21 replies to this topic

[VeeDub]

Hello

I am trying to edit a WinPE registry hive offline. At the moment regedit reports a permissions error. I have tried resetting the permissions via regedit but that does not succeed.

I did some research and it appears that subinacl might be the answer, specifically subinacl /subkeyreg

However the examples I can find either relate to the local computer or remote computer registry (e.g. subinacl /subkeyreg \\SERVER1\HKEY_LOCAL_MACHINE\SOFTWARE /display).

I can't figure out how to redirect subinacl to an offline hive.

Does anyone know if this is possible or if there are other tool?

Thanks

VW

[wendy]

You could load the registry to a different name, and edit it there, eg

reg load pesystem HKLM\pesystem

And then patch the registry there.

[Sha0]

Further to wendy's suggestion, sometimes you need to be running as the SYSTEM account in order to have permissions to modify certain areas. Use Microsoft's Sysinternals' PsExec:

psexec -s -i regedit

[joakim]

Sometimes those permissions are a real pain in the back. Especially if Windows 7 hives are modified under XP. Then not even the SYSTEM account will let you modify all keys (strange). In those cases it may help to boot into WinPE(3.0) where you will have SYSTEM account priviliges under Windows 7, and thus are able to modify any key (of course you do this in virtual machines to save yourself lots of time)..

[VeeDub]

Sometimes those permissions are a real pain in the back. Especially if Windows 7 hives are modified under XP. Then not even the SYSTEM account will let you modify all keys (strange). In those cases it may help to boot into WinPE(3.0) where you will have SYSTEM account priviliges under Windows 7, and thus are able to modify any key (of course you do this in virtual machines to save yourself lots of time)..

@joakim

Your approach seems to be working, as the hives are loading, however I'm not sure that I am reading the contents correctly.

The PE loads a non-standard shell which I am trying to understand more about.

However the shell entry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
contents are: cmd.exe /k start cmd.exe

Doesn't that mean that the shell would be a command prompt?

[joakim]

@joakim

Your approach seems to be working, as the hives are loading, however I'm not sure that I am reading the contents correctly.

The PE loads a non-standard shell which I am trying to understand more about.

However the shell entry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
contents are: cmd.exe /k start cmd.exe

Doesn't that mean that the shell would be a command prompt?

Should not matter or make any difference as all we want is an environment where we can modify any registry key. Just launch regedit.exe (or reg.exe) and work on the hive exactly as you would in offline mode. Remember to unload the hive before you power off the vm. If you want to browse the fs with explorer-like interface, them open notepad and press ctrl+o.

[RoyM]

However the shell entry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
contents are: cmd.exe /k start cmd.exe

Doesn't that mean that the shell would be a command prompt? == yes

[VeeDub]

However the shell entry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
contents are: cmd.exe /k start cmd.exe

Doesn't that mean that the shell would be a command prompt? == yes

Thanks for the confirmation.

There is something unusual going on then, because the shell is not a command prompt. In fact when I tried to open a command prompt I received some error message.

I'll have to do some more digging. Is there a document that outlines the PE3 boot.wim process in detail?, I think I will need to work through the start-up process step-by-step.

[Sha0]

Microsoft's Sysinternals' Process Monitor is very handy for observing a sequence of events at any post-kernel time. For example, I often use it to observe events from boot time and from logon time, or both.

If you use the Tools -> Process Tree... feature, you will observe which processes have come and gone and still exist. When you double-click each, it highlights the corresponding event. When you inspect the parent process' events higher in the list, you can often observe which Registry value referenced the process in question, or which .INI file (or equivalent) might have been read leading up to the execution of the process in question.

Or you can click on the very first event and then <CONTROL>-<F> to find someprocess.exe and where it first appears.

[joakim]

What is the content of HKLM\SYSTEM\Setup\CmdLine?

[MedEvil]

However the shell entry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
contents are: cmd.exe /k start cmd.exe

Doesn't that mean that the shell would be a command prompt? == yes

In a real Win7 == yes
In a PE == no

In a PE the Shell is started by HKLM\SYSTEM\Setup\CmdLine, like joakim pointed out.

Thanks joakim. It looked wrong, but i couldn't say why.

