Copy locked file

Started by masmuser, December 21, 2007, 12:39:39 PM


white scorpion

Quote from: masmuser on December 22, 2007, 10:11:49 PM
The file you are getting is zero-filled because the code will create a file regardless of the return value of CreateFile. These files are protected by the system and it seems to be very difficult to get read or write access to them. It is, however, possible; I know of at least one freeware program which can do it. It is called erunt. I also know some big-name system backup utilities which pass on these protected files. So we are dealing with a very tough issue here.  :dazzled:

Yes, you are right, erunt does back up the SYSTEM file while Windows is running.
Since I got pretty interested in this, I've taken a closer look at it; this is how it works:

1. AdjustTokenPrivileges for SeBackupPrivilege
2. Open HKEY_LOCAL_MACHINE\SYSTEM
3. invoke RegSaveKeyExA,hKey,addr backupfile,0,REG_NO_COMPRESSION

That's it, no need to get handles or stuff like that.

The above also works for the other files like SAM, SOFTWARE, etc.

I'll set up a program soon which should do the above automatically ;)
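
Added example, not code from the thread, from erunt or from any MASM32 project: the three steps above done from PowerShell through P/Invoke to the same advapi32 calls, with every return value checked (the zero-filled file earlier in the thread came from ignoring CreateFile's result). Two details differ from the post and are assumptions of this example: the key is opened with RegCreateKeyEx and REG_OPTION_BACKUP_RESTORE instead of RegOpenKeyEx, because with that option the open honours SeBackupPrivilege and grants KEY_READ even on HKLM\SAM, whose ACL otherwise denies Administrators read access; and the output files go under $env:TEMP. AdjustTokenPrivileges returning TRUE is not enough on its own: a token that does not hold the privilege still gets TRUE, with GetLastError() set to ERROR_NOT_ALL_ASSIGNED, so the script checks for that too. REG_NO_COMPRESSION requires the handle to be a hive root (SYSTEM, SOFTWARE, SAM are; a subkey is not). Run it from an elevated prompt as a member of Administrators or Backup Operators.

```powershell
# Added example, not code from the thread or from erunt.
# Enables SeBackupPrivilege, opens the hive root with backup intent, and has
# the kernel write a consistent copy with RegSaveKeyEx. Run elevated.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class HiveBackup
{
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with a single LUID_AND_ATTRIBUTES entry, flattened.
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    const uint TOKEN_ADJUST_PRIVILEGES   = 0x0020;
    const uint TOKEN_QUERY               = 0x0008;
    const uint SE_PRIVILEGE_ENABLED      = 0x0002;
    const int  ERROR_NOT_ALL_ASSIGNED    = 1300;
    const uint KEY_READ                  = 0x20019;
    const uint REG_OPTION_BACKUP_RESTORE = 0x0004;
    const uint REG_NO_COMPRESSION        = 4;
    // Pseudo-handle must be sign-extended on 64-bit, hence the int round trip.
    static readonly IntPtr HKEY_LOCAL_MACHINE = new IntPtr(unchecked((int)0x80000002));

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegCreateKeyEx(IntPtr hKey, string subKey, uint reserved, string cls,
        uint options, uint samDesired, IntPtr securityAttributes, out IntPtr result, out uint disposition);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegSaveKeyEx(IntPtr hKey, string file, IntPtr securityAttributes, uint flags);
    [DllImport("advapi32.dll")] static extern int RegCloseKey(IntPtr hKey);

    static void Fail(string call, int err) { throw new Exception(call + " failed, Win32 error " + err); }

    // Step 1: enable SeBackupPrivilege in the current process token.
    public static void EnableBackupPrivilege()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            Fail("OpenProcessToken", Marshal.GetLastWin32Error());
        try
        {
            TOKEN_PRIVILEGES tp;
            tp.PrivilegeCount = 1;
            tp.Attributes = SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, "SeBackupPrivilege", out tp.Luid))
                Fail("LookupPrivilegeValue", Marshal.GetLastWin32Error());
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                Fail("AdjustTokenPrivileges", Marshal.GetLastWin32Error());
            // TRUE does not mean success: a token that does not hold the privilege
            // gives TRUE plus ERROR_NOT_ALL_ASSIGNED, and the save would fail later.
            if (Marshal.GetLastWin32Error() == ERROR_NOT_ALL_ASSIGNED)
                throw new Exception("SeBackupPrivilege is not held by this token; run elevated");
        }
        finally { CloseHandle(token); }
    }

    // Steps 2 and 3: open the hive root and save it. REG_OPTION_BACKUP_RESTORE makes the
    // open honour the backup privilege (assumption of this example; the post used
    // RegOpenKeyEx, which suffices for SYSTEM but not for SAM under the default ACL).
    public static long SaveHive(string hive, string destFile)
    {
        IntPtr hKey; uint disposition;
        int rc = RegCreateKeyEx(HKEY_LOCAL_MACHINE, hive, 0, null, REG_OPTION_BACKUP_RESTORE,
                                KEY_READ, IntPtr.Zero, out hKey, out disposition);
        if (rc != 0) Fail("RegCreateKeyEx(" + hive + ")", rc);
        try
        {
            // RegSaveKeyEx refuses to overwrite: ERROR_ALREADY_EXISTS if destFile is present.
            rc = RegSaveKeyEx(hKey, destFile, IntPtr.Zero, REG_NO_COMPRESSION);
            if (rc != 0) Fail("RegSaveKeyEx(" + hive + ")", rc);
        }
        finally { RegCloseKey(hKey); }
        return new System.IO.FileInfo(destFile).Length;
    }
}
'@

[HiveBackup]::EnableBackupPrivilege()
# Assumed destination folder; the hive names are the ones the thread discusses.
foreach ($hive in 'SYSTEM', 'SOFTWARE') {
    $dest = Join-Path $env:TEMP "$hive.hiv"
    if (Test-Path $dest) { Remove-Item $dest }   # RegSaveKeyEx will not overwrite
    $bytes = [HiveBackup]::SaveHive($hive, $dest)
    Write-Host "saved HKLM\$hive to $dest ($bytes bytes)"
}
```

The same call against SAM (together with SYSTEM, which holds the boot key) is exactly the local credential-dumping primitive catalogued as ATT&CK T1003.002, which is why the objection raised later in this thread is not baseless: on a monitored host, RegSaveKey on SAM, SECURITY or SYSTEM by anything other than known backup software should be treated as a high-confidence alert, and the resulting .hiv files should be protected at least as tightly as the originals.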

masmuser

Quote from: white scorpion on December 24, 2007, 03:06:11 PM
1. AdjustTokenPrivileges for SeBackupPrivilege
2. Open HKEY_LOCAL_MACHINE\SYSTEM
3. invoke RegSaveKeyExA,hKey,addr backupfile,0,REG_NO_COMPRESSION

That's it, no need to get handles or stuff like that.

:(
Sorry, but it won't work.
When you restore the registry in this manner, it will only be added to the new registry without replacing it.

white scorpion

Well, you can boot with the recovery console and replace the file manually, I thought that was your intention in the first place.
That way you make a backup now, and when (if) the system crashes you can set the hives back by overwriting the original files with the backed up ones...

masmuser

Quote from: white scorpion on December 25, 2007, 12:08:52 AM
Well, you can boot with the recovery console and replace the file manually, I thought that was your intention in the first place.
That way you make a backup now, and when (if) the system crashes you can set the hives back by overwriting the original files with the backed up ones...


:(
That would be too slow and, for novices, quite user-unfriendly.  :eek

Getting read & write access to those files would make the whole thing lightning-fast with a single click.

hutch--

This is my concern with the request: there is almost no reason at all to need to be able to read and write to the special system files unless you want to do something destructive to a running machine. If you needed a copy for some technical reason, you can make a copy by booting the machine from the installation disk and copying it that way, but accessing the file on the fly from a running OS version is a major security problem, much the reason why Microsoft protects the file so it cannot be easily messed with.

I would like to know why you need to access this file from a running OS and unless I am happy with the answer this topic will be closed and removed.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

masmuser

Quote from: hutch-- on December 25, 2007, 01:15:00 AM
I would like to know why you need to access this file from a running OS and unless I am happy with the answer this topic will be closed and removed.

Come on now. If I were a hacker, why would I come here? :boohoo: :boohoo:
You have successfully screwed the purpose of masm and this forum, fiddling with those macros and moving in circles. A bit more advanced coders are absolutely in the wrong place here.
You have completely kept it at a kindergarten level. More advanced discussions are beyond your knowledge and patience, and will be removed. What a power.

Sorry if I touched your ego with that code. But keep in mind an API like CreateFile does deserve to have its return value examined.
:boohoo:

hutch--

 :bg

Thanks for answering the question; it seems that you were up to no good, trying to access and modify special system files on a running machine. Virus and trojan writers get no mileage here and you are no exception; feel free to take your "advanced" lack of knowledge elsewhere, where you will be more appreciated and feel like you are in the company of your peers.