hartl3y94 / winregfs

This project forked from jbruchon/winregfs

Windows Registry FUSE filesystem

License: GNU Lesser General Public License v2.1

Makefile 1.18% Shell 1.17% C 81.44% Roff 16.21%

                    THE WINDOWS REGISTRY FUSE FILESYSTEM
                    ====================================

     If you have any questions, comments, or patches, send me an email:
                               [email protected]

    This program's components are distributed under either LGPL v2.1 or
       The MIT License. Compiled binaries thus fall under LGPL v2.1.

One of the most difficult things to deal with, in years of writing Linux
utilities to work with and repair Windows PCs, has been the Windows registry.
While many excellent tools exist to work with NTFS filesystems and to change
or remove passwords from user accounts, the ability to work with the
registry has always been severely lacking. The excellent chntpw package
includes a primitive registry editor, "reged", which has been quite helpful
and whose existence I am grateful for, but it suffers from a very limited
interface and a complete lack of scriptability, which presents a major hurdle
for anyone wanting to do more with the registry than wipe out a password or
change the "Start" flag of a system service.

Because of the serious limitations of "reged", the only practical way to do
anything registry-oriented from a shell script was to export an ENTIRE HIVE
to a .reg file, crudely parse that file for what you want, have the script
write a second .reg file containing the changes, and import it. Needless to
say, the process is slow, complicated, and frustrating. I even wrote a tool
called "read_inf_section" to help my scripts parse INF/INI/REG files faster
because of this need (and also for an unrelated need to read .inf files from
driver packages). This complexity became excessive, so I came up with a much
better way to tweak the registry from shell scripts and programs.

Thus, the Windows Registry FUSE Filesystem "winregfs" was born. chntpw
( http://pogostick.net/~pnh/ntpasswd/ ) has an excellent library for
working with Windows NT registry hive files, distributed under the LGPL.
winregfs is essentially a glue layer between ntreg.c and FUSE, translating
Windows registry keys and values into ordinary directories and files.

Features include:
* Full write support (value size limited to 8192 bytes)
* Case-insensitivity in key/value name matching
* Automatic forward-slash escaping (gets around the Linux pathname limitation)
* "Wildcard" name matching on reads, i.e. "cat foo/bar" matches "foo/bar.sz"
* Friendly DWORD editing in hexadecimal ASCII text rather than raw data

Also included is a tool called "fsck.winregfs" which performs a basic check
of the integrity of a registry hive. It recursively follows all possible keys
and values, checking for errors in offsets, reading data, and value types. To
use it, type "fsck.winregfs [hivename]"; when the scan completes, a detailed
list of statistics and error counts is printed. The exit status reports
success or failure of the check, so it can be tested from a script.

A few keys and value names in the Windows registry such as MIME types contain
forward slash characters; winregfs substitutes "_SLASH_" where a forward
slash appears in names.

********** WARNING **********
ALWAYS BACK UP REGISTRY HIVES BEFORE EDITING THEM WITH WINREGFS! THIS SOFTWARE
IS NOT PRODUCTION-SAFE! IT WORKS, BUT HAS SEVERAL BUGS! YOU HAVE BEEN WARNED!
********** WARNING **********

To use winregfs, make a directory to mount on and point mount.winregfs at the
registry hive of interest:

---
$ mkdir reg
$ mount.winregfs /mnt/sdc2/Windows/System32/config/software reg/
---

Now, you can see everything in that hive under "reg":

---
$ ls reg
7-Zip/                  Google/              Policies/
AVAST Software/         InstalledOptions/    Program Groups/
Adobe/                  Intel/               RegisteredApplications/
Analog Devices/         LibreOffice/         S3/
C07ft5Y/                Macromedia/          Schlumberger/
Classes/                Microsoft/           Secure/
Clients/                Mozilla/             Sigmatel/
Diskeeper Corporation/  MozillaPlugins/      The Document Foundation/
GNU/                    NVIDIA Corporation/  Windows 3.1 Migration Status/
Gabest/                 ODBC/                mozilla.org/
Gemplus/                Piriform/
---

Let's say you want to see some things that automatically run during startup.

---
$ ls -l reg/Microsoft/Windows/CurrentVersion/Run
total 0
-r--r--r-- 1 root root 118 Dec 31  1969 Adobe ARM.sz
-r--r--r-- 1 root root 124 Dec 31  1969 DiskeeperSystray.sz
-r--r--r-- 1 root root  60 Dec 31  1969 HotKeysCmds.sz
-r--r--r-- 1 root root  66 Dec 31  1969 IgfxTray.sz
-r--r--r-- 1 root root  70 Dec 31  1969 KernelFaultCheck.esz
-r--r--r-- 1 root root  66 Dec 31  1969 Persistence.sz
-r--r--r-- 1 root root 100 Dec 31  1969 SoundMAXPnP.sz
-r--r--r-- 1 root root 118 Dec 31  1969 avast.sz
---

You want to see what these values contain.

---
$ for X in reg/Microsoft/Windows/CurrentVersion/Run/*
> do echo -en "$X\n   "; cat "$X"; echo; done
reg/Microsoft/Windows/CurrentVersion/Run/Adobe ARM.sz
   "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

reg/Microsoft/Windows/CurrentVersion/Run/DiskeeperSystray.sz
   "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

reg/Microsoft/Windows/CurrentVersion/Run/HotKeysCmds.sz
   C:\WINDOWS\system32\hkcmd.exe

reg/Microsoft/Windows/CurrentVersion/Run/IgfxTray.sz
   C:\WINDOWS\system32\igfxtray.exe

reg/Microsoft/Windows/CurrentVersion/Run/KernelFaultCheck.esz
   %systemroot%\system32\dumprep 0 -k

reg/Microsoft/Windows/CurrentVersion/Run/Persistence.sz
   C:\WINDOWS\system32\igfxpers.exe

reg/Microsoft/Windows/CurrentVersion/Run/SoundMAXPnP.sz
   C:\Program Files\Analog Devices\Core\smax4pnp.exe

reg/Microsoft/Windows/CurrentVersion/Run/avast.sz
   "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
---

Has anything hijacked the Windows "shell" value that runs explorer.exe?

---
$ cat reg/Microsoft/Windows\ NT/CurrentVersion/Winlogon/Shell.sz
Explorer.exe
---

How about the userinit.exe value?

---
$ cat reg/Microsoft/Windows\ NT/CurrentVersion/Winlogon/Userinit.sz
C:\WINDOWS\system32\userinit.exe,
---

Perhaps check if some system policies are set (note that REG_DWORD values now
work as friendly hexadecimal text files instead of raw data):

---
$ cat \
> reg/Policies/Microsoft/Windows/System/Allow-LogonScript-NetbiosDisabled.dw
00000001
---

You can probably figure out what to do with it from here. ;-)
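The checks walked through above, collected into one script. This is an added
example, not code from winregfs or its README: it lists the Run key, compares
the Winlogon Shell and Userinit values with their stock values, decodes a .dw
policy value, and finds a value by name without knowing its type suffix
(mirroring the case-insensitive matching winregfs does for you on a real
mount). It assumes only what the README shows: value files named
<name>.<type> with the .sz/.esz/.dw suffixes, 8 hex digits in .dw files, and
_SLASH_ standing in for forward slashes. The function names, the default
Windows directory, the stock Userinit string and the fixture tree the demo
builds are this example's own assumptions, not winregfs'.

```shell
#!/bin/sh
# Added example, not part of winregfs: read-only triage of the autostart
# locations in a SOFTWARE hive mounted with winregfs. The functions take the
# mount point as an argument; the demo at the bottom builds a constructed
# stand-in tree under mktemp so the script also runs without a hive.
# Assumed from the README: values are files named <name>.<type> (.sz, .esz,
# .dw), .dw files hold 8 hex digits, and "/" in a name appears as "_SLASH_".

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Map a Windows key/value name to its winregfs path component, and back.
escape_name()   { printf '%s\n' "$1" | sed 's,/,_SLASH_,g'; }
unescape_name() { printf '%s\n' "$1" | sed 's,_SLASH_,/,g'; }

# Find a value file by name without knowing its type suffix, matching
# case-insensitively as winregfs does. Prints the path; returns 1 if absent.
find_value() {
    key=$1; want=$(lc "$2")
    for f in "$key"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        if [ "$(lc "${base%.*}")" = "$want" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Decode a .dw file (REG_DWORD, shown by winregfs as 8 hex digits) to decimal.
# Returns 1 with no output if the content is not exactly 8 hex digits.
dword_value() {
    hex=$(tr -d '[:space:]' < "$1")
    printf '%s' "$hex" | grep -Eq '^[0-9A-Fa-f]{8}$' || return 1
    printf '%d\n' "0x$hex"
}

# Print each value under a Run-style key as "<name> (<type>): <data>".
list_run_key() {
    key=$1
    [ -d "$key" ] || { echo "no such key: $key" >&2; return 1; }
    for f in "$key"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        printf '%s (%s): %s\n' "$(unescape_name "${base%.*}")" "${base##*.}" "$(cat "$f")"
    done
}

# Compare Winlogon's Shell and Userinit with their stock values. The Windows
# directory is a parameter (assumed default C:\WINDOWS) because it varies
# between installs. Returns 1 if either value is non-stock, which deserves
# a closer look since both are classic hijack points.
check_winlogon() {
    wl="$1/Microsoft/Windows NT/CurrentVersion/Winlogon"
    sysroot=${2:-}
    [ -n "$sysroot" ] || sysroot='C:\WINDOWS'
    expect_userinit="$(lc "$sysroot")"'\system32\userinit.exe,'
    rc=0
    shell=$(cat "$wl/Shell.sz" 2>/dev/null)
    userinit=$(cat "$wl/Userinit.sz" 2>/dev/null)
    if [ "$(lc "$shell")" = "explorer.exe" ]; then echo "Shell: stock ($shell)"
    else echo "Shell: NON-STOCK ($shell)"; rc=1; fi
    if [ "$(lc "$userinit")" = "$expect_userinit" ]; then echo "Userinit: stock ($userinit)"
    else echo "Userinit: NON-STOCK ($userinit)"; rc=1; fi
    return $rc
}

# Constructed stand-in for a winregfs mount of a SOFTWARE hive, mirroring a
# few of the keys and values from the README walkthrough (sample data only).
make_fixture() {
    root=$1
    run="$root/Microsoft/Windows/CurrentVersion/Run"
    wl="$root/Microsoft/Windows NT/CurrentVersion/Winlogon"
    pol="$root/Policies/Microsoft/Windows/System"
    mkdir -p "$run" "$wl" "$pol" "$root/Classes/$(escape_name 'audio/mpeg')"
    printf '%s' '"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"' > "$run/Adobe ARM.sz"
    printf '%s' '%systemroot%\system32\dumprep 0 -k' > "$run/KernelFaultCheck.esz"
    printf '%s' 'Explorer.exe' > "$wl/Shell.sz"
    printf '%s' 'C:\WINDOWS\system32\userinit.exe,' > "$wl/Userinit.sz"
    printf '%s' '00000001' > "$pol/Allow-LogonScript-NetbiosDisabled.dw"
}

# Demo against the constructed tree. For a real hive, replace $tmp with the
# directory you mounted on (mount.winregfs <hive> <dir>) and skip make_fixture.
tmp=$(mktemp -d)
make_fixture "$tmp"
list_run_key "$tmp/Microsoft/Windows/CurrentVersion/Run"
check_winlogon "$tmp" || echo "Winlogon differs from stock: investigate"
pol="$tmp/Policies/Microsoft/Windows/System"
val=$(find_value "$pol" allow-logonscript-netbiosdisabled)
echo "Allow-LogonScript-NetbiosDisabled = $(dword_value "$val")"
rm -rf "$tmp"
```

On a real mount the functions only read, but remember the warning above:
triage a copy of the hive (or mount it and never write) rather than the only
copy you have. The data in the constructed tree is lifted from the README
listing and is sample data only.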

LICENSING NOTICE
----------------

ntreg.c and ntreg.h are distributed under the terms of the LGPL v2.1 (see
LICENSE-LGPLv2.1); all other components are distributed under the terms of
The MIT License (see LICENSE-MIT). Any binaries compiled from this code are
under LGPL v2.1.

Contributors

jbruchon
