Finnish_Fellow

Member
Posts: 5
Country: Finland
  1. @Yzöwl [Detailed Information]==[Appropriate Assistance]: I think I did this at first post by providing the format to parse and even the command to get a key large enough to test and replicate the issue; as said, I found this issue quite hard to explain. Offtopic: My previous project, search and replace at Windows Enterprise N (x86 edition), is 5084 entries, roughly 8000-9000 entries at the x64 architecture side, as I was moving the entire \Windows root (which is, btw, currently a successful project working from almost any existing writable media) beside a few thousand other modifications like programdata, users, program files x86/x64. Currently running any NT6.xx OS from any folder name. Which also considers Program Files, Users and other folders truly movable by reboot. Currently, I am working using the registry near database-like and we are talking about corporate data, so, revealing the data itself from custom made keys is exactly the same as me giving 'generic data' as example. So, I provided an example from Microsoft Windows' own key as everyone has that key at any Windows NT6 system and it was way easier to use and dump as an example than me sending files to the forum, and as above we did see the solution was found in a whole other style from what I was using, so, this example gave way more ways to think about the matter to come up with a solution. :Offtopic So, you can believe me or not, that still is the honest truth that we are talking about several thousand keys, not just a single entry processed through a single batch.
I do appreciate that you're willing to help, especially with the powershell side which is, well, quite a bit trickier, but also extremely useful, and I believe most, if not all, could have been processed with a powershell script (even better idea to search, save, modify and directly modify back to the registry through powershell, which is what I was thinking originally, if I would have understood how to redirect found data as a variable through powershell get-content or such, which I was trying to explain a few posts back).
  2. I am sorry, if my examples were not good enough. I found it extremely hard to explain my intentions as there were a few ways to approach the matter (cmd, powershell, vb + 3rd party) and a handful of tools (3rd party) that could have been used with a few different formats to process, not to mention I am actually processing over 5000 registry keys even while only a handful are actually binary and having this issue, which I can isolate and process separately, but I believe a generic example was also needed, so it's not restricted to a singular case. @jaclaz That is pretty amazing. sfk, I did try sfk earlier; I think I ended up not getting the wanted result at hexdump. It's pretty amazing too, just a pain to understand correctly as it's indeed a "do it all, no matter what". gsar, if I understand correctly you replaced end spaces, \, line split with gsar at "regtoraw.cmd"; this is kinda a function I didn't have anywhere. Still need to understand all you wrote there, even those 'regtoraw.cmd' if statements are something I've never used before, heh, but it's pretty easy to read, thanks for that. Going to try it as Christmas ends and because that works the way it works I got a few ideas now in my head how to lose a few steps there.
  3. "You are not exporting a key, you are redirecting the output of REG.EXE to a file, and then you want to edit this output "raw"?" Correct, answer follows. "Why not export using a .reg file and then re-import/merge the .reg file?" Because of the format of the data; the .reg data format is as follows:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE]
    key=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00\

Now consider you have 80K bytes and the line split happens at \; what you would have to process is a for loop to join all 80K bytes into a single line to be sure the replacement entry is not at the split, then resplit the data and reconstruct the entire 25xbyte format to import it back to the registry. So, you now probably understand that I did consider this method, but it will fail at a regular cmd for loop because of the size of the data being expanded even further by the ',' separator, and it's even harder to re-split the data. It would even be easier to replace at the raw data and then reconstruct the line with the ',' separator. Kinda need a xmas miracle powershell script here, heh. BTW, Merry Christmas to everyone, if convenient.
  4. "the "nature" of the data 80Kb seems like a lot to be needed parsing/changing nor in what consists the actual find/replace." = Find and replace itself is not an issue, I can deal with that by multiple tools (example fart.exe) or even by looping it. Writing a new command from such long binary data however is a really big issue as it won't go through any cmd pipeline. Example find/replace itself is as simple as replacing "000011111111111000" with "000022222222121000" and can be done by setting a variable from binary values from a-z,A-Z,0-9 and then combining the new binary from the user given entry. This can be done from powershell also of course:

    get-content somefile.dat | %{$_ -replace '000011111111111000','000022222222121000'} | out-file -filepath somefile2.dat

So, data size at this point is not an issue; the issue comes when trying to inject it back to the registry. From the above example REG QUERY dump you have to construct a new REG ADD command or use powershell Set-Content, but I still face the same issue with selecting the Keyname for the value, type, data below it. Issue there:
    • I simply cannot build a for loop at powershell which would Select-String/-match "HKEY_LOCAL_MACHINE" -> add this to $keyname -> while getting value,type,data -> build a command against this info, including the idea that the $keyname variable would have to stay set until the next is found.
"Can you post an actual example (using "dummy" data if needed)?" Yes, I can, all I have to do is press 00, 80000 times into the above example. I can of course do a quick search and dump some reg_binary with REG.EXE; for example some of microsoft's own keys use the same size data as binary.
--edit/ TEST FILE from your own system-- In fact, now that I did a fast search on this regular Windows 8.1, you can get a test file with the command:

    REG QUERY "HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache" /f AppCompatCache /v /d /t REG_BINARY>mytestfile.dat

and try replacing for example \Program Files\ with something else (inside the file this would be "5C00500072006F006700720061006D002000460069006C00650073005C"). Now you see with this key the replacement of data is nothing compared to writing the command to get it back into the registry. "A tool often used by me is gsar" - not looking for a replacement tool, as explained above I can do the replacement from powershell or 3rd party tools like fart. Not saying it wouldn't be a good tool. OS: I am looking to get this working with any NT6.x OS. So, we're talking Windows Vista->10 and server variants. What I need: an IF/FOREACH/WHILE/whatever-gets-the-job-done loop from powershell like:

    get-content regquerydump.dat | select-string '(HKEY_LOCAL_MACHINE)|(REG_BINARY)' |
    IF($_ -match "HKEY_LOCAL_MACHINE") { set-variable -name key - Value $_ } |
    IF($_ -match "REG_BINARY") { %{$_ -replace ' REG_BINARY ','/t REG_BINARY /d '} | %{$_ -replace ' ',' /v '} } |
    write-host "REG ADD ";$key;$_ | out-file -filepath backtoregistry.ps1
  5. Hello, I've currently hit a stop on my project and was wondering if someone here could help me. -Going to quote out my previous message since it seems extremely long to read/understand even to me- ---Edit--- File to parse (value is fictional and note that data is 81800 characters long so it will not go through cmd echo or findstr):

    HKEY_LOCAL_MACHINE\SOFTWARE\Mykey
        datavalue1    REG_BINARY    000000000000000000000000900000000000000000000000000000000000000
    end of entries
    HKEY_LOCAL_MACHINE\SOFTWARE\Mykey997012379
        datavalue2    REG_BINARY    000000000000111111111111000000000000000111111111110000000000000
    end of entries

I need to form lines in cmd/ps1:

    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Mykey" /v datavalue1 /t REG_BINARY /d 000000000000000000000000900000000000000000000000000000000000000 /f
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Mykey997012379" /v datavalue2 /t REG_BINARY /d 000000000000111111111111000000000000000111111111110000000000000 /f

with cmd or powershell, any help is welcome.
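One way to do the key/value/data pairing asked for in the posts above, written here as an added example and not code from the thread or from any tool it mentions. It assumes the dump has REG QUERY's layout (key on its own line, then indented name/type/data lines separated by runs of spaces); the sample dump and the hex strings being searched for are constructed.

```powershell
# Added example, not code from the thread: turn a REG QUERY dump into REG ADD lines.
# The dump below is constructed; real output puts the value name, type and data on
# one line separated by runs of spaces, under the key line they belong to.
$dump = @'
HKEY_LOCAL_MACHINE\SOFTWARE\Mykey
    datavalue1    REG_BINARY    0000000000000000000000009000000000000000
HKEY_LOCAL_MACHINE\SOFTWARE\Mykey997012379
    datavalue2    REG_BINARY    0000000000001111111111110000000000000001

End of search: 2 match(es) found.
'@ -split "`r?`n"

function ConvertTo-RegAdd {
    param(
        [string[]]$Lines,
        [string]$Find = '',      # hex substring to rewrite before emitting (optional)
        [string]$Replace = ''
    )
    $key = $null
    foreach ($line in $Lines) {
        if ($line -match '^(HKEY_[A-Z_]+(\\.*)?)$') {
            $key = $Matches[1]          # stays set until the next key line appears
            continue
        }
        # value line: "<spaces>name<spaces>REG_BINARY<spaces>hex"
        if ($key -and $line -match '^\s+(.+?)\s{2,}(REG_BINARY)\s+([0-9A-Fa-f]*)\s*$') {
            $name, $type, $data = $Matches[1], $Matches[2], $Matches[3]
            if ($Find) { $data = $data.Replace($Find, $Replace) }   # literal match, case-sensitive
            "REG ADD `"$key`" /v `"$name`" /t $type /d $data /f"
        }
        # anything else (blank lines, "End of search: ...") is ignored
    }
}

# Write hex data straight back through the registry provider instead of REG ADD:
# cmd.exe rejects command lines over 8191 characters, so an 80 KB /d argument cannot work.
function Set-RegBinaryValue {
    param([string]$Key, [string]$Name, [string]$Hex)
    $bytes = New-Object byte[] ([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    Set-ItemProperty -Path "Registry::$Key" -Name $Name -Value $bytes -Type Binary
}

# Rewrite a hex run in the constructed sample, then emit the REG ADD commands to a .cmd file
ConvertTo-RegAdd -Lines $dump -Find '900000' -Replace '920000' | Set-Content backtoregistry.cmd
```

For values the size the thread describes (tens of kilobytes), call Set-RegBinaryValue with the edited hex instead of running the generated REG ADD lines, since those will exceed cmd's command-line limit.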