[TheWalrus]

Is there a way to change stuff in the registry of mounted image? Obviously I can't use the reg command, because that would access the running system.

[jaclaz]

TheWalrus, on 01 August 2011 - 07:40 AM, said:

Is there a way to change stuff in the registry of mounted image? Obviously I can't use the reg command, because that would access the running system.

Hmm, obviously you can use the REG command, if you LOAD the corresponding hives.

However :
http://reboot.pro/11212/
http://reboot.pro/11312/

there is a library to do that and erwan.l wrote a small app to make use of it.

jaclaz

[TheWalrus]

Aha. Can you tell me more about the first method? I tried to google around, but most articles are about XP only (guess it's the same, but who knows), and are a bit messy.

I assume the logic is pretty much the same as with images - load, change, save, unload, etc.

Can you give me very brief rundown through the commands I need?

[jaclaz]

TheWalrus, on 01 August 2011 - 09:16 AM, said:

Aha. Can you tell me more about the first method? I tried to google around, but most articles are about XP only (guess it's the same, but who knows), and are a bit messy.

I assume the logic is pretty much the same as with images - load, change, save, unload, etc.

Can you give me very brief rundown through the commands I need?

Are you serious?
Until the mentioned library came out it was the ONLY available method to change contents of an offline Registry.
And yes, nothing has changed from XP.
You load the Registry file hive (usually to HKLM) giving a name to it.
Then you do the whatever you want to do to it (of course all the REG commands need to be targeted to the loaded hive).
Then you unload the hive.
http://technet.micro...643(WS.10).aspx

You can get *any* tutorial that uses regedit, the procedure is exactly the same, only reg.exe is command line, regedit is GUI (2K - see below - used REGEDT32)., example:
http://smallvoid.com...istry-edit.html
http://technet.micro...303(WS.10).aspx

The advantage of using the Offline Registry library seems to me evident, as you don't need to re-target the REG editing commands to the mounted hive.

jaclaz

[TheWalrus]

Yes I was serious, ever heard of people who asked about something they only just started to learn?...


Thanks for the links, but considering I have all of the tweaks I gathered in the command line form, I think I will pass, because comletely rewriting tens of lines of text into different format is too much. Bleh.



I really don't understand the .reg files syntax. And Google failed me again. I can't seem to find any good examples or lists of commands I can use there.

This post has been edited by TheWalrus: 01 August 2011 - 11:46 AM

[myselfidem]

You can also read an example here:

http://www.msfn.org/...post__p__952850

[TheWalrus]

Good one.

I am puzzled about the value types. What's .reg file equivalent of REG_EXPAND_SZ for example?

I tried the most simply thing, changing temp variable, and it doesn't work

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"TMP"="%SystemDrive%\TEMP"





Nothing gets added.

And the syntax is probably a bit more complicated than I guessed, because trying to go with the "Value Name"=<Value type>:<Value data> didn't do jack either.

[myselfidem]

It's needed to change the reg files to set inside the correct registry hive.

Example: Values

HKEY_LOCAL_MACHINE\WIM_Default = HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE\WIM_Software = HKEY_LOCAL_MACHINE\SOFTWARE

HKEY_LOCAL_MACHINE\WIM_Software\Classes = HKEY_CLASSES_ROOT

HKEY_LOCAL_MACHINE\WIM_System = HKEY_LOCAL_MACHINE\SYSTEM


Your example:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\WIM_System\ControlSet001\Control\Session Manager\Environment]
"TMP"="%SystemDrive%\\TEMP"

When the image is mounted, you can also change the reg files manually and check if you need permissions with some keys!

This post has been edited by myselfidem: 02 August 2011 - 08:33 AM

[TheWalrus]

Eh, you are not making this any easier, lol.

I only tried the temp variable on my running system so far, and it just doesn't work. I don't understand why. When I do it through command line, the key gets added/changed right away.
edit: ok I found out I can only add pure strings, no backslashes no special chars. How in the hell am I supposed to set a path then?



Also, why the controlset001 when they key is currentcontrolset?

This post has been edited by TheWalrus: 01 August 2011 - 12:48 PM

[myselfidem]

Try to use on your computer:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment]
"TMP"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,00,76,00,\
65,00,25,00,5c,00,54,00,45,00,4d,00,50,00,00,00

And restart the computer!

This post has been edited by myselfidem: 01 August 2011 - 12:52 PM

[TheWalrus]

Ew, please no, please don't tell me I have to use hex values!! That would be a real nightmare But it seems to be THE only format regedit is willing to export to, unfortunately




What about my second question regarding the different key?

+

Is there any system in what shall I add to the registry path when I am working with an image?

