Registry Redirection
#1 darkman738

darkman738

    Frequent Member

  • Advanced user
  • 134 posts
  • Location:MA, US
  •  
    United States

Posted 08 July 2008 - 02:18 AM

I've found this program, RunScanner, and am attempting to work with the author on getting this to work with my build, and will keep this post updated in regards to the progress; however, I would like to reach out to you guys to see if any of you have used this or other apps like this that may work better?
Explanation:
This program redirects registry requests to a remote hive. This is quite useful when scanning for malware, or disabling startup items to troubleshoot a non-working install.

Here are some possible restrictions that I have found with this app. Now, I am not sure of these restrictions, as I have not tested this app thoroughly yet, but was hopeful that you guys could direct me if I'm wrong or there are better apps that do this for me:

1) It appears that it is a per-instance use (by that I mean that you have to call it with every app you launch, and it doesn't redirect every registry call regardless.)
2) It also appears that it only loads 1 section of the registry rather than all keys.
3) It can only load one user account, rather than multiple.

If anyone knows of something that has any of these features PLEASE let me know, as this is functionality I need ASAP.

#2 Galapo

Galapo

    Platinum Member

  • .script developer
  • 3841 posts
  •  
    Australia

Posted 08 July 2008 - 02:51 AM

> 1) It appears that it is a per-instance use (by that I mean that you have to call it with every app you launch, and it doesn't redirect every registry call regardless.)

You can get it to also redirect any app launched by the initial one: /cp.

> 3) It can only load one user account, rather than multiple.


You can load more than one account: /m+.

The following apps off the LiveXP server make use of runscanner:

http://livexp.boot-l...werTools.script
http://livexp.boot-l...eSysPrep.script

Script for runscanner here: http://livexp.boot-l...nscanner.Script

Known limitation: user profile is mapped to HKCU, and does not also provide some sort of security level impersonation as the target user GUID.

Regards,
Galapo.

#3 darkman738

Posted 08 July 2008 - 04:32 AM

> You can get it to also redirect any app launched by the initial one: /cp.
>
> You can load more than one account: /m+.
>
> The following apps off the LiveXP server make use of runscanner:
>
> http://livexp.boot-l...werTools.script
> http://livexp.boot-l...eSysPrep.script
>
> Script for runscanner here: http://livexp.boot-l...nscanner.Script
>
> Known limitation: user profile is mapped to HKCU, and does not also provide some sort of security level impersonation as the target user GUID.
>
> Regards,
> Galapo.


Thanks again for the info! I'm running some preliminary trials, and it just doesn't seem like I'm yielding any results. To be honest, it doesn't seem to be working at all. If it is, it seems that it's only working for one user account and not the rest of the registry. I could be wrong here, and will be testing more, but so far it seems to be disappointing, which sucks because I NEED this functionality!

Now correct me if I'm wrong here, but this is how I think it works:

run:
runscanner.exe myApp.exe

runscanner
|--myApp
|--writekey -> HKLM -> SFTWR -> myCpny -> myApp -> serial="2134" (here the command is caught and redirected)
|--writekey -> HostOS_HKLM -> SFTWR -> myCpny -> myApp -> serial="2134"

Now this can be applied to malware scanners, registry scanners, and apps like autoruns (which for some reason isn't working within PE; anyone know why? It just doesn't open?) for scanning and editing remote registry entries.

Am I correct? Or does this app only work for user accounts and not all of the Windows registry? And if it does, please excuse my ignorance, but do I need a special switch for this, because I can't seem to find any documentation on these questions. Also, do I need to list which key I want loaded (i.e. HKLM OR HKCR, not both at the same time)? Thanks for the advice.

Frank

#4 Galapo

Posted 08 July 2008 - 04:40 AM

Read here: http://www.paraglide.../runscanner.htm

Regards,
Galapo.

#5 darkman738

Posted 08 July 2008 - 05:10 AM

> Read here: http://www.paraglide.../runscanner.htm
>
> Regards,
> Galapo.


Yes, I've been combing over this page for an hour or two, and I'm not making much sense of it. I get the basics of it, and actually, that is the link that I posted in my first statement, but there's not a lot of info on whether it works the way I want it to. This is difficult to test, as many apps that I attempt to run through this fail; they just don't open. It asks to load a user, then nothing... Some apps do open, but often error too much to work with. I have tried with:

jv16 - used 2 versions: 1) the script you mentioned (it errored like crazy and closed) and another version that I installed to the x:\ and it never opens, while it opens if I click on the exe
ccleaner - appears to work OK, but it found more entries after booting into normal mode (and yes, I made multiple passes until it did not find anything else)
regcleaner - I am testing now; it seems to work OK, but I will be comparing results in normal mode soon.

Also, any reason that there may be a problem since I'm using Vista rather than XP?

Thanks

#6 Galapo

Posted 08 July 2008 - 05:23 AM

> Also, any reason that there may be a problem since I'm using Vista rather than XP?


No, not Vista as such, just VistaPE. The script I posted assumes runscanner to be located under '%ProgramFiles%\RunScanner'. If that is not so, of course it will error. Maybe there's some files needed by your VistaPE for runscanner to run properly. JonF has been posting VistaPE scripts for a while now related to malware etc.

Regards,
Galapo.

#7 JonF

JonF

    Gold Member

  • .script developer
  • 1185 posts
  • Location:Boston, MA
  •  
    United States

Posted 08 July 2008 - 11:48 AM

Runscanner can load more than one user profile, but it can only load one user profile into HKCU, because there's only one HKCU. The other profiles are loaded into HKEY_USERS. There's nothing that can be done about that; that's a restriction of the way that the registry is structured.

The HKLM/Sam, HKLM/Security, HKLM/Software, and HKLM/System branches are loaded into "fake" HKLM/Sam_on_C, HKLM/Security_on_C, ... branches.

HKCR and HKCF are, AFAIK, untouched.

I don't know the details of which registry calls are redirected and which are not. Obviously some cannot be redirected or the system's gonna crash. Paraglider knows a lot more than I do about the whole thing, obviously.

#8 paraglider

paraglider

    Gold Member

  • .script developer
  • 1743 posts
  • Location:NC,USA
  •  
    United States

Posted 08 July 2008 - 11:55 AM

I would be very careful with the /cp parameter. I have seen it lead to system hangs / BSODs. It also only picks up processes launched directly, not those launched by DCOM or services, as these are owned and launched by a separate system process.

The registry redirection only happens after the timeout period specified by the /t parameter which defaults to 10 seconds ( 10000 ).

If you load all user hives then as long as your scanner program scans all user hives then they will get scanned directly without any redirection. References to HKCU are redirected to the first user you select.

HKLM registry access is redirected to the remote hive. What is redirected is key open / create not the actual access to the values.

The redirection happens at the windows 32 registry api level not the native registry access function level. Some shell functions appear to not use the api functions to access the registry so these don't get redirected.

For services there is an option to poll for the service starting and then attach runscanner to that service.

#9 JonF

Posted 08 July 2008 - 11:56 AM

> No, not Vista as such, just VistaPE. The script I posted assumes runscanner to be located under '%ProgramFiles%\RunScanner'. If that is not so, of course it will error. Maybe there's some files needed by your VistaPE for runscanner to run properly. JonF has been posting VistaPE scripts for a while now related to malware etc.

Runscanner doesn't need anything special to run under VistaPE. The problem is locating the Runscanner files from another program; they may be in the WIM at %ProgramFiles%\RunScanner or they may be on the CD (for which there's no environment variable). Handling the general case is pretty complex, so I stomp the problem by including the Runscanner files inside all my scripts that use Runscanner. It's a little wasted space but it's ever so much easier.

#10 JonF

Posted 08 July 2008 - 12:00 PM

> jv16 - used 2 versions: 1) the script you mentioned (it errored like crazy and closed) and another version that I installed to the x:\ and it never opens, while it opens if I click on the exe
> ccleaner - appears to work OK, but it found more entries after booting into normal mode (and yes, I made multiple passes until it did not find anything else)

If your target installation is Vista, then CCleaner doesn't see the target %temp folder, even when redirected by Runscanner. I don't know why.

#11 paraglider

Posted 08 July 2008 - 12:01 PM

Note sysinternals autoruns does not appear to work on VistaPE even if called directly. It also exhibits exactly the same problem if launched from an xp based pe via runscanner and is pointed at a vista installation.

In both cases it appears to exit around the same place - it throws an exception after scanning the user profiles and exits.

Registry redirection is also an imperfect technique. Any program using it will be in a very confused state. The registry is crucial to not just the scanning process but also to a program running correctly. For some registry access it's crucial for the well-being of the program that the local registry is accessed. Hence the reason for the /t parameter. You want to ensure that all the system DLLs that the program requires for execution are loaded from the local PE, not the remote system.

The next version of runscanner will have better support for autoruns in an XP environment.

It's far better to use tools that are designed to work in a PE environment - the tools by Safer Networking like Spybot and RunAlyzer are PE aware.

HKCR is redirected to the remote registry.

If you want to run runscanner without specifying path information then you should install the exe and dll to the system32 directory.

Add /t 0 before the app you want to run:

<installpath>runscanner.exe /t 0 myApp.exe

if you want immediate redirection.

Add /m if you want the option to select which user profiles to load or /m+ to automatically select all remaining user profiles.

Add /y to suppress the question about loading user profiles and answer yes, i.e. it will go straight to prompting for the user profile which corresponds to HKCU.

If you are using Vista targets then you should also add /sv ( requires bcdedit.exe to be present in the runscanner directory ) or /sd which does a one level directory scan on all drives looking for windows installations.

#12 darkman738

Posted 08 July 2008 - 04:20 PM

A lot of really good information.

Thanks for all of the clarification of how your app works. Great to hear that this is an ongoing project, and I look forward to using it, and hopefully being a part of development. I do have an idea or two I'd like to share:

I know of a company who is doing this same thing in a proprietary app. Their solution was to create a driver that loads with the shell (or as a service, haven't really looked into which) and redirects ALL reg calls by default, as this environment's primary use is malware removal. They mount all hives as something like:
HKCL
HKLM
HKCU
RemoteOS_HKCL
RemoteOS_HKLM
RemoteOS_HKCU
etc.
Any chance of this as an option? Would either of these approaches possibly fix some of the restrictions or problems? As an additional benefit to this approach, one can open regedit and manually edit the remote OS registry. I have found difficulty performing this with the current version.

Is there a way to add a switch that will load the first, or any for that matter, profile (that isn't "Administrator", "Network" etc., unless no other exists, then defaults to "Administrator") without asking or having to confirm? I am attempting to create an automated procedure for removal, and having to click on each instance of an app load is preventing automation, and forcing me to be in front of the computer waiting until each scan completes, which defeats the purpose.

I look forward to hearing from you.
Thanks,
Frank

#13 paraglider

Posted 08 July 2008 - 10:55 PM

Remote regedit is already supplied with runscanner.

/ac automatically selects the user hive as HKCU as long as only one user hive is defined.

If you are writing your own malware removal software then there is no need to resort to registry redirection - you just code your app to directly access the remote hives. That's exactly what spybot does as do a small number of other apps.
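
As an added example, not part of this thread and not RunScanner's own code, the following PowerShell script does what paraglider describes in #8 and #13: it loads the target installation's hives directly and enumerates the Run/RunOnce entries from the SOFTWARE hive and from every user's NTUSER.DAT, so no HKCU remapping or API-level redirection is involved. It assumes the target Windows is on D: as seen from the PE and that the shell is elevated; the mount names mirror the "<hive>_ON_<drive>" convention but are otherwise my own choice.

```powershell
# Added example, not RunScanner's code: enumerate the Run/RunOnce entries of an
# offline Windows installation by loading its hives directly, so no HKCU
# remapping or API-level redirection is involved. Assumes the target system
# drive is D: as seen from the PE and that this shell is elevated.
param([string]$TargetDrive = 'D:')

$drv    = $TargetDrive.TrimEnd(':')
$mounts = @{}   # mount name -> hive file, so every load is undone in 'finally'

function Mount-OfflineHive([string]$Name, [string]$HiveFile) {
    # Mirror the "<hive>_ON_<drive>" naming so nothing collides with the PE's live hives.
    $out = & reg.exe load "HKLM\$Name" $HiveFile 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Usual causes: the hive is already mounted (e.g. by RunScanner) or the file is not a hive.
        Write-Warning "Could not load $HiveFile as HKLM\$Name : $out"
        return $false
    }
    $mounts[$Name] = $HiveFile
    return $true
}

function Dismount-OfflineHives {
    # Drop handles the registry provider may still hold, otherwise unload fails with "access denied".
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    foreach ($n in @($mounts.Keys)) { & reg.exe unload "HKLM\$n" | Out-Null }
}

function Get-RunEntries([string]$Root, [string]$Owner) {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($sub in 'Run', 'RunOnce') {
        $path = "HKLM:\$Root\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $path)) { continue }
        foreach ($p in (Get-ItemProperty -Path $path).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # skip provider metadata
            [pscustomobject]@{ Owner = $Owner; Key = $sub; Name = $p.Name; Command = $p.Value }
        }
    }
}

try {
    # Machine-wide entries live in the SOFTWARE hive; its Run key sits directly under the hive root.
    if (Mount-OfflineHive "SOFTWARE_ON_$drv" "$TargetDrive\Windows\System32\config\SOFTWARE") {
        Get-RunEntries "SOFTWARE_ON_$drv" 'HKLM'
    }
    # Each profile's NTUSER.DAT gets its own mount (Vista: \Users, XP: \Documents and Settings),
    # so every user is scanned rather than only the one that would have been mapped onto HKCU.
    foreach ($profRoot in "$TargetDrive\Users", "$TargetDrive\Documents and Settings") {
        foreach ($hive in Get-ChildItem "$profRoot\*\NTUSER.DAT" -Force -ErrorAction SilentlyContinue) {
            $user = $hive.Directory.Name
            if (Mount-OfflineHive "NTUSER_${user}_ON_$drv" $hive.FullName) {
                Get-RunEntries "NTUSER_${user}_ON_$drv\Software" "HKU\$user"
            }
        }
    }
} finally {
    Dismount-OfflineHives
}
```

A failed `reg.exe load` is reported and skipped rather than falling through to the PE's own registry, which is the "hives are already mounted" situation Galapo describes later in the thread.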

#14 darkman738

Posted 08 July 2008 - 10:56 PM

> Remote regedit is already supplied with runscanner.
>
> /ac automatically selects the user hive as HKCU as long as only one user hive is defined.


And if I don't know a user?

#15 paraglider

Posted 08 July 2008 - 10:59 PM

Don't understand your question. You don't need to know if there is only one. Then /ac will automatically select it. If there is more than one then you have to choose one as I cannot guess which is the correct one.

#16 darkman738

Posted 09 July 2008 - 12:47 AM

> Don't understand your question. You don't need to know if there is only one. Then /ac will automatically select it. If there is more than one then you have to choose one as I cannot guess which is the correct one.


You answered it there: you won't guess which to auto-load. That kind of sucks, as I'll be running several apps in succession, but perhaps I can set up an auto-click script to run.

Earlier today I found a thread with someone who encountered this error, and I can't, for the life of me, find it again. I'm receiving this error on a command line scanner:

Create of Target Process Failed:

Insert the diskette for drive %1.

Any clue why this would be?

#17 Galapo

Posted 09 July 2008 - 01:01 AM

> Create of Target Process Failed:
>
> Insert the diskette for drive %1.
>
> Any clue why this would be?


Indicates registry hives are already mounted.

Regards,
Galapo.

#18 JonF

Posted 09 July 2008 - 01:22 AM

> Create of Target Process Failed:
>
> Insert the diskette for drive %1.
>
> Any clue why this would be?

It usually means that the file you asked Runscanner to run (that is, the target process) does not exist in the location specified. You've got the wrong path and/or the wrong executable file name. I don't know why the "Insert the diskette for drive %1" is there, it doesn't add any information and it's just confusing.

#19 paraglider

Posted 09 July 2008 - 03:11 AM

I just look up the error code returned by CreateProcess using the FormatMessage API and that is what it returns - maybe in the next version I will just output the error code, as in most cases the error message does not help. You should fully specify the path of the target executable.

The other option is that the target process is not runnable because of missing dependency DLLs.

#20 paraglider

Posted 09 July 2008 - 03:44 AM

It was actually a bug in my error handling routine - I was not passing the correct error code to FormatMessage.

#21 darren rose

darren rose

    Frequent Member

  • Advanced user
  • 455 posts
  • Location:Norwich, Norfolk
  •  
    United Kingdom

Posted 09 July 2008 - 09:15 AM

As mentioned earlier - regalyzer and runalyzer are great apps to use in VistaPE as they detect all the registries on the local drives etc and allow you to access them, and runalyzer great for showing startup apps etc from all local registries

try these scripts:-

#22 JonF

Posted 22 July 2008 - 12:45 PM

> If your target installation is Vista, then CCleaner doesn't see the target %temp folder, even when redirected by Runscanner. I don't know why.

Aha, so it was the environment! Thanks, Paraglider.

http://www.boot-land...mp;showfile=279

#23 paraglider

Posted 22 July 2008 - 11:48 PM

It's fixed in the current, recently released version of runscanner. The current version, however, does appear to have problems if running from an XP-based PE and being used to clean a Vista installation. It attempts to load shell32 from the target OS, which fails because of missing entry points in msvcrt.dll.

#24 JonF

Posted 22 July 2008 - 11:55 PM

> It's fixed in the current, recently released version of runscanner. The current version, however, does appear to have problems if running from an XP-based PE and being used to clean a Vista installation. It attempts to load shell32 from the target OS, which fails because of missing entry points in msvcrt.dll.

Well, since I have a BartPE disk I should be able to avoid that.

#25 darkman738

Posted 24 July 2008 - 04:50 AM

From paraglider's site:

Runscanner also allows other options to be specified via the BartPE registry. The following registry settings are currently supported:

[Software.AddReg]
0x1,"Paraglider\RunScanner","Software","%s_ON_%c"
0x1,"Paraglider\RunScanner","System","%s_ON_%c"
0x1,"Paraglider\RunScanner","Security","%s_ON_%c"
0x1,"Paraglider\RunScanner","Sam","%s_ON_%c"
0x1,"Paraglider\RunScanner","Default","%s_ON_%c"
0x1,"Paraglider\RunScanner","User0","%s_ON_%c"
0x1,"Paraglider\RunScanner","User1","%s_ON_%c"
0x1,"Paraglider\RunScanner","User2","%s_ON_%c"
0x1,"Paraglider\RunScanner","User3","%s_ON_%c"


I'm a bit confused by this:
1. Does this mean that it will mount the hives on startup?
2. Is "User0" a variable, or is it intended to be the actual user account?
3. If 1 & 2, then could I call an app suppressing the dialog asking which user I would like? (By this I mean, can it scan the user accounts that are already loaded, without asking for their info again?)
4. If so, does anyone have this implemented with VistaPE?

I think I have more, but I'll wait for now.
