
Make change in registry _early_ in installation process / prevent XP h

21 replies to this topic

#1
MerijnB

    Newbie

  • Member
  • 22 posts
  • Joined 01-September 05
Hi all,

I'm looking for a way to keep XP from having easy-to-crack passwords, see: http://www.windowsec...-Passwords.html

To achieve this, I've made an addon which looks like:

[general]
builddate=2010/02/18
description=Prevents Windows from generating easy to crack password hashes
language=English
title=No weak password hashes

[registry_addreg]
HKLM,"SYSTEM\CurrentControlSet\Control\Lsa","lmcompatibilitylevel",0x10001,05
HKLM,"SYSTEM\CurrentControlSet\Control\Lsa","nolmhash",0x10001,01

This works nicely, but there is a problem.
After these registry values are set, the passwords still need to be changed before XP 'forgets' the lm hash of the previous password.
So it seems that during installation first the admin account is created with the password set in nlite, and after that this addon is run which changes the registry entries.

So in short: Is there any way to move the adding of these registry entries forward, so they are done before the admin account as defined with nlite is created?



#2
johnhc

    MSFN Junkie

  • Member
  • 3,362 posts
  • Joined 02-March 08
  • OS:Windows 7 x64
MerijnB, I do not have an answer for you but it is an interesting question and I will think about it. Since the PWs input via nLite appear in plain text in the ISO and CD, my plan is to start with simple PWs, then change them after install. I suspect this would allow your new hash to be used in the new PW and your real PW would never be lying about in plain text. If you are using auto login set up by nLite, this places your PW into the Registry in plain text. Just using auto login will expose your PW to people that know how to use LSA secrets. Here is a link to the auto login threads. Enjoy, John.

#3
MerijnB

    Newbie

  • Member
  • 22 posts
  • Joined 01-September 05
Hi johnhc,

In my own research I'm doing something similar.
I'm trying to write a small app which I will include as an addon:

[general]
builddate=2010/02/18
description=Prevents Windows from generating easy to crack password hashes
language=English
title=No weak password hashes

[EditFile]
SVCPACK.INF,SetupHotfixesToRun,AddProgram

[AddProgram]
weakpass.exe

This app will do a few things:

- Locate the winnt.sif file on the nlite cd and extract the admin password from it (GuiUnattended -> AdminPassword).
- Make the appropriate registry changes.
- Change the admin password to "temp".
- Change the admin password back to what was read from winnt.sif

This has the advantage that it's quite transparent, you can just enter a password you wish to use in nLite.

I'll post here if I get any further with this.

Can you tell me if the admin password is always visible in the winnt.sif file made by nLite, or for example only if autologin is used?

Thanks for lending some brains ;)

Merijn

#4
johnhc

    MSFN Junkie

  • Member
  • 3,362 posts
  • Joined 02-March 08
  • OS:Windows 7 x64
MerijnB, take a look at nLite.inf (will be NLITE.IN_ in your I386 or AMD64 folder). This is where the user account is created and the PW set. There is a call to Net1 command to do this. I do not know about the Administrator account and PW. I use Auto Login and I do see the Admin PW in my Winnt.sif file. I need to do some more looking to learn more. For you, I recommend some testing (hope you are using a virtual system) to see what works and what does not. Have you created a user account and if so, does your hash method deal with its PW OK? If not, perhaps placing your Registry updates into the nLite.inf (above the account creation) file will work. Let us know what you learn and I will also. Enjoy, John.

#5
MerijnB

    Newbie

  • Member
  • 22 posts
  • Joined 01-September 05
John,

The only thing I see in the nlite.in_ file is this:

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","AutoAdminLogon",0x00000000,1
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","DefaultUserName",0x00000000,"Administrator"
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","DefaultPassword",0x00000000,"password"

Is this what you mean? This seems like it has to do with autologin only, and won't be there if you don't have autologin enabled.

#6
johnhc

    MSFN Junkie

  • Member
  • 3,362 posts
  • Joined 02-March 08
  • OS:Windows 7 x64
MerijnB, that is the Auto Login information I told you about in my first reply. The PW is in plain text in the Registry. I have attached a test nLite.inf with the secret data all ???. I define a user account with administrator privileges and auto log it. I also set an Administrator PW (does not show in the .inf). I also attach my Last Session_u.ini with the real stuff obscured. Enjoy, John.

EDIT: I was wondering what your keys did (assumed they implemented the link you provided) and found this.

EDIT: In the Unattended Guide (see below) is this timeline. A single command can be executed at T-39 (long before SVCPACK and cmdlines). This is called DetachedProgram and is described here. This may be too early, but I suggest you give it a test.

Edited by johnhc, 22 February 2010 - 06:53 PM.


#7
MerijnB

    Newbie

  • Member
  • 22 posts
  • Joined 01-September 05
It seems I've cracked it.

Changing the registry before the administrator account as set in nLite is created doesn't seem possible, so I continued with the app which tries to do the trick afterward.
It's not possible to make something which can be used as an addon in nLite, because if you try to change a password (needed for the process) at the moment the addons are run, you get error #1351, which (according to Microsoft) means:

Indicates a domain controller could not be contacted or that objects within the domain are protected and necessary information could not be retrieved.

so that's obviously too early in the installation process.

So this tool should be run using RunOnce in nLite and should do everything automagically. Keep in mind that it only works for the administrator account.
The app can be used freely, I don't think it's worth its own thread, so I attached it to this post. Suggestions and questions are welcome of course!

Thanks for thinking with me.




#8
johnhc

    MSFN Junkie

  • Member
  • 3,362 posts
  • Joined 02-March 08
  • OS:Windows 7 x64
MerijnB, you are welcome. Enjoy, John.

#9
fdv

    MSFN Expert

  • Developer
  • 1,111 posts
  • Joined 16-July 04
  • OS:Windows 7 x64
?? huh??

Open HIVESYS.INF
find HKLM,"SYSTEM\CurrentControlSet\Control\Lsa
Add your lines, save, close
Open LAYOUT.INF
Replace all ,_x, with ,, (comma underscore x comma with comma comma)
Save, close
Done
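
Added example (not part of the thread and not any poster's code): a Python check that reads AddReg-style lines, such as the addon in post #1, the nLite.inf excerpt in post #5, or an edited HIVESYS.INF, and reports whether the two Lsa values are present and whether an autologon password sits in the file in plain text. The sample section name `[AutoLogon]` and the finding labels are assumptions made for the example.

```python
import csv

FLG_ADDREG_TYPE_DWORD = 0x00010001
LSA_KEY = r"system\currentcontrolset\control\lsa"
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
# Baseline = the two values the addon in post #1 sets.
EXPECTED_LSA = {"nolmhash": 1, "lmcompatibilitylevel": 5}

# Constructed samples: the registry lines are copied from posts #1 and #5;
# the [AutoLogon] section name is a placeholder, not taken from nLite.
ADDON_INF = r'''[registry_addreg]
HKLM,"SYSTEM\CurrentControlSet\Control\Lsa","lmcompatibilitylevel",0x10001,05
HKLM,"SYSTEM\CurrentControlSet\Control\Lsa","nolmhash",0x10001,01
'''
NLITE_INF = r'''[AutoLogon]
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","AutoAdminLogon",0x00000000,1
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","DefaultUserName",0x00000000,"Administrator"
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","DefaultPassword",0x00000000,"password"
'''


def parse_addreg(text):
    """Yield (root, subkey, value_name, flags, data) for each AddReg-style line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line.upper().startswith(("HKLM,", "HKCU,", "HKU,", "HKCR,")):
            continue  # section headers, comments, blank lines
        fields = next(csv.reader([line], skipinitialspace=True))
        if len(fields) < 5:
            continue  # key-only or value-less entries are not relevant here
        root, subkey, name, flags = fields[:4]
        yield (root.upper(), subkey.lower(), name.lower(),
               int(flags.strip() or "0", 16), ",".join(fields[4:]))


def _dword(data):
    """Parse DWORD data written as decimal ("05") or hex ("0x5")."""
    data = data.strip()
    try:
        return int(data, 16) if data.lower().startswith("0x") else int(data, 10)
    except ValueError:
        return None


def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    findings, seen = [], {}
    for root, subkey, name, flags, data in parse_addreg(text):
        if root != "HKLM":
            continue
        if subkey == LSA_KEY and name in EXPECTED_LSA:
            is_dword = (flags & FLG_ADDREG_TYPE_DWORD) == FLG_ADDREG_TYPE_DWORD
            seen[name] = _dword(data) if is_dword else None
        elif subkey == WINLOGON_KEY and name == "defaultpassword" and data:
            # Report the exposure without echoing the password itself.
            findings.append("plaintext-autologon-password")
    for name, want in EXPECTED_LSA.items():
        if name not in seen:
            findings.append(f"missing:{name}")
        elif seen[name] != want:
            findings.append(f"weak:{name}={seen[name]}")
    return findings


if __name__ == "__main__":
    for label, text in (("addon", ADDON_INF), ("nlite.inf", NLITE_INF)):
        print(label, audit(text) or "ok")
```

A clean result only covers the install source; as post #1 notes, a password that was set before the values took effect keeps its LM hash until it is changed.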

#10
MerijnB

    Newbie

  • Member
  • 22 posts
  • Joined 01-September 05

?? huh??

Open HIVESYS.INF
find HKLM,"SYSTEM\CurrentControlSet\Control\Lsa
Add your lines, save, close
Open LAYOUT.INF
Replace all ,_x, with ,, (comma underscore x comma with comma comma)
Save, close
Done


I was looking for a way to do this up front at first, but didn't find it, interesting information.
I understand HIVESYS.INF, but can you please explain why the changes in LAYOUT.INF?

Furthermore I'm mostly looking for something which can be done from an nLite setup, without making manual changes in the middle of the process, not sure if this could be automated in.

Thanks for info!

#11
fdv

    MSFN Expert

  • Developer
  • 1,111 posts
  • Joined 16-July 04
  • OS:Windows 7 x64

I understand HIVESYS.INF, but can you please explain why the changes in LAYOUT.INF?


See all of those lines with byte counts in LAYOUT that have an _x on the same line?
That is Windows saying "Hey, install process, if you see a line with an _x in it, check the byte count against the one listed here. If it does not match, abort the installation."

So you merrily change the byte counts for HIVE files to change them... but the LAYOUT line itself has a _x, so to make things easy and totally eliminate all of the self-checking, simply delete every single _x in all of the file lines in the entire file by replacing ,_x, with comma comma.

Nuhi made nLite so that it would delete files in TXTSETUP, presumably for a faster installation. But oddly, nLite never modifies LAYOUT. To make your install go really fast, you can copy the file list from TXTSETUP right into LAYOUT. That way, LAYOUT won't waste a lot of time copying files that TXTSETUP doesn't even use.

The best way to explain this is to download my fileset and compare TXTSETUP and LAYOUT. As long as the _x and byte counts are gone, Windows treats the files the same -- it's just that LAYOUT copies from media to one directory on the HDD, and TXTSETUP copies from this one directory to final destination on the same HDD.

Editing HIVE files is the best way to put tweaks into your base install permanently. For example, why not fix the time zones permanently? They're in HIVESFT. What's the point of leaving all of that incorrect information? (Rhetorical, not asking anyone in particular). Sure, you can slipstream a timezone hotfix, but all you're doing is writing wrong data, then overwriting it with correct data. Same with everything else -- colors, icon spacing, file associations, network settings, service settings (manual, autostart, etc, you can even remove them, like indexing for example), and tons of preferences -- all of that is in the HIVE files. There is a wealth of data in these things that very few people seem interested in (speaking generally, not at you). nLite does edit these files to some degree, but does not scrub them completely. Check out HIVECLS, for example... the amount of junk related to windowscodecs.dll alone will shock you. It's a HUGE chunk of the file. Not an issue if you always use the proprietary Microsoft Photo format or do not care about registry size (and in XP, it's not really an issue like it was in 2000), but something that you could probably do without.

#12
Patosan

    Newbie

  • Member
  • 40 posts
  • Joined 18-February 09
  • OS:XP Home

Editing HIVE files is the best way to put tweaks into your base install permanently.


fdv, is there a reference you can point me to in order to do some changes?

Edited by Patosan, 27 February 2010 - 12:11 PM.


#13
Martin H

    Friend of MSFN

  • Member
  • 802 posts
  • Joined 24-November 06
  • OS:none specified
The hive files are just reg-entries in INF format...

Just check out FDV's WinXP-SP3 fileset as a reference...

http://www.vorck.com...dows/index.html

/* Moved to Linux - Thanks for a nice stay all! */


#14
fdv

    MSFN Expert

  • Developer
  • 1,111 posts
  • Joined 16-July 04
  • OS:Windows 7 x64
Yep. More specifically, since you just want the files and probably don't need all the information: grab here

Buried therein you will find many dozens of settings. Not necessarily commented -- sorry!! But some are. And of course some are easy to spot. Open HIVEDEF for example and search for "ActiveWndTrkTimeout" and you will see a huge block of reg edits. The files are most notable for what they rip out... a lot of obsolete stuff and media crap. See also AXANT5.INF for many tweaks. I am making changes all the time these days. I just added but did not yet upload a tweak to have explorer always in view details mode because I got so sick of changing it. Anyway. 95% of the tweaks are well known, and just slipped into the HIVEs. There are some gems that are not very well known but I usually do try to post my findings in the right threads. The problem is that in my HIVE files I am trying to repair XP by getting it back to how Windows NT is supposed to be, so it has fixes like using CTRL ALT DEL for logon rather than... whatever the heck that other account pictures thing is. So you'd have to find that tweak and comment it out to change it, or run a second tweak later in the install process to undo it. (Which is what nLite's tweaks essentially do -- many of those values you see start out in the HIVE files and the nlite tweak INF simply changes them.)

I suppose you could simply try renaming your HIVE files and trying mine to see how you like the result I guess.

#15
Patosan

    Newbie

  • Member
  • 40 posts
  • Joined 18-February 09
  • OS:XP Home

Yep. More specifically, since you just want the files and probably don't need all the information: grab here
I suppose you could simply try renaming your HIVE files and trying mine to see how you like the result I guess.

I definitely will do that, yet for the exact moment my reason for asking is a relatively simple one, I feel. I want to change the "install language" from 0411 to 0c09 (Japanese to Australian). In the registry it's at:
MACHINE\SYSTEM\ControlSet001\Control\Nls\Language (last key)

In HIVESYS.inf there is:
HKLM,"SYSTEM\CurrentControlSet\Control\Nls\Language","InstallLanguage",0x00000002,"%INSTALL_LANGUAGE%"
But how do I make a change, and is it correct since it has CurrentControlSet NOT ControlSet001?
Also do I just make the one change or must I alter something else too?

#16
fdv

    MSFN Expert

  • Developer
  • 1,111 posts
  • Joined 16-July 04
  • OS:Windows 7 x64
Well, we have taken a left turn and probably we have veered into non-nlite area but I will loop around and address nLite at the end of the post.

That having been said, the whole reg process takes experimentation.

Is your system currently changed how you want it? Then do a search in your current registry and export the keys, then convert the REG files to INF (I have been doing this for over a decade so I am very, very good at it; I do recognize that it takes some fiddling) and then search for the same strings in the HIVE files. If they exist, change them, if they don't, add them. Make sure the HKU, HKLM, HKCU etc match. In other words, HIVEDEF is full of HKCU keys. It populates that whole branch in one big "explosion" and putting a bunch of HKLM or other keys will work, but results in a fragmented registry (which can of course be solved by a Winternals utility).

I have run into this CurrentControlSet versus Set001 several times -- you need to see your current registry to know if it's smart to add it to the HIVEs. (Don't worry too much, adding keys that don't belong rarely causes a problem, it's the deletion that causes problems).

Your absolute best bet of all? Install the OS on a totally clean system like a VM. Then install registry and file snapshot software. Set everything how you want it to be, compare before and after snapshots, and you will know precisely which reg settings need to be added or changed and which files have to go where, which you can adjust in TXTSETUP and LAYOUT. (Note that nLite edits SYSSETUP.DLL so that TXTSETUP and other files can be changed. You DO need to do this, or to take this edited file and put it into your original XP i386 folder so that you have it forever.)

Finally, when removing languages, note that there are something like 3 or 4 lang files that Windows requires to boot (nlite keeps them automatically). The rest can be eliminated. nLite actually leaves a few Japanese and Hangul language files, as well as Croatian (for Nuhi himself of course) even if you select all languages for removal, so to really take everything out, you sometimes have to make changes manually....

Yes, there really are things that nLite leaves that it doesn't have to! Open up SYSSETUP.INF for example and you'll see the files that go into SYSTEM (not32, just system). You can delete them all and leave that directory empty. And if you set permissions on it by manually editing DEFLTWK.INF and denying system, you could conceivably delete SYSTEM. (This DEFLTWK file can also be used to prevent the prefetcher from even being created by denying system permissions on that directory.) Like so:
"%SystemRoot%\Prefetch",2,"D:PAR(D;;FAGAGRGWGXWD;;;SY)" ; DENY system
Any hard-to-delete directory can work the same way, for example:
"%SystemDirectory%\1025",2,"D:P(A;CIOI;GA;;;WD)(A;CI;GA;;;WD)" ; allow world so it can be deleted without deny access

I'll stop before this post becomes "Fred's one million undocumented windows tricks that he's kind of pi??sed he's never seen anywhere else because not enough people read MSFN"

About that last point: it seriously puzzles me why 'competitor' sites even bother carrying on considering by comparison they are literally in the dark ages, with users scared to death of editing system files, which the MSFN crowd got over years and years ago...

Edited by fdv, 28 February 2010 - 01:27 PM.
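
Added example (not from the thread): a Python reader for the two DEFLTWK.INF-style lines quoted in post #16, which splits the SDDL string into its ACEs and notes deny entries and full-control grants so such edits can be reviewed. The function names and the note wording are assumptions; only the SID aliases that appear on this page are named.

```python
import re

ACE_TYPES = {"A": "ALLOW", "D": "DENY"}
# SID aliases used on this page. "WD" means Everyone in the SID field
# but WRITE_DAC when it appears in the rights field.
SIDS = {"SY": "Local System", "WD": "Everyone"}
FULL_CONTROL = {"GA", "FA"}  # GENERIC_ALL, FILE_ALL_ACCESS

# "path",mode,"sddl" with an optional trailing ; comment
LINE_RE = re.compile(r'^\s*"([^"]+)"\s*,\s*(\d+)\s*,\s*"([^"]+)"')
# DACL-only SDDL: D:<flags>(ace)(ace)...
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))+)")

# Lines quoted from post #16.
SAMPLE_LINES = [
    r'"%SystemRoot%\Prefetch",2,"D:PAR(D;;FAGAGRGWGXWD;;;SY)" ; DENY system',
    r'"%SystemDirectory%\1025",2,"D:P(A;CIOI;GA;;;WD)(A;CI;GA;;;WD)"',
]


def _pairs(s):
    """Split a run of two-letter SDDL tokens ("CIOI" -> ["CI", "OI"])."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_dacl(sddl):
    """Return (dacl_flags, aces) for a DACL-only SDDL string."""
    m = DACL_RE.fullmatch(sddl)
    if not m:
        raise ValueError(f"not a DACL-only SDDL string: {sddl!r}")
    dacl_flags = re.findall(r"AR|AI|P", m.group(1))
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE needs 6 fields: {body!r}")
        ace_type, ace_flags, rights, _obj, _inherit_obj, sid = fields
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": _pairs(ace_flags),
            "rights": _pairs(rights),
            "sid": sid,
        })
    return dacl_flags, aces


def review_line(line):
    """Return (path, notes) for one "path",mode,"sddl" line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    path, _mode, sddl = m.groups()
    _flags, aces = parse_dacl(sddl)
    notes = []
    for ace in aces:
        who = SIDS.get(ace["sid"], ace["sid"])
        if ace["type"] == "DENY":
            note = f"denies {who}"
        elif FULL_CONTROL & set(ace["rights"]):
            note = f"full control for {who}"
        else:
            continue
        if note not in notes:
            notes.append(note)
    return path, notes


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(review_line(sample))
```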


#17
5eraph

    Update Packrat

  • MSFN Sponsor
  • 1,159 posts
  • Joined 04-July 05
  • OS:XP Pro x64

Donator

it seriously puzzles me why 'competitor' sites even bother carrying on considering by comparison they are literally in the dark ages, with users scared to death of editing system files, which the MSFN crowd got over years and years ago...

You seem to be making comparisons and assumptions that may not be justifiable. I won't call you out on them specifically, but elitist attitudes rarely convey maturity and wisdom. Take what knowledge you can from where you can find it. There is much to be learned here on MSFN and elsewhere. Many of the "competitor" sites you mention were started by MSFN members.

#18
fdv

    MSFN Expert

  • Developer
  • 1,111 posts
  • Joined 16-July 04
  • OS:Windows 7 x64

elitist attitudes rarely convey maturity and wisdom.


I'm actually comfortable with that: my celebrating MSFN isn't meant to convey either one. I don't really think other sites should shut down and turn out the 'closed for business' sign. I do, however, believe that MSFN is the cream at the top.

You seem to be making comparisons and assumptions that may not be justifiable. I won't call you out on them specifically


You don't need to call me out; I'll specify for you. Go ahead and list for me those other sites that have Windows component removal projects, hotfix slipstream projects, post installation projects, making changes to windows prior to installation by editing setup and HIVE files, etc, all in one site. Then I'll agree my comparison is not justifiable. Caveat: singularly focused sites like bootland would obviously not apply.

Many of the "competitor" sites you mention were started by MSFN members.


I didn't mention any, actually. But I won't call you out on them specifically, I'll just figure that when I go to techsupportforum, pchelpforum, computerhelpforum, techguy, geekstogo, tek-tips, etc. that any such site could have been set up by someone from here. I don't doubt it at all, but I still don't see others covering the breadth of ground that MSFN does.

We've got a nice place here, and that's nearly the whole of what was meant. Don't deep six an entire novel-length post for a sardonic, throwaway remark at the end that's 2 lines long.

Edited by fdv, 28 February 2010 - 11:27 PM.


#19
5eraph

    Update Packrat

  • MSFN Sponsor
  • 1,159 posts
  • Joined 04-July 05
  • OS:XP Pro x64

Donator

No offense intended. I was just attempting to offer a solution to your puzzlement. ;)

Edited by 5eraph, 01 March 2010 - 06:08 AM.


#20
jaclaz

    The Finder

  • Developer
  • 14,593 posts
  • Joined 23-July 04
  • OS:none specified

Caveat: singularly focused sites like bootland would obviously not apply.


Is boot-land "singularly focused"? :unsure:

Being it the Official support Forum for:
  • Winbuilder (and all projects based on this engine) <- PE builds of any kind based on XP/2003/Vista/2008/Windows 7
  • grub4dos <- universal boot-manager
  • IMDISK <- ramdisk and filedisk driver
  • RMPREPUSB <- USB partitioning/formatting utility
  • Sardu <- multiboot CD build with Linux
  • TFTP32 <- TFTP Server
  • Winimize <- reduce Windows 98 size and boot it from almost anything
  • bearwindows <- universal video driver for 9x and NT based systems
  • Unetbootin <- advanced install from USB app
  • Firadisk <- new ramdisk driver with advanced capabilities

And the UNofficial one for:
  • fbinst <- USB partitioning, formatting and more
  • Syslinux/isolinux/memdisk <- you know what this is ;)
  • LODR packs <- a new approach to portable apps
  • Aerostudio <- graphical bootmanager for CD/DVD's and more

Besides being "another" home for these:
http://www.msfn.org/...ooting-with-pe/
http://www.msfn.org/...ll-xp-from-usb/

Maybe it is not as "singularly focused" as some other boards :whistle: , but who cares?

I mean, the important thing is to share and exchange experiences, ideas and knowledge and help each other, it doesn't matter on which board/place on the net. :)

And, BTW, this is cheating :ph34r: :

Well, we have taken a left turn and probably we have veered into non-nlite area but I will loop around and address nLite at the end of the post.


:P

:hello:

jaclaz

Edited by jaclaz, 01 March 2010 - 07:34 AM.


#21
fdv

    MSFN Expert

  • Developer
  • 1,111 posts
  • Joined 16-July 04
  • OS:Windows 7 x64
Jaclaz, your first list is all boot-stuff. But your second one is new to me, so I stand corrected that bootland is singularly focused. I've only ever used it for PE stuff which is my limitation not theirs.
5eraph, no offense taken. There's only been one individual in my history of using this site that I didn't get along with (actually he had a problem with several of us here) and he's pretty much never around.

I hereby purchase a virtual beer for you both :D

#22
jaclaz

    The Finder

  • Developer
  • 14,593 posts
  • Joined 23-July 04
  • OS:none specified

I hereby purchase a virtual beer for you both :D


Hah, you should make it a LARGE one and also (virtually) deliver it. ;)


For the record, among others, bearwindows, and IMDISK and FIRADISK (and WinVBlock which I forgot to mention :blushing: ):
http://www.boot-land...?showtopic=8168
are not necessarily "boot-related", whilst this one:
Universal HDD Image files for XP and Windows 7
http://www.boot-land...?showtopic=9830
(which also I forgot to mention :blushing: )
though "boot-related" is more the kind of topic you would like to find on MSFN, as well as Clonedisk:
http://www.boot-land...?showtopic=8480

and the new "replacements" for NT setup (these should actually be of your interest ;)):
http://www.boot-land...?showtopic=7721
http://www.boot-land...showtopic=10126

and even this small thingy to which I contributed a little may be of use in your future:
http://www.boot-land...?showtopic=9765

:hello:

jaclaz



