
offlinereg


190 replies to this topic

#176 misty

misty

    Silver Member

  • Developer
  • 869 posts
  •  
    United Kingdom

Posted 3 weeks ago

And to get a list of account IDs using OfflineReg. Run the following command -
OfflineReg-win32 "c:\windows\system32\config\SAM" SAM\Domains\Account\Users enumkeys
Will return a list of accounts. Output from my system -
000001F4
000001F5
000003E9
Names
000001F4 = Default Admin Account
000001F5 = Default Guest Account

#177 misty

Posted 3 weeks ago

...There is probably a way to retrieve the RID from a username with an offlinereg command (need to look for it).

Side note: the new enumkeysr (note the 'r') may come in handy as well, associated with the DOS findstr command.


Not sure if this document will be useful, however it looks interesting - Forensic_Determination_Users_Logon_Status.pdf

#178 misty

Posted 3 weeks ago

Now please stop distracting me - I'm trying to update the guide!

#179 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2249 posts
  • Location:Nantes - France
  •  
    France

Posted 3 weeks ago

Not sure if this document will be useful, however it looks interesting - Forensic_Determination_Users_Logon_Status.pdf

 

Nice !!

 

At offset 4, if the designation is 0x BC, the user has administrative privilege. The signature of 0x D4 denotes a limited user privilege and the 0x B0 is a Microsoft designation for the Guest account.

 

Yummy ...  :hyper:

Too good to be true : now I have to wait until this evening to try this out!



#180 erwan.l


Posted 3 weeks ago

Now please stop distracting me - I'm trying to update the guide!

 

I'll be quiet for the next 8 hours :)



#181 misty


Posted 3 weeks ago

Guide updated to include the new commands from the 1.0.3 (version 2!) release. It also now reflects the change in the executable name to offlinereg-win32.exe / offlinereg-win64.exe (all examples use the 32-bit version).

Link is in post #1 (and here)

Misty

P.s. Erwan - the improved import parsing is like lightning! Also, I'm liking the reduced size of the new 64-bit executables - it's shrunk considerably despite the addition of the new commands :worship:
  • Atari800XL likes this

#182 erwan.l


Posted 3 weeks ago

Guide updated to include the new commands from the 1.0.3 (version 2!) release. It also now reflects the change in the executable name to offlinereg-win32.exe / offlinereg-win64.exe (all examples use the 32-bit version).

Link is in post #1 (and here)

Misty

P.s. Erwan - the improved import parsing is like lightning! Also, I'm liking the reduced size of the new 64-bit executables - it's shrunk considerably despite the addition of the new commands :worship:

 

These last days were an excellent demonstration of team work: sharp and positive feedback, iterative work, comprehensive documentation...

About the win32/win64, I was fed up with having to switch between two computers (delphi7 for win32 and delphixe for win64), so I finally decided to use Lazarus 1.4.4 / FreePascal 2.6.4: not only can I compile to win32/win64 with one unique computer / dev environment, but it generates smaller exe's :)

About the speed, I was lucky to find a better/faster searchandreplace function: I am amazed as well at how much faster it is compared to the default builtin function (probably x100 ...).


  • darren rose likes this

#183 misty


Posted 3 weeks ago

...About the win32/win64, I was fed up with having to switch between two computers (delphi7 for win32 and delphixe for win64), so I finally decided to use Lazarus 1.4.4 / FreePascal 2.6.4: not only can I compile to win32/win64 with one unique computer / dev environment, but it generates smaller exe's :)...


Just out of curiosity, will you be adopting this approach for your other programs?

#184 erwan.l


Posted 3 weeks ago

Just out of curiosity, will you be adopting this approach for your other programs?

 

For command line, yes, most probably: as much as I love delphi7, it is severely outdated and limited to win32.

For GUI, unfortunately, the visual classes differ too much: I cannot migrate software from Lazarus to Delphi and vice versa, so I will stick to Delphi for now.


  • misty likes this

#185 misty


Posted 2 weeks ago

Hi Erwan,

I've been using OfflineReg to add some settings to a WinPE and noticed a few issues.

Firstly, when running commands from a file list, the registry hive was not saved as one of the commands failed - this was a deletekey command and the key was not present in the hive. It would be useful to either ignore the error and save the hive anyway, or alternatively add a new command that will save the changes despite any errors.

I've also encountered an issue when adding a DWORD value - the issue appears to be due to numbers above a certain value not being supported. I encountered the issue when running the following command (to remove "libraries" from explorer) -
offlinereg-win32.exe "PATH\Software" "Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder" setvalue "Attributes" "2839544064" 4
This returned the error -
setvalue error:"2839544064" is an invalid integer
I attempted to work around this by using a .reg file and the import command.

Contents of my reg file (note that 2839544064 (decimal) = a9400100 (binary))
 
Windows Registry Editor Version 5.00

[HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder]
"Attributes"=dword:a9400100
This ran, but returned the following -
[HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder]

added -> Attributes=dword:-1455423232
saved to PATH\Software ok
Note that the dword value added is incorrect.

Just posting for bug reporting purposes.

Regards,

Misty
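The symptom in the bug report above (a DWORD above 2^31 rejected by setvalue, and written back as a negative number by import) is what happens when a 32-bit registry value is parsed and stored through a signed integer. The following is an added example in Python, not OfflineReg's own code: it parses a DWORD in decimal or .reg hex form across the full unsigned range, shows the signed reinterpretation that yields -1455423232, and emits the little-endian bytes and the .reg line for round-tripping.

```python
import struct

DWORD_MAX = 0xFFFFFFFF  # REG_DWORD is an unsigned 32-bit value


def parse_dword(text: str) -> int:
    """Parse a REG_DWORD written as decimal ("2839544064"), in .reg file
    form ("dword:a9400100") or as 0x-prefixed hex, accepting the full
    unsigned 32-bit range rather than only the signed range."""
    s = text.strip().lower()
    if s.startswith("dword:"):
        value = int(s[len("dword:"):], 16)
    elif s.startswith("0x"):
        value = int(s, 16)
    else:
        value = int(s, 10)
    if not 0 <= value <= DWORD_MAX:
        raise ValueError(f"{text!r} does not fit in a 32-bit DWORD")
    return value


def fits_signed32(value: int) -> bool:
    """True when a parser that keeps DWORDs in a signed 32-bit integer would
    accept the value; 2839544064 (0xA9400100) fails this check, which is the
    'invalid integer' error from setvalue."""
    return -0x80000000 <= value <= 0x7FFFFFFF


def signed32_view(value: int) -> int:
    """Reinterpret the same 32-bit pattern as signed: this reproduces the
    'dword:-1455423232' shown by the import command."""
    return struct.unpack("<i", struct.pack("<I", value))[0]


def dword_to_hive_bytes(value: int) -> bytes:
    """Little-endian 4-byte encoding, as REG_DWORD data is stored in a hive."""
    return struct.pack("<I", value)


def reg_dword_line(name: str, value: int) -> str:
    """Render the value in Registry Editor 5.00 .reg syntax: 8 lower-case
    hex digits, never a sign."""
    return f'"{name}"=dword:{value:08x}'


if __name__ == "__main__":
    v = parse_dword("2839544064")  # the Attributes value from the post
    print(reg_dword_line("Attributes", v), signed32_view(v),
          dword_to_hive_bytes(v).hex())
```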

#186 erwan.l


Posted 2 weeks ago

Hi Misty,

Will be fixed tomorrow!

Cheers,
Erwan

#187 misty


Posted 2 weeks ago

Hi Misty,

Will be fixed tomorrow!

Cheers,
Erwan

:thumbsup: Thank you. I'll test any new release as soon as I can.

#188 erwan.l


Posted 2 weeks ago

:thumbsup: Thank you. I'll test any new release as soon as I can.

 

New version uploaded.

 

I was able to reproduce the other bug you reported (one error in a list file making the whole batch fail) : if you can provide a list file, I will test it further.

fixed : setvalue error:"..." is an invalid integer on some integer
added : getvalue key " " 255 to display a binary into ascii


#189 misty


Posted 2 weeks ago

Hi Erwan
 

New version uploaded.

And it's fixed the DWORD error I was getting (in post #185) :thumbsup:

Using the new version, importing the reg file using the commands and .reg file from my previous post (#185) resulted in the following error -
[HKLM\Software\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder]

setvalue error:not a valid integer value
saved to PATH\Software ok

I was able to reproduce the other bug you reported (one error in a list file making the whole batch fail) : if you can provide a list file, I will test it further....

Please check your PM.

:cheers:

Misty

#190 erwan.l


Posted 2 weeks ago

Job done ! (or rather bugs fixed !)

 

Check your PM.



#191 misty


Posted 2 weeks ago

Tested. Fixed :thumbsup: Awesome :worship:



