Hexing the Registry

by divarin

This article covers editing the Windows Registry without the convenience of the registry editor so as to bypass access restrictions.

For my purposes I wanted to turn off and on various services such as the messenger service but you can use these techniques to make just about any change you desire.

The heart of any Windows-based system, whether you're talking about Windows 9x, NT, 2000, or XP, lies in the system registry.  The registry is where just about all system settings are stored, as well as settings for most programs running on the system.  This article will not go into too much detail on the various registry keys because there's already plenty of knowledge out there on this matter.

It all started for me at work.

I use PuTTY to SSH into my home machine from work, but I like to cover my tracks so I would go into the system registry and remove the key cached by PuTTY, saving it into a .REG file on a floppy disk.  Then the next time I would go to use PuTTY I would just merge that .REG file's info into the registry, use PuTTY, then delete the keys again.  Even though the keys themselves would not be enough to decrypt the data packets of my SSH session or to gain access to my home machine, they were evidence that I was running a program that wasn't "approved" by the admins.

This all worked well until one day I tried to run REGEDIT only to find that I was stopped by a "Registry editing has been disabled by the system administrator" error.  Later I learned that I was the only employee to have this restriction.  I knew then that a game of cat-and-mouse had begun between me and one of the admins.  So the first thing I needed to do was find a way to edit a registry value without using REGEDIT.

It must be possible, since PuTTY is able to cache the key into the registry and PuTTY doesn't have any more access than I do.  I could go on and on about my trials and errors but it's time to get to the meat of the article.

The system registry files are kept in two places: NTUSER.DAT is kept in the C:\Documents and Settings\{USERNAME} directory and all other registry files are kept in C:\{WINDOWS}\System32\Config.

(Replace {USERNAME} with your username and {WINDOWS} with the name of your Windows directory - Windows, WinNT, WinXP, etc.)

Turns out the key I needed to change (DisableRegistryTools) was in NTUSER.DAT.

It's a user-specific setting, right?  Like I said, all of my coworkers could run REGEDIT, though where I work I'm the only one who knows what to do with it.  Well, in my corporate setting these XP boxes use a logon/logoff script system that copies your user-specific settings (NTUSER.DAT, desktop background, My Documents, IE settings, cache, history, etc.) to a server elsewhere, then when you log back on these settings are copied back so that when you move from one machine to another your settings move with you.

This turned out to be a huge advantage to me because you can't just edit a file that's in use and NTUSER.DAT, like all registry files, was always in use.

So I tracked down the offline copy of NTUSER.DAT (meaning the copy that was not in use now, but saved on a remote system) and I was able to use XP's DOS-like editor (edit) to unlock the registry:

C:> X:
X:> attrib -h NTUSER.DAT
X:> edit /70 NTUSER.DAT

Let me talk about edit /70 for a little bit.  It's important!  The /70 means:

  • This is a binary file, so use ghetto hex editor mode (shows the value of each character in the bottom-right corner of the screen).
  • Limit to 70 characters per line.

What's important is that on most systems this file will be too large to load into memory.  If this is the case you will be presented with a warning when you enter the editor.  If edit was unable to load the whole file, forget about editing this way or you'll end up corrupting the registry.  You'll need a real hex editor (such as UltraEdit).

What I did at this point was look for the string DisableRegistryTools and when I found it I simply changed the T in Tools to an F.  (Initially I was thinking the joke would be a boolean, T/F, True/False.  It wasn't until later I realized it said "Fools.")

I figured if XP couldn't find the key it would have to set it to a default value, which should be 0 (not disabled).  And I was right.

Then what I did was set the file to read only so that when I logged out the logoff script would not be able to overwrite the file with the current settings:

X:> attrib +r NTUSER.DAT

Logged out, back in, tada I could run REGEDIT again.

However, the next day I was unable to keep that file +r so they must have added attrib -r X:\NTUSER.DAT to the logout script.

Well, I could just not log out or I could unplug the Ethernet cable while I do.  But what's interesting is that they didn't disable the registry tools again.

I was able to remove my PuTTY SSH keys.  But then I started poking around in the rest of the registry thinking "You know I always hated that messenger service - it gives me a dialog box that says 'Your document has printed successfully' every time I print something."

Most NT/XP administrators administer their systems using point-and-click GUIs.  You ask them how to turn on or off a service and they say to click on "Control Panel", "Administrative Tools", "Services", etc.  But at this level the OS really pays attention to the user's rights and policies, and so I was unable to disable the service at this level.

So I dropped to the next level, somewhat like the DNA level, regedit.

I found the key "Messenger" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger and the DWORD value Start currently was set to 2.  What I wanted was to change that to 4.  (2 means automatic, 3 means manual, and 4 means disabled.)

Let's walk through the process.  When we try to change the value here to 4 we get an error, something like: "Unable to save changes."  Apparently our access restrictions are still taken into consideration at this level so it was time to drop down another level.  This is somewhat like the atomic level and to get there we're going to need two tools: a hex editor and a Windows 2000 CD-ROM or boot floppies.

What we need to do is hex edit the C:\Windows\System32\Config\System file, but you can't edit a file that's in use remember?  Unlike NTUSER.DAT this file is not copied to another system at logoff so there is no offline copy of it... yet.  This is where the Windows 2000 CD-ROM comes in.

We need to boot up to the recovery console in the Windows 2000 setup program to make a copy of the system file.

Why Windows 2000?  A long run-on paragraph can explain this but since I'm a nerd I'll use a chart instead:

CD-ROM             Why We Can't Use It
DOS/Win9x          No NTFS support.
Win XP             Asks for admin password.
Linux              Limited NTFS support, not enough to do what we need done.
NTFSDOS Pro        Supports NTFS4 but not NTFS5 which is used in XP.
Win NT4            Same problem as NTFSDOS Pro.
Win 2K             No reason!

If you don't have a Windows 2000 CD-ROM, don't fret.  You can get the boot disks (requires four floppy disks) from www.bootdisk.com.

Reboot the machine and boot off either those floppies or the CD-ROM.  I'll leave it up to you to deal with the boot sequence in case the admins have set the system up to not boot from CD or floppies.  There are ways around this by getting into the CMOS setup, but that's out of the scope of this article.

Now when given the choice say:

(R)epair

Then: (C)onsole

Then: (1) C:\Windows (or WinNT, whatever):

C:\Windows> mkdir C:\REGHACK
C:\Windows> copy System C:\REGHACK
1 file(s) copied

(You'll notice if you try to copy *.* it won't work.  You must copy one file at a time - strange...)

C:\Windows> exit

O.K., that's one part down.

Keep that Windows 2000 CD handy.  You'll be needing it soon.

Boot back into XP and load up your favorite hex editor.  In this article I will use UltraEdit-32 because it's nice, but any hex editor should do as long as you can do ASCII searches.

Load up your hex editor and use it to open the C:\REGHACK\System file.

Yeah, it's an alien language, isn't it?  I've used hex editors (and in my childhood a sector editor) to alter string values before but altering numeric values is a bit of a trick.

Let's continue with my example as we try to turn off the messenger service.

Do a search for "messenger".  Be sure you're searching ASCII, not hex.  You'll get a match.  In fact, repeat the search and you'll see you get a lot of matches.  I counted eight on my system.

So how do you know which one you really want to edit?  Load up REGEDIT and use it as a "map" to navigate your way around the binary data that is the system file.

Look at the key:

(Note:  Some lines cut off to save space in this article.)

NAME                 TYPE           DATA
(Default)            REG_SZ         (value not set)
DependOnGroup        REG_MULTI_SZ
DependOnService      REG_MULTI_SZ   LanmanWorkstation NetBIOS...
Description          REG_SZ         Transmits net send and...
DisplayName          REG_SZ         Messenger
ErrorControl         REG_DWORD      0x00000001 (1)
ImagePath            REG_SZ         %SystemRoot%\System32\svch...
ObjectName           REG_SZ         LocalSystem
Start                REG_DWORD      0x00000002 (2)
Type                 REG_DWORD      0x00000020 (32)

The DWORD value we want to change is labeled: Start

The value it is now is 2.  Let's go back to our hex editor and look at the first match:

00056d50h: 4D 65 73 73 65 6E 67 65 72 00 0A 00 48 00 4B 00 ; Messenger...H.K.

We don't see Start, or Type, or ErrorControl or anything else like that near here so let's move on to the next match.  (For this example I will use ? to replace strange extended ASCII characters that are font specific):

           01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16
000bca10h: 82 00 00 00 09 00 00 00 4D 65 73 73 65 6E 67 65 ; ,......Messenge
000bca20h: 72 00 00 00 00 00 00 00 30 FF FF FF 76 6B 04 00 ; r......????vk..
000bca30h: 04 00 00 80 20 00 00 00 04 00 00 00 01 00 00 00 ; ...? ..........
000bca40h: 54 79 70 65 00 00 00 00 08 00 00 00 28 BA 0B 00 ; Type.......(?..
000bca50h: E0 FF FF FF 76 6B 05 00 04 00 00 80 02 00 00 00 ; ????vk........
000bca60h: 04 00 00 00 01 00 00 00 53 74 61 72 74 00 00 00 ; .......Start...

And there it is!

Only three lines below Messenger you see Type and two lines below that, Start.

Now the trick is finding the value of Start.

DWORD values are easy to spot, if you know what you're looking for.  And what you're looking for is hex character 80, which is the euro (€) look'n symbol.  Here it's on line 000bca50h as the 12th byte.

Notice how the value for Start actually appears before the word Start.  Strange, huh?

The hex 80 character means that this is the start of a DWORD value.

DWORD is "double word."

A double word is two words, a word is just an expression for two bytes.  Therefore, a double word (DWORD) is four bytes.

So the next four bytes represent the value of Start.

This example shows 02 as the value because the messenger service is turned on (Start = 2, automatic).  You might think that a value of 2 represented in four bytes would look like 00 00 00 02, but that's thinking like a human.  Don't do that!

The bytes are read left to right starting with the lowest-order byte: x86 stores multi-byte integers little-endian, so 2 is stored as 02 00 00 00 and 4 as 04 00 00 00.

Well, 2 in hex is 2 in decimal, and 4 in hex is 4 in decimal.  So to turn off the messenger service, simply replace that 02 with 04 and then save the file.
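The bytes the article walks through above can be decoded mechanically, and it helps to know what the 80 byte actually is: in the regf hive format the four bytes before the value (04 00 00 80 here) are the value's data length read little-endian, 0x80000004, whose top bit says the data is at most 4 bytes and is stored inline in the next field; the DWORD type (04 00 00 00) comes later in the cell, followed by the name. The Python below is an added example, not code from the article: it re-types the Type and Start cells from the dump as a constructed byte string (the first cell's size field is assumed to be -32, like the Start cell), walks the cells, decodes each value's name, type and little-endian data, and maps the Start value to the names the article gives (2 automatic, 3 manual, 4 disabled). It only reads; a hive parser of this shape is what a forensic tool uses to pull the same value out of an offline SYSTEM file.

```python
import struct

# Constructed sample input for this example: the two "vk" (value) cells that the
# article's hex dump shows for HKLM\SYSTEM\...\Services\Messenger, re-typed from
# the dump. Each allocated cell starts with a 4-byte little-endian size that is
# negative while the cell is in use (E0 FF FF FF = -32); the 8-byte cell between
# them has a positive size, i.e. it is free space. The dump prints the first
# cell's size field differently; -32 is assumed here because a vk cell with a
# 4-byte name pads out to 32 bytes, exactly like the "Start" cell below it.
HIVE_FRAGMENT = bytes.fromhex(
    # Type = REG_DWORD 0x20 (cell bytes 000bca28h-000bca47h in the dump)
    "E0FFFFFF 766B 0400 04000080 20000000 04000000 01000000 54797065 00000000"
    # free 8-byte cell (000bca48h-000bca4fh)
    "08000000 28BA0B00"
    # Start = REG_DWORD 2 (000bca50h-000bca6fh)
    "E0FFFFFF 766B 0500 04000080 02000000 04000000 01000000 5374617274 000000"
)

# Layout of a vk cell after its size dword (regf hive format, little-endian):
#   2s  signature "vk"
#   H   name length
#   I   data length; bit 31 (the 80 in "04 00 00 80") set means the data is
#       4 bytes or shorter and is stored inline in the next field
#   I   inline data, or offset of a separate data cell relative to the hbin area
#   I   value type (1 = REG_SZ, 4 = REG_DWORD, ...)
#   H   flags; bit 0 set means the name is stored as 8-bit ASCII, not UTF-16
#   H   spare
# followed by the name bytes.
VK_HEADER = struct.Struct("<2sHIIIHH")
DATA_INLINE = 0x80000000
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4

# Service start types as named in the article.
START_TYPES = {2: "Automatic", 3: "Manual", 4: "Disabled"}


def dword_from_bytes(raw):
    """Decode 4 little-endian bytes: 02 00 00 00 -> 2, not 0x02000000."""
    return struct.unpack("<I", raw)[0]


def decode_data(vtype, raw):
    """Turn the raw value bytes into a Python value for the common types."""
    if vtype == REG_DWORD and len(raw) == 4:
        return dword_from_bytes(raw)
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_vk_cells(buf):
    """Walk the cells in buf and return {name: {...}} for every allocated vk cell."""
    values = {}
    off = 0
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from("<i", buf, off)
        if size == 0:
            break  # malformed fragment; stop rather than loop forever
        cell = buf[off + 4 : off + abs(size)]
        if size < 0 and cell[:2] == b"vk":
            sig, name_len, data_len, data_field, vtype, flags, _ = VK_HEADER.unpack_from(cell)
            raw_name = cell[VK_HEADER.size : VK_HEADER.size + name_len]
            name = raw_name.decode("latin-1") if flags & 1 else raw_name.decode("utf-16-le")
            inline = bool(data_len & DATA_INLINE)
            data_len &= 0x7FFFFFFF
            if inline:
                # The value itself sits where the data offset would otherwise be.
                raw = struct.pack("<I", data_field)[:data_len]
                value = decode_data(vtype, raw)
            else:
                # Longer data (REG_SZ strings etc.) lives in its own cell; a full
                # hive parser would follow data_field to read it.
                raw, value = None, None
            values[name] = {"type": vtype, "inline": inline, "raw": raw,
                            "value": value, "cell_offset": off}
        off += abs(size)
    return values


def describe_start(value):
    """Map a service's Start dword to the name the article uses for it."""
    return START_TYPES.get(value, "unknown (%d)" % value)


if __name__ == "__main__":
    values = parse_vk_cells(HIVE_FRAGMENT)
    for name, info in values.items():
        print("%-6s type=%d inline=%s raw=%s value=%s" % (
            name, info["type"], info["inline"], (info["raw"] or b"").hex(), info["value"]))
    print("Start =", describe_start(values["Start"]["value"]))
```

Running it prints Type as 32 and Start as 2 (Automatic); feeding the same parser a fragment where the inline bytes read 04 00 00 00 would report Disabled, which is the whole edit the article makes.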

Now just use your Windows 2000 boot CD/floppy to get back to the recovery console, make a backup of the registry before you mess things up, and copy over your changed system file:

C:\Windows> copy SYSTEM SYSTEM.BAK
C:\Windows> copy C:\REGHACK\SYSTEM .
Overwrite (Yes/No)?: Yes
C:\Windows> exit

That should do it.  The messenger service should now be disabled.

You can use this technique to make any change to the registry you want but know that some keys are in different files (system, software, NTUSER.DAT, etc.).

Finding the values is the real trick.  Also, if you are looking for a string value, take note that each character is separated by a 00h character (string data is stored as UTF-16, so every ASCII character is followed by a 00 byte).  Strange...

So if you are doing a search, be sure that regular expressions are turned on and add ? between each character: s?o?m?e???s?t?r?i?n?g???v?a?l?u?e
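Why the 00 separators appear, as an added example that is not the article's code: REG_SZ data is stored as UTF-16LE, so every ASCII character is followed by a 00 byte, while key and value names in these hives are normally stored as plain 8-bit characters (which is why the dump shows "Messenger" and "Start" unpadded). The Python below constructs a small sample with the key name in one encoding and a DisplayName string in the other, then shows three ways to search it: an exact ASCII search, an exact UTF-16LE search, and the wildcard trick from the paragraph above, which is looser than matching the UTF-16 bytes directly because the wildcard accepts any byte between letters, not only 00.

```python
import re

# Constructed sample input: the tail of a key cell like the one in the article's
# dump (the 8-bit bytes "Messenger" padded with zeros), followed by a constructed
# data cell holding the REG_SZ DisplayName "Messenger" the way the hive stores
# string values: UTF-16LE, i.e. a 00 byte after every ASCII character.
KEY_NAME_CELL = b"\x82\x00\x00\x00\x09\x00\x00\x00" + b"Messenger" + b"\x00" * 7
STRING_DATA_CELL = b"\xe8\xff\xff\xff" + "Messenger\x00".encode("utf-16-le")
SAMPLE = KEY_NAME_CELL + STRING_DATA_CELL


def find_ascii(buf, text):
    """Offsets where text appears as plain 8-bit characters (key and value names)."""
    needle = text.encode("latin-1")
    return [m.start() for m in re.finditer(re.escape(needle), buf)]


def find_utf16(buf, text):
    """Offsets where text appears as a UTF-16LE string (REG_SZ / REG_MULTI_SZ data)."""
    needle = text.encode("utf-16-le")
    return [m.start() for m in re.finditer(re.escape(needle), buf)]


def wildcard_pattern(text):
    """The editor-side trick from the article: a single-character wildcard between
    letters so an ASCII regex search lines up with the 00 separators."""
    return "?".join(text)


def find_wildcard(buf, text):
    """Python equivalent of that wildcard search: any one byte may sit between
    letters.  Looser than find_utf16, since it also matches runs like M.e.s.s
    that are not UTF-16 at all."""
    pattern = b".".join(re.escape(c.encode("latin-1")) for c in text)
    return [m.start() for m in re.finditer(pattern, buf, re.DOTALL)]


if __name__ == "__main__":
    print("ASCII   :", find_ascii(SAMPLE, "Messenger"))
    print("UTF-16LE:", find_utf16(SAMPLE, "Messenger"))
    print("pattern :", wildcard_pattern("Messenger"), "->", find_wildcard(SAMPLE, "Messenger"))
```

The plain ASCII search finds only the key name at offset 8; both the UTF-16LE search and the wildcard search find the string value at offset 28, which is the match a hex editor without a UTF-16 search mode would otherwise miss.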

P.S. Yes, I have attempted to load my copied registry files into the registry editor with the /L and /R options but that trick doesn't seem to work anymore.  Perhaps it was taken out in XP or perhaps it only works on exported key files.
