Author Acid_Cool_178
Target Windows Regestry
Public Release  M1rch 2001
Dedication Hellforge and The Cracking Answer
Tools Required Windows NT

 

Introduction
 

I have always wondered on  how the windows registry worked. The reason is that the Windows Registry is telling programs that it's registered or now, and the setting on your windows shell, personally information and security. The Windows Registry have been in windows since the beginning of windows 3.x I don't now about windows 286 but I guess that the Registry were there too.... 

Tutorial
 

Contents

Part 1 Some General Questions 
Part 2 The Windows 2000 registry

 


Part 1 - Some General Questions 

What is the Windows registry ?
Microsoft thinks that the registry is one huge database of information and it truly is, it contains information at almost everything in your windows system. Now you really can be afraid.

But where can I find the windows Registry ?
Well, the Registry have to be saved somewhere and you can find is at you Hard Drive under your Windows directory.

 

Version File(s) Contents
3.1X REG.DAT The Complete windows 3.XX Registry
95 SYSTEM.DAT System-values (HKEY_LOCAL_MACHINE)
USER.DAT User-values (HKEY_USER)
NT SYSTEM32\CONFIG\SAM SAM-part of the registry wich is the NT secutiry
SYSTEM32CONFIG\SOFTWARE Software-Specific part
(HKEY_LOCAL_MACHINE\SOFTWARE)
SYSTEM32\CONFIG\SYSTEM System-Specific part
(HKEY_LOCAL_MACHINE\SYSTEM)
SYSTEM32\%USERNAME%\NTUSER.DAT User-Specific part
(HKEY_CURRENT_USER\{S-1-xxx...})
SYSTEM32\%USERNAME%\NTUSER.MAN Like NTUSER.DAT but MANDATORY-Profile
winnt\system32\config\security The security profile

 

Under the registry so will you find some main roots in there, and as you can see so is the registry also well structured. I have to say the Microsoft did now how it should be and it is made so good structured so there had to be some fights to make this structure. 

What is one KEY?
One key in the registry can be seen as a directory in a file system, it is a directory in the registry

What is one Value?
One Value in the registry can bee seen as the "file" in the system, is is a own file in the registry

What is Data
Data is the content of the Value in the registry, the little peace of the information.

What is a hive ?
A hive is the first thing what you can see in the registry, the first directories

 

Hive File Backup File
HKEY_LOCAL_MACHINE\SOFTWARE SOFTWARE   SOFTWARE.LOG
HKEY_LOCAL_MACHINE\SECURITY  SECURITY   SECURITY.LOG
HKEY_LOCAL_MACHINE\SYSTEM   SYSTEM     SYSTEM.LOG
HKEY_CURRENT_USER  USERxxx   
ADMINxxx  
USERxxx.LOG
ADMINxxx.LOG
HKEY_USERS\.DEFAULT    DEFAULT    DEFAULT.LOG

 

Here have you the main hives

 

Hive name Description 3.1 95 NT
HKEY_CLASSES_ROOT Points to the "class" key in the "HKEY_LOCAL_MACHINE" hive, this hive is the only hive in the Windows 3.1 registry Yes Yes Yes
HKEY_CURRENT_USER Information and settings for the current logge in user. Points to the key under "HKEY_USERS" No Yes Yes
HKEY_CURRENT_CONFIG Settings for the currently active hardware profile. Points to "HKEY_LOCAL_MACHINE\CONTROL\CONTROLSETxxx" No Yes Yes
HKEY_USERS Contains all currently active user settings. Since NT is a single user system, there will only be one key (the S-ID of the user active user), and a ".DEAFULT" key (The settings for the CTRL+ALT+DEL enviroment) No Yes Yes
HKEY_LOCALMACHINE All local settings No Yes Yes
HKEY_DYN_DATA The dynamic data like (CPU-usage, Monitor, RAM etc) No Yes No

We will go deeper in the current hives later, it's in another section


Part 2 - The windows 2000 Registry 

Windows 2000 is something like the NT 4.0 registry, just abut updated and fixed on.  

