You are here: CodeIdol.com > Unix > Knoppix Linux > Rescue Windows > 76 Edit The Windows Registry

Hack 76 Edit the Windows Registry

Difficulty rating: expert

The chntpw tool not only resets an Administrator password, but it also comes with a full-fledged registry editor. This makes it a useful tool for solving other types of Windows problems (e.g., deleting the registry keys put in place by a virus or worm) without booting into Windows.

The chntpw tool mentioned in [Hack #75] works by changing values in the Windows registry. The same ability lets you navigate through the Windows registry, much as you would navigate a Linux filesystem, and edit values. While this can be useful in a pinch, it is recommended that you edit your registry with the tools included in Windows, such as regedit.exe. This example assumes that you are using chntpw to edit a registry value that is preventing Windows from booting.

Directly editing your Windows registry can be very risky and should be left to seasoned Windows administrators. One bad change could render your machine unbootable. Always back up your complete registry, and make sure you know what you are doing before attempting to change things.


7.7.1 Prepare to Edit the Registry

First, obtain the chntpw tool [Hack #75] to edit the registry. This example assumes that you are editing the registry of a Windows partition on /dev/hda1. If /dev/hda1 is a FAT or FAT32 partition, click the hard-drive icon to mount it, then right-click the icon and choose Actions > Change Read/Write Mode. You can also type the following command:

knoppix@ttyp1[knoppix]$ mount /dev/hda1

If the partition is NTFS, follow the steps in [Hack #73], and then mount it with:

knoppix@ttyp1[knoppix]$ sudo mount -t captive-ntfs -o uid=knoppix,gid=knoppix /dev/hda1 /mnt/hda1

7.7.2 Getting to Know Your Registry

After you mount the filesystem, you must find where Windows is storing the registry. This is actually more difficult than just finding some Registry.reg file tucked away in a corner of your filesystem. Windows stores sections of the registry in different files called hives, located in different directories on the drive. (I like to think they are called "hives" because it's easy to get stung while you are poking around in them!) Most of the important hives (DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM) are stored under systemroot\System32\Config, where systemroot is usually WINNT or Windows on Windows 2000 or newer systems. The remaining hive is located in the NTuser.dat file, which is located in Documents and Settings\username or in systemroot\Profiles\username. These files correspond to specific hives in the registry, as listed in the following table:

Registry key name              Hive filename
HKEY_CURRENT_CONFIG            SYSTEM
HKEY_CURRENT_USER              NTuser.dat
HKEY_LOCAL_MACHINE\SAM         SAM
HKEY_LOCAL_MACHINE\SECURITY    SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE    SOFTWARE
HKEY_USERS\DEFAULT             DEFAULT


7.7.3 Edit the Registry

Once you decide which registry keys you need to edit and which hive they are in, open a terminal and change to the directory containing that hive's file. For this example, I change the value of my SystemRoot registry key to point to E:\WINDOWS instead of D:\WINDOWS because I have changed my partitioning scheme, and I must move my WINDOWS directory to a different partition. To find the location of your registry keys, browse in chntpw, browse regedit under Windows, or search the Web for information about the location of your key. In my case, the key is located under the following directory:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\

I must open the corresponding hive file, SOFTWARE, with chntpw:

knoppix@ttyp1[config]$ /home/knoppix/chntpw -e SOFTWARE

chntpw version 0.99.2 040105, (c) Petter N Hagen

Hive's name (from header): <emRoot\System32\Config\SOFTWARE>

ROOT KEY at offset: 0x001020

Page at 0x7f2000 is not 'hbin', assuming file contains garbage at end

File size 8388608 [800000] bytes, containing 1967 pages (+ 1 headerpage)

Used for data: 166446/8253944 blocks/bytes, unused: 1069/10280 blocks/bytes.

Simple registry editor. ? for help.



[1020] >

The last line is a command prompt that accepts a limited number of shell-like commands to browse through the registry structure and to edit values. Type a question mark (?) and hit Enter. The following list of commands and their syntax appears:

[1020] > ?

Simple registry editor:

hive [<n>] - list loaded hives or switch to hive numer n'

cd <key> - change key

ls | dir [<key>] - show subkeys & values,

cat | type <value> - show key value

st [<hexaddr>] - show struct info

nk <keyname> - add key

dk <keyname> - delete key (must be empty. recursion not supported yet)

ed <value>            - Edit value

nv <type> <valuename> - Add value

dv <valuename>        - Delete value

delallv               - Delete all values in current key

debug - enter buffer hexeditor

q - quit

The main commands that you use are ls and cd, much in the same way as on the command line. However, instead of directories, you list the contents of registry keys. Type ls to see a list of keys in this hive and cd to go inside a specific key:

[1020] > ls

ls of node at offset 0x1024

Node has 12 subkeys and 0 values

offs          key name

[  11b8]   <Aureal>

[  1958]   <C07ft5Y>

[  1a30]   <Classes>

[637248]   <Clients>

[63bbc8]   <Gemplus>

[63bde0]   <Microsoft>

[7c9978]   <ODBC>

[7ccc80]   <Policies>

[7d8750]   <Program Groups>

[7d87d8]   <Schlumberger>

[7da6c8]   <Secure>

[7e5528]   <Windows 3.1 Migration Status>



[1020] > cd Mi



[63bde0] \Microsoft>

Notice that you don't have to type out Microsoft to go to that key. This command shell does not support tab completion, but if you type the first few characters of a key's name, it automatically fills it in with the first key that matches those characters when you press Enter. Also, if you know the full path of the key you want to change to, you can type it all at once, such as cd Microsoft\Windows NT\CurrentVersion. Once you get to the directory containing the key you wish to change, type ls and confirm that the key exists, and then you can use the cat command to show the value of the key:

[791488] \Microsoft\Windows NT\CurrentVersion> cat SystemRoot

Value <SystemRoot> of type REG_SZ, data length 22 [0x16]

D:\WINDOWS

[791488] \Microsoft\Windows NT\CurrentVersion>

If you want to delete this key, simply type dk SystemRoot at the prompt.


Use the ed command to change the value:

[791488] \Microsoft\Windows NT\CurrentVersion> ed SystemRoot

EDIT: <SystemRoot> of type REG_SZ with length 22 [0x16]

[ 0]: D:\WINDOWS



Now enter new strings, one by one.

Enter nothing to keep old.

[ 0]: D:\WINDOWS

-> E:\WINDOWS



[791488] \Microsoft\Windows NT\CurrentVersion> cat SystemRoot

Value <SystemRoot> of type REG_SZ, data length 24 [0x18]

E:\WINDOWS

If you hit Enter, chntpw lets you leave the key as is. You can also type in the new value and hit Enter to make the change. After you make your changes, hit q to quit the registry editor. If you have changed any keys, chntpw prompts you to save your changes. Until now, chntpw has not actually written the changes you have made to the file; saying "yes" here writes any changes to the registry. Once the changes are written, you can exit chntpw, unmount your partition, and then reboot your computer back to Windows to observe the changes.

    © CodeIdol Labs, 2007