From: Alan Carre on
"m" <m(a)b.c> wrote in message news:eVkjl4iXJHA.5704(a)TK2MSFTNGP02.phx.gbl...
> This is a very bad idea!

I don't believe I ever suggested changing anyone's password. I said that I
don't believe that you *need* the password in order to impersonate another
user *as admin*. You misunderstood what I was saying.

- Alan Carre


From: Ketchup on
They appear to be using the reg.exe LOAD command to load the registry into a
subkey of one of the already initialized hives on the system. I should be
able to mimic this using RegLoadKey, although I was hoping to be able to
create an entirely new hive. Thanks, this link was very helpful!

"Tommy" <bad(a)reallybad.com> wrote in message
news:uvUwKoiXJHA.5064(a)TK2MSFTNGP02.phx.gbl...
> Ketchup wrote:
>> First, I apologize if I am posting this in the wrong newsgroup. I
>> searched for a while and couldn't figure out where this goes.
>>
>> I am trying to figure out if I can open a registry storage file and read
>> data from it. The files that I specifically need to open are the ones
>> for users that are not currently logged on, the NTUSER.DAT files. I am
>> assuming that the procedure would be similar for SYSTEM and SOFTWARE. I
>> have been reading the win32 documentation on the Registry and can't quite
>> figure out how to do this. RegLoadAppKey function appears to be able to
>> load entire hives, but the documentation says that the keys cannot be
>> enumerated. How do I load an entire hive into memory and retrieve
>> values from it?
>
> I was just able to do it from an embedded XP boot CD with this
> application:
>
> http://regeditpe.sourceforge.net/
>
> This comes with source code, but it asked too many questions, which hive,
> what users, etc, and there was a 2nd editor which was quick to load (I don't
> remember off hand the name). However, I see now from the web page, the
> one I had was a 2006 version and the new one at the above web site is a
> 2007 version and from the instructions, no QUESTIONS are asked, it just
> loads like the other one I was using.
>
> Of course, this is offline when the OS is locking the files. But maybe
> you can see from the source code what it is doing.
>
> --


From: Ketchup on
Thanks. I am guessing that I can use RegLoadKey to simply load an
NTUSER.DAT file as a subkey of a currently loaded registry hive. I can make
the key, HKEYCU_<USERNAME>, and just walk through it to get what I need.

"Pavel A." <pavel_a(a)NOfastmailNO.fm> wrote in message
news:es61NMhXJHA.1184(a)TK2MSFTNGP05.phx.gbl...
> Ketchup wrote:
>> First, I apologize if I am posting this in the wrong newsgroup. I
>> searched for a while and couldn't figure out where this goes.
>>
>> I am trying to figure out if I can open a registry storage file and read
>> data from it. The files that I specifically need to open are the ones
>> for users that are not currently logged on, the NTUSER.DAT files. I am
>> assuming that the procedure would be similar for SYSTEM and SOFTWARE. I
>> have been reading the win32 documentation on the Registry and can't quite
>> figure out how to do this. RegLoadAppKey function appears to be able to
>> load entire hives, but the documentation says that the keys cannot be
>> enumerated. How do I load an entire hive into memory and retrieve
>> values from it?
>>
>
> Use RegLoadKey. RegLoadAppKey requires Vista or Win2008.
>
> --PA


From: Ketchup on
Alan, thanks. I believe this approach would create too many forensics
artifacts on the machine. I am interested in a more stealthy approach. I
am actually copying files and reading them offline. There will be no issue
with locking or user permissions.


"Alan Carre" <alan(a)twilightgames.com> wrote in message
news:uycnpZiXJHA.2440(a)TK2MSFTNGP06.phx.gbl...
> "Ketchup" <ketchup(a)ketchup.com> wrote in message
> news:ObAswEhXJHA.868(a)TK2MSFTNGP06.phx.gbl...
>> First, I apologize if I am posting this in the wrong newsgroup. I
>> searched for a while and couldn't figure out where this goes.
>>
>> I am trying to figure out if I can open a registry storage file and read
>> data from it. The files that I specifically need to open are the ones
>> for users that are not currently logged on, the NTUSER.DAT files. I am
>> assuming that the procedure would be similar for SYSTEM and SOFTWARE. I
>> have been reading the win32 documentation on the Registry and can't quite
>> figure out how to do this. RegLoadAppKey function appears to be able to
>> load entire hives, but the documentation says that the keys cannot be
>> enumerated. How do I load an entire hive into memory and retrieve
>> values from it?
>>
>> thanks!
>
> If that's all you plan to do (I mean open NTUSER.DAT for various users)
> then you could launch your app "as that user" and then use the regular
> registry functions (RegOpenKeyEx, RegQueryValueEx and so on). If you want
> to do this on-the-fly then I think you can "impersonate" another user with
> functions like SetThreadToken et al (see Access Control functions). Once
> you've managed to impersonate another user, I believe the registry
> functions will retrieve data from the impersonated user's NTUSER.DAT file.
>
> You can always re-launch your program as another user at the command line
> using "runas" or programmatically using CreateProcessAsUser. As
> administrator I think you can bypass the password requirement (after all,
> you can change a user's password if you're logged on as admin).
>
> That would be my guess anyway...
>
> - Alan Carre
>
> BTW. If you want to enumerate all users for a specific machine just take
> your own SID and start walking from user # 500 upwards (500 ==
> administrator) to about 2000 and check for user existence of those SIDs.
> By "user #" I mean the last entry in the SID, for instance on my machine
> Administrator has
>
> SID = S-1-5-21-1957994488-859874398-725244543-500
>
> or something like that. The preceding digits are the same for all users.
>
>
>


From: Alan Carre on
"m" <m(a)b.c> wrote in message news:eVkjl4iXJHA.5704(a)TK2MSFTNGP02.phx.gbl...
> Inferring users from SID layout is utter stupidity when there are
> documented APIs that will give you exact information without hacking the
> undocumented and subject to change SID format - look at NetUserEnum in
> MSDN.

Oh, and thanks for that info. I've been looking around for just that
function but search as I may, it never came up. I tried "enumerate users",
"enum accounts", "get users", "get user list" every search string imaginable
and it didn't come up. I knew there must be a way but the help search
feature simply doesn't work. So I went to google finally, and the only
example I could find used the SID approach I described.

Of course it sucks but that's all that the universe came back with from my
searches (which I think were pretty specific well-formed search phrases).
Also I did not get the impression that this question related to a commercial
piece of software. But I assume, if it was, then he'd eventually find the
correct way to enumerate users. I mean it's obviously a hack but it *does*
work if you just want to quickly get the list of users on your local machine
so you have something to pass to those access control functions for testing.

- Alan Carre
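Putting the thread's pieces together as an added example (mine, not code from any poster): it enumerates the local accounts through a documented interface (Get-LocalUser standing in for the NetUserEnum that m points to, instead of walking RIDs), resolves each SID's profile folder through the ProfileList key, attaches that user's offline NTUSER.DAT under HKLM with reg.exe LOAD the way Tommy's link does, and lists the Run key from it, a routine persistence audit for accounts that are not logged on. The mount-point name is my own choice; the script assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example, not code from the thread. Run elevated: reg.exe LOAD wraps
# RegLoadKey, which needs SeBackupPrivilege and SeRestorePrivilege.
# 'OfflineAudit' is an arbitrary mount-point name chosen for this example.
$MountName   = 'OfflineAudit'
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$PsNoise     = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-OfflineRunEntries {
    param([string]$Sid, [string]$UserName)

    # ProfileList\<SID>\ProfileImagePath maps a SID to its profile folder.
    $prof = Get-ItemProperty -Path (Join-Path $ProfileList $Sid) -ErrorAction SilentlyContinue
    if (-not $prof) { return }
    $hiveFile = Join-Path $prof.ProfileImagePath 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $hiveFile)) { return }

    # Attach the file as a subkey of the already loaded HKLM hive. This fails
    # while that user is logged on (the OS holds the file locked), so check
    # the exit code and skip instead of reading a half-mounted key.
    & reg.exe load "HKLM\$MountName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$UserName ($Sid): hive in use or unreadable, skipped"
        return
    }
    try {
        # Once mounted, the offline hive is walked with the ordinary provider.
        $runKey = "HKLM:\$MountName\Software\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path -LiteralPath $runKey) {
            foreach ($p in (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties) {
                if ($p.Name -notin $PsNoise) {
                    [pscustomobject]@{ User = $UserName; Sid = $Sid; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
    finally {
        # Always detach, or the file stays locked. The provider may still hold
        # a handle on the mounted key, which makes UNLOAD fail with access denied.
        [gc]::Collect()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Enumerate accounts through a documented interface rather than walking RIDs;
# Get-LocalUser (Microsoft.PowerShell.LocalAccounts) stands in for NetUserEnum.
Get-LocalUser | ForEach-Object { Get-OfflineRunEntries -Sid $_.SID.Value -UserName $_.Name } |
    Format-Table -AutoSize
```

Profiles of users who are currently logged on are reported as skipped rather than read, since their hive is locked exactly as Tommy notes; run the audit from a session where those users are signed out, or against copied hive files, to cover them.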