

the path is automatically parsed as:

"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions"

Since most of us have paths stored with the complete "online" path, this could be handy.

:cheers:
Wonko
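One way to implement the parsing Wonko suggests, as an added Python example (not OfflineReg's own code): split an "online" path into the hive file it lives in and the key path relative to the hive root, which is the form OROpenKey expects. Win32 error 2, the OROpenKey failed:2 bilou_gateux saw, is ERROR_FILE_NOT_FOUND, the result of asking a hive whose root already is HKLM\SYSTEM for a subkey named HKEY_LOCAL_MACHINE. The root-to-hive table is taken exactly as listed in the post above; the assumption that every hive sits in one config directory (offlinereg_argv) is mine and does not hold for Ntuser.dat, which lives in the user profile.

```python
import ntpath  # Windows path semantics regardless of the host OS

# Root key -> hive file, as listed in the post above (keys kept upper-case for matching).
ROOT_TO_HIVE = {
    r"HKEY_LOCAL_MACHINE\SAM": "Sam",
    r"HKEY_LOCAL_MACHINE\SECURITY": "Security",
    r"HKEY_LOCAL_MACHINE\SOFTWARE": "Software",
    r"HKEY_LOCAL_MACHINE\SYSTEM": "System",
    r"HKEY_CURRENT_CONFIG": "System",
    r"HKEY_CURRENT_USER": "Ntuser.dat",
    r"HKEY_USERS\.DEFAULT": "Default",
}
ABBREVIATIONS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                 "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG"}


def split_online_path(path):
    """Return (hive file name, key path relative to the hive root).

    Returns (None, path) when no known root prefix is present, i.e. the path is
    already hive-relative (like paraglider's corrected example)."""
    parts = [p for p in path.strip("\\").split("\\") if p]
    if parts and parts[0].upper() in ABBREVIATIONS:
        parts[0] = ABBREVIATIONS[parts[0].upper()]
    # Longest prefix first: HKLM\SAM must win over a bare HKLM (which maps to no single hive).
    for n in (2, 1):
        prefix = "\\".join(parts[:n]).upper()
        if prefix in ROOT_TO_HIVE:
            return ROOT_TO_HIVE[prefix], "\\".join(parts[n:])
    return None, path


def check_hive_matches(hive_file, online_path):
    """True if the hive file's name is the hive the online path implies (case-insensitive)."""
    expected, _ = split_online_path(online_path)
    return expected is not None and ntpath.basename(hive_file).lower() == expected.lower()


def offlinereg_argv(config_dir, online_path, verb, *args):
    """Build an OfflineReg argument list from an online path.

    Assumes (my convention) that the hive file lives directly in config_dir."""
    hive, rel = split_online_path(online_path)
    if hive is None:
        raise ValueError("no known root key in " + online_path)
    return ["OfflineReg", ntpath.join(config_dir, hive), rel, verb, *args]
```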

#20 erwan.l

Posted 05 July 2010 - 06:09 PM

Hi Wonko,

I have taken the discussion here: http://www.boot-land...showtopic=11312 .

Regards,
Erwan.

#21 Wonko the Sane

Posted 05 July 2010 - 06:36 PM

Thanks :cheers:

:cheers:
Wonko