[myselfidem]

TheWalrus, on 01 August 2011 - 12:42 PM, said:

Also, why the controlset001 when they key is currentcontrolset?

As you've experienced it works well like this with reg files on an mounted image!

Other example with keys needing permissions:

http://www.msfn.org/...post__p__971385

You can use some tools to have permissions on keys:
http://sourceforge.n...s/setacl/files/

http://www.msfn.org/...registry-tweak/

This post has been edited by myselfidem: 02 August 2011 - 01:39 AM

[TheWalrus]

Sorry I do not understand at all.

I asked why you told me to change completely different key than the one the stuff I want to change is located in.

I didn't experience anything so far, I am still drowning in it (did make SOME progress though)




Also which keys exactly need special permissions? So far I didn't run any problems except for things around HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\Windows.delete, which says read only. Do you have any list maybe?

[myselfidem]

TheWalrus, on 01 August 2011 - 07:40 AM, said:

Is there a way to change stuff in the registry of mounted image? Obviously I can't use the reg command, because that would access the running system.

Your question was change keys inside an "mounted" image !

[jaclaz]

TheWalrus, on 01 August 2011 - 11:27 AM, said:

Thanks for the links, but considering I have all of the tweaks I gathered in the command line form, I think I will pass, because comletely rewriting tens of lines of text into different format is too much. Bleh.

Post a couple examples of tweaks that you have in "command line form". (and I presumme are targeted to "online" system).

jaclaz

[TheWalrus]

I think I have it sorted now. It's a bit messy though.

Using variables and paths in standard REG_SZ types is tricky and sometimes doesn't work, but paths have to be written with duoble backslashes else the key doesn't get added at all. And even then it doesn't work sometimes.

;Add Services
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Services]
"Icon"="%SystemRoot%\\System32\\imageres.dll,-67"
"Position"="Top"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Services\command]
@="mmc.exe services.msc"

The icon part works, but if I write the command part in the same way, it doesn't. Fortunately we have system paths variables set by default.




myselfidem, you told me to change stuff in controlset001 key instead of currentcontrolset, which confused me. Google says something about these keys being more or less copies of one another, so it will probably work either way.

[jaclaz]

TheWalrus, on 02 August 2011 - 04:42 AM, said:

Google says something about these keys being more or less copies of one another, so it will probably work either way.

Heck, NO!

CurrentControlSet DOES NOT EXIST at an OFFLINE Registry!

When a NT system boots it checks the Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\Select
and based on it's contents it creates a LINK named CurrentControSet that actually redirects to ControlSetxyz (normally it is ControlSet001 and normally there are only two ControSet's, ControSet001 and ControlSet002)

jaclaz

[TheWalrus]

Aaaah! I see! It's clear now.

Btw the whole registry to load are these three files, right?

reg.exe load HKLM\WIM_Default "d:\mount\Users\Administrator\NTUSER.DAT"
reg.exe load HKLM\WIM_Software "d:\mount\Windows\System32\config\SOFTWARE"
reg.exe load HKLM\WIM_System "d:\mount\Windows\System32\config\SYSTEM"

[jaclaz]

TheWalrus, on 02 August 2011 - 06:35 AM, said:

Btw the whole registry to load are these three files, right?

reg.exe load HKLM\WIM_Default "d:\mount\Users\Administrator\NTUSER.DAT"
reg.exe load HKLM\WIM_Software "d:\mount\Windows\System32\config\SOFTWARE"
reg.exe load HKLM\WIM_System "d:\mount\Windows\System32\config\SYSTEM"

Yes/No.
There are more files, though it is unlikely you will need to mount/modify them. (SECURITY and SAM), while it is possible that you will want to edit DEFAULT.
http://msdn.microsof...7(v=vs.85).aspx
Be aware (if needed) about HKEY_CLASSES_ROOT (that in ONline registry is actually a LINK to HKEY_LOCAL_MACHINE\SOFTWARE\Classes and does not exist OFFline)

jaclaz

[myselfidem]

TheWalrus, on 02 August 2011 - 04:42 AM, said:

;Add Services
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Services]
"Icon"="%SystemRoot%\\System32\\imageres.dll,-67"
"Position"="Top"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Services\command]
@="mmc.exe services.msc"

The icon part works, but if I write the command part in the same way, it doesn't. Fortunately we have system paths variables set by default.

Missing the switch /s (Example with another icon):

Windows Registry Editor Version 5.00
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Services]
@="Services"
 "Icon"="filemgmt.dll"
 "Position"="Top"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Services\command]
 @="mmc.exe /s services.msc"

Some registry keys:
http://www.msfn.org/...post__p__966749

This post has been edited by myselfidem: 02 August 2011 - 08:40 AM