From: Alan Carre on 14 Dec 2008 16:08
"m" <m(a)b.c> wrote in message news:eVkjl4iXJHA.5704(a)TK2MSFTNGP02.phx.gbl...
> This is a very bad idea!

I don't believe I ever suggested changing anyone's password. I said that I don't believe that you *need* the password in order to impersonate another user *as admin*. You misunderstood what I was saying.

- Alan Carre
From: Ketchup on 14 Dec 2008 16:25
They appear to be using the reg.exe LOAD command to load the registry into a subkey of one of the already initialized hives on the system. I should be able to mimic this using RegLoadKey, although I was hoping to be able to create an entirely new hive. Thanks, this link was very helpful!

"Tommy" <bad(a)reallybad.com> wrote in message news:uvUwKoiXJHA.5064(a)TK2MSFTNGP02.phx.gbl...
> Ketchup wrote:
>> First, I apologize if I am posting this in the wrong newsgroup. I searched for a while and couldn't figure out where this goes.
>>
>> I am trying to figure out if I can open a registry storage file and read data from it. The files that I specifically need to open are the ones for users that are not currently logged on, the NTUSER.DAT files. I am assuming that the procedure would be similar for SYSTEM and SOFTWARE. I have been reading the win32 documentation on the Registry and can't quite figure out how to do this. The RegLoadAppKey function appears to be able to load entire hives, but the documentation says that the keys cannot be enumerated. How do I load an entire hive into memory and retrieve values from it?
>
> I was just able to do it from an embedded XP boot CD with this application:
>
> http://regeditpe.sourceforge.net/
>
> This comes with source code, but it asked too many questions, which hive, what users, etc., and there was a 2nd editor which was quick to load (I don't remember offhand the name). However, I see now from the web page, the one I had was a 2006 version and the new one at the above web site is a 2007 version and, from the instructions, no QUESTIONS are asked, it just loads like the other one I was using.
>
> Of course, this is offline when the OS is locking the files. But maybe you can see from the source code what it is doing.
From: Ketchup on 14 Dec 2008 16:26
Thanks. I am guessing that I can use RegLoadKey to simply load an NTUSER.DAT file as a subkey of a currently loaded registry hive. I can make the key, HKEYCU_<USERNAME>, and just walk through it to get what I need.

"Pavel A." <pavel_a(a)NOfastmailNO.fm> wrote in message news:es61NMhXJHA.1184(a)TK2MSFTNGP05.phx.gbl...
> Ketchup wrote:
>> First, I apologize if I am posting this in the wrong newsgroup. I searched for a while and couldn't figure out where this goes.
>>
>> I am trying to figure out if I can open a registry storage file and read data from it. The files that I specifically need to open are the ones for users that are not currently logged on, the NTUSER.DAT files. I am assuming that the procedure would be similar for SYSTEM and SOFTWARE. I have been reading the win32 documentation on the Registry and can't quite figure out how to do this. The RegLoadAppKey function appears to be able to load entire hives, but the documentation says that the keys cannot be enumerated. How do I load an entire hive into memory and retrieve values from it?
>
> Use RegLoadKey. RegLoadAppKey requires Vista or Win2008.
>
> --PA
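The approach the thread converges on (RegLoadKey, or its command-line wrapper reg.exe LOAD, mounting an NTUSER.DAT as a subkey of an already loaded hive), as an added worked example that is not code from any poster. It assumes an elevated session, a hive copy at the hypothetical path $HivePath, and an arbitrary mount name; RegLoadKey requires both SeBackupPrivilege and SeRestorePrivilege, so the script checks for them first. The original NTUSER.DAT is locked while its user is logged on, and the kernel opens a loaded hive for write (it will create .LOG1/.LOG2 transaction files beside the file and may update its header), so load a copy of the file rather than the original.

```powershell
# Added example (not from the thread): mount a copied NTUSER.DAT under HKU with
# reg.exe LOAD (a thin wrapper around RegLoadKey), read it with the normal registry
# provider, then unload it. Path and mount name below are assumptions.
param(
    [string]$HivePath  = 'C:\forensics\user_hive_copy\NTUSER.DAT',  # assumed path to a COPY
    [string]$MountName = 'Offline_User'                             # temporary subkey name
)

# RegLoadKey fails with ERROR_PRIVILEGE_NOT_HELD unless both privileges are present;
# they are enabled only in an elevated (UAC-approved) administrator token.
$privs = whoami /priv
foreach ($p in 'SeBackupPrivilege', 'SeRestorePrivilege') {
    if (-not ($privs -match $p)) { throw "Missing $p; run from an elevated session." }
}
if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive not found: $HivePath" }

# Mount the file as HKU\<MountName>. Loading opens the hive read/write and will
# create <file>.LOG1/.LOG2 next to it, so never point this at the live original.
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $root = "Registry::HKEY_USERS\$MountName"

    # Walk the mounted hive exactly as if it were a logged-on user's HKCU.
    Write-Host "Top-level keys under $root"
    Get-ChildItem -LiteralPath $root | Select-Object -ExpandProperty PSChildName

    # One of the values a practitioner usually wants from an offline user hive:
    # per-user autostart entries.
    $run = "$root\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path -LiteralPath $run) {
        Get-ItemProperty -LiteralPath $run |
            Select-Object -Property * -ExcludeProperty PSPath, PSParentPath, PSChildName, PSDrive, PSProvider
    }
}
finally {
    # RegUnLoadKey fails (sharing violation) while any handle to the mounted key is
    # open, so release provider objects before unloading; otherwise the hive stays
    # mounted and its copy stays locked.
    Remove-Variable -Name root, run -ErrorAction SilentlyContinue
    [GC]::Collect()
    & reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; HKU\$MountName is still mounted" }
}
```

The same sequence works for SYSTEM and SOFTWARE copies (mount them under HKLM instead of HKU); the privilege and unload requirements are identical because they come from RegLoadKey/RegUnLoadKey, not from the hive being loaded.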
From: Ketchup on 14 Dec 2008 16:27
Alan, thanks. I believe this approach would create too many forensic artifacts on the machine. I am interested in a more stealthy approach. I am actually copying files and reading them offline. There will be no issue with locking or user permissions.

"Alan Carre" <alan(a)twilightgames.com> wrote in message news:uycnpZiXJHA.2440(a)TK2MSFTNGP06.phx.gbl...
> "Ketchup" <ketchup(a)ketchup.com> wrote in message news:ObAswEhXJHA.868(a)TK2MSFTNGP06.phx.gbl...
>> First, I apologize if I am posting this in the wrong newsgroup. I searched for a while and couldn't figure out where this goes.
>>
>> I am trying to figure out if I can open a registry storage file and read data from it. The files that I specifically need to open are the ones for users that are not currently logged on, the NTUSER.DAT files. I am assuming that the procedure would be similar for SYSTEM and SOFTWARE. I have been reading the win32 documentation on the Registry and can't quite figure out how to do this. The RegLoadAppKey function appears to be able to load entire hives, but the documentation says that the keys cannot be enumerated. How do I load an entire hive into memory and retrieve values from it?
>>
>> thanks!
>
> If that's all you plan to do (I mean open NTUSER.DAT for various users) then you could launch your app "as that user" and then use the regular registry functions (RegOpenKeyEx, RegQueryValueEx and so on). If you want to do this on-the-fly then I think you can "impersonate" another user with functions like SetThreadToken et al (see Access Control functions). Once you've managed to impersonate another user, I believe the registry functions will retrieve data from the impersonated user's NTUSER.DAT file.
>
> You can always re-launch your program as another user at the command line using "runas" or programmatically using CreateProcessAsUser. As administrator I think you can bypass the password requirement (after all, you can change a user's password if you're logged on as admin).
>
> That would be my guess anyway...
>
> - Alan Carre
>
> BTW. If you want to enumerate all users for a specific machine just take your own SID and start walking from user # 500 upwards (500 == administrator) to about 2000 and check for user existence of those SIDs. By "user #" I mean the last entry in the SID; for instance, on my machine Administrator has
>
> SID = S-1-5-21-1957994488-859874398-725244543-500
>
> or something like that. The preceding digits are the same for all users.
From: Alan Carre on 14 Dec 2008 16:51
"m" <m(a)b.c> wrote in message news:eVkjl4iXJHA.5704(a)TK2MSFTNGP02.phx.gbl...
> Inferring users from SID layout is utter stupidity when there are documented APIs that will give you exact information without hacking the undocumented and subject to change SID format - look at NetUserEnum in MSDN.

Oh, and thanks for that info. I've been looking around for just that function but, search as I may, it never came up. I tried "enumerate users", "enum accounts", "get users", "get user list", every search string imaginable, and it didn't come up. I knew there must be a way but the help search feature simply doesn't work. So I went to Google finally, and the only example I could find used the SID approach I described. Of course it sucks but that's all that the universe came back with from my searches (which I think were pretty specific, well-formed search phrases).

Also, I did not get the impression that this question related to a commercial piece of software. But I assume, if it was, then he'd eventually find the correct way to enumerate users. I mean it's obviously a hack but it *does* work if you just want to quickly get the list of users on your local machine so you have something to pass to those access control functions for testing.

- Alan Carre
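The two enumeration methods argued over above, side by side, as an added example that is not code from any poster. The documented route uses Get-LocalUser (which reads the same local account database NetUserEnum does; Windows 10 / Server 2016 and later) with a WMI fallback for older hosts; the SID-walk route reproduces Alan's hack with the RID range he quoted (500 to 2000) so its blind spots are visible: it also matches local groups that share the machine SID, it misses accounts with higher RIDs, and it silently walks the wrong SID space if the current user is a domain account. Function names and the RID bound are assumptions for illustration.

```powershell
# Added example (not from the thread): documented local-user enumeration versus
# the SID-walk hack. Both functions return objects with Name and SID properties.

function Get-LocalAccountsDocumented {
    # Preferred: the documented cmdlet. It lists only user accounts, including
    # disabled ones, regardless of what RID they were assigned.
    if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
        return Get-LocalUser | Select-Object Name, @{ n = 'SID'; e = { $_.SID.Value } }, Enabled
    }
    # Fallback for hosts without the LocalAccounts module (older PowerShell).
    Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = True' |
        Select-Object Name, SID, @{ n = 'Enabled'; e = { -not $_.Disabled } }
}

function Get-LocalAccountsBySidWalk {
    param([int]$MaxRid = 2000)   # assumed upper bound; accounts above it are simply missed

    # The "machine SID" is the current user's SID with its last component (the RID)
    # removed. Caveat: for a domain logon this is the DOMAIN SID, so the walk then
    # probes domain RIDs rather than local ones.
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $machine = $me.AccountDomainSid
    if ($null -eq $machine) { throw 'Current SID has no domain/machine component' }

    500..$MaxRid | ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]"$machine-$_"
        try {
            # LookupAccountSid under the hood; succeeds for users AND local groups.
            $acct = $sid.Translate([System.Security.Principal.NTAccount]).Value
            [pscustomobject]@{ Name = $acct; SID = $sid.Value; Rid = $_ }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # Unused RID; nothing to report.
        }
    }
}

$documented = Get-LocalAccountsDocumented
$walked     = Get-LocalAccountsBySidWalk

Write-Host "Documented API found $($documented.Count) user account(s)."
Write-Host "SID walk found $($walked.Count) principal(s) in RIDs 500..2000."

# Names the walk returned that are not users: local groups, or nothing the
# documented API recognises. Names the documented API returned that the walk
# missed: accounts whose RID lies outside the probed range.
$userSids = $documented.SID
Write-Host 'Returned by the walk but not a local user:'
$walked | Where-Object { $userSids -notcontains $_.SID } | Select-Object Name, Rid
Write-Host 'Local users the walk missed:'
$documented | Where-Object { $walked.SID -notcontains $_.SID } | Select-Object Name, SID
```

Run it once from a local administrator logon and once from a domain logon on the same machine: the documented list is identical both times, while the SID walk's output changes with the logged-on account, which is the practical reason to prefer the documented API over inferring layout from your own SID.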