Unknown Kadath

Windows ‘File Recovery’ series : Part 6 Reading/Editing The Windows Registry From Outside of Windows

Posted on May 14th, 2012 by James Litten


DISCLAIMER: These examples use techniques that I actually employ in the real world to deal with real problems. They might be wrong or dangerous. They might be inefficient. If you try them yourself, it might cause damage or irreparable loss. I take no responsibility for anything you do based on my examples or the information that I provide here.

In this series we’ll look at some real world examples of disastrous situations salvaged and made better again.

Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Caution
Do not edit the registry directly unless you have no alternative. These techniques bypass standard safeguards, allowing settings that can degrade performance, damage your system, or even require you to reinstall Windows. If you must edit the registry directly, back it up first.

Most of the time you can use standard registry editing tools even on a Windows computer that cannot boot into Windows.

If you are able to boot the machine into Safe Mode with Command Prompt, then you can use the reg command.
Reg Command
http://technet.microsoft.com/en-us/library/bb490984.aspx

Recovery Console command prompt on Windows Vista / 7
You can run regedit.exe.
You can also use the reg.exe command.

Windows 8 Startup Repair command prompt
You can run regedit.exe.
You can also use the reg.exe command.

I’m sure that there are other ways. Computers are always full of new surprises when it comes to breaking them.

Then there is Windows XP.
The Recovery Console command prompt in Windows XP has no reg or regedit command.

Using chntpw as a Windows registry editor

Anyone who repairs consumer computers on a regular basis comes across this scenario sooner or later.

A client has a Windows XP computer with a problem that can be easily repaired from the XP Recovery Console. You proceed to boot into the XP Recovery Console and ask the client “Is there an administrator password on this machine?” and they respond with something like “I don’t think so…”.

You proceed to choose the Windows install listed in the Recovery Console and it asks you for an administrator password, so you press Enter as if there is no password, and up pops “The password is not valid”.

This is how I first came to know the program chntpw (which I presume stands for Change NT Password). It allows you to modify the Windows registry from a Live Linux CD and change the password.

It doesn’t just give you the ability to change that part of the registry. It can view and edit other parts, which can help you get a damaged machine to boot, for example when a partial removal of malware leaves an orphaned or erroneous registry value that crashes the Windows boot process.

Before we look at some examples, I just want to be sure that you saw the disclaimers.

Caution
Do not edit the registry directly unless you have no alternative. These techniques bypass standard safeguards, allowing settings that can degrade performance, damage your system, or even require you to reinstall Windows. If you must edit the registry directly, back it up first.

For our examples, we will use a PartedMagic Live CD to boot the Windows machine into Linux and use the tools that are available on it to view/edit the Windows registry on the machine.
You can find the iso file for creating a PartedMagic boot CD here:
http://partedmagic.com/doku.php?id=downloads

In real life situations, I only reach this point when it is the last thing to try before a repair-reinstall, which can take a considerable amount of time and is fraught with potential pitfalls.
As I open the terminal in Linux and start typing chntpw commands I feel a little like Commissioner Gordon picking up the BatPhone and calling Gotham City’s last hope for salvation.


This means that…
  • The machine won’t boot into Windows XP safe mode or normal mode.
  • A System Restore is not an option or does not work.
  • The Last Known Good Configuration option does not work.




chntpw is a console-based tool included with the PartedMagic Live CD. It has a built-in registry editor which can be used to manipulate the Windows registry. To invoke the registry editor you have to specify the -e option with the name of the registry hive file.

Boot the Windows machine with the PartedMagic boot CD.
The button on the PartedMagic desktop in the lower left corner behaves like the START button on an XP desktop, so we’ll call it START when we refer to it.

Mount the disk that contains the registry hives.
START>SYSTEM TOOLS>MOUNT-GTK
Click the mount button next to the drive that contains the Windows install that we will be working on. In our example it is sda1, so this will mount it as /media/sda1.

Open a terminal window.
START>ACCESSORIES>LXTERMINAL
Go to the directory containing the registry hives (remember, the path is case sensitive).
cd /media/sda1/WINDOWS/system32/config



Make a backup of the hive file that you will be editing.

Registry Key Name                 Hive Filename
HKEY_CURRENT_USER                 NTuser.dat
HKEY_LOCAL_MACHINE\SAM            SAM
HKEY_LOCAL_MACHINE\SECURITY       SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE       SOFTWARE
HKEY_LOCAL_MACHINE\SYSTEM         SYSTEM
HKEY_USERS\DEFAULT                DEFAULT

We’re going to play with the software hive, so let’s make a backup copy of it before we do anything.

cp software software.mybak

Now we can edit it with chntpw

chntpw -e software

We are now in the simple registry editor. Typing ? shows the options available to us.



To navigate to the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

type (case sensitive; the path uses backslashes, just as in Windows)

cd Microsoft\Windows\CurrentVersion\Run

and type ls to list the values in the key.

Let’s add a value that will cause Windows Calculator (calc.exe) to run when a user logs in.
Type
nv ?

to see a list of the numeric codes for the different value types.



For our value we can type

nv 1 test

now if we type

ls

we see our new value listed

Now to edit the contents of the value we type

ed test

and we are asked to enter our string which in our case is

c:\windows\system32\calc.exe

Then you can see the new value by typing

cat test



Press q to exit the program and it gives you the option to save the changes that you made.

Now when you reboot into Windows, the calculator program will open when a user logs in.



This is a very sensitive technique, so you should make one change at a time and reboot to make sure everything is working. If not, restore your backup by copying it (so you still have it if there is another mishap) and try again. I have had to do this before.
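The backup step above (cp software software.mybak) and the restore-by-copying advice here are the part of this procedure that saves you when an edit goes wrong, so here is an added example, not from the original post, that wraps both in shell functions for the PartedMagic terminal. It assumes only coreutils (find, head, od, cp, cmp) and a mounted Windows partition; the fixture it builds is constructed data, not a real hive. It also adds two checks a practitioner wants before touching a hive: it locates the config directory regardless of how WINDOWS/system32 is capitalised (Linux paths are case sensitive, as noted above), and it confirms that the file really is a registry hive by reading the "regf" header and comparing the two sequence numbers that only match when Windows wrote the hive out cleanly.

```bash
#!/bin/bash
# Added example (not from the original post): backup/restore discipline for
# editing Windows registry hives from a Linux live CD. Assumes coreutils only.

# Locate system32/config under a mounted Windows partition, whatever the
# capitalisation of the directory names (WINDOWS vs Windows, system32 vs
# System32). Prints the first match, or nothing if none is found.
find_hive_dir() {
  local root="${1%/}"
  find "$root" -maxdepth 3 -type d -ipath "$root/windows/system32/config" | head -n 1
}

# A registry hive starts with the magic "regf". Bytes 4-7 and 8-11 hold the
# primary and secondary sequence numbers (little-endian); Windows bumps the
# first before a write and the second after it, so they differ only when the
# hive was not written out cleanly. Returns 0 for a clean hive, 1 otherwise.
is_clean_hive() {
  local f="$1" magic seq1 seq2
  magic=$(head -c 4 "$f" 2>/dev/null)
  [ "$magic" = "regf" ] || return 1
  seq1=$(od -An -tu4 -j4 -N4 "$f" | tr -d ' ')
  seq2=$(od -An -tu4 -j8 -N4 "$f" | tr -d ' ')
  [ "$seq1" = "$seq2" ]
}

# Copy a hive to <name>.mybak (the naming used in the post) and verify the
# copy byte for byte. Refuses to overwrite an existing backup so that a known
# good copy is never replaced by a half-edited one.
backup_hive() {
  local hive="$1" bak="$1.mybak"
  [ -f "$hive" ] || { echo "no such hive: $hive" >&2; return 1; }
  [ -e "$bak" ] && { echo "backup already exists: $bak" >&2; return 1; }
  cp -p "$hive" "$bak" && cmp -s "$hive" "$bak"
}

# Put the backup back by copying, never moving, so the backup survives another
# mishap. Verifies the restored file matches the backup.
restore_hive() {
  local hive="$1" bak="$1.mybak"
  [ -f "$bak" ] || { echo "no backup: $bak" >&2; return 1; }
  cp -p "$bak" "$hive" && cmp -s "$hive" "$bak"
}

# Constructed fixture for trying the helpers offline: a fake Windows tree with
# a "clean" hive (sequence numbers 1/1) and a "dirty" one (2/1). These are
# header bytes only, not real hives.
make_fixture() {
  local cfg="$1/WINDOWS/system32/config"
  mkdir -p "$cfg"
  printf 'regf\001\000\000\000\001\000\000\000constructed' > "$cfg/software"
  printf 'regf\002\000\000\000\001\000\000\000constructed' > "$cfg/dirty"
}

# Walk through the same sequence as the post against the fixture.
demo() {
  local tmp dir
  tmp=$(mktemp -d)
  make_fixture "$tmp"
  dir=$(find_hive_dir "$tmp")
  echo "config dir: $dir"
  is_clean_hive "$dir/software" && echo "software: clean hive"
  is_clean_hive "$dir/dirty"    || echo "dirty: not cleanly written, do not edit"
  backup_hive "$dir/software"   && echo "backup written"
  printf 'edit' >> "$dir/software"            # stand-in for a chntpw edit
  restore_hive "$dir/software"  && echo "restored from backup"
  rm -rf "$tmp"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with RUN_DEMO=1 to see the walkthrough, or source the file and call backup_hive /media/sda1/WINDOWS/system32/config/software before starting chntpw. A hive that fails is_clean_hive is a reason to stop and think, not to proceed: Windows has a transaction log for it, and editing the file offline in that state is exactly the kind of "one change at a time" situation the post warns about.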

I have never used chntpw with Windows XP 64-bit but I have successfully used it with Windows XP 32-bit, Windows 7 64-bit and Windows 8 Consumer Preview 64-bit.
