Raw Registry Editor

Posted 16 May 2008 - 09:30 AM

Raw Registry Editor


This was a project that started some time ago and intended to understand how the registry hives worked.

Today I can say that this goal was achieved and the registry hive can be edited without using windows registry functions.



Download link: http://nunobrito.eu/...oad.php?view.10
Updated link: http://reboot.pro/fi...file/95-rawreg/


What is the advantage of not using Win32 API?

- No need to load a hive into the local registry
- Overcome any security restrictions imposed by Win32 API
- Works on every Windows platform (from Windows 9x all the way up to Vista)
- No UAC restrictions regarding hive load without administrator permissions
- More features can be added in the future.



--------------------------------


Things to expect from this Raw Registry Editor (RawReg for short name)


- Freeware
- Fast
- Gives a (huge) amount of details and information about any given hive


----------

What can it do?

- Browse the hive structure
- Edit the data on values
- Change the title of values
- Show a map with information of data inside each bin
- Show details about physical offset of any given key


Please note that unlike any other raw registry editors, this is the only program that can really add more data onto a given registry hive and manage the bin space properly. In the past, people were limited to only change data on keys that needed to have the exact same size, there are no such restrictions here and many things can be added - post your requests and I'll see if they can be included.



It is also the initial test version, more features will be added in the future.

Hope you like this tool.

• Back to top

Posted 16 May 2008 - 09:54 AM

GOOD!

I will test it as soon as I can and report.



jaclaz

• Back to top

Posted 16 May 2008 - 12:06 PM

• Back to top

Posted 16 May 2008 - 12:19 PM

Hmmm, as I see it not (yet ) ready for anything but debugging.

Problems/reprts (on win2k):
1) by default the "open hive on start" is checked, thus if there is a problem with a hive, the program won't run EVER again until you have deleted rawreg.ini
2) Open a "default" hive, size 164 Kb in size - result OK
3) Open a "SAM" hive, size 32 Kb in size - result OK
4) Open a "SECURITY" hive, size 32 Kb - problems:
a. when clicking on "Policy" ERROR - Access violation error at address 0047F530
b. when clicking on the small + sign near "Policy" it opens the subtree correctly, but clicking on any folder below "Policy" results in "cannot access file <path>\SECURITY file is in use by another process
c. file seems to remain "in use" even if you open another hive and then try reloading "SECURITY"
d. if you DO NOT click on "Policy" and open the sub-tree clicking on the + sign, keys are accessed allright
5) Open "software" hive size 11.460 Kb, CPU goes 98 %, memory usage goes beserk, stepping up in 4 kb steps, each step every two seconds roughly, app does not respond, terminated after 5 minutes running and at 54.368 Kb memory occupied
6) Open "system" hive size 5.368 Kb as 5) above
7) Same for "software" and "system" hives sized respectively 2.756 and 1.840 Kb memory usage grows MUCH faster, after two minutes running around 240.000 Kb still not respondong, then dropped down to aout 11.000 kb, still not responding, starting growing again, after another two minutes back to around 240.000 Kb - killed-



Do you need any form of logging?

jaclaz

• Back to top

Posted 16 May 2008 - 12:31 PM

• Back to top

Posted 16 May 2008 - 12:35 PM

More probs:
Opened a ntuser.dat 192 kb in size
1) changing details to "hive map" gives a "Richedit insertion line error"
2) hive time stamp reported as 01/01/1601, I do have this machine since a long time, but NOT such a long time

jaclaz

• Back to top

Posted 16 May 2008 - 03:54 PM

Interesting results, thank you for testing and posting the results.

My experiments up to this point have been done with setupreg.hiv and bcd files.

Will now pick on the other hives to see why they are different and improve the results.

Thank you!

• Back to top

Posted 16 May 2008 - 05:24 PM

Even though there are still a few initial problems.
For finishing this Baby!!!

Great work Nuno!

• Back to top

Posted 16 May 2008 - 09:01 PM

One detail:
If the program crashes while trying to load a hive (or non-hive) file - then the memory won't be properly disposed until the system is rebooted. Please forgive me as I'm still a bit unexperienced handling memory streams when things go wrong..

For those who know delphi - I'm using TFileStream to map the file into memory. Have to learn a bit more about them or use a better way to open files and properly dispose the memory they use when the program crashes.

-------------------------------


One request:

Please send me as email attachments the problematic hives so that I can test them at home.

Thank you for the feedback.

