Raw Registry Editor, Edit registry hives without using Windows API functions
Nuno Brito
post May 16 2008, 09:30 AM
Post #1
Raw Registry Editor


This was a project that started some time ago and was intended to understand how the registry hives worked.

Today I can say that this goal was achieved and the registry hive can be edited without using Windows registry functions.



Download link: http://nunobrito.eu/download.php?view.10


What is the advantage of not using Win32 API?

- No need to load a hive into the local registry
- Overcome any security restrictions imposed by Win32 API
- Works on every Windows platform (from Windows 9x all the way up to Vista)
- No UAC restrictions regarding hive load without administrator permissions
- More features can be added in the future.



--------------------------------


Things to expect from this Raw Registry Editor (RawReg for short)


- Freeware
- Fast
- Gives a (huge) amount of details and information about any given hive


----------

What can it do?

- Browse the hive structure
- Edit the data on values
- Change the title of values
- Show a map with information of data inside each bin
- Show details about physical offset of any given key


Please note that unlike any other raw registry editors, this is the only program that can really add more data onto a given registry hive and manage the bin space properly. In the past, people were limited to only changing data on keys that needed to have the exact same size; there are no such restrictions here, and many things can be added. Post your requests and I'll see if they can be included.



It is also the initial test version, more features will be added in the future.

Hope you like this tool.

jaclaz
post May 16 2008, 09:54 AM
Post #2

GOOD!

I will test it as soon as I can and report.


jaclaz
paraglider
post May 16 2008, 12:06 PM
Post #3

It crashes when I load a non-live software hive:

Unhandled exception at 0x772388f7 in RawReg.exe: 0xC0000005: Access violation writing location 0x00030fc4.
jaclaz
post May 16 2008, 12:19 PM
Post #4

Hmmm, as I see it not (yet) ready for anything but debugging.

Problems/reports (on Win2k):
1) by default the "open hive on start" is checked, thus if there is a problem with a hive, the program won't run EVER again until you have deleted rawreg.ini
2) Open a "default" hive, 164 Kb in size - result OK
3) Open a "SAM" hive, 32 Kb in size - result OK
4) Open a "SECURITY" hive, size 32 Kb - problems:
a. when clicking on "Policy" ERROR - Access violation error at address 0047F530
b. when clicking on the small + sign near "Policy" it opens the subtree correctly, but clicking on any folder below "Policy" results in "cannot access file <path>\SECURITY file is in use by another process"
c. file seems to remain "in use" even if you open another hive and then try reloading "SECURITY"
d. if you DO NOT click on "Policy" and open the sub-tree clicking on the + sign, keys are accessed all right
5) Open "software" hive size 11.460 Kb, CPU goes 98 %, memory usage goes berserk, stepping up in 4 kb steps, each step every two seconds roughly, app does not respond, terminated after 5 minutes running and at 54.368 Kb memory occupied
6) Open "system" hive size 5.368 Kb as 5) above
7) Same for "software" and "system" hives sized respectively 2.756 and 1.840 Kb, memory usage grows MUCH faster, after two minutes running around 240.000 Kb, still not responding, then dropped down to about 11.000 kb, still not responding, starting growing again, after another two minutes back to around 240.000 Kb - killed.

Do you need any form of logging?

jaclaz
paraglider
post May 16 2008, 12:31 PM
Post #5

That was similar to what happened to me. Opened the sam file OK, then tried to open software. The program hung. Killed it, deleted the ini file, then restarted the program and attempted to load software. I now get the crash every time.
jaclaz
post May 16 2008, 12:35 PM
Post #6

More probs:
Opened a ntuser.dat 192 kb in size
1) changing details to "hive map" gives a "Richedit insertion line error"
2) hive time stamp reported as 01/01/1601, I have had this machine for a long time, but NOT such a long time

jaclaz
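The header check a practitioner would run before trusting a raw hive, as an added example (Python, not the RawReg tool's own Delphi code): it parses the 4096-byte regf base block, verifies the stored XOR checksum and the primary/secondary sequence numbers, and converts the FILETIME timestamp; a zero timestamp decodes to exactly 01/01/1601, the value reported above. The sample header is constructed inline and is not a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME zero point

def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; ft == 0 gives 01/01/1601."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Exact integer inverse of filetime_to_datetime (no float rounding)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10

def base_block_checksum(block):
    """XOR of the 127 DWORDs before the checksum field, with the kernel's
    two reserved results (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        xor ^= dword
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return xor or 1

def parse_base_block(block):
    """Parse the 4096-byte regf base block; raise if it is not a hive header."""
    if len(block) < 0x1000 or block[:4] != b"regf":
        raise ValueError("not a regf hive: bad signature or truncated header")
    seq1, seq2, ft, major, minor, ftype, fmt, root, binsize = struct.unpack_from("<IIQIIIIII", block, 4)
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "seq_primary": seq1, "seq_secondary": seq2,
        "dirty": seq1 != seq2,                # mismatch: last write was not completed
        "last_written": filetime_to_datetime(ft),
        "version": (major, minor), "file_type": ftype, "file_format": fmt,
        "root_cell_offset": 0x1000 + root,    # cell offsets are relative to the hive bins
        "hbins_size": binsize,
        "checksum_ok": stored == base_block_checksum(block),
    }

def build_sample_hive_header(seq1=7, seq2=7, filetime=0):
    """Constructed sample base block for the demo; not taken from a real hive."""
    hdr = bytearray(0x1000)
    struct.pack_into("<4sIIQIIIIII", hdr, 0, b"regf", seq1, seq2, filetime, 1, 5, 0, 1, 0x20, 0x1000)
    name = "sample.dat".encode("utf-16-le")
    hdr[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", hdr, 0x1FC, base_block_checksum(bytes(hdr)))
    return bytes(hdr)
```

A mismatched sequence pair or a bad checksum means the file on disk is not a consistent snapshot, which is worth knowing before editing it in place.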
Nuno Brito
post May 16 2008, 03:54 PM
Post #7

Interesting results, thank you for testing and posting the results.

My experiments up to this point have been done with setupreg.hiv and bcd files.

Will now pick on the other hives to see why they are different and improve the results.

Thank you!

MedEvil
post May 16 2008, 05:24 PM
Post #8
Even though there are still a few initial problems: thumbs up for finishing this Baby!!!

Great work Nuno!
Nuno Brito
post May 16 2008, 09:01 PM
Post #9

One detail:
If the program crashes while trying to load a hive (or non-hive) file - then the memory won't be properly disposed until the system is rebooted. Please forgive me as I'm still a bit inexperienced handling memory streams when things go wrong...

For those who know Delphi - I'm using TFileStream to map the file into memory. Have to learn a bit more about them or use a better way to open files and properly dispose the memory they use when the program crashes.

-------------------------------


One request:

Please send me as email attachments the problematic hives so that I can test them at home.

Thank you for the feedback.

paraglider
post May 17 2008, 01:37 PM
Post #10

Registry hives tend to be quite large even when zipped. Are you sure you want them as an email attachment? They may also contain sensitive information that it's not a good idea to trust to email.