Note: most of what's written in this tutorial applies to Windows
9x as well.
What is the Registry?
The Registry is the central configuration database for Windows NT. Each
NT workstation or server has its own Registry, and each one contains
info on the hardware and software of the computer it resides on.
For example, COM port definitions, Ethernet card settings, desktop
settings and profiles, and what a particular user can and cannot
do are stored in the Registry. Remember those ugly system INI files
in Windows 3.1? Well, in NT they have all been rolled, along with even
more fun stuff, into one big database called the Registry.
One of the main disadvantages of the older .INI files is that they
are flat text files, which cannot support nested headings or contain
data other than pure text. Registry keys can contain nested headings
in the form of subkeys. These subkeys provide finer detail and a
greater range of possible configuration information for a particular
operating system. Registry values can also consist of executable
code, as well as provide individual preferences for multiple users
of the same computer. The ability to store executable code within
the Registry extends its usage to operating system and application
developers. The ability to store user-specific profile information
allows one to tailor the environment for specific individual users.
Always make sure that you know what you are doing when changing
the registry or else just one little mistake can crash the whole
system. That's why it's always good to back it up!
To view the registry of an NT server (or to back it up), you need
to use the Registry Editor tool. There are two versions of Registry
Editor:
:Regedt32.exe has the most menu items and more choices for the
menu items. You can search for keys and subkeys in the registry.
:Regedit.exe enables you to search for strings, values, keys, and
subkeys. This feature is useful if you want to find specific data.
Some Info on NT:
NT is a 32-bit GUI networking (client/server model) operating system.
1st version: 3.1 (circa 1994), then 3.5, then 3.51, then 4.0 (the most
used, and the 1st version to adopt the same GUI as Windows 95). NT
stands for New Technology. NT's main competitor is Novell NetWare,
which is more established and has been around longer as a network
operating system. Despite that, it is losing market share to NT and
Linux. That's why NT is becoming a little bit more important.
Windows 2000, which is supposedly the next version, is supposed to
be out sometime in October 1999. This version, formerly called Cairo,
has been delayed 3 times over the last 2-3 years.

Everything in this tutorial directory relates to Windows NT v4.0.
Some of this might also be useful for Windows 95 and Windows 98, but
please note that despite the similar GUI environments all of them
have major differences between each other and each is distinct. The
major difference is security: with NT there is a decent degree of
security and robustness, while with Windows 95 and 98 there is hardly
any security at all. For example, with NT you cannot log in without a
correct username and password. With Windows 95/98, just hit the cancel
button on the logon dialog (which is not usually enabled anyway) and
you will get into the system.

With NT, you can have a network of anywhere from 20 to 20,000 users
or so on the same domain. Each domain will have a Primary Domain
Controller (PDC) and a few Backup Domain Controllers (BDCs). There is
only one PDC in a domain; it is the main server that holds all the
logon info and does most of the work. BDCs are backups in case the
PDC gets too busy, such as when multiple users log in at the same
time. The PDC has all the official settings for the entire domain
(in most cases an entire network) on it. BDCs usually have partial
and not quite up-to-date settings and information on them. Backing
up the Registry of your PDC (Primary Domain Controller) is an
important part of disaster prevention, because it contains all of
your user accounts. If you ever have to rebuild a PDC from scratch,
then you can restore your user accounts by restoring the Registry.
Backup and Restore:
Even with Windows 95 and 98 you cannot just back up the registry when
you back up files. What you need to do is run either regedt32.exe
(for NT) or regedit.exe, click the Registry menu, then click Export
Registry. The next step is to click All, then pick the drive to back
up onto (usually a removable drive like tape, floppy, CD, Zip drive,
Jaz drive etc.) and then hit "OK". To restore a registry from a
backed-up version, enter the registry program the same way, click
Import Registry, click the drive and path where the backup is and hit
"OK". It will restore the previous backed-up settings and may
require a reboot.
Note: registry backups are saved as .reg files, and they are associated
with regedit by default. This means that once you double-click a
.reg file, its contents will be inserted into your own registry.
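Because a double-click merges a .reg file straight into the registry, it is worth reading what the merge would do first. The Python script below is an added example, not part of this tutorial: it parses a regedit export, joins wrapped hex lines, and reports which keys and values the merge would delete and which keys it would write under SAM or SECURITY. The SAMPLE export is constructed for the demo; REGEDIT4 is the header regedit writes on NT 4 and Windows 9x, and the "Version 5.00" header belongs to later Windows releases.

```python
import re
# Headers written by regedit.exe: REGEDIT4 on NT 4 / Windows 9x, "Version 5.00" later.
KNOWN_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# Keys the tutorial singles out as holding account and password data.
SENSITIVE = (r"HKEY_LOCAL_MACHINE\SAM", r"HKEY_LOCAL_MACHINE\SECURITY")
# "name"=data or @=data (@ is the key's default value); data of "-" deletes the value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return (header, keys); each key is {"path", "delete", "values"}."""
    lines = text.replace("\r\n", "\n").split("\n")
    header = lines[0].strip()
    if header not in KNOWN_HEADERS:
        raise ValueError(f"not a regedit export: {header!r}")
    keys, current, i = [], None, 1
    while i < len(lines):
        line, i = lines[i].rstrip(), i + 1
        if not line or line.startswith(";"):  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            # A [-HKEY_...] section asks regedit to delete that whole key.
            current = {"path": line[1:-1].lstrip("-"), "delete": line.startswith("[-"), "values": {}}
            keys.append(current)
            continue
        while line.endswith("\\"):  # hex data wraps onto continuation lines
            line, i = line[:-1] + lines[i].strip(), i + 1
        m = VALUE_RE.match(line)
        if current is None or not m:
            raise ValueError(f"unexpected line: {line!r}")
        current["values"]["@" if m.group(1) is None else m.group(1)] = m.group(2)
    return header, keys


def review(text):
    """List what a merge would delete, and which keys it touches under SAM/SECURITY."""
    report = {"deleted_keys": [], "deleted_values": [], "sensitive_keys": []}
    for k in parse_reg(text)[1]:
        path = k["path"].upper()
        if k["delete"]:
            report["deleted_keys"].append(k["path"])
        report["deleted_values"] += [k["path"] + "\\" + n for n, v in k["values"].items() if v == "-"]
        if path in SENSITIVE or path.startswith(tuple(p + "\\" for p in SENSITIVE)):
            report["sensitive_keys"].append(k["path"])
    return report


# Constructed sample export (not taken from any real system).
SAMPLE = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\ExampleApp]
"Blob"=hex:01,02,\
  03,04
"Stale"=-
[HKEY_LOCAL_MACHINE\SAM\Example]
@="constructed: this merge writes under SAM"
[-HKEY_CURRENT_USER\Software\OldApp]
"""
```

Running review(SAMPLE) reports the OldApp key and the Stale value as deletions and flags the SAM\Example key.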
What is SAM?
SAM is short for Security Accounts Manager, which is located on
the PDC and has information on all user accounts and passwords.
Most of the time while the PDC is running, it is being accessed
or used.
What do I do with a copy of SAM?
You get passwords. First use a copy of SAMDUMP.EXE to extract the
user info out of it. You do not need to import this data into the
Registry of your home machine to play with it. You can simply load
it up into one of the many applications for cracking passwords,
such as L0phtCrack, which is available from: http://www.L0phtCrack.com
Of interest to hackers is the fact that all access control and
assorted parameters are located in the Registry. The Registry contains
thousands of individual items of data, grouped together into
"keys" and their optional values. These keys are grouped together
into subtrees -- placing like keys together and making copies of
others into separate trees for more convenient system access.
The Registry is divided into four separate subtrees. These subtrees
are called
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
We'll go through them from most important to the hacker to least
important to the hacker.
First and foremost is the HKEY_LOCAL_MACHINE subtree. It contains
five different keys. These keys are as follows:
SAM and SECURITY - These keys contain the info such as user rights,
user and group info for the domain (or workgroup if there is no
domain), and passwords. In the NT hacker game of capture the flag,
this is the flag. Bag this and all bets are off.
The keys are binary data only (for security reasons) and are typically
not accessible unless you are an Administrator or in the Administrators
group. It is easier to copy the data and play with it offline than
to work on them directly. This is discussed in a little more detail in
section 09-4.
HARDWARE - this is a storage database of throw-away data that describes
the hardware components of the computer. Device drivers and applications
build this database during boot and update it during runtime (although
most of the database is updated during the boot process). When the
computer is rebooted, the data is built again from scratch. It is
not recommended to directly edit this particular database unless
you can read hex easily.
There are three subkeys under HARDWARE: the Description key, the
DeviceMap key, and the ResourceMap key. The Description key describes
each hardware resource, the DeviceMap key has data in it specific to
individual groups of drivers, and the ResourceMap key tells which
driver goes with which resource.
SYSTEM - This key contains basic operating stuff like what happens
at startup, what device drivers are loaded, what services are in
use, etc. These are split into ControlSets which have unique system
configurations (some bootable, some not), with each ControlSet containing
service data and OS components for that ControlSet. Ever had to
boot from the "Last Known Good" configuration because
something got hosed? That is a ControlSet stored here.
SOFTWARE - This key has info on software loaded locally. File associations,
OLE info, and some miscellaneous configuration data is located here.
The second most important main key is HKEY_USERS. It contains a
subkey for each local user who accesses the system, either locally
or remotely. If the server is part of a domain and the user logs in
across the network, their subkey is not stored here but on a Domain
Controller. Things such as Desktop settings and user profiles are
stored here.
The third and fourth main keys, HKEY_CURRENT_USER and HKEY_CLASSES_ROOT,
contain copies of portions of HKEY_USERS and HKEY_LOCAL_MACHINE
respectively. HKEY_CURRENT_USER contains exactly what you would
expect: a copy of the subkey from HKEY_USERS of the currently logged
in user. HKEY_CLASSES_ROOT contains a part of HKEY_LOCAL_MACHINE,
specifically the file associations, OLE configuration and dependency
information from the SOFTWARE subkey.
What are hives?
Hives are the major subdivisions of all of these subtrees, keys,
subkeys, and values that make up the Registry. They contain "related"
data. Look, I know what you might be thinking, but this is just
how Microsoft divided things up -- I'm just relaying the info, even
I don't know exactly what all the advantages to this setup are.
;-)
All hives are stored in %systemroot%\SYSTEM32\CONFIG. The major
hives and their files are as follows:
Hive                           File       Backup File
HKEY_LOCAL_MACHINE\SOFTWARE    SOFTWARE   SOFTWARE.LOG
HKEY_LOCAL_MACHINE\SECURITY    SECURITY   SECURITY.LOG
HKEY_LOCAL_MACHINE\SYSTEM      SYSTEM     SYSTEM.LOG
HKEY_LOCAL_MACHINE\SAM         SAM        SAM.LOG
HKEY_CURRENT_USER              USERxxx    USERxxx.LOG
                               ADMINxxx   ADMINxxx.LOG
HKEY_USERS\.DEFAULT            DEFAULT    DEFAULT.LOG
Hackers should look for the SAM file, with the SAM.LOG file as
a secondary target. This contains the password info.
For ease of use, the Registry is divided into five separate structures
that represent the Registry database in its entirety. These five
groups are known as Keys, and are discussed below:
HKEY_CURRENT_USER
This registry key contains the configuration information for the
user that is currently logged in. The users folders, screen colors,
and control panel settings are stored here. This information is
known as a User Profile.
HKEY_USERS
In Windows NT 3.5x, user profiles were stored locally (by default)
in the systemroot\system32\config directory. In NT 4.0, they are
stored in the systemroot\profiles directory. User-specific information
is kept there, as well as common, system-wide user information.
This change in storage location was made to parallel the way in which
Windows 95 handles its user profiles. In earlier releases of NT, the
user profile was stored as a single file, either locally in the
\config directory or centrally on a server. In Windows NT 4, the
single user profile has been broken up into a number of subdirectories
located below the \profiles directory. The reason for this is mainly
the way in which the Win95 and WinNT4 operating systems use the
underlying directory structure to form part of their new user
interface.
A user profile is now contained within the NtUser.dat (and NtUser.dat.log)
files, as well as the following subdirectories:
Application Data: This is a place to store application data specific
to this particular user.
Desktop: Placing an icon or a shortcut into this folder causes that
icon or shortcut to appear on the desktop of the user.
Favorites: Provides a user with a personalized storage place for
files, shortcuts and other information.
NetHood: Maintains a list of personalized network connections.
Personal: Keeps track of personal documents for a particular user.
PrintHood: Similar to NetHood folder, PrintHood keeps track of printers
rather than network connections.
Recent: Contains information of recently used data.
SendTo: Provides a centralized store of shortcuts and output devices.
Start Menu: Contains configuration information for the user's menu
items.
Templates: Storage location for document templates.
HKEY_LOCAL_MACHINE
This key contains configuration information particular to the computer.
This information is stored in the systemroot\system32\config directory
as persistent operating system files, with the exception of the
volatile hardware key.
The information gleaned from this configuration data is used by
applications, device drivers, and the Windows NT 4 operating system.
The latter usage determines what system configuration data to use,
without respect to the user currently logged on. For this reason
the HKEY_LOCAL_MACHINE registry key is of specific importance to
administrators who want to support and troubleshoot NT 4.
HKEY_LOCAL_MACHINE is probably the most important key in the registry
and it contains five subkeys:
Hardware: Database that describes the physical hardware in the
computer, the way device drivers use that hardware, and mappings
and related data that link kernel-mode drivers with various user-mode
code. All data in this sub-tree is re-created every time the system
is started.
SAM: The Security Accounts Manager. Security information for user
and group accounts and for the domains in NT 4 Server.
Security: Database that contains the local security policy, such
as specific user rights. This key is used only by the NT 4 security
subsystem.
Software: Per-computer software database. This key contains data
about software installed on the local computer, as well as configuration
information.
System: Database that controls system start-up, device driver loading,
NT 4 services and OS behavior.
Information about the HKEY_LOCAL_MACHINE\SAM Key
This subtree contains the user and group accounts in the SAM database
for the local computer. For a computer that is running NT 4, this
subtree also contains security information for the domain. The information
contained within the SAM registry key is what appears in the user
interface of the User Manager utility, as well as in the lists of
users and groups that appear when you make use of the Security menu
commands in NT 4 Explorer.
Information about the HKEY_LOCAL_MACHINE\Security key
This subtree contains security information for the local computer.
This includes aspects such as assigning user rights, establishing
password policies, and the membership of local groups, which are
configurable in User Manager.
HKEY_CLASSES_ROOT
The information stored here is used to open the correct application
when a file is opened by using Explorer and for Object Linking and
Embedding. It is actually a window that reflects information from
the HKEY_LOCAL_MACHINE\Software subkey.
HKEY_CURRENT_CONFIG
The information contained in this key is used to configure settings
such as the software and device drivers to load or the display
resolution to use. This key has Software and System subkeys, which
keep track of configuration information.
Understanding Hives
The registry is divided into parts called hives. These hives are
mapped to a single file and a .LOG file. These files are in the
systemroot\system32\config directory.
Registry Hive                  File Name
HKEY_LOCAL_MACHINE\SAM         SAM and SAM.LOG
HKEY_LOCAL_MACHINE\SECURITY    Security and Security.LOG
HKEY_LOCAL_MACHINE\SOFTWARE    Software and Software.LOG
HKEY_LOCAL_MACHINE\SYSTEM      System and System.ALT
QuickNotes
Ownership = The ownership menu item presents a dialog box that identifies
the user who owns the selected registry key. The owner of a key
can permit another user to take ownership of a key. In addition,
a system administrator can assign a user the right to take ownership,
or outright take ownership himself.
REGINI.EXE = This utility is a character-based console application
that you can use to add keys to the NT registry by specifying a
Registry script.
--------------------------------------------------------------------------------
The Following table lists the major Registry hives and some subkeys
and the DEFAULT access permissions assigned:
\\ denotes a major hive
\  denotes a subkey of the prior major hive

\\HKEY_LOCAL_MACHINE   Admin-Full Control
                       Everyone-Read Access
                       System-Full Control
\HARDWARE              Admin-Full Control
                       Everyone-Read Access
                       System-Full Control
\SAM                   Admin-Full Control
                       Everyone-Read Access
                       System-Full Control
\SECURITY              Admin-Special (Write DAC, Read Control)
                       System-Full Control
\SOFTWARE              Admin-Full Control
                       Creator Owner-Full Control
                       Everyone-Special (Query, Set, Create, Enumerate,
                                         Notify, Delete, Read)
                       System-Full Control
\SYSTEM                Admin-Special (Query, Set, Create, Enumerate,
                                      Notify, Delete, Read)
                       Everyone-Read Access
                       System-Full Control
\\HKEY_CURRENT_USER    Admin-Full Control
                       Current User-Full Control
                       System-Full Control
\\HKEY_USERS           Admin-Full Control
                       Current User-Full Control
                       System-Full Control
\\HKEY_CLASSES_ROOT    Admin-Full Control
                       Creator Owner-Full Control
                       Everyone-Special (Query, Set, Create, Enumerate,
                                         Notify, Delete, Read)
                       System-Full Control
\\HKEY_CURRENT_CONFIG  Admin-Full Control
                       Creator Owner-Full Control
                       Everyone-Read Access
                       System-Full Control
--------------------------------------------------------------------------------
That's it for the Registry Tutorial. Questions or Comments should
be forwarded to nijjerm@cadvision.com
Jatt
Check out these sites for more info:
NT registry Hacks: http://www.jsiinc.com/default.htm?/reghack.htm
Unofficial NT Hack: http://www.nmrc.org/faqs/nt/index.html
Rhino9: The Windows NT Security Research Team: http://www.xtreme.abyss.com/techvoodoo/rhino9
Regedit.com - cool registry tricks: http://www.regedit.com
Also please check out: www.windows2000test.com and give it your
best shot, because Microsoft wants you to test their operating system's
security flaws for them. They are challenging all hackers to hack
that site.