Windows Registry
An introduction to the registry editor

What is the Windows Registry?
• A hierarchical database of computer system settings, hardware configurations, and user preferences.
• The Windows Registry stores:
  – Software settings
  – Windows configuration settings
  – User profiles
  – Password hashes and account settings

Registry Terminology
• The registry is created when Windows boots, using data from several files
• Each file stores one or more hives
• Each hive is made up of keys and subkeys
• Each key has one or more values and value data

Windows Registry
• Hives are a logical group of keys, subkeys and values:
  1) HKEY_CLASSES_ROOT
  2) HKEY_CURRENT_USER
  3) HKEY_LOCAL_MACHINE
  4) HKEY_USERS
  5) HKEY_CURRENT_CONFIG

Windows Registry Hives
HKEY_CLASSES_ROOT (HKCR) - Contains information about file types, filename extensions, and other details related to files. It tells Windows how to handle different file types, and controls basic interface options like double-clicking and context menus.

HKEY_CURRENT_USER (HKCU) - Contains configuration information about the setup of the person currently logged into Windows. It controls the desktop, as well as Windows-specific appearance and behavior for that individual user, including screen colors and the arrangement of the desktop. It also manages the connections to the network and to devices like digital cameras or printers.

HKEY_LOCAL_MACHINE (HKLM) - Contains information about the computer itself, as well as the operating system. It includes specific details about all hardware, including the keyboard, printer ports, and storage devices. It also has information about security settings, installed software, system startup, drivers, and other services, like the ability to automatically connect to wireless networks.
HKEY_USERS (HKU) - Contains information about every user profile on the system.

HKEY_CURRENT_CONFIG (HKCC) - Contains information about the system's current hardware setup, in the same way that HKEY_CURRENT_USER contains information about whoever is logged into the system at the moment. It has details like the type of hard disk installed in your PC.

Windows Registry
• A list of active hives is kept in the registry itself at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

Windows Registry Files
The following table lists the standard hives and their supporting files:

  Registry hive                  Supporting files
  HKEY_CURRENT_CONFIG            System, System.alt, System.log, System.sav
  HKEY_CURRENT_USER              Ntuser.dat, Ntuser.dat.log
  HKEY_LOCAL_MACHINE\SAM         Sam, Sam.log, Sam.sav
  HKEY_LOCAL_MACHINE\Security    Security, Security.log, Security.sav
  HKEY_LOCAL_MACHINE\Software    Software, Software.log, Software.sav
  HKEY_LOCAL_MACHINE\System      System, System.alt, System.log, System.sav
  HKEY_USERS\.DEFAULT            Default, Default.log, Default.sav

These files are located in %systemroot%\System32\Config and at %userprofile%\Username.

The following table lists the registry file extensions and what they mean:

  .alt   A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file.
  .log   A transaction log of changes to the keys and value entries in the hive.
  .sav   Copies of the hive files as they looked at the end of the text-mode stage in Setup.

Windows Registry
• Value names have data assigned to them
• The data type can be:
  – String
  – Binary
  – DWORD
  – Multi-String
  – Expandable String

Windows Registry Data Types
Data type: String
A string consists of plain readable text.
String values are the most common values used in the Registry. All string values are indicated by an AB icon, which makes sense since the data type is readable text. There are 3 types of STRING: REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ.

Data type: String (REG_SZ)
This is the main type of string data used in the registry. "YES" or "NO" are common REG_SZ values, as are command line strings such as "C:\Program Files\Outlook Express" or even phrases or complete sentences (like error messages). A string can also consist of numbers. Colors, for example, are usually stated numerically in the registry. Examples of numeric string values are at HKEY_CURRENT_USER\Control Panel\Colors.

Data type: Expandable String (REG_EXPAND_SZ)
This is an "expandable" string value holding a variable. Example: %SystemRoot% and %UserName% are variables that are used to indicate the System folder and the name of the logged-in user. Windows will replace (or EXPAND) the variable with the full path when the command is called. By using a variable, you do not need to know the drive letter on which the user has Windows installed.

Data type: Multi-String (REG_MULTI_SZ)
A multiple string array type made up of characters and numbers, used for entering more than one value, each one separated by a NULL character.
Example: This multi-string value consists of 4 entries:
  eqnclass.dll,CoInstallClass
  spxcoins.dll,SpxClassCoInstaller
  dgsetup.dll,DigiMultiPortCoInstaller
  dgrpsetu.dll,DigiMultiPortCoInstaller
Note: Because the NULL character is used to separate values, entering these from the keyboard can be difficult. It is often easier to copy an existing multi-string value and edit it.

Data type: Binary (REG_BINARY)
Binary is used most commonly with hardware and configuration settings.
The data is usually displayed in hex format.

Data type: DWORD (REG_DWORD)
DWORD data types also consist of binary data, but two points distinguish them from binary types:
1. The binary data that can be entered is limited to 32 bits (4 bytes) in length.
2. The binary data can be entered in hexadecimal or decimal format.

Editing the Windows Registry
Windows comes with a utility called Regedit for editing the registry data. You can start Regedit by going to the Start button, choosing Run... and then entering regedit.

The Regedit Edit menu is for creating, renaming and searching the registry data. From the Edit menu, you can create new keys, subkeys, values and data. You can also:
• Modify the permissions on registry elements
• Search for keys, subkeys, values and data

The Regedit File menu is for importing and exporting the registry data. From the File menu, you can import one or many registry keys, subkeys, values and data. You can also:
• Export registry data for backup or for copying to another computer
• Load a hive file from another computer or from a user that is not logged in.
As an example edit, here is how to change the settings for Internet Explorer so that pop-up windows are allowed from all websites in the *.ncsu.edu domain. The objective is to create a value and data in this key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\New Windows\Allow
1. First double-click on keys in the HKEY_LOCAL_MACHINE hive until you get to the Microsoft key.
2. Then create keys for Internet Explorer, New Windows and Allow.
3. Then create a String Value called *.ncsu.edu.
4. Then enter data of *.ncsu.edu.
The resulting value under the Allow key, written as name = data, is:
  "*.ncsu.edu"="*.ncsu.edu"

As a second example edit, here is how to change the settings for Remote Desktop so it uses a different port than the default, 3389. The objective is to alter a data value at this key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP-Tcp\PortNumber

Backing Up the Windows Registry
Since this key already exists, make a backup of the current values using the File | Export menu. Enter a name for the backup like RDP-orig.

Editing the Windows Registry
1. Double-click on PortNumber and select Decimal.
2. Enter a new number, like 3903.
Note: For this change to work, also change the PortNumber in this key:
  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
This will change RDP to use port 3903 instead of 3389. Next, change the firewall to allow connections to the new port, 3903.
You could use the Windows Firewall configuration tool, but as you might expect, the firewall settings are stored in the registry at these keys:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

Create a port exception for port TCP 3903:
1. In Regedit, go to this key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
2. Create a string value named 3903:TCP
3. Enter value data of 3903:TCP:*:Enabled:Remote Desktop

- Modify the Windows Firewall configuration settings for both the Standard Profile at:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- and the Domain Profile at:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
- These edits will work with Windows XP and Windows Vista.

Importing and Exporting Windows Registry Data
- When you export data with the File | Export option, the data from the selected key or subkey is written to a file with a .reg extension.
Example .reg file to update the Windows Firewall for OfficeScan:

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
  "21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
  "21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"

Editing the Windows Registry using .REG files
When you double-click or import a .reg file, the settings in the file are copied into the registry keys named in the file. Registry keys and subkeys are created using the tree structure described in the .reg file. The values listed in the .reg file are created and assigned the data given in the .reg file. If keys or values with the same names already exist, they are replaced with the information in the .reg file.
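As an added example (not from the original slides), the following Python helper parses and validates the GloballyOpenPorts\List entry format used above (port:protocol:scope:state:description) and renders a .reg file that adds an exception to both the Standard and Domain profiles, as the OfficeScan example does; the audit function flags entries that are enabled for any remote host. The scope check accepts only the two forms the page shows, "*" and network/mask.

```python
import ipaddress
from dataclasses import dataclass

FIREWALL_POLICY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
PROFILES = ("StandardProfile", "DomainProfile")   # the page edits both profiles


@dataclass
class PortException:
    port: int
    protocol: str     # "TCP" or "UDP"
    scope: str        # "*" (any remote host) or "network/mask", the two forms shown on the page
    enabled: bool
    name: str         # free-text description shown in the firewall UI

    def value_name(self):
        return f"{self.port}:{self.protocol}"

    def value_data(self):
        state = "Enabled" if self.enabled else "Disabled"
        return f"{self.port}:{self.protocol}:{self.scope}:{state}:{self.name}"


def parse_port_exception(data):
    """Split a GloballyOpenPorts\\List entry into its five fields, validating each one."""
    parts = data.split(":", 4)      # the description is last, so it may itself contain colons
    if len(parts) != 5:
        raise ValueError(f"expected port:proto:scope:state:name, got {data!r}")
    port, proto, scope, state, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port {port!r}")
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"bad protocol {proto!r}")
    if scope != "*":
        ipaddress.ip_network(scope, strict=False)   # raises on anything that is not net/mask
    if state not in ("Enabled", "Disabled"):
        raise ValueError(f"bad state {state!r}")
    return PortException(int(port), proto, scope, state == "Enabled", name)


def reg_file(exceptions):
    """Render a .reg file that adds each exception to both profiles' GloballyOpenPorts\\List."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for profile in PROFILES:
        out.append(f"[{FIREWALL_POLICY}\\{profile}\\GloballyOpenPorts\\List]")
        for e in exceptions:
            out.append(f'"{e.value_name()}"="{e.value_data()}"')
        out.append("")
    return "\n".join(out)


def audit(exceptions):
    """Value names of entries that are enabled for any remote host: the broadest possible scope."""
    return [e.value_name() for e in exceptions if e.enabled and e.scope == "*"]
```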
If the keys already exist, the values in the .reg file are merged with those in the registry.

• It is possible to delete keys or values by placing a minus sign in front of the key name or after the equal sign:
    [-HKEY_LOCAL_MACHINE\Software\Test]

    [HKEY_LOCAL_MACHINE\Software\Test]
    "TestValue"=-
• If a key in a .reg file is preceded by a minus sign, the key, its subkeys, and value names are deleted
• If a "ValueName"=- line is present in a .reg file, the value name is deleted
• To rename a key or value using a .reg file, first delete the item and then add the data with a new name
• To rename a key or value using Regedit, select the item, right-click and choose Rename
• To avoid the "Are you sure?" prompt when importing, use the /s option in your script:
    regedit /s test.reg
• To export the full registry to the file full.reg:
    regedit /e full.reg
• To export individual registry keys:
    regedit /e software.reg "HKEY_LOCAL_MACHINE\Software"

Searching the Windows Registry
If you need to find occurrences of a particular string in registry key names, values or data, use the Edit | Find menu of regedit.exe. The search starts from the highlighted position and goes downward in the registry window, so you may need to select My Computer to search through all hives.

If you need to replace all occurrences of a registry string with another string, you may be able to accomplish this by:
1. Exporting the keys to a .REG file
2. Searching and replacing the strings in the text file with a text editor
3. Importing the .REG file.
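The merge and delete rules above, together with the stale Run-key check described later under Useful Registry Edits, as one added Python example (not from the original slides): a minimal .reg parser that applies a file to an in-memory registry model, run here over constructed sample files, followed by a check that reports startup entries whose program cannot be found. String, dword and delete syntax are handled; hex: values are not.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
RUN_KEYS = tuple(  # startup keys named on the page; lower-case, as the registry ignores case
    f"{hive}\\software\\microsoft\\windows\\currentversion\\{name}"
    for hive in ("hkey_current_user", "hkey_local_machine")
    for name in ("run", "runonce", "load"))

# Constructed sample input (not from the page): a merge file, then a file that deletes from it
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Test]
"TestValue"="keep me"
"Obsolete"="remove me"
[HKEY_LOCAL_MACHINE\Software\Test\Sub]
"Flag"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"
"Stale"="C:\\old\\tool.exe"
"""
DELETE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Test]
"Obsolete"=-
[-HKEY_LOCAL_MACHINE\Software\Test\Sub]
"""

def parse_value(raw):
    """Decode the right-hand side of a "name"=... line; None means 'delete this value'."""
    if raw == "-":
        return None
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo the \\ and \" escaping
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                       # REG_DWORD, written as 8 hex digits
    raise ValueError(f"unsupported value syntax: {raw}")

def apply_reg(text, registry):
    """Merge .reg text into `registry` (lower-case key path -> dict of values) with the page's
    rules: keys created or merged, same-named values replaced, [-KEY] drops the key and its
    subkeys, "Name"=- drops one value."""
    lines = [line.strip() for line in text.splitlines()]
    if not lines or lines[0] != HEADER:
        raise ValueError("missing .reg header")
    current = None
    for line in lines[1:]:
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].lower()
            if path.startswith("-"):
                for k in [k for k in registry if k == path[1:] or k.startswith(path[1:] + "\\")]:
                    del registry[k]
                current = None
            else:
                current = registry.setdefault(path, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m is None or current is None:
            continue                                  # blank/comment line, or a value after [-KEY]
        name = "" if m.group(1) == "@" else m.group(1)[1:-1]
        value = parse_value(m.group(2))
        if value is None:
            current.pop(name, None)
        else:
            current[name] = value
    return registry

def broken_startup_entries(registry, exists):
    """List (key, value name, program) for Run-key commands whose program is missing;
    `exists` is a path predicate so the check can run over an offline hive or a test set."""
    broken = []
    for key in RUN_KEYS:
        for name, cmd in registry.get(key, {}).items():
            if not isinstance(cmd, str):
                continue
            m = re.match(r'^\s*"([^"]+)"|^\s*(\S+)', cmd)   # quoted first token, else first word
            program = (m.group(1) or m.group(2)) if m else cmd
            if not exists(program):
                broken.append((key, name, program))
    return broken
```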
There are also third-party utilities to do this, such as Registry Toolkit from https://www.funduc.com and Registry Search + Replace (also from funduc.com). Beware that there are lots of "Registry Cleaner" type programs that are trojans.

• Finding settings in the Windows Registry can be difficult because there is no standard naming convention for registry keys, values and data
• The website jsiinc.com was a good online resource for finding which registry keys control a setting
• You may find search engine results that refer to jsiinc.com. These are usually very helpful
• The JSI website is still available on the internet archive site, web.archive.org
• The Microsoft Knowledge Base is also a good source for clues about what registry keys do

Registry Permissions
Like files and directories, registry keys have security permissions to control who can view, alter and delete registry data. You can view or change the permissions for a key by selecting the key and using the Edit | Permissions menu.

The general permissions are Read, Full Control and Special Permissions. The Special Permissions can be configured using the Advanced button:

  Permission              Definition
  QV  Query Value         allows the assigned user or group to read the settings of a value entry located in the Registry
  SV  Set Value           allows the assigned user or group to set the value of a value entry located in the subkey
  CS  Create Subkey       allows the assigned user or group to create a subkey located in this selected subkey
  ES  Enumerate Subkeys   allows the assigned user or group to identify all the subkeys in the selected subkey
  NT  Notify              allows the assigned user or group to receive audit notifications from this subkey
  DE  Delete              allows the assigned user or group the right to delete the subkey
  WD  Write DAC           allows the assigned user or group the right to read the discretionary access control list for the selected subkey
  CL  Create Link         allows the assigned user or group to create a symbolic link to this subkey
  WO  Write Owner         allows the assigned user or group the right to take ownership of the subkey
  RC  Read Control        allows the assigned user or group the right to read the access control list

• When a key is created, it inherits its permissions from its parent key
• As with files and directories, it is possible to set the permissions of a key different from its parent key and to break the inheritance of permissions if needed.
• Values do not have permissions; only keys and subkeys have permissions

Since password hashes and other security data are stored in the SAM hive, keys in the SAM hive have special permissions. You must run Regedit as the SYSTEM user to view the SAM hive. Start a SYSTEM shell with:
  at 22:08 /interactive "c:\windows\regedit.exe"
where 22:08 is a time a minute or more in the future and Windows is installed at c:\windows. At the time specified in the command, Regedit will run and you will be able to see the SAM information on the computer. Notice that the Administrator has no access; only the SYSTEM user is supposed to read SAM information.

Useful Registry Edits
Here are some things you can change with registry edits:

Alter the DNS cache time from the default of 1 day to 30 minutes:
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
  "MaxCacheTtl"=dword:00000708

Turn on file name completion in the DOS window:
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
  "CompletionChar"=dword:00000009
  "EnableExtensions"=dword:00000001
  "PathCompletionChar"=dword:00000040

Disable Dynamic DNS in the TCP/IP parameters:
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
  "DisableDynamicUpdate"=dword:00000001
  "DisableReverseAddressRegistrations"=dword:00000001

Find the list of programs that run at startup in these Run keys:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  HKCU\Software\Microsoft\Windows\CurrentVersion\Load
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  HKLM\Software\Microsoft\Windows\CurrentVersion\Load
The values of these keys, and of others that control startup programs, are listed on the Startup tab of the msconfig utility. However, you cannot change them from that program. If you see a 'path not found' or 'file not found' error at login, it may be because one of the Run key values has the wrong filename or directory. This can be corrected with Regedit.

The uninstall path for applications is stored at:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
If you are having trouble getting the uninstaller to run, perhaps because a drive letter or a directory name changed, you can fix the problem by editing the path in the Uninstall key.

Windows can synchronize time with the government NIST time server. Enter the name of the time server in the following key:
  HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProvider\NtpClient\NtpServer = hostname,0x1

Registry Forensics
The registry stores all kinds of information about how Windows is being used and what a user is doing when logged in.
The registry stores:
• List of terms entered into the Windows File Search tool
• History of commands entered in the Start | Run menu choice
• History of mapped drives
• History of mounted USB devices (cameras, flash drives, printers)
• Recent file lists for Microsoft Word, Excel, PowerPoint, Access, and WordPad
• URLs typed into Internet Explorer, Windows Media Player and Firefox
• Internet Explorer saved passwords and URL pairs
• List of wireless networks used
• Other information listed at: http://windowsxp.mvps.org/RegistryMRU.htm

The registry also stores a list of all applications run on the computer and a count of how many times each was launched. This includes applications run by double-clicking on a document, shortcut or Control Panel applet. Along with the count mentioned above, the registry stores the last time the application was run. Using this information, it is possible to see what program was launched, when it was launched and how many times it was launched. For a list of registry keys and how to read them, see: http://www.forensicswiki.org/wiki/Windows_Registry

Loading Offline Registry Hives
The Windows Registry is stored in several files located in the Windows folders and in the user's profile space. There are also backups of the registry in Windows restore points, located in the \System Volume Information folder; registry backups have the word _REGISTRY_ in the file name. These hive files can be loaded into Regedit.

Here is how to load a hive from a file:
1. Run Regedit and select the HKEY_LOCAL_MACHINE hive to activate the Load Hive menu.
2. After selecting Load Hive... browse to the hive file and open it.
3. When prompted for a Key Name, enter something to describe the hive.

Here an ntuser.dat file has been loaded with the Key Name default-user. The hive will show up in Regedit under the HKEY_LOCAL_MACHINE hive. If you make changes to the loaded hive and want to save them:
1. Select the Key Name of the loaded hive (default-user in the example above)
2. Choose File | Unload Hive...

Registry Backup Tools
There are several ways to back up the registry:
• One way is to copy the files (SAM, Security, Software, System and Default) from the \Windows\system32\config directory. These cannot be copied when Windows is running, but can be copied from the Recovery Console.
• A second way to make a registry backup is to manually create a Windows restore point.

To create a restore point in Windows XP:
1. Click Start, click Run, type %SystemRoot%\system32\restore\rstrui.exe, and then click OK.
2. On the Welcome to System Restore page, click Create a restore point, and then click Next.
3. On the Create a Restore Point page, type a name for the restore point and then click Create.
4. After the restore point has been created, click Close.

To restore the registry in Windows XP:
1. Click Start, click Run, type %SystemRoot%\System32\Restore\Rstrui.exe, and then click OK.
2. On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next.
3. On the Select a Restore Point page, click the system checkpoint. In the On this list select the restore point area, click an entry that is named "Guided Help (Registry Backup)," and then click Next. If a System Restore message appears that lists configuration changes that System Restore will make, click OK.
4. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration and then restarts the computer.
5. Log on to the computer. When the System Restore confirmation page appears, click OK.

To back up the registry in Windows Vista using a restore point:
1. Click Start, type systempropertiesprotection in the Start Search box, and then press ENTER.
2. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
3. Wait for Windows to search for available disks and most recent restore points. In the System Properties dialog box, on the System Protection tab, click Create.
4. Type a name for the restore point and then click Create.
5. After the restore point has been created successfully, click OK two times.
Note: If System Restore is turned off, click to select the local disk, click Apply and then click Create.

To restore the registry in Windows Vista using a restore point:
1. Click Start, type systempropertiesprotection in the Start Search box, and then press ENTER.
2. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
3. In the System Properties dialog box, on the System Protection tab, click System Restore.
4. In the System Restore dialog box, select Choose a different restore point, and then click Next.
5. Select the restore point that you want to use, and then click Next.
6. Confirm your restore point, and then click Finish. System Restore restores the selected Windows Vista configuration and then restarts the computer.
7. Log on to the computer. When the System Restore confirmation page appears, click OK.

There are several ways to back up the registry. Another is to make a System State backup and then restore it to an alternate location. When you restore the System State backup, you can restore to the running system (this is the default) or to an alternate location. If you want to edit or view the registry copy, restore to an alternate location.
Note: There is a copy of the registry from the last System State backup in \Windows\Repair.