Jump to content











Photo
- - - - -

offlinereg


  • Please log in to reply
33 replies to this topic

#1 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1936 posts
  • Location:Nantes - France
  •  
    France

Posted 10 May 2013 - 01:34 PM

Posted Image

File Name: offlinereg
File Submitter: erwan.l
File Submitted: 10 May 2013
File Updated: 21 Nov 2015
File Category: Tools

Edit : an old thread but this tool was never posted to the downloads file on reboot.pro. Now catching up...

Based on MS WDK (http://msdn.microsof.../ee...7(v=VS.85).aspx), I wrote a command line tool that will allow one to read and write to an offline registry hive.

Command line usage :

OfflineReg a_hive_file a_key_path a_verb a_value_name [a_value]

example : OfflineReg "c:\temp\system" a_key getvalue a_value_name
example : OfflineReg "c:\temp\system" key\subkey getvalue a_value_name
example : OfflineReg "c:\temp\system" a_key setvalue a_string_value_name a_new_value
example : OfflineReg "c:\temp\system" a_key setvalue a_dword_value a_dword_value 4
example : OfflineReg "c:\temp\system" a_key setvalue a_qword_value a_qword_value 11
example : OfflineReg "c:\temp\system" a_key setvalue a_binary_value 0a,0b,0c,0d,0e,0f 3
example : OfflineReg "c:\temp\system" a_key_path setvalue a_multi_value_name "aa bb cc dd" 7
(setvalue will createvalue if value does not exist yet)
example : OfflineReg "c:\temp\system" a_key deletevalue a_value
example : OfflineReg "c:\temp\system" a_key deletekey a_subkey
example : OfflineReg "c:\temp\system" a_key deletekeys
example : OfflineReg "c:\temp\system" a_key createkey a_subkey
example : OfflineReg "c:\temp\system" a_key enumkeys
example : OfflineReg "c:\temp\system" a_key enumvalues
example : OfflineReg "c:\temp\system" a_reg_file import
Example : OfflineReg "c:\temp\system" a_key_path create

A real life example :
OfflineReg "D:\Windows\system32\config\system" ControlSet001\Control\ProductOptions getvalue "ProductType".

Should display :
"ProductType"=WinNT

Regards,
Erwan.

Click here to download this file
  • Biatu likes this

#2 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12688 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 10 May 2013 - 02:42 PM

I'm not sure whether I understand the description in full detail.

 

Let's assume that there is anywhere in my PC's or Network's file system a registry hive made by Billy the Door.

 

Does your solution:

  • Offer just a wrapper using Windows API functions replacing the use of the reg application
  • Use only native functions outside Windows API and can be used also in other environments, e.g. the ?x world

In the second case I'm rather interested to check it's usability for the new WinBuilder program.

 

Peter



#3 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1936 posts
  • Location:Nantes - France
  •  
    France

Posted 10 May 2013 - 02:48 PM

Hi pscEx,

 

It is a wrapper around a windows api distributed in MS WDK (http://msdn.microsof...7(v=vs.85).aspx) .

 

The idea is to make it easy to edit offline registry hives and eventually use it for automation (batches, etc) and therefore replace the use of the reg application.

 

Hivex is native and multi platform I believe.


Regards,

Erwan



#4 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12688 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 10 May 2013 - 03:10 PM

Thanks Erwan, for the clarification.

 

BTW: When reading your original post, I tried the msdn link w/o success.

It is corrupted, containing not the full URL.

 

The link in your answer is ok.

 

Peter



#5 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13690 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 11 May 2013 - 08:20 AM

Thanks Erwan, for the clarification.
 
BTW: When reading your original post, I tried the msdn link w/o success.
It is corrupted, containing not the full URL.
 
The link in your answer is ok.
 
Peter
JFYI, the board software does NOT parse correctly any URL containing brackets () AND last board software update "shortened" those URLS (containing brackets) that were originally working because they were input using the "Link" tool (the little icon looking like a chain link with a green ball attached to it).
 
While normally an incorrectly parsed URL is not clickable (i.e. brings to a "wrong" destination), the full text is retrievable (if you quote the post) the URL shortened/botched by the board software updates are corrupted beyond recovery.
 
:cheers:
Wonko

#6 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 11 May 2013 - 11:15 AM

The idea is to make it easy to edit offline registry hives and eventually use it for automation (batches, etc) and therefore replace the use of the reg application.
Erwan, what's the advantage of your program over reg.exe?

:cheers:

#7 paraglider

paraglider

    Gold Member

  • .script developer
  • 1716 posts
  • Location:NC,USA
  •  
    United States

Posted 11 May 2013 - 11:45 AM

Here is what MS says:

 

  • The offline registry functions can be used to modify a registry hive in any supported registry format. The standard registry functions can make changes only to an active registry hive and the changes must be compatible with the version of Windows running on the system.
  • The offline registry library requires only read access to open a registry hive file and write access to save the file. No other access checks are performed on objects in the hive, making it possible to modify the hive with standard user privileges. With the standard registry functions, loading a hive into the active registry is a privileged operation that requires administrative access.

