Edit PE registry offline
#1
Posted 16 April 2011 - 05:15 AM
I am trying to edit a WinPE registry hive offline. At the moment regedit reports a permissions error. I have tried resetting the permissions via regedit but that does not succeed.
I did some research and it appears that subinacl might be the answer, specifically subinacl /subkeyreg
However the examples I can find either relate to the local computer or remote computer registry (e.g. subinacl /subkeyreg \\SERVER1\HKEY_LOCAL_MACHINE\SOFTWARE /display).
I can't figure out how to redirect subinacl to an offline hive.
Does anyone know if this is possible, or if there are other tools?
Thanks
VW
#2
Posted 16 April 2011 - 07:16 AM
reg load HKLM\pesystem <path-to-offline-SYSTEM-hive-file>
And then patch the registry there.
#3
Posted 16 April 2011 - 04:32 PM
psexec -s -i regedit
#4
Posted 16 April 2011 - 10:28 PM
#5
Posted 16 April 2011 - 11:12 PM
> @joakim
> Your approach seems to be working, as the hives are loading, however I'm not sure that I am reading the contents correctly.
> The PE loads a non-standard shell which I am trying to understand more about.
> However the shell entry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
> contents are: cmd.exe /k start cmd.exe
> Doesn't that mean that the shell would be a command prompt?
Sometimes those permissions are a real pain in the back. Especially if Windows 7 hives are modified under XP. Then not even the SYSTEM account will let you modify all keys (strange). In those cases it may help to boot into WinPE (3.0), where you will have SYSTEM account privileges under Windows 7 and thus are able to modify any key (of course you do this in virtual machines to save yourself lots of time).
#6
Posted 17 April 2011 - 05:13 AM
> @joakim
> Your approach seems to be working, as the hives are loading, however I'm not sure that I am reading the contents correctly.
> The PE loads a non-standard shell which I am trying to understand more about.
> However the shell entry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
> contents are: cmd.exe /k start cmd.exe
> Doesn't that mean that the shell would be a command prompt?
Should not matter or make any difference, as all we want is an environment where we can modify any registry key. Just launch regedit.exe (or reg.exe) and work on the hive exactly as you would in offline mode. Remember to unload the hive before you power off the VM. If you want to browse the file system with an explorer-like interface, then open notepad and press Ctrl+O.
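The load, edit, unload cycle described in posts #2 and #6, together with a permissions fix for the problem in post #1, as an added PowerShell example that is not part of the thread. It assumes the boot.wim is mounted at C:\mount (for example with DISM), that it runs from an elevated prompt on the host, and it uses PE_SYSTEM_HIVE as an arbitrary mount key name; the Grant-LoadedKeyFullControl function is my own helper, not a built-in cmdlet.

```powershell
# Added example (not from the thread): load a WinPE SYSTEM hive offline, read the
# keys discussed in this thread, grant Administrators full control on a key that
# regedit refuses to change, verify a write, then unload the hive again.
# Assumptions: boot.wim is mounted at C:\mount (for example with DISM), this runs
# from an elevated prompt on the host, and PE_SYSTEM_HIVE is just our chosen name.
$MountRoot = 'C:\mount'
$HiveFile  = Join-Path $MountRoot 'Windows\System32\config\SYSTEM'
$MountName = 'PE_SYSTEM_HIVE'

function Grant-LoadedKeyFullControl {
    # Adds an Allow/FullControl ACE for Administrators on a key in the loaded hive.
    # The caller needs WRITE_DAC on that key; when the hive's own ACLs deny it even
    # to Administrators, run this as SYSTEM (psexec -s) or from WinPE, as suggested
    # earlier in the thread, rather than fighting regedit's permissions dialog.
    param([string]$SubKey)   # relative to HKLM, e.g. PE_SYSTEM_HIVE\ControlSet001\Services
    $rights = [System.Security.AccessControl.RegistryRights]::ReadKey -bor
              [System.Security.AccessControl.RegistryRights]::ChangePermissions
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if ($null -eq $key) { throw "Key not found: HKLM\$SubKey" }
    try {
        $acl  = $key.GetAccessControl()
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            'BUILTIN\Administrators', 'FullControl',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        $key.SetAccessControl($acl)
    }
    finally { $key.Close() }
}

if (-not (Test-Path -LiteralPath $HiveFile)) { throw "Hive file not found: $HiveFile" }

# reg.exe load maps the hive file under HKLM\<name>; there is no built-in cmdlet for this.
& reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE): hive already loaded or in use?" }

try {
    $base = "HKLM:\$MountName"

    # Offline there is no CurrentControlSet link; Select\Current names the live ControlSetNNN.
    $ccs = 'ControlSet{0:D3}' -f (Get-ItemProperty -Path "$base\Select").Current

    # In WinPE the shell is started via SYSTEM\Setup\CmdLine (winpeshl.exe), not Winlogon\Shell.
    $cmdLine = (Get-ItemProperty -Path "$base\Setup").CmdLine
    Write-Host "Live control set : $ccs"
    Write-Host "Setup\CmdLine    : $cmdLine"

    # The original poster's problem: fix permissions first, then prove the key is
    # writable with a throw-away value that is removed again.
    $target = "$MountName\$ccs\Services"
    Grant-LoadedKeyFullControl -SubKey $target
    New-ItemProperty -Path "HKLM:\$target" -Name 'WriteProbe' -Value 1 -PropertyType DWord -Force | Out-Null
    Remove-ItemProperty -Path "HKLM:\$target" -Name 'WriteProbe'
    Write-Host "Write access to HKLM\$target confirmed"
}
finally {
    # Release PowerShell's handles first, otherwise reg unload reports access denied.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed ($LASTEXITCODE): close regedit and retry" }
}
```

The unload step is in a finally block on purpose: a hive left loaded keeps the file locked, and DISM will refuse to commit the image. Scope the ACL change to the single key you actually need to edit; the inheritable Full Control ACE shown here applies to every subkey below the target.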
#7
Posted 17 April 2011 - 10:17 AM
> contents are: cmd.exe /k start cmd.exe
> Doesn't that mean that the shell would be a command prompt?
== yes
#8
Posted 17 April 2011 - 10:34 AM
> However the shell entry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
> contents are: cmd.exe /k start cmd.exe
> Doesn't that mean that the shell would be a command prompt? == yes
Thanks for the confirmation.
There is something unusual going on then, because the shell is not a command prompt. In fact when I tried to open a command prompt I received some error message.
I'll have to do some more digging. Is there a document that outlines the PE3 boot.wim process in detail? I think I will need to work through the start-up process step-by-step.
#9
Posted 17 April 2011 - 02:46 PM
If you use the Tools -> Process Tree... feature, you will observe which processes have come and gone and still exist. When you double-click each, it highlights the corresponding event. When you inspect the parent process' events higher in the list, you can often observe which Registry value referenced the process in question, or which .INI file (or equivalent) might have been read leading up to the execution of the process in question.
Or you can click on the very first event and then <CONTROL>-<F> to find someprocess.exe and where it first appears.
#10
Posted 17 April 2011 - 06:22 PM
#11
Posted 17 April 2011 - 10:36 PM
> However the shell entry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
> contents are: cmd.exe /k start cmd.exe
> Doesn't that mean that the shell would be a command prompt? == yes
In a real Win7 == yes
In a PE == no
In a PE the Shell is started by HKLM\SYSTEM\Setup\CmdLine, like joakim pointed out.
Thanks joakim. It looked wrong, but I couldn't say why.
#12
Posted 17 April 2011 - 11:38 PM
> Microsoft's Sysinternals' Process Monitor is very handy for observing a sequence of events at any post-kernel time. For example, I often use it to observe events from boot time and from logon time, or both.
This sounds like a very good idea. However I am not sure how to launch Process Monitor.
I am using a VM for testing. If I boot the PE environment in the VM, I can't see how I can start Process Monitor.
If I start Windows in the VM, then I can start Process Monitor, but how do I then boot the PE while still having Process Monitor running?
#13
Posted 18 April 2011 - 12:16 AM
Sorry for the misinformation about the command prompt. Out of curiosity, by chance are you experimenting with the Norton Bootable (NBRT.iso) and/or are you at liberty to divulge the PE?
#14
Posted 18 April 2011 - 02:18 AM
> ...how do I then boot the PE while still having Process Monitor running?
I guess that depends on what type of PE it is. For XP/2003, you'd have to inject the Process Monitor driver (a .SYS file, perhaps ProcMon20.sys) into the PE along with a TXTSETUP.SIF entry. For newer Windows versions, it might be sufficient to again inject the driver, but also to add a HKEY_LOCAL_MACHINE\PE_SYSTEM_HIVE\CurrentControlSet\Services\ entry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\PE_SYSTEM_HIVE\CurrentControlSet\Services\PROCMON20]
"Group"="FSFilter Activity Monitor"
"Start"=dword:00000000
"Type"=dword:00000001
; REG_EXPAND_SZ stored as UTF-16LE bytes; decodes to System32\Drivers\PROCMON20.SYS
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,50,00,52,00,4f,00,43,00,4d,00,4f,\
  00,4e,00,32,00,30,00,2e,00,53,00,59,00,53,00,00,00

[HKEY_LOCAL_MACHINE\PE_SYSTEM_HIVE\CurrentControlSet\Services\PROCMON20\Instances]
"DefaultInstance"="Process Monitor Instance"

[HKEY_LOCAL_MACHINE\PE_SYSTEM_HIVE\CurrentControlSet\Services\PROCMON20\Instances\Process Monitor Instance]
"Altitude"="385001"
"Flags"=dword:00000000

When you then run ProcMon.exe in the PE, it will attach to the already-running driver and give you the option to stop logging and review the log.
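Before importing a fragment like the one above into a loaded hive, it pays to decode what it will actually write. The following is an added PowerShell example, not part of the thread and not Sysinternals code: it parses the posted .reg text (embedded here as the sample input), decodes the hex(2) ImagePath, checks the driver file is really inside the mounted image, and rewrites CurrentControlSet to the real control set, because a loaded offline hive has no CurrentControlSet link (post #16 lists only ControlSet001, RNG, Select and Setup). Assumed: boot.wim mounted at C:\mount, the hive loaded as HKLM\PE_SYSTEM_HIVE, ControlSet001 as the live control set, and the altitude range 360000-389999 that Microsoft allocates to the FSFilter Activity Monitor group. Read-RegText, ConvertFrom-RegValue, Set-RegControlSet and Test-MinifilterFragment are my own helper functions.

```powershell
# Added example (not from the thread): parse the .reg fragment from post #14 and
# check what it would write before importing it into the loaded WinPE hive.
# Assumptions: boot.wim mounted at C:\mount, hive loaded as HKLM\PE_SYSTEM_HIVE
# (the key names used in the fragment), and ControlSet001 is the live control set.
$MountRoot  = 'C:\mount'
$ControlSet = 'ControlSet001'

# Sample input: the fragment as posted, embedded here as a here-string.
$RegText = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\PE_SYSTEM_HIVE\CurrentControlSet\Services\PROCMON20]
"Group"="FSFilter Activity Monitor"
"Start"=dword:00000000
"Type"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,50,00,52,00,4f,00,43,00,4d,00,4f,\
  00,4e,00,32,00,30,00,2e,00,53,00,59,00,53,00,00,00

[HKEY_LOCAL_MACHINE\PE_SYSTEM_HIVE\CurrentControlSet\Services\PROCMON20\Instances]
"DefaultInstance"="Process Monitor Instance"

[HKEY_LOCAL_MACHINE\PE_SYSTEM_HIVE\CurrentControlSet\Services\PROCMON20\Instances\Process Monitor Instance]
"Altitude"="385001"
"Flags"=dword:00000000
'@

# Decode the three value encodings that appear in the fragment.
function ConvertFrom-RegValue {
    param([string]$Raw)
    if ($Raw -match '^"(.*)"$') { return $Matches[1] }                                        # REG_SZ
    if ($Raw -match '^dword:([0-9a-fA-F]{8})$') { return [Convert]::ToUInt32($Matches[1], 16) } # REG_DWORD
    if ($Raw -match '^hex\(2\):(.*)$') {                                                       # REG_EXPAND_SZ, UTF-16LE bytes
        $hex   = $Matches[1]
        $bytes = [byte[]]($hex -split ',' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
        return [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
    }
    return $Raw
}

# Minimal .reg reader: [key] headers, "name"=value lines, and the trailing-backslash
# continuation that reg export uses for long hex values.
function Read-RegText {
    param([string]$Text)
    $keys = [ordered]@{}
    $current = $null
    $pending = ''
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $pending + $raw.Trim()
        $pending = ''
        if ($line.EndsWith('\')) { $pending = $line.Substring(0, $line.Length - 1); continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $keys[$current] = [ordered]@{}
        }
        elseif ($null -ne $current -and $line -match '^"([^"]+)"=(.*)$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            $keys[$current][$name] = ConvertFrom-RegValue $value
        }
    }
    return $keys
}

# Offline there is no CurrentControlSet link, so importing the fragment unchanged
# would create a plain key named CurrentControlSet that the PE never reads.
function Set-RegControlSet {
    param([string]$Text, [string]$ControlSet)
    return $Text -replace '\\CurrentControlSet\\', "\$ControlSet\"
}

# Report what the fragment would register, resolved against the mounted image.
function Test-MinifilterFragment {
    param($Keys, [string]$MountRoot)
    $svcKey  = @($Keys.Keys | Where-Object { $_ -match '\\Services\\[^\\]+$' })[0]
    $svc     = $Keys[$svcKey]
    $default = $Keys["$svcKey\Instances"]['DefaultInstance']
    $inst    = $Keys["$svcKey\Instances\$default"]
    # ImagePath is relative to %SystemRoot%; resolve it inside the mounted boot.wim.
    $driver  = Join-Path (Join-Path $MountRoot 'Windows') $svc['ImagePath']
    $alt     = [int]$inst['Altitude']
    [ordered]@{
        'Service key'                          = $svcKey
        'ImagePath (decoded)'                  = $svc['ImagePath']
        'Driver file present in image'         = Test-Path -LiteralPath $driver
        'Boot start (Start = 0)'               = ($svc['Start'] -eq 0)
        'Kernel driver (Type = 1)'             = ($svc['Type'] -eq 1)
        'Group is FSFilter Activity Monitor'   = ($svc['Group'] -eq 'FSFilter Activity Monitor')
        'Altitude in Activity Monitor range'   = ($alt -ge 360000 -and $alt -le 389999)   # assumed documented range
        'Instance key matches DefaultInstance' = ($null -ne $inst)
        'Targets a real control set'           = -not ($svcKey -match '\\CurrentControlSet\\')
    }
}

$fixed  = Set-RegControlSet -Text $RegText -ControlSet $ControlSet
$report = Test-MinifilterFragment -Keys (Read-RegText $fixed) -MountRoot $MountRoot
$report.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }

# Import only when every boolean check is True; the HKEY_LOCAL_MACHINE\PE_SYSTEM_HIVE
# paths land in the loaded hive, so the hive must be loaded under exactly that name.
if (-not (($report.Values | Where-Object { $_ -is [bool] }) -contains $false)) {
    $regPath = Join-Path $env:TEMP 'procmon-pe.reg'
    Set-Content -LiteralPath $regPath -Value $fixed -Encoding Unicode
    & reg.exe import $regPath
} else {
    Write-Warning 'Fragment failed one or more checks; not importing.'
}
```

Run this after the hive is loaded and before it is unloaded. The "Driver file present in image" check is the one most often missed: the service entry alone only makes the PE try to load a boot-start filter, and a missing PROCMON20.SYS under Windows\System32\Drivers in the mounted image gives a boot-time error instead of a trace.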
#15
Posted 18 April 2011 - 09:30 AM
#16
Posted 18 April 2011 - 10:26 AM
> What is the content of HKLM\SYSTEM\Setup\CmdLine?
When I load the System hive, the System key is not present(?)
I can see the following keys:
- ControlSet001
- RNG
- Select
- Setup
Could some keys be hidden?
#17
Posted 18 April 2011 - 10:46 AM
> When I load the System hive, the System key is not present(?)
> I can see the following keys:
> - ControlSet001
> - RNG
> - Select
> - Setup
> Could some keys be hidden?
That depends on what you chose as a mount point name. Now what is the actual value in HKLM\whatever\Setup\CmdLine?
#18
Posted 18 April 2011 - 11:43 AM
> That depends on what you chose as a mount point name. Now what is the actual value in HKLM\whatever\Setup\CmdLine?
Sorry joakim ...
I can see that with my last post I stuffed up. Too much haste, not enough thinking.
\Setup\CmdLine: winpeshl.exe
#19
Posted 18 April 2011 - 12:12 PM
> Sorry joakim ...
> I can see that with my last post I stuffed up. Too much haste, not enough thinking.
> \Setup\CmdLine: winpeshl.exe
Good, then next request would be for the content of your winpeshl.ini.
#20
Posted 19 April 2011 - 11:57 AM
> Good, then next request would be for the content of your winpeshl.ini.
[LaunchApp]
AppPath = %SYSTEMROOT%\app.exe
Which is the shell that is being loaded.
Interestingly, if I change the AppPath to call my own "launcher" and have my launcher call app.exe, then my launcher starts OK. But seconds after the launcher starts app.exe, the ISO reboots.
However, if I place an invalid path in winpeshl.ini, then I get a command prompt with an error message. From there I can start any application that I want.
#21
Posted 19 April 2011 - 07:16 PM
> ...then my app launches, but seconds after ShadowProtectPE.exe starts the ISO reboots.
Your application is probably exiting and the system will reboot after this "primary" process exits. Have your application hang around or choose a different application that keeps running.
#22
Posted 19 April 2011 - 08:34 PM
> Your application is probably exiting and the system will reboot after this "primary" process exits. Have your application hang around or choose a different application that keeps running.
You're correct.
Thanks!