• Back to top

Posted 17 May 2008 - 01:37 PM

• Back to top

Posted 17 May 2008 - 11:31 PM

That could be a worry indeed.

My mailbox has no size restrictions but you can also upload to your site and provide me with a direct download link if you wish.

For safety reasons, you can also encrypt the hive and remove once it is copied.

------------

Been testing on the hives produced by LiveXP (default, software) and noticed that rawreg would take some time to load the software hive because it was sized around 1Mb but nevertheless it was working as expected.

A 10Mb hive should take far longer - I need one of those for test and speed the hive interpretation code.

Don't know why the security hive (mentioned by Jaclaz) would crash - would also like a lot to test and try to find the reason for this behavior.

• Back to top

Posted 18 May 2008 - 04:26 PM

This question may be stupid, but what do you need other peoples hives for, at the moment?
The errors seem not to depend on a particular hive. It's a general problem. So you should be fine testing away with your own hives. Or not?

• Back to top

Posted 19 May 2008 - 08:57 AM

The hives where I tested at home worked out just fine so I'm looking for hives from other OS's/sources like Win2000 for example that were marked as problematic.

So far - I noticed that the program seems to be frozen on some cases because the interpretation code is not fast enough.

A 1.62Mb hive contained thousands of keys inside while most of my experiments were done with much smaller hives (~290 keys).

SAM hive also gave some fuzzy reading results (guess it should have some *special* rules).

Now I need to test and optimize the code until we get good results.

• Back to top

Posted 19 May 2008 - 09:22 AM

Please do allow me for once to go
[off-topic]
...and start RANTING!:

Right now there have been 93 (ninetythree) downloads of the posted tool and 2 (two) people actually posting some reports/trying to help debugging!

Notwithstanding Nuno's great helpfulness and availability, it will take forever to debug this thing if people does not try and participate a bit more.
[/off-topic]

Keep up the good work Nuno , even if you have a limited amount of feedback, sooner or later we'll get to the "real" thing.



jaclaz

• Back to top

Posted 19 May 2008 - 01:54 PM

Yeah, It works nice to open the setupreg.hiv from a pebuilder cd, but I try to open the software hive (3MB), it hangs. I left it running in the background fro a good 15 mins, still hung (not responding). Great start though

• Back to top

Posted 23 May 2008 - 10:18 AM

I'm now following the file system discovery method as mentioned on the raw registry hive discussion post, initial results are encouraging and it is now possible to load hives regardless of their file size (or number of keys) as they are only processed when the user effectively explores the folders rather than reading everything from scratch on the beginning.


There are however some errors that are outputted on some specific keys, these are keys that are somewhat different from the others that I've found so far and will try to learn more about them so that they can also be supported.

Will release a new version once I figure out these details.

• Back to top

Posted 23 May 2008 - 11:52 AM

Go Nuno go! Go Nuno go!

• Back to top

Posted 02 July 2008 - 02:39 PM

Version 1.1 was uploaded and is available on my personal site at: http://nunobrito.eu/...oad.php?view.10

This is still a bit on the beta level but should be much faster than the initial version and work with hives regardless of their size.


On version 1.0 - the hive would be read from top to bottom.

On version 1.1 - the hive is explored as the user expands the subkeys



This different approach solved the cases where we needed to quickly work with a 7Mb sized software hive but brought some new complications to this program.

Currently, I already know the answer to these issues but it might take a bit more to finish up everything.

In the meanwhile, those who are interested might download the 1.1 version and use the program to open NT hives.

Known Issues:

- Write support is working thought I haven't yet finished working on yet so bugs might appear
- Clicking on + (plus) to uncover a subfolder was disabled - need to click on folder to open and see subkeys
- Not all hive structure is completely supported - there are still some tricks on MS's sleeve that need to be further tested - if the program finds a key of this strange sort it will output a warning message.


Others

For some reason - the classes subfolder inside the software hive either appears complete in some hives while in other hives it appears cut in half for some reason.

Will need more time to fully evaluate why this happens.

-----------

Have fun.

• Back to top

Posted 02 July 2008 - 03:32 PM

Hi Nuno,

your program now works really fast!
The only problem that I had was that I got many times the error "An exception occured while exploring this key.!". The real problem is that after this error appears, the list of the values doesn't work even if I select a key that doesn't produce an error

EDIT: Another issue that I had is that it can't edit binary values

EDIT2: I have also two requests. The first is to make these error messages to describe what the problem is (I get this messege when I open registry hives created by reactos.Perhaps If this problem is corrected windows will be able to load them). The second is to make the treeview explorable with the kayboard arrows

• Back to top

Posted 03 July 2008 - 04:12 PM

Hi smiley!

