offlinereg

200 replies to this topic

#26 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 23 June 2013 - 07:07 PM

Offreg.dll comes from MS WDK.

I have included in the zip file both the 32-bit version (offreg.dll) and the 64-bit version (offreg64.dll).

 

The 32-bit one should be fine on most systems (including 64-bit ones) except on systems where the 32-bit subsystem is missing.

On a "64-bit only" system offreg64.exe will load offreg64.dll and then use the MS APIs in that library.

 

So now either I am passing the wrong parameters in 64bits mode or the function names are different.

 

I am back to work tomorrow and there I'll have tons of 64-bit systems to test on.

 

/Erwan



#27 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 04 May 2014 - 04:10 PM

Updated to version 0.9.6.

 

Changelog since latest version.

 

added : exception handler
added : human-readable error messages, next to the int codes
added : nobackup parameter (last) to save to the original file
added : deletekeys (and all its subkeys)
added : deletekeys will delete the top (empty) key
added : import function (from a reg file)
 
Import will parse a regedit reg file and create or modify the values found in the reg file.
 
This is based on an idea/suggestion from Wonko here.
 
/Erwan


#28 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14093 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 04 May 2014 - 05:33 PM

 

Import will parse a regedit reg file and create or modify the values found in the reg file.

 
This is based on an idea/suggestion from Wonko here.

 

Well, to be fair :unsure:, I would say that the whole thingy:

http://reboot.pro/to...gistry-library/

http://reboot.pro/to...fline-registry/

derives from a successful implementation of the "Bait'nWait" technique by Wonko.  ;) and from your very graciously :thumbsup: falling for it :w00t:.

 

:lol:

 

:duff:

Wono



#29 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 04 May 2014 - 06:33 PM

Well as long as an idea is good, I'll always consider the bait :)



#30 Biatu

Biatu

    Member

  • Members
  • 62 posts
  •  
    United Kingdom

Posted 11 May 2014 - 10:02 AM

Can we make a version of this that redirects registry from child processes? Like runscanner...but better, and x64?

Thanks, and good job.



#31 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 11 May 2014 - 10:07 AM

Can we make a version of this that redirects registry from child processes? Like runscanner...but better, and x64?
Thanks, and good job.


You mean hooking the registry API?
If so, it would be another project, I guess.

#32 Biatu

Biatu

    Member

  • Members
  • 62 posts
  •  
    United Kingdom

Posted 08 November 2014 - 12:56 AM

You mean hooking the registry API?
If so, it would be another project, I guess.

yes, exactly. It would be very useful in WinPE as well.



#33 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 01 February 2015 - 08:49 PM

A quick update to Offlinereg.

Next to the command line version, there is now a graphical front end which uses the same piece of code (Delphi library) as the command line.

 

It has basic and limited functions for now but could evolve in the future.

It is very lightweight, so it should work on WinPE as well.

 

[attached screenshot: WaZGnJ2.png]



#34 Biatu

Biatu

    Member

  • Members
  • 62 posts
  •  
    United Kingdom

Posted 25 November 2015 - 11:06 PM

Can you implement a method of executing cmd, and/or child processes with redirection to the offline hive? like RunScanner? Another interesting feature would be to use the offline hive as a mirror or fallback, whereas if the entry does not exist in the live hive offlinereg would defer to the offline hive but all writes/updates goto the live hive.

Would be useful in WinPE when it comes to implementing specific functionality.

 

Edit:

Lol my fault, just realised I asked you before a long time ago :P


Edited by Biatu, 25 November 2015 - 11:06 PM.


#35 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 21 January 2018 - 10:11 PM

@Erwan.l
Great tool. Used to bypass ACL restrictions in a WinPE registry after attempting to edit the key using regedit failed.

Only complaint is the lack of examples - including supported commands/switches.

Having read through the posts on reboot I noticed a nobackup command for example, however it's not mentioned in the brief instructions.

And also when using the setvalue command, command syntax is -

OfflineReg "c:\temp\system" a_key setvalue a_string_value_name a_new_value


Having read through the posts on reboot.pro, I now know that to create a (default) entry, an empty set of quotation marks can be used for a_string_value_name. E.g. -
offlinereg.exe PATH\SOFTWARE "Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32" setvalue " " X:\Windows\System32\actxprxy.dll
Are there any other useful commands that I'm missing?

:cheers:

Misty

P.s. It really is a fantastic tool :worship:

#36 darren rose

darren rose

    Frequent Member

  • Advanced user
  • 427 posts
  • Location:Norwich, Norfolk
  •  
    United Kingdom

Posted 21 January 2018 - 10:57 PM

Hi erwan.l

 

Excellent tool - very useful, wouldn't have known about it if misty hadn't mentioned it on another post

 

One point though - on http://reboot.pro/fi...313-offlinereg/ it says a value of 7 for reg_expand_sz, but it is actually 2, as shown when you just run offlinereg.exe

 

Great work :)



#37 darren rose

darren rose

    Frequent Member

  • Advanced user
  • 427 posts
  • Location:Norwich, Norfolk
  •  
    United Kingdom

Posted 21 January 2018 - 11:52 PM

question - any way of getting it so it writes back to the original file e.g. software rather than creating software_new?



#38 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 22 January 2018 - 07:02 AM

question - any way of getting it so it writes back to the original file e.g. software rather than creating software_new?

 

add nobackup as last parameter



#39 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 22 January 2018 - 07:22 AM

add nobackup as last parameter

 

Example below (which I use as part of QuickPE).

Use wimlib to extract/update, use OfflineReg to modify the system hive.

@echo off
rem SANPolicy 3 is used with WinPE 2.*/3.* 
rem SANPolicy 4 is only supported in WinPE 4.0/5.0.
rem see more here http://reboot.pro/topic/19687-winfe-sanpolicy-and-noautomount-combinations/?hl=sanpolicy
echo Extracting %1
call pe_tools\wimlib\wimextract.cmd %1 1 \windows\system32\config\system --dest-dir=temp
echo Modifying offline registry
OfflineReg temp\system currentcontrolset\Services\MountMgr setvalue NoAutoMount 1 4 nobackup
OfflineReg temp\system currentcontrolset\Services\partmgr\Parameters setvalue SanPolicy 4 4 nobackup
echo Updating %1
call pe_tools\wimlib\wimupdate.cmd %1 1 --command="add temp\system \windows\system32\config\system"


#40 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 22 January 2018 - 07:30 AM

@Erwan.l
Great tool. Used to bypass ACL restrictions in a WinPE registry after attempting to edit the key using regedit failed.

Only complaint is the lack of examples - including supported commands/switches.

Having read through the posts on reboot I noticed a nobackup command for example, however it's not mentioned in the brief instructions.

And also when using the setvalue command, command syntax is -

Having read through the posts on reboot.pro, I now know that to create a (default) entry, an empty set of quotation marks can be used for a_string_value_name. E.g. -

offlinereg.exe PATH\SOFTWARE "Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32" setvalue " " X:\Windows\System32\actxprxy.dll
Are there any other useful commands that I'm missing?

:cheers:

Misty

P.s. It really is a fantastic tool :worship:

 

 

Thanks for this nice feedback :)

 

About commands, I should (will) update the help command.

 

The nobackup parameter and default value trick have definitely been overlooked : I am glad you found them in this thread.

 

Other unknown commands? 

I recall making a change to allow one to create a hive from scratch (like a BCD for example) : not sure this is known / documented. Example here.


  • misty likes this

#41 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 22 January 2018 - 07:37 AM

Hi erwan.l

 

Excellent tool - very useful, wouldn't have known about it if misty hadn't mentioned it on another post

 

One point though - on http://reboot.pro/fi...313-offlinereg/ it says a value of 7 for reg_expand_sz, but it is actually 2, as shown when you just run offlinereg.exe

 

Great work :)

 

Will have to look into that.


  • misty likes this

#42 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 22 January 2018 - 07:51 AM

I have updated OfflineReg so that it displays a more up to date syntax help.



#43 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 22 January 2018 - 12:08 PM

Hi Erwan.l
I continue to play around with offlinereg and have attempted to use the import command to add a few settings to a WinPE build. Command syntax used -
offlinereg.exe PATH\SOFTWARE PATH\actxprxy.reg import 
Contents of PATH\actxprxy.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]
@="C:\\Windows\\System32\\actxprxy.dll"
"ThreadingModel"="Both"
Output in command console -
[Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]
createkey failed:2:The system cannot find the file specified
could not open Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
createkey failed:2:The system cannot find the file specified
could not open Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
saved to C:\MistyPE\ADK_workspace\mount\Windows\System32\config\SOFTWARE.new ok
Using an edited .reg file with the following content to create the missing key structure -
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]
@="C:\\Windows\\System32\\actxprxy.dll"
"ThreadingModel"="Both"
Output in command console -
[Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}]
[Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]
[Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]
saved to C:\MistyPE\ADK_workspace\mount\Windows\System32\config\SOFTWARE.new ok
I mounted and checked the new hive. The key structure has been created, however the contents have not.

Am I doing something wrong? Or is this a bug?

And there are references to a 64-bit version, but it's not included in the current download.

Misty

#44 darren rose

darren rose

    Frequent Member

  • Advanced user
  • 427 posts
  • Location:Norwich, Norfolk
  •  
    United Kingdom

Posted 22 January 2018 - 04:33 PM

Hi Erwan.l

 

Question for you

 

Trying to use your tool to see registry key as shown in .reg file below

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,61,00,\
  74,00,61,00,65,00,78,00,63,00,68,00,61,00,6e,00,67,00,65,00,2e,00,64,00,6c,\
  00,6c,00,00,00

If you view this entry in regedit then it looks like the attached pic - if you export it to a reg file it looks like the above

 

[attached screenshot: reg.png]

 

So I used your tool as below:-

OfflineReg.exe D:\a\mount\Windows\System32\config\SOFTWARE Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32 setvalue " " hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,61,00,74,00,61,00,65,00,78,00,63,00,68,00,61,00,6e,00,67,00,65,00,2e,00,64,00,6c,00,6c,00,00,00 2 

But then in the registry editor it shows it as entered rather than converting it to a path?

 

If I try entering it using your tool as 

OfflineReg.exe D:\a\mount\Windows\System32\config\SOFTWARE Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32 setvalue " " %SystemRoot%\system32\dataexchange.dll 2 

Then it converts %SystemRoot% to C:\Windows and writes it to the registry as C:\Windows\system32\dataexchange.dll - so it is then wrong in PE, as it should be changing it to X:, which it does correctly if it is left as %SystemRoot%

 

Hope this makes sense and you can advise how I can get it to add that key correctly

 

Thanks

 



#45 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 22 January 2018 - 04:50 PM

If I try entering it using your tool as 




OfflineReg.exe D:\a\mount\Windows\System32\config\SOFTWARE Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32 setvalue " " %SystemRoot%\system32\dataexchange.dll 2 
Then it converts %SystemRoot% to C:\Windows and write it to registry as C:\Windows\...


Have you tried using the following -
OfflineReg.exe D:\a\mount\Windows\System32\config\SOFTWARE Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32 setvalue " " %%SystemRoot%%\system32\dataexchange.dll 2 
Entering %SystemRoot% will parse the current %SystemRoot% variable. Entering %%SystemRoot%% should work. I've not tested this in offlinereg, but it works in other console applications.

Misty

EDIT - use %% in a batch, or try ^% on the commandline.

EDIT 2 - %% is working in a batch file. Not working in the console. Neither is ^%.

#46 darren rose

darren rose

    Frequent Member

  • Advanced user
  • 427 posts
  • Location:Norwich, Norfolk
  •  
    United Kingdom

Posted 22 January 2018 - 05:06 PM

@Misty

 

Thank you for the idea, but unfortunately not - that still parses it so we end up with %C:\Windows%\.....



#47 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 22 January 2018 - 05:11 PM

@Misty
 
Thank you for the idea, but unfortunately not - that still parses it so we end up with %C:\Windows%\.....

Refer to Edit 2 in my previous post - which you may have missed. %% is working in a batch. Not sure what escape character(s) can be used in offlinereg in the console though.

#48 darren rose

darren rose

    Frequent Member

  • Advanced user
  • 427 posts
  • Location:Norwich, Norfolk
  •  
    United Kingdom

Posted 22 January 2018 - 05:21 PM

Yes, just saw that, thanks - unfortunately I am doing it from the command prompt, not in a batch file, as I am passing the command from my VB.NET tool for building PE

 

Hopefully there is some other way around it, as I would rather not hardcode it to X:\Windows instead

 

Spent a while googling it and tried every single escape character I could think of with no joy



#49 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 22 January 2018 - 06:04 PM

Hi Erwan.l
I continue to play around with offlinereg and have attempted to use the import command to add a few settings to a WinPE build. Command syntax used -

offlinereg.exe PATH\SOFTWARE PATH\actxprxy.reg import 
Contents of PATH\actxprxy.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]
@="C:\\Windows\\System32\\actxprxy.dll"
"ThreadingModel"="Both"
Output in command console -
[Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]
createkey failed:2:The system cannot find the file specified
could not open Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
createkey failed:2:The system cannot find the file specified
could not open Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
saved to C:\MistyPE\ADK_workspace\mount\Windows\System32\config\SOFTWARE.new ok
Using an edited .reg file with the following content to create the missing key structure -
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]
@="C:\\Windows\\System32\\actxprxy.dll"
"ThreadingModel"="Both"
Output in command console -
[Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}]
[Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]
[Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]
saved to C:\MistyPE\ADK_workspace\mount\Windows\System32\config\SOFTWARE.new ok
I mounted and checked the new hive. The key structure has been created, however the contents have not.

Am I doing something wrong? Or is this a bug?

And there are references to a 64-bit version, but it's not included in the current download.

Misty

 

 

let me give it a try, possibly later today (locked again in a hotel room :) ).



#50 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 22 January 2018 - 06:09 PM

....

 

So I used your tool as below:-

OfflineReg.exe D:\a\mount\Windows\System32\config\SOFTWARE Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32 setvalue " " hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,61,00,74,00,61,00,65,00,78,00,63,00,68,00,61,00,6e,00,67,00,65,00,2e,00,64,00,6c,00,6c,00,00,00 2 

But then in the registry editor it shows it as entered rather than converting it to a path?

 

If I try entering it using your tool as 

OfflineReg.exe D:\a\mount\Windows\System32\config\SOFTWARE Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32 setvalue " " %SystemRoot%\system32\dataexchange.dll 2 

Then it converts %SystemRoot% to C:\Windows and writes it to the registry as C:\Windows\system32\dataexchange.dll - so it is then wrong in PE, as it should be changing it to X:, which it does correctly if it is left as %SystemRoot%

 

Hope this makes sense and you can advise how I can get it to add that key correctly

 

Thanks

 

You could, for binary data, do something like

OfflineReg.exe D:\a\mount\Windows\System32\config\SOFTWARE Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32 setvalue " " 25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,61,00,74,00,61,00,65,00,78,00,63,00,68,00,61,00,6e,00,67,00,65,00,2e,00,64,00,6c,00,6c,00,00,00 3

or else use a string, but then, as spotted by Misty, you need to handle the % character.
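Editor's worked example. The import failure in #43 (keys created, values not, and "createkey failed:2" when a parent key is missing), the hex(2) blob in #44 and the % expansion problem discussed in #44 to #50 all come down to how a regedit .reg file encodes what OfflineReg's setvalue expects. The Python below is an added example, not OfflineReg's code and not anything erwan.l posted: it parses a version 5.00 .reg file, lists every key together with its ancestors in creation order (what Misty did by hand with empty sections), decodes hex(2) data (UTF-16LE, NUL-terminated, i.e. REG_EXPAND_SZ) back to a string, and builds the setvalue argument list for each value. The sample .reg is constructed from the two fragments posted in this thread. Assumptions not taken from the thread: that OfflineReg takes REG_DWORD data as a decimal string and REG_BINARY data as a comma-separated hex list (as in the commands posted above), and that a single space names the (default) value (as in the posted setvalue examples).

```python
"""Added example, not OfflineReg's own code. Assumptions not taken from the
thread: OfflineReg accepts REG_DWORD data as a decimal string and REG_BINARY
data as a comma-separated hex list, and a single space names the (default) value."""
import re, struct

# Windows value type codes; setvalue takes one as its last argument before "nobackup".
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
DEFAULT_VALUE_NAME = " "  # assumption, see module docstring
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _logical_lines(text):  # join lines regedit wraps with a trailing backslash
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            yield buf + line
            buf = ""


def _unescape(s):  # regedit escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def decode_hex_list(csv):  # '25,00,53,...' (a hex(N) payload) -> bytes
    return bytes(int(b, 16) for b in csv.split(",") if b)


def encode_hex_list(data):
    return ",".join(f"{b:02x}" for b in data)


def utf16_to_str(data):  # REG_SZ/REG_EXPAND_SZ payload: UTF-16LE, NUL-terminated
    return data.decode("utf-16-le").split("\0", 1)[0]


def parse_reg(text, hive_root):
    """Yield (key relative to the hive, value name, type code, payload bytes).
    Sections outside hive_root are skipped; each section is also yielded as
    (key, None, None, None) so keys that carry no values still get created."""
    prefix = hive_root.rstrip("\\").lower() + "\\"
    key = None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            full = line[1:-1]
            key = full[len(prefix):] if full.lower().startswith(prefix) else None
            if key is not None:
                yield key, None, None, None
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = DEFAULT_VALUE_NAME if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2).strip()
        if data.startswith('"') and data.endswith('"'):
            yield key, name, REG_SZ, (_unescape(data[1:-1]) + "\0").encode("utf-16-le")
        elif data.startswith("dword:"):
            yield key, name, REG_DWORD, struct.pack("<I", int(data[6:], 16))
        elif data.startswith("hex"):  # hex: is REG_BINARY, hex(N): is type N
            kind, _, payload = data.partition(":")
            code = int(kind[4:-1]) if kind.startswith("hex(") else REG_BINARY
            yield key, name, code, decode_hex_list(payload)


def parent_keys(key):
    """Ancestors of key, shallowest first: import fails with 'createkey failed:2'
    when a parent is missing, so these must exist before the key itself."""
    parts = key.split("\\")
    return ["\\".join(parts[:i]) for i in range(1, len(parts))]


def offlinereg_argv(hive_path, key, name, code, data, nobackup=True):
    """One setvalue call as an argv list for subprocess.run(argv), no shell:
    only cmd.exe expands %SystemRoot%; CreateProcess passes it through."""
    if code in (REG_SZ, REG_EXPAND_SZ):
        payload = utf16_to_str(data)
    elif code == REG_DWORD:
        payload = str(struct.unpack("<I", data)[0])
    else:
        payload = encode_hex_list(data)
    argv = ["OfflineReg.exe", hive_path, key, "setvalue", name, payload, str(code)]
    return argv + ["nobackup"] if nobackup else argv


def plan(text, hive_root, hive_path):
    """Keys to create (ancestors first, no duplicates) and the setvalue argvs."""
    keys, argvs = [], []
    for key, name, code, data in parse_reg(text, hive_root):
        keys += [k for k in parent_keys(key) + [key] if k not in keys]
        if name is not None:
            argvs.append(offlinereg_argv(hive_path, key, name, code, data))
    return keys, argvs


# Constructed sample, assembled from the two .reg fragments posted in the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32]
@="C:\\Windows\\System32\\actxprxy.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,61,00,\
  74,00,61,00,65,00,78,00,63,00,68,00,61,00,6e,00,67,00,65,00,2e,00,64,00,6c,\
  00,6c,00,00,00
"""
```

The type codes are the Windows ones (REG_SZ 1, REG_EXPAND_SZ 2, REG_BINARY 3, REG_DWORD 4, REG_MULTI_SZ 7), so the 2 that the tool's own help prints for reg_expand_sz is correct and 7 is the code for REG_MULTI_SZ. Decoding Darren's blob gives %SystemRoot%\system32\dataexchange.dll followed by the terminating NUL, which is why writing it as a string with type 2 is the equivalent of the hex(2) line. On the % problem: the expansion is done by cmd.exe, not by OfflineReg, so a command line handed to CreateProcess without passing through cmd.exe (subprocess.run with an argv list here, or a .NET Process started without cmd /c) keeps the literal text; the batch-file %% trick works because the batch parser collapses %% to %. If the tool maps its type numbers to the Windows codes, the raw-bytes variant with 3 in #50 stores the data as REG_BINARY, so a value that must stay REG_EXPAND_SZ still needs type 2. After any offline edit, check the saved hive (OfflineReg's own getvalue, or reg load on a full Windows system) before building the image, since offline editing bypasses the ACLs the live registry would enforce and nothing else will flag a wrong type or path.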





