 Running reg.exe or WB under Vista to load hives, How to?
post Mar 7 2007, 12:09 PM
Post #1
Nuno Brito
Platinum Member   ******
Group: .script developer

  Joined: 13-July 06 From: Pittsburgh

Posts: 7,846
Thank(s): 341


Portugal


Vista seems to be more restrictive in detecting what an application can or cannot do within a system and will only allow certain operations after prompting the user for authorization.

This was the case when running a project under Vista and noticing that the load hive command is no longer accepted because it requires administrative permission (even though I was logged on with an account which belongs to the administrators group) - end result: the project fails because the hive isn't created as needed.

Tried to accomplish the same effect manually using reg.exe to load the hive, but it also refused.

These sorts of API calls just get refused without notice - like reg.exe, which no longer seems to be able to load a hive into the local system registry.


How can I load an external hive now?

Does anyone know a good workaround, or is there something that needs to be done prior to this?

RunAs also seems a valid way to get reg.exe going - but I didn't try it since I'm looking for an unattended method for loading the hive without requiring the user to enter username details. (unless there is a way to do this with runas and someone shares how..)

Here is a blog entry with some details and feedback from other users who also have some similar issues:
http://blogs.msdn.com/junfeng/archive/2006...dows-vista.aspx


The author specifically mentions that *only* under some conditions will the application be executed with full administrative rights:
QUOTE
1. If the application has a manifest that explicitly asks for administrator privilege.
2. The application is one of the well known setup installers.
3. Application Compatibility testing reveals that the application requires admin privilege.
4. A certain heuristics to determine if the application is an installer. For example, if the application name contains "setup" or "installer", it is a good indication that the application is an installer, thus requires administrator privilege.


So the third option seems reasonable to achieve - but I'm still wondering - how do we use Application Compatibility to allow loading hives once again in wb?


Anyone?


Thanks!

Forgot to mention that one other option would be editing the hives without loading them into the local registry - but this would certainly require very detailed knowledge of how they work to code a stable tool and avoid messing up the reg data..


post Mar 7 2007, 10:39 PM
Post #2
MedEvil
Platinum Member   ******
Group: .script developer

  Joined: 29-December 06
Posts: 4,490
Thank(s): 113


Well, the point that I've never got is: why is everyone loading the hives into the local registry to patch them!
I know, that's the way regedit works and it's easier to use what is already there.

But the hives are not encrypted. They are just binary files.
It should not be too hard to edit and patch them on their own.

So why has nobody ever written a program like this, when there are millions of registry editors available?


--------------------
NaughtyPE - The Multimedia PE!
Requirements: WB072 or 077RC2, XPSP2/W2k3SP1 source, Pentium CPU, 128MB RAM (256MB to use video players)
post Mar 8 2007, 09:44 AM
Post #3
Nuno Brito


There is already a registry hive reader (written in Pascal..) but even the author had some issues editing/adding new data to them..


post Mar 8 2007, 04:00 PM
Post #4
was_jaclaz
Finder   ******
Group: Advanced user

  Joined: 14-July 06 From: Gone in the mist

Posts: 7,224
Thank(s): 547


Italy


QUOTE (Medevil)
So why has nobody ever written a program like this, when there are millions of registry editors available?


Just for the record, there is a FREEWARE app (the one which Nuno was referring to):
http://paullee.ru/regstry

a few commercial ones; here are two of them, but I guess there are more:
http://www.resplendence.com/registrar_features_fileedit
http://www.registrytool.com/

and an alpha-stage GNU project:
http://lilith.tec-man.com/hivetools/

Besides, of course, RegeditPE:
http://sourceforge.net/projects/regeditpe/


It seems like the Registry is organized more like a filesystem rather than a file, and there are utilities that can (not offline) also read the dates on which the hives were created, just like in an ordinary filesystem, and this is also coherent with access permissions, etc.:
http://www.torchsoft.com/en/rw_information.html

There is this (old) tool for Linux:
http://www.bindview.com/Services/RAZOR/Uti...treg_readme.cfm
based on the NTFS driver, that confirms this "filesystem-likeness" of the Registry files.

So the "right" way is probably to write/adapt a filesystem driver rather than an editor; possibly ReactOS has/will have something appropriate.

Here is another interesting set of tools (for 9x only):
http://www.cs.mun.ca/~michael/regutils/

jaclaz


post Mar 8 2007, 04:32 PM
Post #5
Nuno Brito


Hi Jaclaz, thank you for the helpful references - will take a closer look at them in case this matter means an offline registry edit approach.

The hive system from ReactOS is different from MS's, and when applications are running under ROS they can still write the registry keys using a custom MS-like API - but the written data hive itself is not compatible with Windows.

Reading through your post it would be logical that the registry uses a treeview type of organization in which the tree nodes would hold the needed data in an abstract fashion. Delphi on this matter is very similar, and I also use this method to find files and add the respective data on each node.

Although they are simple binary files, how would one replicate the same methods used by the Windows API?

--------------------------------------------------------

Regarding Vista user limitations, I also found that it is possible to disable UAC (User Account Control) in several ways:
http://www.petri.co.il/disable_uac_in_windows_vista.htm

In all proposed methods, it still requires the user to reboot the machine for UAC to be effectively disabled.

Even without UAC I still seem unable to load the hive using reg.exe, but using WinBuilder, the nativeEX project seems to work - only showing an error "Error unloading Hive"..

Here is another interesting method:
http://blogs.msdn.com/tims/archive/2006/09...abling-uac.aspx


But then I would think - UAC was added as a safety lock to avoid malware-like drivers and programs being installed, but still - it's a pretty limiting situation since there isn't even room in the local registry that we can use as a sandbox?

No need to run (all) applications with full administrative rights since that wouldn't be safe either, but it would really be good to have a small location in the registry where applications could work with the registry in a safe fashion and also load hives..


post Mar 8 2007, 07:59 PM
Post #6
MedEvil


Maybe we're looking at it wrong. We don't need to write our own program that handles everything on its own.
We just need one that uses its own separate Registry to load other hives into.
The question is how much of the paths are hardcoded into the API?
Could 'our' program use the Windows API for manipulating its separate 'Registry', or would all the functions automatically try to work on the 'real' registry?


post Mar 8 2007, 08:06 PM
Post #7
MedEvil


QUOTE (jaclaz @ Mar 8 2007, 05:00 PM)
Besides, of course, RegeditPE:
http://sourceforge.net/projects/regeditpe/

RegeditPE is the only program I know from your list.
I've tried it once; it's also loading the hive into the local registry.

PS: Who stole my smiley panel?


post Mar 8 2007, 10:15 PM
Post #8
Nuno Brito


Hi MedEvil,

JacLaz has presented some links to software that I didn't know; RegEditPE will use the local registry to load hives from a "dead/offline" Windows dir on disk.

The idea of a registry file system is appealing, but how much time would it take to accomplish? It seems a lot of work is needed for a "simple" task like loading a hive.

However it would be an open door to successfully create MS boot disks on other platforms like Mac, Linux or even plain DOS, since all the other disk operations in wb can also be replicated to some extent - the API does provide the registry handling.

Here's a talk on Wine development regarding compatibility:
http://wiki.jswindle.com/index.php/Wine_Re...Registry_format

Where I've found this quote:
QUOTE
Wine had support for reading win2000 registry files once. It was dropped some time ago. I had implemented it around 1999/2000


Wine developers had a somewhat lengthy discussion about supporting or not the binary NT format, and came to the conclusion that ReactOS would be an example in this area (although it is not truly compatible with NT):
http://www.winehq.org/?issue=280#Binary%20Registry%20Ideas

btw: Here's an interesting link showing how to add shell folders:
http://www.virtualplastic.net/html/ui_shell.html

So far I'm only motivated on trying to expand the code provided by the freeware registry viewer:
http://paullee.ru/regstry


But this seems the best option to use since it seems much more developed:
http://lilith.tec-man.com/hivetools/

Tough question indeed..


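Added worked example, not code from this thread, from WinBuilder, or from any of the tools linked above: the point made in posts #2, #4 and #8 (hives are plain binary files, organized like a small filesystem) is exactly what an offline regf reader relies on. The 4096-byte base block carries two sequence numbers and an XOR checksum; the hive bins that follow are blocks of size-prefixed cells; nk cells are keys, vk cells are values, and lf/lh/li/ri cells are the subkey indexes. Reading a hive this way needs no RegLoadKey, so no privilege, no elevation and no UAC prompt. The sample hive is constructed inside build_sample_hive() and is not a real Windows hive. Writing is the part the posters found hard: a dirty hive (mismatched sequence numbers) has pending changes in its .LOG, and every edit must keep cell sizes, 8-byte alignment and the header checksum consistent, which is why this walker stays read-only.

```python
import struct

HBIN_BASE = 0x1000  # hive bins start after the 4096-byte base block; all stored offsets are relative to this
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}


def header_checksum(block):
    """XOR of the first 127 dwords of the base block; 0 and 0xFFFFFFFF are reserved and remapped."""
    xor = 0
    for i in range(0, 508, 4):
        xor ^= struct.unpack_from("<I", block, i)[0]
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(xor, xor)


class Hive:
    """Read-only walker over a regf image held in memory."""

    def __init__(self, data):
        if data[:4] != b"regf":
            raise ValueError("not a regf hive")
        self.data = data
        seq1, seq2 = struct.unpack_from("<II", data, 4)
        self.dirty = seq1 != seq2  # sequence mismatch: a transaction log (.LOG) was not replayed
        self.root_off = struct.unpack_from("<I", data, 36)[0]
        self.name = data[48:112].decode("utf-16-le").rstrip("\0")
        self.checksum_ok = header_checksum(data) == struct.unpack_from("<I", data, 508)[0]

    def cell(self, off):
        """Payload of the cell at hbin-relative offset `off`; an allocated cell has a negative size."""
        pos = HBIN_BASE + off
        size = struct.unpack_from("<i", self.data, pos)[0]
        if size >= 0:
            raise ValueError("cell at 0x%x is free" % off)
        return self.data[pos + 4:pos - size]

    def key(self, off):
        """(name, [subkey offsets], {value name: (type, data)}) for the nk cell at `off`."""
        c = self.cell(off)
        if c[:2] != b"nk":
            raise ValueError("expected nk cell at 0x%x" % off)
        flags, name_len = struct.unpack_from("<H", c, 2)[0], struct.unpack_from("<H", c, 72)[0]
        nsub, _, sub_off, _, nval, val_off = struct.unpack_from("<IIIIII", c, 20)
        raw = c[76:76 + name_len]
        name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")  # 0x20: 8-bit name
        subs = self.subkey_list(sub_off) if nsub else []
        vals = {}
        if nval:
            for voff in struct.unpack_from("<%dI" % nval, self.cell(val_off)):
                vname, vtype, vdata = self.value(voff)
                vals[vname] = (REG_TYPES.get(vtype, vtype), vdata)
        return name, subs, vals

    def subkey_list(self, off):
        c = self.cell(off)
        sig, n = c[:2], struct.unpack_from("<H", c, 2)[0]
        if sig in (b"lf", b"lh"):  # (offset, hash) pairs
            return [struct.unpack_from("<I", c, 4 + 8 * i)[0] for i in range(n)]
        if sig == b"li":           # bare offsets
            return [struct.unpack_from("<I", c, 4 + 4 * i)[0] for i in range(n)]
        if sig == b"ri":           # list of lists, used for very large keys
            return [s for i in range(n) for s in self.subkey_list(struct.unpack_from("<I", c, 4 + 4 * i)[0])]
        raise ValueError("unknown subkey list %r" % sig)

    def value(self, off):
        c = self.cell(off)
        if c[:2] != b"vk":
            raise ValueError("expected vk cell at 0x%x" % off)
        name_len, size, data_off, vtype, flags = struct.unpack_from("<HIIIH", c, 2)
        name = c[20:20 + name_len].decode("latin-1" if flags & 1 else "utf-16-le") if name_len else "(Default)"
        if size & 0x80000000:  # data of at most 4 bytes is stored in the offset field itself
            data = c[8:8 + (size & 0x7FFFFFFF)]
        else:
            data = self.cell(data_off)[:size]
        if vtype in (1, 2):
            data = data.decode("utf-16-le").rstrip("\0")
        elif vtype == 4 and len(data) == 4:
            data = struct.unpack("<I", data)[0]
        return name, vtype, data

    def walk(self, off=None, path=""):
        """Yield (key path, values) depth-first from the root key."""
        name, subs, vals = self.key(self.root_off if off is None else off)
        path = path + "\\" + name if path else name
        yield path, vals
        for s in subs:
            yield from self.walk(s, path)


def build_sample_hive():
    """Constructed sample: a minimal, structurally valid hive (ROOT\\System with two values).
    Not a real Windows hive; it exists only so the walker above can be exercised offline."""
    cells = bytearray()

    def add(payload):  # cells are 8-byte aligned; the first one follows the 32-byte hbin header
        size = (4 + len(payload) + 7) & ~7
        cells.extend(struct.pack("<i", -size) + payload.ljust(size - 4, b"\0"))
        return 32 + len(cells) - size

    def nk(name, nsub, sub_off, nval, val_off):
        n = name.encode("ascii")
        return (b"nk" + struct.pack("<H", 0x20) + bytes(12) + struct.pack("<IIIIIII", 0xFFFFFFFF, nsub, 0, sub_off,
                0xFFFFFFFF, nval, val_off) + struct.pack("<II", 0xFFFFFFFF, 0xFFFFFFFF) + bytes(20)
                + struct.pack("<HH", len(n), 0) + n)

    def vk(name, vtype, data, inline):
        n = name.encode("ascii")
        size, field = ((0x80000000 | len(data), data.ljust(4, b"\0")) if inline
                       else (len(data), struct.pack("<I", add(data))))
        return b"vk" + struct.pack("<HI", len(n), size) + field + struct.pack("<IHH", vtype, 1, 0) + n

    v1 = add(vk("ProductName", 1, "Windows Vista".encode("utf-16-le") + b"\0\0", inline=False))
    v2 = add(vk("EnableLUA", 4, struct.pack("<I", 0), inline=True))
    child = add(nk("System", 0, 0xFFFFFFFF, 2, add(struct.pack("<II", v1, v2))))
    root = add(nk("ROOT", 1, add(b"lf" + struct.pack("<HI", 1, child) + b"Syst"), 0, 0xFFFFFFFF))
    cells.extend(struct.pack("<i", 0x1000 - 32 - len(cells)))  # trailing free cell (positive size)
    hbin = (b"hbin" + struct.pack("<II", 0, 0x1000) + bytes(20) + cells).ljust(0x1000, b"\0")
    hdr = bytearray(0x1000)
    hdr[:4] = b"regf"
    struct.pack_into("<II", hdr, 4, 1, 1)  # equal sequence numbers: clean hive
    struct.pack_into("<IIIIIII", hdr, 20, 1, 3, 0, 1, root, 0x1000, 1)  # v1.3, root offset, bins size
    hdr[48:60] = "SYSTEM".encode("utf-16-le")
    struct.pack_into("<I", hdr, 508, header_checksum(hdr))
    return bytes(hdr) + hbin
```

Point Hive() at the bytes of a real SYSTEM or SOFTWARE file copied from an offline Windows directory and walk() will list every key and value without touching the live registry; checking checksum_ok and dirty first tells you whether the file is internally consistent or still has unreplayed log data.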
post Mar 11 2007, 09:19 AM
Post #9
psc
Guru   ******
Group: .script developer

  Joined: 14-July 06 From: Korschenbroich

Posts: 8,903
Thank(s): 557


Germany


Try:
Create a new DWORD EnableLUA in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System if not yet present

Set it to:

0 = Disable UAC
1 = Enable UAC

Peter


--------------------
Build the house starting with the basement rather than with the roof! But always have in mind how the roof should be made!

There are very rarely problems, in most cases there are issues.

There are never stupid questions, there can be only stupid answers.

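Added worked example, not code from this thread or from WinBuilder: the EnableLUA toggle above is one of several policy values under the same key, and what matters for security is how they combine. EnableLUA=0 switches token filtering off completely, so every process an administrator starts gets the full token (which is why reg.exe can then load a hive, and why nothing else is stopped either); with EnableLUA=1 the ConsentPromptBehaviorAdmin and PromptOnSecureDesktop values decide whether elevation prompts at all and whether the prompt can be spoofed. The parser reads a regedit 5.00 export, so it works offline on an exported .reg file; the sample export is constructed here, not a capture from a real machine, and the defaults assumed for missing values are the Vista defaults.

```python
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# ConsentPromptBehaviorAdmin: what a member of Administrators sees when a program asks to elevate
ADMIN_BEHAVIOR = {0: "elevate silently", 1: "prompt for credentials on the secure desktop",
                  2: "prompt for consent on the secure desktop", 3: "prompt for credentials",
                  4: "prompt for consent", 5: "prompt for consent for non-Windows binaries"}


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: value}}.
    dword: and quoted string values are decoded; other encodings (hex:, hex(7): ...) stay as raw text."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip().lstrip("\ufeff")
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            cur = keys.setdefault(line[1:-1], {})  # a "[-key]" deletion entry is kept verbatim as a name
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m is None or cur is None:
            continue
        name = "@" if m.group(1) is None else m.group(1)
        val = m.group(2)
        if val.startswith("dword:"):
            cur[name] = int(val[6:], 16)
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            cur[name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            cur[name] = val
    return keys


def assess_uac(keys):
    """(uac_enabled, findings) for the policy values; missing values take the Vista defaults."""
    p = keys.get(POLICY_KEY, {})
    findings = []
    if p.get("EnableLUA", 1) == 0:
        findings.append("EnableLUA=0: no token filtering at all, so every process started by an administrator "
                        "runs with the full token (reg load works, and so does anything malicious)")
        return False, findings
    adm = p.get("ConsentPromptBehaviorAdmin", 2)
    findings.append("ConsentPromptBehaviorAdmin=%d: %s" % (adm, ADMIN_BEHAVIOR.get(adm, "unknown value")))
    if adm == 0:
        findings.append("silent elevation: any program that asks for admin gets it without a prompt")
    if p.get("PromptOnSecureDesktop", 1) == 0:
        findings.append("PromptOnSecureDesktop=0: the consent dialog is drawn on the user desktop and can be spoofed")
    if p.get("EnableInstallerDetection", 1) == 0:
        findings.append("EnableInstallerDetection=0: unmanifested setup/installer executables are not auto-elevated")
    if p.get("EnableSecureUIAPaths", 1) == 0:
        findings.append("EnableSecureUIAPaths=0: uiAccess applications may start from any path")
    if p.get("EnableVirtualization", 1) == 0:
        findings.append("EnableVirtualization=0: legacy writes to HKLM/Program Files fail instead of being redirected")
    return True, findings


# Constructed sample in the shape of a regedit 5.00 export (subset of the policy key; not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
"EnableLUA"=dword:00000000
"PromptOnSecureDesktop"=dword:00000001
"legalnoticecaption"=""
'''

if __name__ == "__main__":
    for finding in assess_uac(parse_reg(SAMPLE_REG))[1]:
        print(finding)
```

Export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" uac.reg` and feed the file to parse_reg(); the same code also audits exports taken from an offline disk, where the live registry is not available.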
post Mar 11 2007, 12:16 PM
Post #10
Nuno Brito


Nice thought, but it was already disabled; here's my registry:

CODE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000000
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"dontdisplaylastusername"=dword:00000000
"scforceoption"=dword:00000000
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"FilterAdministratorToken"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011


Retrying again without UAC enabled I am able to load the hive - this time I tried it on HKU and it worked as expected.

Went to try it again under the protective UAC and it blocked this action again..


Now I've googled a few more ways to make apps run at administrative level on the administrative account; it turns out that I have to modify the manifest file of the exe to ask for administrative permissions when the process starts:

CODE
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0"
     processorArchitecture="X86"
     name="WinBuilder"
     type="win32"/>

  <description>Application designed to create boot disks</description>
  <!-- Identify the application security requirements. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="requireAdministrator"
          uiAccess="true"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>


Tried manually editing the resource on the compiled exe with Resource Hacker but it didn't work - more investigation required...


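Added worked example, not code from this thread or from WinBuilder: a quick way to check what an executable's embedded manifest actually asks for, plus the two facts the thread circles around. First, RegLoadKey (what `reg load` calls) requires SeBackupPrivilege and SeRestorePrivilege, and UAC strips those from the filtered token, so the load fails for an administrator unless the process is elevated; a manifest with level="requireAdministrator" is the supported way to get that prompt. Second, uiAccess="true" is a separate permission (driving other windows' input) that Windows only grants to Authenticode-signed binaries started from a secure path such as Program Files or Windows while EnableSecureUIAPaths=1 (as in the export above); an unsigned exe with uiAccess="true" is refused at launch, so a hive-loading tool should leave uiAccess at "false". The manifest extraction is a byte scan for the XML rather than a walk of the PE resource tree, which is an assumption that holds for the RT_MANIFEST resource (type 24, id 1) because it is stored as plain text; the "PE image" here is a constructed byte string wrapping the manifest posted above.

```python
import re
import xml.etree.ElementTree as ET

# trustInfo is normally in the asm.v3 namespace; some tools emit asm.v2, so both are accepted
TRUST_NS = ("urn:schemas-microsoft-com:asm.v3", "urn:schemas-microsoft-com:asm.v2")


def extract_manifest(pe_bytes):
    """Heuristic: the RT_MANIFEST resource (type 24, id 1 for an exe) is stored as plain XML text,
    so a byte scan finds it without parsing the PE resource directory. Returns None if absent."""
    m = re.search(rb"<assembly\b.*?</assembly>", pe_bytes, re.S)
    return m.group(0).decode("utf-8") if m else None


def requested_execution_level(manifest_xml):
    """(level, uiAccess) from trustInfo, or None when the manifest has no requestedExecutionLevel."""
    root = ET.fromstring(manifest_xml)
    for ns in TRUST_NS:
        el = root.find(".//{%s}requestedExecutionLevel" % ns)
        if el is not None:
            return el.get("level", "asInvoker"), el.get("uiAccess", "false").lower() == "true"
    return None


def assess(pe_bytes, signed=False, secure_path=False):
    """Predict how UAC treats the binary. `signed` (Authenticode) and `secure_path` (under
    Program Files or Windows) are facts the caller establishes; they are not read from the file."""
    manifest = extract_manifest(pe_bytes)
    if manifest is None:
        return "no-manifest", ("no embedded manifest: runs asInvoker unless installer detection "
                               "(name contains setup/install, known installer, AppCompat shim) elevates it")
    info = requested_execution_level(manifest)
    if info is None:
        return "no-trustinfo", "manifest without requestedExecutionLevel: still subject to installer detection"
    level, uiaccess = info
    if uiaccess and not (signed and secure_path):
        return "uiaccess-blocked", ('uiAccess="true" needs an Authenticode-signed exe in a secure path while '
                                    "EnableSecureUIAPaths=1; otherwise Windows refuses to start the program")
    if level == "requireAdministrator":
        return "elevate", ("UAC prompts and starts the process with the full token, which holds "
                           "SeBackupPrivilege/SeRestorePrivilege, so RegLoadKey (reg load) succeeds")
    if level == "highestAvailable":
        return "highest", "administrators get the elevation prompt; standard users run unelevated without one"
    return "asinvoker", "runs with the caller's filtered token: reg load fails with access denied"


# Constructed sample: the manifest from the post above, wrapped in junk bytes standing in for a PE image.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="WinBuilder" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="true"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""
FAKE_PE = b"MZ" + bytes(62) + b"PE\0\0" + bytes(40) + SAMPLE_MANIFEST.encode("utf-8") + bytes(16)

if __name__ == "__main__":
    print(assess(FAKE_PE))
```

Run assess() over the bytes of the built exe after embedding the manifest: if it reports "uiaccess-blocked" the manifest was embedded correctly but the uiAccess attribute will stop the program from starting, and if it reports "no-manifest" the resource edit did not take.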
