Open a Registry storage file
in [Win32 Kernel]
|
From: Ketchup on 14 Dec 2008 12:27 First, I apologize if I am posting this in the wrong newsgroup. I searched for a while and couldn't figure out where this go. I am trying to figure out if I can open a registry storage file and read data from it. The files that I specifically need to open are the ones for users that are not currently logged on, the NTUSER.DAT files. I am assuming that the procedure would be similar for SYSTEM and SOFTWARE. I have been reading the win32 documentation on the Registry and can't quite figure out how to do this. RegLoadAppKey function appears to be able to load entire hives, but the documentation says that the keys cannot be enumerated. How do I load an entire hive into memory and retrieve values from it? thanks!
From: Pavel A. on 14 Dec 2008 12:39 Ketchup wrote: > First, I apologize if I am posting this in the wrong newsgroup. I searched > for a while and couldn't figure out where this go. > > I am trying to figure out if I can open a registry storage file and read > data from it. The files that I specifically need to open are the ones for > users that are not currently logged on, the NTUSER.DAT files. I am > assuming that the procedure would be similar for SYSTEM and SOFTWARE. I > have been reading the win32 documentation on the Registry and can't quite > figure out how to do this. RegLoadAppKey function appears to be able to > load entire hives, but the documentation says that the keys cannot be > enumerated. How do I load an entire hive into memory and retrieve values > from it? > Use RegLoadKey. RegLoadAppKey requires Vista or Win2008. --PA
From: Alan Carre on 14 Dec 2008 14:59 "Ketchup" <ketchup(a)ketchup.com> wrote in message news:ObAswEhXJHA.868(a)TK2MSFTNGP06.phx.gbl... > First, I apologize if I am posting this in the wrong newsgroup. I > searched for a while and couldn't figure out where this go. > > I am trying to figure out if I can open a registry storage file and read > data from it. The files that I specifically need to open are the ones for > users that are not currently logged on, the NTUSER.DAT files. I am > assuming that the procedure would be similar for SYSTEM and SOFTWARE. I > have been reading the win32 documentation on the Registry and can't quite > figure out how to do this. RegLoadAppKey function appears to be able to > load entire hives, but the documentation says that the keys cannot be > enumerated. How do I load an entire hive into memory and retrieve values > from it? > > thanks! If that's all you plan to do (I mean open NTUSER.DAT for various users) then you could launch your app "as that user" and then use the regular registry functions (RegOpenKeyEx, RegQueryValueEx and so on). If you want to do this on-the-fly then I think you can "impersonate" another user with functions like SetThreadToken et al (see Access Control functions). Once you've managed to impersonate another user, I believe the registry functions will retrieve data from the impersonated user's NTUSER.DAT file. You can always re-launch your program as another user at the command line using "runas" or programatically using CreateProcessAsUser. As administrator I think you can bypass the password requirement (after all, you can change a user's password if you're logged on as admin). That would be my guess anyway... - Alan Carre BTW. If you want to enumerate all users for a specific machine just take your own SID and start walking from user # 500 upwards (500 == administrator) to about 2000 and check for user existence of those SID's. By "user #" I mean the last entry in the SID, for instance on my machine Administrator has SID = S-1-5-21-1957994488-859874398-725244543-500 or something like that. The preceeding digits are the same for all users.
From: Tommy on 14 Dec 2008 15:21 Ketchup wrote: > First, I apologize if I am posting this in the wrong newsgroup. I searched > for a while and couldn't figure out where this go. > > I am trying to figure out if I can open a registry storage file and read > data from it. The files that I specifically need to open are the ones for > users that are not currently logged on, the NTUSER.DAT files. I am > assuming that the procedure would be similar for SYSTEM and SOFTWARE. I > have been reading the win32 documentation on the Registry and can't quite > figure out how to do this. RegLoadAppKey function appears to be able to > load entire hives, but the documentation says that the keys cannot be > enumerated. How do I load an entire hive into memory and retrieve values > from it? I was just able to do it from an embedded XP boot CD with this application: http://regeditpe.sourceforge.net/ This comes with source code, but it asked to many questions, which hive, what users, etc, and there was 2nd editor which was quick to load (I don' remember off hand the name). However, I see now from the web page, the one I had was a 2006 version and the new one at the above web site is a 2007 version and from the instructions, no QUESTIONS are ask, it just loads like the other one I was using. Of course, this is offline when the OS is locking the files. But maybe you can see from the source code what it is doing. --
From: m on 14 Dec 2008 15:54
This is a very bad idea! Changing passwords to read from some unloaded registry hive would be a 'feature' of your software that no user would enjoy. Inferring users from SID layout is utter stupidity when there are documented APIs that will give you exact information without hacking the undocumented and subject to change SID format - look at NetUserEnum in MSDN. "Alan Carre" <alan(a)twilightgames.com> wrote in message news:uycnpZiXJHA.2440(a)TK2MSFTNGP06.phx.gbl... > "Ketchup" <ketchup(a)ketchup.com> wrote in message > news:ObAswEhXJHA.868(a)TK2MSFTNGP06.phx.gbl... >> First, I apologize if I am posting this in the wrong newsgroup. I >> searched for a while and couldn't figure out where this go. >> >> I am trying to figure out if I can open a registry storage file and read >> data from it. The files that I specifically need to open are the ones >> for users that are not currently logged on, the NTUSER.DAT files. I am >> assuming that the procedure would be similar for SYSTEM and SOFTWARE. I >> have been reading the win32 documentation on the Registry and can't quite >> figure out how to do this. RegLoadAppKey function appears to be able to >> load entire hives, but the documentation says that the keys cannot be >> enumerated. How do I load an entire hive into memory and retrieve >> values from it? >> >> thanks! > > If that's all you plan to do (I mean open NTUSER.DAT for various users) > then you could launch your app "as that user" and then use the regular > registry functions (RegOpenKeyEx, RegQueryValueEx and so on). If you want > to do this on-the-fly then I think you can "impersonate" another user with > functions like SetThreadToken et al (see Access Control functions). Once > you've managed to impersonate another user, I believe the registry > functions will retrieve data from the impersonated user's NTUSER.DAT file. > > You can always re-launch your program as another user at the command line > using "runas" or programatically using CreateProcessAsUser. As > administrator I think you can bypass the password requirement (after all, > you can change a user's password if you're logged on as admin). > > That would be my guess anyway... > > - Alan Carre > > BTW. If you want to enumerate all users for a specific machine just take > your own SID and start walking from user # 500 upwards (500 == > administrator) to about 2000 and check for user existence of those SID's. > By "user #" I mean the last entry in the SID, for instance on my machine > Administrator has > > SID = S-1-5-21-1957994488-859874398-725244543-500 > > or something like that. The preceeding digits are the same for all users. > > > |