From: Alan Carre on
I should also add (might be of interest) that "runas" doesn't use this
function. Which was one of the places I went searching for an enumerate API:

The following:

C:\>dumpbin /imports C:\Windows\system32\runas.exe |find /i "enum"

Produces no output.

When unfiltered, it does produce a nice listing of possibly-interesting
user-related functions to explore:

====================

dumpbin /imports runas.exe (slightly pruned)
-------------------------------------

ADVAPI32.dll

77DD96C4 20F SaferGetPolicyInformation
77DE494C 20E SaferGetLevelInformation
77E171AE 20D SaferCreateLevel
77DD2EC0 20C SaferComputeTokenFromLevel
77DE5382 60 CreateProcessAsUserW
77DD31D3 20B SaferCloseLevel
77E128D4 72 CredMarshalCredentialW
77DDBDE7 7B CredUnmarshalCredentialW
77E1239B 6B CredFree
77DDBB6F 85 CryptAcquireContextW
77DFBE2F 9A CryptGetProvParam
77DE042E 9F CryptReleaseContext
77E10682 61 CreateProcessWithLogonW

credui.dll

76C0961D 3 CredUIConfirmCredentialsW
76C09E37 1 CredUICmdLinePromptForCredentialsW

CRYPT32.dll

762D5773 32 CertFindCertificateInStore
762CE057 3C CertFreeCertificateContext
762C4EA4 F CertCloseStore
762CBB2E 46 CertGetNameStringW
762C7C4A 41 CertGetCertificateContextProperty
762F644A 52 CertOpenSystemStoreW

NETAPI32.dll

71C350BF 116 NetpGetDomainName
71C214BA 68 NetApiBufferFree
71C26365 111 NetpGetComputerName

=========================

- Alan Carre


From: Alan Carre on
"Ketchup" <ketchup(a)ketchup.com> wrote in message
news:OURmNLjXJHA.760(a)TK2MSFTNGP02.phx.gbl...
> Alan, thanks. I believe this approach would create too many forensics
> artifacts on the machine. I am interested in a more stealthy approach.
> I am actually copying files and reading them offline. There will be no
> issue with locking or user permissions.

Hmm, offline eh. I guess Tommy pointed you towards some source code that
might help.

Note that it still might be necessary to impersonate the user (in one form
or another) since it's actually a full copy of NTUSER.DAT which is, as far
as I know, tied into at least part of the user's SID [for obvious security
reasons]. I'm assuming that when you "save as hive" that that information is
stripped away [ie. No username/password required for access].

I remember once I wanted to retrieve some encrypted files from my machine
after a hardware malfunction [CPU overheated and died] where I had to
reinstall the OS. I couldn't read the files but I still had the user name
(myself) and I knew the password (my own password). So I went online and
found this...

http://www.beginningtoseethelight.org/efsrecovery/

So I created an account that had the same username/password and same "user
#". Luckily user 1003 or whatever was available so I used the trick
described in there under "recovery with the original profile in the file
system" (which I had obviously) to make sure that the next user was going to
have that number and created it with the correct password. After logon I
could recover the encrypted files, and decrypt them! I'll never make that
mistake again...

Anyway, there's a lot of useful info in there that could help you in this
scenario. Particularly recovering encrypted files *without* the original
file system intact. That's certainly similar to what you're trying to do as
NTUSER.DAT will be tied into the user's SID in much the same way as
encrypted files are. I'd be quite surprised if that wasn't the case.

- Alan Carre


From: daniel on
You can only load a hive with RegLoadKey as an immediate subkey of HKLM and
not as one of its subkeys.
Your process must have SE_BACKUP_NAME and SE_RESTORE_NAME privileges
enabled. The hive will be a volatile key. Another option is to use
RegRestoreKey which allows you to place the loaded hive anywhere in the
registry.

//Daniel



"Ketchup" <ketchup(a)ketchup.com> wrote in message
news:ObAswEhXJHA.868(a)TK2MSFTNGP06.phx.gbl...
> First, I apologize if I am posting this in the wrong newsgroup. I
> searched for a while and couldn't figure out where this goes.
>
> I am trying to figure out if I can open a registry storage file and read
> data from it. The files that I specifically need to open are the ones for
> users that are not currently logged on, the NTUSER.DAT files. I am
> assuming that the procedure would be similar for SYSTEM and SOFTWARE. I
> have been reading the win32 documentation on the Registry and can't quite
> figure out how to do this. RegLoadAppKey function appears to be able to
> load entire hives, but the documentation says that the keys cannot be
> enumerated. How do I load an entire hive into memory and retrieve values
> from it?
>
> thanks!
>
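The procedure Daniel describes (load the hive file as a volatile key directly under HKLM or HKU with backup/restore privileges enabled, read it through the normal registry API, then unload it) is what `reg.exe load` does via RegLoadKey. The following PowerShell script is an added example for an examiner reading a copied NTUSER.DAT offline; it is not code from the thread or from any of the tools mentioned in it. The hive path `C:\forensics\case01\NTUSER.DAT` and the mount name `OfflineUser` are assumptions. Two points worth checking before running it: the privilege check is on the token of the process doing the loading, not on any credential of the profile's owner, so an administrator can mount any user's hive copy; and loading opens the hive for write, so a forensic workflow mounts a copy, never the original.

```powershell
# Added example (not from the thread): mount a copied NTUSER.DAT under HKU,
# read a few commonly examined keys, and unload it again.
# Run from an elevated session: reg.exe load needs SeBackupPrivilege and
# SeRestorePrivilege, which only an administrative token has available.
param(
    # Path to a COPY of the offline hive (assumed path; adjust for your case).
    [string]$HivePath  = 'C:\forensics\case01\NTUSER.DAT',
    # Mount point name; it must sit directly under HKLM or HKU (assumed name).
    [string]$MountName = 'OfflineUser'
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run elevated: loading a hive requires backup/restore privileges.'
}
if (-not (Test-Path -LiteralPath $HivePath)) {
    throw "Hive file not found: $HivePath"
}

$mountKey = "HKU\$MountName"
# RegLoadKey under the hood; the resulting key is volatile and vanishes on unload or reboot.
& reg.exe load $mountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

try {
    # Once loaded, the hive is browsable like any other key via the Registry provider.
    $root = "Registry::HKEY_USERS\$MountName"

    # Per-user autostart entries: a common place to look for persistence.
    $runKey = "$root\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path -LiteralPath $runKey) {
        Write-Host '== Autostart entries (HKCU-equivalent Run key) =='
        Get-ItemProperty -LiteralPath $runKey |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }

    # RecentDocs subkeys are named by file extension and show what the user opened.
    $recentDocs = "$root\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
    if (Test-Path -LiteralPath $recentDocs) {
        Write-Host '== RecentDocs subkeys (by extension) =='
        Get-ChildItem -LiteralPath $recentDocs | Select-Object -ExpandProperty PSChildName
    }
}
finally {
    # Always unload; otherwise the hive file stays locked and the key lingers until reboot.
    # Drop any lingering PowerShell registry handles first, or the unload is refused.
    [GC]::Collect()
    & reg.exe unload $mountKey | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg.exe unload failed (exit $LASTEXITCODE): close open handles to $mountKey and retry."
    }
}
```

Because the mounted hive is an ordinary registry key while loaded, any script or tool that takes a registry path can be pointed at `HKU\OfflineUser` without special handling; the `finally` block matters because a hive that is never unloaded keeps the file locked and leaves the volatile key behind until the next reboot.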

From: m on
I'm sorry if I misunderstood your suggestion - keep in mind that even admins
can't just impersonate users without their passwords



There is, of course, no reason for RunAs to get a list of users because if
the one that you pass it doesn't exist, it will just get an error (no
mapping between account name and SID or something like it). It would be
prohibitively difficult to validate the username too because in an
enterprise AD environment, there may be many domains to look in or it may
be an account managed by another, possibly 3rd party, system with a trust
relationship.


"Alan Carre" <alan(a)twilightgames.com> wrote in message
news:%232iYwkjXJHA.552(a)TK2MSFTNGP06.phx.gbl...
>I should also add (might be of interest) that "runas" doesn't use this
>function. Which was one of the places I went searching for an enumerate
>API:
>
> The following:
>
> C:\>dumpbin /imports C:\Windows\system32\runas.exe |find /i "enum"
>
> Produces no output.
>
> When unfiltered, it does produce a nice listing of possibly-interesting
> user-related functions to explore:
>
> ====================
>
> dumpbin /imports runas.exe (slightly pruned)
> -------------------------------------
>
> ADVAPI32.dll
>
> 77DD96C4 20F SaferGetPolicyInformation
> 77DE494C 20E SaferGetLevelInformation
> 77E171AE 20D SaferCreateLevel
> 77DD2EC0 20C SaferComputeTokenFromLevel
> 77DE5382 60 CreateProcessAsUserW
> 77DD31D3 20B SaferCloseLevel
> 77E128D4 72 CredMarshalCredentialW
> 77DDBDE7 7B CredUnmarshalCredentialW
> 77E1239B 6B CredFree
> 77DDBB6F 85 CryptAcquireContextW
> 77DFBE2F 9A CryptGetProvParam
> 77DE042E 9F CryptReleaseContext
> 77E10682 61 CreateProcessWithLogonW
>
> credui.dll
>
> 76C0961D 3 CredUIConfirmCredentialsW
> 76C09E37 1 CredUICmdLinePromptForCredentialsW
>
> CRYPT32.dll
>
> 762D5773 32 CertFindCertificateInStore
> 762CE057 3C CertFreeCertificateContext
> 762C4EA4 F CertCloseStore
> 762CBB2E 46 CertGetNameStringW
> 762C7C4A 41 CertGetCertificateContextProperty
> 762F644A 52 CertOpenSystemStoreW
>
> NETAPI32.dll
>
> 71C350BF 116 NetpGetDomainName
> 71C214BA 68 NetApiBufferFree
> 71C26365 111 NetpGetComputerName
>
> =========================
>
> - Alan Carre
>
>


From: m on
What hive were you hoping to create? AFAIK the hives are (semi) static

look at the description of the registry in MSDN
http://msdn.microsoft.com/en-us/library/ms724182(VS.85).aspx

"Ketchup" <ketchup(a)ketchup.com> wrote in message
news:OfGn2JjXJHA.5828(a)TK2MSFTNGP03.phx.gbl...
> They appear to be using the reg.exe LOAD command to load the registry into
> a subkey of one of the already initialized hives on the system. I should
> be able to mimic this using RegLoadKey, although I was hoping to be able
> to create an entirely new hive. Thanks, this link was very helpful!
>
> "Tommy" <bad(a)reallybad.com> wrote in message
> news:uvUwKoiXJHA.5064(a)TK2MSFTNGP02.phx.gbl...
>> Ketchup wrote:
>>> First, I apologize if I am posting this in the wrong newsgroup. I
>>> searched for a while and couldn't figure out where this goes.
>>>
>>> I am trying to figure out if I can open a registry storage file and read
>>> data from it. The files that I specifically need to open are the ones
>>> for users that are not currently logged on, the NTUSER.DAT files. I am
>>> assuming that the procedure would be similar for SYSTEM and SOFTWARE. I
>>> have been reading the win32 documentation on the Registry and can't
>>> quite figure out how to do this. RegLoadAppKey function appears to be
>>> able to load entire hives, but the documentation says that the keys
>>> cannot be enumerated. How do I load an entire hive into memory and
>>> retrieve values from it?
>>
>> I was just able to do it from an embedded XP boot CD with this
>> application:
>>
>> http://regeditpe.sourceforge.net/
>>
>> This comes with source code, but it asked too many questions, which hive,
>> what users, etc, and there was a 2nd editor which was quick to load (I don't
>> remember off hand the name). However, I see now from the web page, the
>> one I had was a 2006 version and the new one at the above web site is a
>> 2007 version and from the instructions, no QUESTIONS are asked, it just
>> loads like the other one I was using.
>>
>> Of course, this is offline when the OS is locking the files. But maybe
>> you can see from the source code what it is doing.
>>
>> --
>
>