[VeeDub]

Microsoft's Sysinternals' Process Monitor is very handy for observing a sequence of events at any post-kernel time. For example, I often use it to observe events from boot time and from logon time, or both.

This sounds likes a very good idea. However I am not sure how to launch Process Monitor.

I am using a VM for testing. If I boot the PE environment in the VM, I can't see how I can start Process Monitor.

If I start Windows in the VM, then I can start Process Monitor, but how do I then boot the PE while still having Process Monitor running?

[RoyM]

Hi VeeDub
Sorry for the misinformation about the command prompt, out of curiosity, by chance
are you experimenting with the Norton Bootable (NBRT.iso) and/or are you at liberty
to divulge the PE.

[Sha0]

...how do I then boot the PE while still having Process Monitor running?

I guess that depends on what type of PE it is. For XP/2003, you'd have to inject the Process Monitor driver (a .SYS file, perhaps ProcMon20.sys) into the PE along with a TXTSETUP.SIF entry. For newer Windows versions, it might be sufficient to again, inject the driver, but also to add a HKEY_LOCAL_MACHINE\PE_SYSTEM_HIVE\CurrentControlSet\Services\ entry:

Windows Registry Editor Version 5.00



[HKEY_LOCAL_MACHINE\PE_SYSTEM_HIVE\CurrentControlSet\Services\PROCMON20]

"Group"="FSFilter Activity Monitor"

"Start"=dword:00000000

"Type"=dword:00000001

"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\

  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,50,00,52,00,4f,00,43,00,4d,00,4f,\

  00,4e,00,32,00,30,00,2e,00,53,00,59,00,53,00,00,00



[HKEY_LOCAL_MACHINE\PE_SYSTEM_HIVE\CurrentControlSet\Services\PROCMON20\Instances]

"DefaultInstance"="Process Monitor Instance"



[HKEY_LOCAL_MACHINE\PE_SYSTEM_HIVE\CurrentControlSet\Services\PROCMON20\Instances\Process Monitor Instance]

"Altitude"="385001"

"Flags"=dword:00000000

When you then run ProcMon.exe in the PE, it will attach to the already-running driver and give you the option to stop logging and review the log.

[MedEvil]

If i remember right, the root of the bootdrive needs to be writable, for ProcessMon to do it's work, during boot-up.

[VeeDub]

What is the content of HKLM\SYSTEM\Setup\CmdLine?

When I load the System hive, the System key is not present(?)

I can see the following keys:
- ControlSet001
- RNG
- Select
- Setup

Could some keys be hidden?

[joakim]

When I load the System hive, the System key is not present(?)

I can see the following keys:
- ControlSet001
- RNG
- Select
- Setup

Could some keys be hidden?

That depends on what you chose as a mount point name. Now what is the actual value in HKLM\whatever\Setup\CmdLine?

[VeeDub]

That depends on what you chose as a mount point name. Now what is the actual value in HKLM\whatever\Setup\CmdLine?

Sorry joakim ...

I can see that with my last post I stuffed up. Too much haste, not enough thinking.

\Setup\CmdLine: winpeshl.exe

[joakim]

Sorry joakim ...

I can see that with my last post I stuffed up. Too much haste, not enough thinking.

\Setup\CmdLine: winpeshl.exe

Good, then next request would be for the content of your winpeshl.ini.

[VeeDub]

Good, then next request would be for the content of your winpeshl.ini.

[LaunchApp]

AppPath = %SYSTEMROOT%\app.exe

Which is the shell that is being loaded.

Interestingly if I change the AppPath to call my own "launcher" and have my launcher call app.exe, then my launcher starts OK. But seconds after the launcher starts app.exe, the ISO reboots.

However if I place an invalid path in winpeshl.ini, then I get a command prompt with an error message. From there I can start any application that I want.

[Sha0]

...then my app launches, but seconds after ShadowProtectPE.exe starts the ISO reboots.

Your application is probably exiting and the system will reboot after this "primary" process exits. Have your application hang around or choose a different application that keeps running.

[VeeDub]

Your application is probably exiting and the system will reboot after this "primary" process exits. Have your application hang around or choose a different application that keeps running.

You're correct.

Thanks!