  • pscEx likes this

#8 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1936 posts
  • Location:Nantes - France
  •  
    France

Posted 11 May 2013 - 12:01 PM

Hi Medevil, As Paraglider mentions in previous post, "The offline registry functions can be used to modify a registry hive in any supported registry format" is a useful feature. Offlinereg supporting 64bits qword values on any O.S is a good example of MS Statement above. /Erwan

#9 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13690 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 11 May 2013 - 12:17 PM

Erwan, what's the advantage of your program over reg.exe?

The same as it was 3 years ago ;):
http://reboot.pro/in...showtopic=11212

Besides what has already been mentioned, a "traditional" editing of an offline registry is through:

  1. load/mount the offline hive into the online registry
  2. edit the contents on the (now online) hive
  3. unload/unmount the hive

compared to:

  1. edit the contents of the offline hive

Simpler. :)

 

:cheers:

Wonko



#10 rootMBX

rootMBX
  • Members
  • 6 posts
  •  
    United States

Posted 20 June 2013 - 11:51 AM

Erwin. This is an awesome utility! Works great! Is there any way that you could compile it to work with amd64 arch without a 32-bit subsystem?

 

I've tried booting into a 64-bit WindowsPE and it complains the subsystem for the image is not installed... Works great in 32-bit, but I have to use 64-bit to boot into an EFI environment.
 

I'd really appreciate it. Thanks!



#11 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13690 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 20 June 2013 - 03:56 PM

I've tried booting into a 64-bit WindowsPE and it complains the subsystem for the image is not installed... Works great in 32-bit, but I have to use 64-bit to boot into an EFI environment.

As a side note (and NOT what you asked) you could add the 32 bit subsystem to the 64 bit PE (as this would provide "compatibility" with a wider range of tools).

 

:cheers:

Wonko



#12 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1936 posts
  • Location:Nantes - France
  •  
    France

Posted 20 June 2013 - 05:06 PM

Erwin. This is an awesome utility! Works great! Is there any way that you could compile it to work with amd64 arch without a 32-bit subsystem?

 

I've tried booting into a 64-bit WindowsPE and it complains the subsystem for the image is not installed... Works great in 32-bit, but I have to use 64-bit to boot into an EFI environment.
 

I'd really appreciate it. Thanks!

 

Hi rootMBX,

I have compiled 64bits binaries in the past using freepascal.

I'll give it a try.

 

Regards,

Erwan



#13 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1936 posts
  • Location:Nantes - France
  •  
    France

Posted 22 June 2013 - 01:48 PM

Zip file now includes a native x64 binary of offlineg.reg.

This has been cross compiled thru fpc.

Cannot test it thus on my win32 windows thus : feedback appreciated.

 

Regards,

Erwan



#14 rootMBX

rootMBX
  • Members
  • 6 posts
  •  
    United States

Posted 23 June 2013 - 03:10 AM

Thanks for the favor, Erwan. Unfortunately, there was an unhandled exception error.

I appreciate the quick reply, though! Please let me know if you can work this out. It happened on a W8 x64 installation. It was also reproduced on the 64-bit only installation media.

Crush that SegFault Erwan!!!!

 

Failed%20Screen.png

Wonko the sane: If this doesn't pan out, that's what I'll probably do... or else use a user-passed parameter in the script to resolve windows version.


Edited by rootMBX, 23 June 2013 - 03:20 AM.


#15 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13690 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 23 June 2013 - 08:58 AM

@rootMBX
Are you sure-sure that you used a correct path in the test you made? :unsure:
 
On my 32 bit system ;), I have:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
And still in my 32 bit system, that is inside the file "software"
http://reboot.pro/to...ditex/?p=173870
 
 
The Registry until Vista :ph34r: is made of several files "assembled together", each hive has a corresponding "backing" file, a log file, a backup and in some cases an alternate file:
http://msdn.microsof...s724877(v=vs.85).aspx
 
HKEY_CURRENT_CONFIG -> System, System.alt, System.log, System.sav
HKEY_CURRENT_USER -> Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM -> Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security -> Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software -> Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System -> System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT -> Default, Default.log, Default.sav 
To the above, you need to add:
HKEY_LOCAL_MACHINE\BCD00000001 -> \boot\BCD
 
 
 
(still that should provide an error like "non existing path" and not a segfault)
 
:cheers:
Wonko

#16 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1936 posts
  • Location:Nantes - France
  •  
    France

Posted 23 June 2013 - 10:50 AM

Thanks for the favor, Erwan. Unfortunately, there was an unhandled exception error.

I appreciate the quick reply, though! Please let me know if you can work this out. It happened on a W8 x64 installation. It was also reproduced on the 64-bit only installation media.

Crush that SegFault Erwan!!!!

 

Failed%20Screen.png

Wonko the sane: If this doesn't pan out, that's what I'll probably do... or else use a user-passed parameter in the script to resolve windows version.

