
offlinereg


200 replies to this topic

#176 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 29 January 2018 - 10:04 AM

And to get a list of account IDs using OfflineReg. Run the following command -
OfflineReg-win32 "c:\windows\system32\config\SAM" SAM\Domains\Account\Users enumkeys
Will return a list of accounts. Output from my system -
000001F4
000001F5
000003E9
Names
000001F4 = Default Admin Account
000001F5 = Default Guest Account
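Added example (not part of the post and not OfflineReg's own code): the subkey names that `enumkeys` prints under SAM\Domains\Account\Users are the account RIDs as eight hex digits, so a small parser can turn that listing into a readable account table for an offline hive review. The sample input is the output quoted in the post; RID labels for 500/501 and the "1000 and above" rule are assumptions based on well-known local SAM conventions.

```python
from __future__ import annotations
from typing import Optional

# Well-known local RIDs: 500 = built-in Administrator, 501 = built-in Guest
# (matches the "Default Admin/Guest Account" names in the post).
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)"}

# Constructed sample input: the enumkeys output quoted in the post above.
SAMPLE_ENUMKEYS_OUTPUT = """000001F4
000001F5
000003E9
Names
"""


def decode_user_key(name: str) -> Optional[int]:
    """Return the RID encoded in a SAM Users subkey name, or None for any
    line that is not an 8-hex-digit key (e.g. the 'Names' lookup index)."""
    name = name.strip()
    if len(name) != 8:
        return None
    try:
        return int(name, 16)
    except ValueError:
        return None


def describe_rid(rid: int) -> str:
    """Label well-known RIDs; locally created accounts start at RID 1000."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "local account (created after install)"
    return "reserved/unknown well-known RID"


def summarize_enumkeys(output: str) -> list[tuple[str, int, str]]:
    """Turn raw enumkeys output into (key name, RID, label) rows."""
    rows = []
    for line in output.splitlines():
        rid = decode_user_key(line)
        if rid is None:
            continue  # skip 'Names' and any non-key line
        rows.append((line.strip(), rid, describe_rid(rid)))
    return rows


if __name__ == "__main__":
    for key, rid, label in summarize_enumkeys(SAMPLE_ENUMKEYS_OUTPUT):
        print(f"{key} -> RID {rid:4d}  {label}")
```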

#177 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 29 January 2018 - 10:06 AM

...There is probably a way to retrieve the RID from a username with an offlinereg command (need to look for it).
 
Side note: the new enumkeysr (note the 'r') may come in handy as well when combined with the DOS findstr command.


Not sure if this document will be useful, however it looks interesting - Forensic_Determination_Users_Logon_Status.pdf

#178 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 29 January 2018 - 10:07 AM

Now please stop distracting me - I'm trying to update the guide!

#179 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 29 January 2018 - 10:23 AM

Not sure if this document will be useful, however it looks interesting - Forensic_Determination_Users_Logon_Status.pdf

 

Nice !!

 

At offset 4, if the designation is 0x BC, the user has administrative privilege. The signature of 0x D4 denotes a limited user privilege and the 0x B0 is a Microsoft designation for the Guest account.

 

Yummy ...  :hyper:

Too good to be true : now I have to wait until this evening to try this out!



#180 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 29 January 2018 - 10:25 AM

Now please stop distracting me - I'm trying to update the guide!

 

I'll be quiet for the next 8 hours :)



#181 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 29 January 2018 - 12:04 PM

Guide updated to include the new commands from the 1.0.3 (version 2!) release. It also now reflects the change in the executable name to offlinereg-win32.exe / offlinereg-win64.exe (all examples use the 32-bit version).

Link is in post #1 (and here)

Misty

P.s. Erwan - the improved import parsing is like lightning! Also, I'm liking the reduced size of the new 64-bit executables - it's shrunk considerably despite the addition of the new commands :worship:
  • Atari800XL likes this

#182 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 30 January 2018 - 07:32 PM

Guide updated to include the new commands from the 1.0.3 (version 2!) release. It also now reflects the change in the executable name to offlinereg-win32.exe / offlinereg-win64.exe (all examples use the 32-bit version).

Link is in post #1 (and here)

Misty

P.s. Erwan - the improved import parsing is like lightning! Also, I'm liking the reduced size of the new 64-bit executables - it's shrunk considerably despite the addition of the new commands :worship:

 

These last days were an excellent demonstration of team work: sharp and positive feedback, iterative work, comprehensive documentation ...

 

About the win32/win64, I was fed up with having to switch between two computers (delphi7 for win32 and delphixe for win64), so I finally decided to use Lazarus 1.4.4 / FreePascal 2.6.4: not only can I compile to win32/win64 with one unique computer / dev environment, but it generates smaller exe's :)

 

About the speed, I was lucky to find a better/faster searchandreplace function: I am amazed as well at how much faster it is compared to the default builtin function (probably x100 ...).


  • darren rose likes this

#183 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 30 January 2018 - 07:36 PM

...About the win32/win64, I was fed up with having to switch between two computers (delphi7 for win32 and delphixe for win64), so I finally decided to use Lazarus 1.4.4 / FreePascal 2.6.4: not only can I compile to win32/win64 with one unique computer / dev environment, but it generates smaller exe's :)...


Just out of curiosity, will you be adopting this approach for your other programs?

#184 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 30 January 2018 - 07:48 PM

Just out of curiosity, will you be adopting this approach for your other programs?

 

For command line, yes, most probably: as much as I love delphi7, it is severely outdated and limited to win32.

For GUI, unfortunately, the visual classes differ too much: I cannot migrate a software from Lazarus to Delphi and vice versa, so I will stick to Delphi for now.


  • misty likes this

#185 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 05 February 2018 - 09:13 PM

Hi Erwan,

I've been using OfflineReg to add some settings to a WinPE and noticed a few issues.

Firstly, when running commands from a file list, the registry hive was not saved as one of the commands failed - this was a deletekey command and the key was not present in the hive. It would be useful to either ignore the error and save the hive anyway, or alternatively add a new command that will save the changes despite any errors.

I've also encountered an issue when adding a DWORD value - the issue appears to be due to numbers above a certain value not being supported. I encountered the issue when running the following command (to remove "libraries" from explorer) -
offlinereg-win32.exe "PATH\Software" "Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder" setvalue "Attributes" "2839544064" 4
This returned the error -
setvalue error:"2839544064" is an invalid integer
I attempted to work around this by using a .reg file and the import command.

Contents of my reg file (note that 2839544064 (decimal) = a9400100 (binary))
 
Windows Registry Editor Version 5.00

[HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder]
"Attributes"=dword:a9400100
This ran, but returned the following -
[HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder]

added -> Attributes=dword:-1455423232
saved to PATH\Software ok
Note that the dword value added is incorrect.

Just posting for bug reporting purposes.

Regards,

Misty
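Added example (not from the thread and not OfflineReg's code): the two DWORD spellings used in the bug report above, parsed as an unsigned 32-bit value. 2839544064 is 0xA9400100, and reinterpreting that value as a signed 32-bit integer gives exactly the -1455423232 shown in the import output, so the helper below also demonstrates that reinterpretation. The function names and the range check are my own; the sample values are the ones quoted in the post.

```python
from __future__ import annotations
import re

UINT32_MAX = 0xFFFFFFFF


def parse_setvalue_dword(text: str) -> int:
    """Decimal DWORD as typed on the setvalue command line, range-checked
    as an UNSIGNED 32-bit integer (0..4294967295)."""
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError(f'"{text}" is an invalid integer')
    value = int(text)
    if value > UINT32_MAX:
        raise ValueError(f'"{text}" does not fit in a DWORD')
    return value


def parse_reg_dword(line: str) -> tuple[str, int]:
    """Parse a .reg value line such as "Attributes"=dword:a9400100 into
    (value name, unsigned integer)."""
    m = re.fullmatch(r'\s*"([^"]+)"\s*=\s*dword:([0-9A-Fa-f]{1,8})\s*', line)
    if not m:
        raise ValueError(f"not a dword line: {line!r}")
    return m.group(1), int(m.group(2), 16)


def as_signed32(value: int) -> int:
    """Reinterpret an unsigned DWORD as a signed 32-bit (two's complement)
    integer: values with bit 31 set come out negative."""
    value &= UINT32_MAX
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def to_dword_hex(value: int) -> str:
    """Render an unsigned DWORD the way a .reg file writes it."""
    return f"dword:{value & UINT32_MAX:08x}"


if __name__ == "__main__":
    # Constructed from the post: the setvalue argument and the .reg line.
    v = parse_setvalue_dword("2839544064")
    name, hv = parse_reg_dword('"Attributes"=dword:a9400100')
    print(name, v == hv, to_dword_hex(v), as_signed32(v))
    # prints: Attributes True dword:a9400100 -1455423232
```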

#186 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 05 February 2018 - 09:42 PM

Hi Misty,

Will be fixed tomorrow!

Cheers,
Erwan

#187 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 05 February 2018 - 09:45 PM

Hi Misty,

Will be fixed tomorrow!

Cheers,
Erwan

:thumbsup: Thank you. I'll test any new release as soon as I can.

#188 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 06 February 2018 - 08:36 AM

:thumbsup: Thank you. I'll test any new release as soon as I can.

 

New version uploaded.

 

I was able to reproduce the other bug you reported (one error in a list file making the whole batch fail) : if you can provide a list file, I will test it further.

fixed : setvalue error:"..." is an invalid integer on some integer
added : getvalue key " " 255 to display a binary into ascii


#189 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 06 February 2018 - 10:33 AM

Hi Erwan
 

New version uploaded.

And it's fixed the DWORD error I was getting (in post #185) :thumbsup:

Using the new version, importing the reg file using the commands and .reg file from my previous post (#185) resulted in the following error -
[HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder]

setvalue error:not a valid integer value
saved to PATH\Software ok

I was able to reproduce the other bug you reported (one error in a list file making the whole batch fail) : if you can provide a list file, I will test it further....

Please check your PM.

:cheers:

Misty

#190 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2250 posts
  • Location:Nantes - France
  •  
    France

Posted 06 February 2018 - 06:14 PM

Job done ! (or rather bugs fixed !)

 

Check your PM.



#191 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 06 February 2018 - 07:22 PM

Tested. Fixed :thumbsup: Awesome :worship:

#192 dodenko

dodenko
  • Members
  • 8 posts
  •  
    Russian Federation

Posted 17 March 2018 - 10:47 AM

Where to find the newest version? In the downloads section it's 0.9.8 ..

Anyway does this mount hives and then modify like reg load?



#193 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14093 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 17 March 2018 - 11:05 AM

Where to find the newest version? In the downloads section its 0.9.8 ..
Anyway does this mount hives and then modify like reg load?

Here:
http://labalec.fr/erwan/?p=1800

Anyway does this mount hives and then modify like reg load?

No, the whole point is that it uses a MS dll that allows changing values in a Registry file "offline", without mounting anything.
Some details are here:
http://reboot.pro/to...gistry-library/
http://reboot.pro/to...fline-registry/

:duff:
Wonko

#194 dodenko

dodenko
  • Members
  • 8 posts
  •  
    Russian Federation

Posted 17 March 2018 - 11:07 AM

Aw wow that would be much much faster than reg tool.

Another idea is to use wimlib and then directly modify hives inside a wim file.

I think wimlib has a dll.


Edited by dodenko, 17 March 2018 - 11:12 AM.


#195 dodenko

dodenko
  • Members
  • 8 posts
  •  
    Russian Federation

Posted 17 March 2018 - 12:35 PM

How does it handle permissions as well?



#196 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 17 March 2018 - 12:45 PM

...Another idea is to use wimlib and then directly modify hives inside a wim file...

wimlib cannot mount on Windows. A workaround is to extract the required registry hive > modify using offlinereg > add the modified hive back to the wim.
 

How does it handle permissions as well?

Very well - by ignoring them. offlinereg does not require elevated privileges and ignores any ACL settings on keys in the offline registry hive.

:cheers:

Misty
  • dodenko likes this

#197 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 17 March 2018 - 12:47 PM

@dodenko

...Excellent and comprehensive guide from Misty here...


  • dodenko likes this

#198 dodenko

dodenko
  • Members
  • 8 posts
  •  
    Russian Federation

Posted 17 March 2018 - 01:31 PM

Excellent.



#199 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14093 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 17 March 2018 - 02:16 PM

And - only to repeat myself ad nauseam (and notwithstanding the fact that I contributed to the very beginning of the nice erwan.l's tool) the "right" way is this other one (that no programmer ever cared to pursue, in the last 10 (ten) years or so):

 

http://reboot.pro/to...s-a-filesystem/

 

:duff:

Wonko



#200 dodenko

dodenko
  • Members
  • 8 posts
  •  
    Russian Federation

Posted 20 March 2018 - 12:52 PM

Can I use this tool during SetupComplete.cmd?





