 How to write Registry Hives, Creating valid registry hives to be loaded with reg.exe or regedit
post Mar 27 2007, 12:55 PM
Post #1
Nuno Brito
Hi everyone!

After some research into the possible ways to read registry hives without using the internal Windows API, now comes the time to actually write the loaded hive back onto disk.

Googling for documentation brought no usable results since this truly seems a *very* undocumented area. I actually thought it would be more difficult to read and understand a registry hive, but now I come to the conclusion that it is more challenging to understand what it takes for a registry to be considered valid in the eyes of regedit or reg.exe.


Since this community counts members whose expertise in this area is quite formidable, I hope that somehow we can fill this gap and properly document everything that is needed to handle registry hives, for generations to count with this small step.


For current documentation, you can find several program source codes showing how to read the registry hives. I personally didn't find any that I liked to use under Delphi - there was a raw offline reader, but the code wasn't very clear, so I started one from scratch to also learn more about the registry design.

As tools for this task I recommend using a good hex editor - I've used Tiny Hexer since it allows opening several copies of the same binary file and it's completely free (and easy to use).

You should use your favourite programming language to create your own registry read method; what we need here is to discover which nuances are involved in the creation of a registry hive.

For documentation look here:
http://www.beginningtoseethelight.org/ntsecurity/ --> Complete map to the registry structure
http://download.sysinternals.com/Files/Win...ls-Chapter4.pdf --> Explaining the registry organization

Also a mirror here:
http://rjohnson.uninformed.org/ref/SAM.htm



I've also created a few images explaining some of the steps for reading (mostly done for writing) the registry keys; they'll probably make more sense after reading the above mentioned links.

(Three attached images.)



I've done a small application for testing hives, available on our previous discussion topic here:
http://www.boot-land.net/forums/Running-re...ives-t1703.html

Check the resource links posted by Jaclaz and the last topics to get the binaries produced so far.


I will be posting my advances and knowledge regarding what can and cannot be done inside the registry hive to make it a valid file while I do my tests, but it would really help if more people could also join in and try to bring a working solution for this challenge.

Good luck and I hope this helps more people to see how this gets done!


--------------------
http://f0rums.com - grab a free forum to include inside your site.

post Mar 27 2007, 03:06 PM
Post #2
psc
QUOTE (Nuno Brito @ Mar 27 2007, 02:55 PM) *
Hi everyone!

After some research into the possible ways to read registry hives without using the internal Windows API, now comes the time to actually write the loaded hive back onto disk.

Googling for documentation brought no usable results since this truly seems a *very* undocumented area. I actually thought it would be more difficult to read and understand a registry hive, but now I come to the conclusion that it is more challenging to understand what it takes for a registry to be considered valid in the eyes of regedit or reg.exe.


Since this community counts members whose expertise in this area is quite formidable, I hope that somehow we can fill this gap and properly document everything that is needed to handle registry hives, for generations to count with this small step.

...

I've done a small application for testing hives, available on our previous discussion topic here:
http://www.boot-land.net/forums/Running-re...ives-t1703.html

Check the resource links posted by Jaclaz and the last topics to get the binaries produced so far.


I will be posting my advances and knowledge regarding what can and cannot be done inside the registry hive to make it a valid file while I do my tests, but it would really help if more people could also join in and try to bring a working solution for this challenge.

Good luck and I hope this helps more people to see how this gets done!


I'm seeing very interesting next days, weeks, months, ...

Peter


--------------------
Build the house starting with the basement rather than with the roof! But always have in mind how the roof should be made!

There are very rarely problems, in most cases there are issues.

There are never stupid questions, there can be only stupid answers.

post Apr 17 2007, 10:45 AM
Post #3
Nuno Brito
A bit more work has been done.

After some tests comparing several registry hives, I've finally managed to reproduce a new hive from scratch based on an older one - the method I'm using is perfectly valid for reading the registry tree structure back in my own small app - but unfortunately it kept not showing any registry entries when loaded with reg.exe and viewed with regedit.

Spent most of these days trying to figure out the reasons why this occurred, since all values were input in the correct order with correct addresses (well, actually there were some bugs in the original code, but now there were no excuses since everything was double checked and recoded).

A solution appeared once I started comparing/editing a strange byte sequence that appeared after the data from the last reg key was written. Comparing back and forth revealed that this byte sequence was responsible for validating the hive on regedit.

Unfortunately this seems like a completely undocumented section - it is not required for reading keys nor writing back keys - but regedit won't accept the hive unless it has the correct byte sequence.

This byte sequence is also very strange - it contained all sorts of junk bytes inside, which I replaced with 00's. This sequence has to have 32 bytes or becomes invalid, and the only byte that wasn't changeable was the very first byte, with a value of 0x20.

0x20 in hex is 32 in decimal, so this might be some count mechanism - but why the junk data inside?

I guess that just too many things don't seem right here, so I might be jumping to conclusions too fast, but I'm starting to see this as a security mechanism to keep registry hives from being easily modified by non-MS apps.


At first, this byte sequence (sized 32 bytes?) seemed static, so my first result was very successful when creating a hive with only one key - but adding two keys results in a different byte sequence.

Will keep on taking notes to see how these values change and hopefully understand the algorithm that produces this validation sequence.


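An added example, not code from the thread or from LoadHive: a Python checker for the chain of cells inside one hbin, written from the regf layout the links in the first post describe (a bin is a multiple of 4096 bytes with a 32-byte header; every cell starts with a 4-byte signed size that is negative for an allocated cell and positive for a free one, and a free cell keeps whatever stale bytes it held). The sample bin is constructed; the rule that the cell sizes must tile the bin exactly is what makes a change to the first size byte of a free cell, as tried in the post above, turn the whole chain inconsistent.

```python
import struct

BIN_HEADER = 32

def walk_cells(hbin):
    """Yield (offset, size, allocated, tag) per cell; ValueError when the chain is
    inconsistent (bad signature/size, size not a multiple of 8, overrun)."""
    if len(hbin) < BIN_HEADER or hbin[:4] != b"hbin":
        raise ValueError("missing hbin signature")
    bin_size = struct.unpack_from("<I", hbin, 8)[0]
    if bin_size != len(hbin) or bin_size % 4096:
        raise ValueError("declared size %d does not fit %d bytes" % (bin_size, len(hbin)))
    pos = BIN_HEADER
    while pos < bin_size:
        (raw,) = struct.unpack_from("<i", hbin, pos)   # signed little-endian size
        size = abs(raw)
        if size < 8 or size % 8 or pos + size > bin_size:
            raise ValueError("bad cell size %d at offset 0x%x" % (raw, pos))
        allocated = raw < 0                            # negative = cell in use
        tag = hbin[pos + 4:pos + 6] if allocated else None   # e.g. b"nk", b"vk"
        yield pos, size, allocated, tag
        pos += size

def summarize(hbin):
    """Count allocated/free cells and list the record tags of allocated ones."""
    cells = list(walk_cells(hbin))
    return {"allocated": sum(1 for c in cells if c[2]),
            "free": sum(1 for c in cells if not c[2]),
            "tags": [c[3] for c in cells if c[2]]}

def check(hbin):
    """Return None when the chain is consistent, otherwise the error text."""
    try:
        list(walk_cells(hbin))
        return None
    except ValueError as exc:
        return str(exc)

def build_sample_bin():
    """Constructed 4096-byte bin (not from a real hive): one allocated nk cell, a
    32-byte free cell still holding stale bytes, and a free cell covering the rest."""
    body = bytearray(b"hbin" + struct.pack("<II", 0, 4096) + bytes(20))
    body += struct.pack("<i", -0x60) + b"nk" + bytes(0x60 - 6)
    body += struct.pack("<i", 0x20) + b"\xde\xad\xbe\xef" * 7    # stale junk payload
    rest = 4096 - len(body)
    body += struct.pack("<i", rest) + bytes(rest - 4)
    return bytes(body)

if __name__ == "__main__":
    sample = build_sample_bin()
    print(summarize(sample))
    damaged = bytearray(sample)
    damaged[128] = 0        # zero the first size byte of the 32-byte free cell
    print(check(bytes(damaged)))
```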
post Apr 17 2007, 01:06 PM
Post #4
MedEvil
Could that be some hash code to verify that the hive is ok?

Also possible would be a key that describes the hive.


--------------------
NaughtyPE - The Multimedia PE!
Requirements: WB072 or 077RC2, XPSP2/W2k3SP1 source, Pentium CPU, 128MB RAM (256MB to use video players)
post Apr 17 2007, 02:12 PM
Post #5
Nuno Brito
It was a bit late last night when I finally reached some working results - tonight I will continue my tests, then I might be able to say more about it - I think you are right and this is a hash meant to certify the integrity of all the data included in a certain key and this way avoid any intentional tampering/corruption.

Let's see if we can find out how this algorithm works.


post Apr 17 2007, 03:28 PM
Post #6
was_jaclaz
Nuno, maybe completely unrelated, but what if you use regfind with its "undocumented" feature offline to change a value?

Would it replace/fix the hash or simply not load it like regedit or reg.exe?

Reference:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=1084

Also, maybe there is something of use in the source of the "cmlib" of newish ReactOS:
QUOTE
2007-03-11
ReactOS 0.3.1 Released
....
Registry-support has been greatly improved thanks to addition of "cmlib", a library shared by the boot loader and the kernel to handle binary registry hives; it even supports binary registry hives created by Windows
.....

http://www.reactos.org/generated/doxygen/dir_000686.html

jaclaz


post Apr 17 2007, 04:24 PM
Post #7
Nuno Brito
Thank you for the links, just started testing out regfind.exe and unfortunately it will also use the WinAPI to load hives (I noticed this because of the generated log/backup files added when using this tool under Vista reg virtualization), meaning that the API will be used to write the correct values.

Can you help me figure out the correct command line to be used?

Here is the command line I've used on my test example:
CODE
regfind -h empty2.hiv System teste


I really miss a big round button saying "Start here" to see my test results on this tool.

For everyone wishing to join in on this crusade, I attach my work files which include LoadHive.exe, empty2.hiv and regfind.exe

Attached File  temp.7z ( 249.26K ) Number of downloads: 167


Just unpack to c:\temp


How to test?

Run LoadHive.exe - it will load empty2.hiv and allow you to save a new hive as empty3.hiv (I recommend creating a backup file of empty2.hiv to avoid any tampering during tests)

Run a hex editor and compare the results between empty2.hiv and empty3.hiv

You can view two keys inside the root key of empty2.hiv - which are also viewable by regedit.

empty3.hiv is also valid, but the checksum is different - meaning that it will not be invalid - look again on my previous reply when comparing results to better understand why.

Try adding another data key on empty2.hiv from regedit and comparing back the changes from the previous checksum to see how this is fun.


btw: Jaclaz, about ReactOS - sounds really good, but I wonder if they've added write support?

Will check!

This post has been edited by Nuno Brito: Apr 17 2007, 08:41 PM


post Apr 17 2007, 07:33 PM
Post #8
was_jaclaz
Nuno,
syntax should be:
QUOTE
The KEYR parameter is undocumented.

To search for NOTEPAD in the SOFTWARE key of a users unloaded registry hive, use the following syntax:

REGFIND -h "c:\winnt\Profiles\UserName\ntuser.dat" KEYR -p KEYR\Software NOTEPAD

The above will list all SOFTWARE sub-keys that contain the NOTEPAD string. The KEYR parameter specifies the key name
for the root key of the hive.


A hive should have a root, and the key a name.

In your case it should be something like:
CODE
regfind -h "empty2.hiv" KEYR -p KEYR\ 12345



CODE
Y:\Registry\nuno>regfind -h "empty2.hiv" KEYR -p  KEYR\ 12345
Scanning KEYR\ registry tree
Search for '12345'
Will match values of type: REG_SZ REG_EXPAND_SZ REG_MULTI_SZ
KEYR\
    teste = 12345

Y:\Registry\nuno>regfind -h "empty2.hiv" KEYR -p  KEYR\ 67890
Scanning KEYR\ registry tree
Search for '67890'
Will match values of type: REG_SZ REG_EXPAND_SZ REG_MULTI_SZ
KEYR\
    test2 = 67890

Y:\Registry\nuno>


You need the -n parameter as follows to add searching into names:
CODE
Y:\Registry\nuno>regfind -h "empty2.hiv" KEYR -n -p  KEYR\ teste
Scanning KEYR\ registry tree
Search for 'teste'
Will match values of type: REG_SZ REG_EXPAND_SZ REG_MULTI_SZ
Search will include key or value names
KEYR\
    teste = 12345

Y:\Registry\nuno>regfind -h "empty2.hiv" KEYR -n -p  KEYR\ test2
Scanning KEYR\ registry tree
Search for 'test2'
Will match values of type: REG_SZ REG_EXPAND_SZ REG_MULTI_SZ
Search will include key or value names
KEYR\
    test2 = 67890

Y:\Registry\nuno>


Could you please check your app? It does not work with my resolution (1152x864, big fonts): commands in the window are out of reach.

jaclaz


post Apr 17 2007, 09:01 PM
Post #9
Nuno Brito
QUOTE (jaclaz @ Apr 17 2007, 07:33 PM) *
syntax should be:
A hive should have a root, and the key a name.

In your case it should be something like:
CODE
regfind -h "empty2.hiv" KEYR -p KEYR\ 12345


Thank you very much!!

I'm starting to think that you do own a crystal ball - I'm even a bit afraid to ask how you've found the KEYR\ parameter and got it working.

Running the above mentioned syntax for newly created empty3.hiv returned no results, need to add the correct hash value for making it correct - will start testing replacing values on empty2.hiv and see the differences on the hex editor.

QUOTE
Could you please check your app, it does not work with my resolution 1152x864 BIG fonts, commands in window are out of reach?


Updated the previous attachment with a new one which won't try to scale itself.


Also read the code used in the ReactOS NTOSKRNL - and they do seem to be effectively handling all these hash calculations, but I'm having a bit of difficulty following the code - never been a big fan of the C language, guess it's time to get started and see if I understand a bit more.

CODE
Status = CmiAddKeyToHashTable(RegistryHive,
01271                                 HashBlock,
01272                                 ParentKeyCell,
01273                                 Storage,
01274                                 NewKeyCell,
01275                                 NKBOffset);


The numbers 0127x represent the code lines from here:
http://www.reactos.org/generated/doxygen/d...rce.html#l01682

Maybe the authors can shed some light on this "HashTable" matter since documentation seems rare.


post Apr 17 2007, 09:38 PM
Post #10
Nuno Brito
"Hash table" is a list of key-values - not a hash algorithm as we need here.

Also found the html version of the registry guide from winternals:
http://book.itzero.com/read/microsoft/0507...04lev1sec1.html

And the comments from the wine registry source also help:
http://source.winehq.org/source/misc/regis...?v=wine20011226


