Cleaning a computer with a virus/malware: you log on and it logs off straight away, even in safe mode.
I wanted to look at the startup files but couldn't, so I put the hard drive in the old Celeron, then went looking for a program that could read a registry file. Found one here: http://www.snapfiles.com/get/rfv.html
Very good program; it let me see everything. Deleted the files in startup and a couple of odd services, since I could see the path.
Hi sinsi,
Thanks for the info. Using the volume shadow copy service and robocopy, I was able to copy the NTUSER.DAT file and view it through Registry Viewer.
ERUNT can be found here:
http://www.larshederer.homepage.t-online.de/erunt
It works great for non-booted drives.
Might be a nice portable app to put on a utility boot CD :bg
Sinsi,
Interesting way to do it. You are lucky you have old stuff that still runs. My oldest processor is now a 3.8 gig PIV, everything else has died by way of the boards.
Well, it's only a viewer, and when I went looking for the file replacing userinit.exe in the Winlogon key, it wasn't there.
That's why it was a logon->logoff cycle, since Windows won't default to userinit.exe if it can't find the file.
Finding the strings (userinit and shell), I just replaced them with a hex editor (luckily the malware ones were longer than the standard ones) and it boots perfectly now. I thought strings in the registry were counted Unicode to allow for embedded nulls, but so far Windows hasn't chucked a wobbly.
I tried to find an editor but could only find one, and that was for sale. Considering that Microsoft won't detail the file format, I'm not sure I would trust one anyway :bdg
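The check and the hex-editor style fix described in the post above, as an added example (Python, not code from the thread or from any of the tools it links): it scans a raw hive copy for UTF-16LE strings that look like the Winlogon Userinit/Shell data, reports any that differ from the stock values, and restores one in place without changing its length. It is a heuristic string scan, not a hive parser; the SAMPLE bytes and the appended ldr.exe path are constructed for the demo.

```python
import re

# Stock data of the two Winlogon values the thread discusses (compared
# case-insensitively); the trailing comma on Userinit is normal.
EXPECTED = {"userinit": "c:\\windows\\system32\\userinit.exe,", "shell": "explorer.exe"}

def utf16_strings(blob, min_chars=6):
    """Yield (offset, text) for runs of printable UTF-16LE text, the encoding
    a hive uses for REG_SZ data."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars, blob):
        yield m.start(), m.group().decode("utf-16-le")

def find_winlogon_anomalies(blob):
    """Heuristic triage, not a hive parser: a string naming userinit or
    explorer.exe is taken as a candidate Userinit/Shell value and reported as
    (offset, value_name, text) when it differs from the stock value."""
    hits = []
    for off, text in utf16_strings(blob):
        low = text.lower()
        name = "userinit" if "userinit" in low else "shell" if "explorer.exe" in low else None
        if name and low != EXPECTED[name]:
            hits.append((off, name, text))
    return hits

def restore_in_place(blob, offset, old_text, new_text):
    """Overwrite old_text at offset the way a hex editor would: the replacement
    must not be longer, and leftover bytes are zeroed so the cell layout and the
    value's stored length stay untouched (the poster found Windows stops at the first null)."""
    old, new = old_text.encode("utf-16-le"), new_text.encode("utf-16-le")
    if blob[offset:offset + len(old)] != old:
        raise ValueError("old_text not found at offset")
    if len(new) > len(old):
        raise ValueError("replacement is longer than the original string")
    return blob[:offset] + new.ljust(len(old), b"\x00") + blob[offset + len(old):]

def utf16z(text):
    """Constructed helper: encode text as null-terminated UTF-16LE."""
    return text.encode("utf-16-le") + b"\x00\x00"

# Constructed sample of REG_SZ data fragments as a hive stores them. The third
# has a program appended after userinit.exe, the pattern the thread describes;
# the appended path is a placeholder, not a real malware name.
SAMPLE = (b"\x00" * 8 + utf16z("C:\\Windows\\system32\\userinit.exe,")
          + b"\xff" * 4 + utf16z("explorer.exe")
          + b"\xff" * 4 + utf16z("C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\ldr.exe"))

if __name__ == "__main__":
    for off, name, text in find_winlogon_anomalies(SAMPLE):
        print(f"offset 0x{off:x}: {name} = {text!r}")
```

On a real SOFTWARE hive the scan can also report unrelated strings that merely mention userinit.exe, so treat each hit as something to confirm against the Winlogon key in a viewer before patching.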
You can edit and view the registry on the PC via a BartPE bootable disc. regedt32.exe instead of regedit.exe and you're away.
This explains a little better:
http://windowsxp.mvps.org/peboot.htm
HR,
Ghandi
I saw a few BartPE and live Linux ones, but it was too much hassle. After the second ISO wouldn't finish downloading (after 100 meg) I lost interest :bg
Besides, who can resist using a hex editor on such a crucial set of system files?
Actually, you can use REGEDIT.
Just load the external file under its own temporary hive and edit it.
There may be cases where a key is marked read-only, however.
This is common in malware.