The only problem that I had was that I got many times the error "An exception occured while exploring this key.!". The real problem is that after this error appears, the list of the values doesn't work even if I select a key that doesn't produce an error

This is usually a symptom that the editor not finding the adequate hive structure as expected.

Can you email me your problematic hives so that I can use them on my tests?

EDIT: Another issue that I had is that it can't edit binary values

That's some laziness on my side, these data can also easily be edited but I was in doubt in how to present this data to the user.

Which edit format do you prefer to appear on the edit box?

1 - 00 FA FC 01 29 A2
2 - 00,FA,FC,01,29,A2
3 - 00FAFC0129A2
4 - something else

EDIT2: I have also two requests.
The first is to make these error messages to describe what the problem is (I get this messege when I open registry hives created by reactos.Perhaps If this problem is corrected windows will be able to load them).

At this moment whenever an error is outputted it will be caused by unknown / invalid data structure. I could suppress all warnings but I use then to warn me where to look for new MS tricks.

If you look on the details tab - it will output the location of the problematic key and then it's a matter of manually interpreting the data to try figure why it is different from others. (easy on small keys, a good headache on the Classes subkey for example).

The second is to make the treeview explorable with the kayboard arrows

Request marked, will likely add in in more stable versions of the program if you don't mind.

• Back to top

Posted 03 July 2008 - 04:22 PM

The topic seems to enter a very interesting and usable stage .
No concerns of any reaction of Billy?

What about next SP gets a new 'security aspect' prohibiting low level access to any reg file?
Just painting black.

Peter

• Back to top

Posted 03 July 2008 - 06:00 PM

No concerns of any reaction of Billy?

Nahh, he is retired now.

jaclaz

• Back to top

Posted 03 July 2008 - 11:34 PM

No concerns of any reaction of Billy?

Just wait until I get my hands on NTFS and WIM file formats next..

What about next SP gets a new 'security aspect' prohibiting low level access to any reg file?
Just painting black.

Let 'em come.

• Back to top

Posted 06 July 2008 - 04:27 PM

Version 1.2

Improved - loading of big sized hives is substancially faster
Improved - detection of empty cells is much faster and reliable
Improved - If there isn't enough space inside the bins to write a key, a new bin is generated to make more room.
Improved - Menu bar display hive options in a more organized fashion
Added - MD5 checking to ensure lenghty tasks like free cell recognition are skipped when no changes are applied to hive file
Removed - Map of each bin hive was disabled for performance reasons
Fixed - Ensure that empty strings with no initial data are written correctly after adding data
Fixed - Unknown value structures are reported along with offset address


Download link:
http://nunobrito.eu/...oad.php?view.10

----------

Stability and performance have been seriously improved.

Paraglider wan the award for the most difficult hive to work with on version 1.1 but it seems to be working now.

His software hive was used as test and weighted around 8Mb with > 2100 bins to process.

Writing keys to this hive was initially a very slow process (took a few seconds on each write) but using MD5 and some inventive procedures it was possible to make things much faster right after the first write operation to the hive.

Also appears to have some damaged bins inside this hive - took me a while to figure this was the reason for the editor to hang while loading the hive on the first version. Added a few more checks to ensure that only valid bins are accepted as place to write keys.

For some reason - whenever I edit a key inside this hive - regedit will then complain about an error and saying that the loaded hive "was recovered using an alternative copy" but in either way it will load up well the hive and the modified key is still found inside.

This doesn't seem to occur with other hives so I'm guessing that something else is still left to be done here.

-------

Still some bugs left to iron out but it is already by far more stable and faster than the last release.

• Back to top

Posted 06 July 2008 - 06:00 PM

Nuno,
GOOD work, but the left scrollbar easily (on "long" subtrees) extends itself down beyond bottom of the window, even in maximized state.


Option->Header->Timestamp:
The date is still 1st January 1601.

Editing keys:
REG_SZ OK
REG_MULTI_SZ OK
REG_DWORD OK , but providing for Hex values too would be advised.
REG_BINARY NO GO

The edit "Value" window should be made wider for longish REG_SZ values such as:

\\?\USB#Vid_04b8&Pid_0005#0HS610111291642100#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}

or even:

{4D36E97D-E325-11CE-BFC1-08002BE10318}\0001

Adding a new key or value is not possible yet?



jaclaz

• Back to top