 

"could not loadlibrary" : i should handle that better rather than letting a segfault happen.

try putting offreg.dll in C:\Windows\SysWOW64\ if your system in a 64bit one.

also be careful you have one space too much (right after the double quote) in your second parameter.



#17 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1936 posts
  • Location:Nantes - France
  •  
    France

Posted 23 June 2013 - 11:13 AM

new zip file contains the offregx64.dll.

you need to rename it to offreg.dll on 64bits systems.

next version will handle x32/x64 automatically.

 

rootMBX : give it a try.

 

ignore the syswow64 comment above for now.

 

/erwan



#18 rootMBX

rootMBX
  • Members
  • 6 posts
  •  
    United States

Posted 23 June 2013 - 03:44 PM

@rootMBX
Are you sure-sure that you used a correct path in the test you made? :unsure:
 
On my 32 bit system ;), I have:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
And still in my 32 bit system, that is inside the file "software"
http://reboot.pro/to...ditex/?p=173870
  
 
(still that should provide an error like "non existing path" and not a segfault)
 
:cheers:
Wonko

Realized that I have typos... a space as Erwan said before "Microsoft" as well as looking SYSTEM and not SOFTWARE as I should be... I tried it again with the correct path and got the same error... Will test new .dll soon.

 

UPDATE: No go, Erwan. Similar error with the new executable and renamed dll.


Edited by rootMBX, 23 June 2013 - 03:49 PM.


#19 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1936 posts
  • Location:Nantes - France
  •  
    France

Posted 23 June 2013 - 03:56 PM

Realized that I have typos... a space as Erwan said before "Microsoft" as well as looking SYSTEM and not SOFTWARE as I should be... I tried it again with the correct path and got the same error... Will test new .dll soon.

 

UPDATE: No go, Erwan. Similar error with the new executable and renamed dll.

 

ok so sum up:

-the 64 bit exe runs which is a good start (even if it crashes later on while loading library) : means cross compiling to 64bit platform works

-you need to use the offreg64.dll renamed to offreg.dll to C:\Windows\SysWOW64\.

Indeed you need to use the proper dll for each platform (32 bits vs 64 bits).

 

now, next step, copy this offreg64.dll renamed to offreg.dll to 



#20 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1936 posts
  • Location:Nantes - France
  •  
    France

Posted 23 June 2013 - 04:08 PM

version 0.9.1

offlinereg.exe (32bits) will load offreg.dll

offlinereg64.exe (64bits) will load offreg64.dll (no need to rename files anymore).

if the library can not be loaded, an error message will be given (use net helpmsg number to retrieve textual info)



#21 rootMBX

rootMBX
  • Members
  • 6 posts
  •  
    United States

Posted 23 June 2013 - 05:05 PM

Still no good... I did try copying the offreg64.dll into SysWOW64, but did not rename it. UPDATE: Just tried to rename it... same result (Makes sense since I didn't get the loading library error with the "64" exe) It also seemed to find the dll in the same directory as the executable since I had the same results.

 

BTW you had two 64 bit executables in the zip. "offlineregx64.exe" and "offlinereg64.exe"... the "x64" one must've been the old one that couldn't find the library, but the "64" one is a step forward.

 

Now, I'm getting an "OS 6.2" string for all executables instead of cannot load library. Keep it up!

 

Failed%20Screen%202.png


Edited by rootMBX, 23 June 2013 - 05:11 PM.


#22 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1936 posts
  • Location:Nantes - France
  •  
    France

Posted 23 June 2013 - 05:56 PM

oki believe the issue is no longer with loading the dll.

this part looks fine.

 

i have added an exception handler in each function now.

get the zip file (again, sorry...).

 

this time, we shall know in which function it crashes which will help me debug it for x64.

 

offlineregx64 is gone indeed.

now you have offlinereg for x32 and offlinereg64 for x64.

this is one unique sourcecode (cross)compiled for either x32 or x64.

 

/erwan



#23 rootMBX

rootMBX
  • Members
  • 6 posts
  •  
    United States

Posted 23 June 2013 - 06:06 PM

OK. Got a hit. "main error:Access violation".

 

No apologies dude. Not a stranger to debugging.



#24 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1936 posts
  • Location:Nantes - France
  •  
    France

Posted 23 June 2013 - 06:29 PM

OK. Got a hit. "main error:Access violation".

 

No apologies dude. Not a stranger to debugging.

 

ok, getting closer.

so loading the library is indeed fine.

i have increased the exception handling in the main routine.

zip file re uploaded.

give it another try?



#25 rootMBX

rootMBX
  • Members
  • 6 posts
  •  
    United States

Posted 23 June 2013 - 06:53 PM

This time: "main error:OROpenHive failed"


It seems like the prog/library your basing this on runs on 32 bits and won't allow you to open the hive in 64 bits?

 

Until the next revision...

 

BTW: Unless otherwise stated, I run the same exact command with 32 bits offlinereg.exe and its successful.


Edited by rootMBX, 23 June 2013 - 06:54 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users