Registry viewer

Started by sinsi, May 15, 2010, 06:21:22 AM


sinsi

Cleaning a computer with a virus/malware, you log on and it logs off straight away, even in safe mode.
I wanted to look at the startup files but couldn't, so I put the hard drive in the old Celeron, then went looking for a program that could read a registry file. Found one here: http://www.snapfiles.com/get/rfv.html

Very good program, let me see everything. Deleted the files in startup and a couple of odd services, since I could see the path.
Light travels faster than sound, that's why some people seem bright until you hear them.

Vortex

Hi sinsi,

Thanks for the info. Using the volume shadow copy service and robocopy, I was able to copy the NTUSER.DAT file and view it through Registry Viewer.

ERUNT can be found here :

http://www.larshederer.homepage.t-online.de/erunt

dedndave

it works great for non-booted drives
might be a nice portable app to put on a utility boot CD   :bg

hutch--

Sinsi,

Interesting way to do it. You are lucky you have old stuff that still runs. My oldest processor is now a 3.8 gig PIV, everything else has died by way of the boards.
Download site for MASM32: https://masm32.com
New MASM Forum: https://masm32.com/board/index.php

sinsi

Well, it's only a viewer, and when I went looking for the file replacing userinit.exe in the winlogon key it wasn't there.
That's why it was a logon->logoff cycle, since Windows won't default to userinit.exe if it can't find the file.

Finding the strings (userinit and shell), I just replaced them with a hex editor (luckily the malware ones were longer than the standard ones) and it boots perfectly now. I thought strings in the registry were counted Unicode to allow for embedded nulls, but so far Windows hasn't chucked a wobbly.

I tried to find an editor but could only find one, and that was for sale. Considering that Microsoft won't detail the file format, I'm not sure I would trust one anyway  :bdg

Ghandi

You can edit and view the registry on the PC via a BartPE bootable disc. regedt32.exe instead of regedit.exe and you're away.

This explains a little better:

http://windowsxp.mvps.org/peboot.htm

HR,
Ghandi

sinsi

I saw a few BartPE and live Linux ones, but it was too much hassle - after the second ISO wouldn't finish downloading (after 100 meg) I lost interest :bg

Besides, who can resist using a hex editor on such a crucial set of system files?

dedndave

actually, you can use REGEDIT
just load the external file under its own temporary hive and edit it
there may be cases where a key is marked read-only, however
this is common in malware
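A defender-side check that follows dedndave's approach, as an added example that is not part of this thread: from an elevated PowerShell prompt it loads the offline SOFTWARE hive under a temporary name, compares the Winlogon Userinit and Shell values against the stock defaults (the replaced userinit.exe sinsi describes above), checks that any path they reference actually exists on the mounted drive, and unloads the hive again. The mount letter D:, the hive name OfflineSoft and the default values are assumptions and should be adjusted for the Windows version on the patient drive.

```powershell
# Added example, not from the thread. Requires an elevated prompt for reg.exe load/unload.
$MountDrive = 'D:'                                          # assumed: patient drive letter
$HiveFile   = "$MountDrive\Windows\System32\config\SOFTWARE" # offline SOFTWARE hive
$HiveName   = 'OfflineSoft'                                 # assumed temporary hive name

# Assumed stock values; the trailing comma on Userinit is part of the default.
$Expected = @{
    Userinit = 'C:\WINDOWS\system32\userinit.exe,'
    Shell    = 'explorer.exe'
}

reg.exe load "HKLM\$HiveName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile" }

try {
    $key   = "HKLM:\$HiveName\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $props = Get-ItemProperty -Path $key

    foreach ($name in $Expected.Keys) {
        $actual = [string]$props.$name
        if ($actual -eq $Expected[$name]) {
            Write-Output "$name OK: $actual"
            continue
        }
        Write-Warning "$name is '$actual' (expected '$($Expected[$name])')"

        # Winlogon runs each comma-separated entry; a referenced file that is
        # missing on disk is exactly what produces the logon->logoff loop.
        foreach ($entry in ($actual -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            if ($entry -match '^[A-Za-z]:\\') {
                # Remap the path to the drive the patient disk is mounted on.
                $onDisk = $MountDrive + $entry.Substring(2)
                if (-not (Test-Path -LiteralPath $onDisk)) {
                    Write-Warning "  referenced file not found on patient drive: $onDisk"
                }
            }
        }
    }
}
finally {
    # Always unload, or the hive file stays locked and the drive cannot be removed cleanly.
    reg.exe unload "HKLM\$HiveName" | Out-Null
}
```

If a value is flagged, the same loaded hive can be corrected in regedit under the temporary hive name before unloading, as dedndave suggests, rather than hex-editing the file.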