As you now from earlier so is the windows registry well protected and the windows 2000 Professional Registry is hard protected, you can't even copy any of the registry files even as one administrator. Now this is good protection by Microsoft, and I don't yet now how to get around the copy protection and I don't care about that so long as I can view the registry in my registry editor.

Every registry-part have one *.log file so you can trace at someone of they have been into you registry and you will have some damm hard proof to that person, these files lies almost never. And now you is some informed on the security system on the registry.. 

Information about the HKEY_LOCAL_MACHINE\SAM Key

This subtree contains the user and group accounts in the SAM database for the local computer. For a computer that is running NT 4, this subtree also contains security information for the domain. The information contained within the SAM registry key is what appears in the user interface of the User Manager utility, as well as in the lists of users and groups that appear when you make use of the Security menu commands in NT4 explorer.

Information about the HKEY_LOCAL_MACHINE\Security key

This subtree contains security information for the local computer. This includes aspects such as assigning user rights, establishing password policies, and the membership of local groups, which are configurable in User Manager.

What is SAM?
SAM is short for Security Accounts Manager, which is located on the PDC and has information on all user accounts and passwords. Most of the time while the PDC is running, it is being accessed or used.

What do I do with a copy of SAM?
You get passwords. First use a copy of SAMDUMP.EXE to extract the user info out of it. You do not need to import this data into the Registry of your home machine to play with it. You can simply load it up into one of the many applications for cracking passwords, such as L0phtCrack, which is available from: http://www.L0phtCrack.com

Lets go deeper in the registry right now, and how the structure works.

 

The Registry is divided into five separate subtrees. These subtrees are called 

 


 

HKEY_CURRENT_CONFIG

The information contained in this key is to configure settings such as the software and device drivers to load or the display resolution to use. This key has a software and system subkeys, which keep track of configuration information.

 



HKEY_USERS


In windowsNT 3.5x, user profiles were stored locally (by default) in the systemroot\system32\config directory. In NT4.0, they are stored in the systemroot\profiles directory. User-Specific information is kept there, as well as common, system wide user information.

This change in storage location has been brought about to parallel the way in which Windows95 handles its user profiles. In earlier releases of NT, the user profile was stored as a single file - either locally in the \config directory or centrally on a server. In windowsNT 4, the single user profile has been broken up into a number of subdirectories located below the \profiles directory. The reason for this is mainly due to the way in which the Win95 and WinNT4 operating systems use the underlying directory structure to form part of their new user interface.

In this Hive will you fins some Keys like .DEAFULT and if you open it so can you see: 
Control Panel
Console
Console Panel
Environment
Identites
Keyboard Layout
Software
UNICODE Program Groups

As you can see so is these the default setting son this machine for the users and you will find keys to the other users in there. 

 


 

HKEY_CURRENT_USER

This registry key contains the configuration information for the user that is currently logged in. The users folders, screen colors, and control panel settings are stored here. This information is known as a User Profile.

 


 

HKEY_LOCAL_MACHINE 

This key contains configuration information particular to the computer. This information is stored in the systemroot\system32\config directory as persistent operating system files, with the exception of the volatile hardware key.

The information gleaned from this configuration data is used by applications, device drivers, and the WindowsNT 4 operating system. The latter usage determines what system configuration data to use, without respect to the user currently logged on. For this reason the HKEY_LOCAL_MACHINE registry key is of specific importance to administrators who want to support and troubleshoot NT 4.


HKEY_LOCAL_MACHINE is probably the most important key in the registry and it contains five subkeys:


SAM and SECURITY - These keys contain the info such as user rights, user and group info for the domain (or workgroup if there is no domain), and passwords. In the NT hacker game of capture the flag, this is the flag. Bag this and all bets are off.

The keys are binary data only (for security reasons) and are typically not accessible unless you are an Administrator or in the Administrators group. It is easier to copy the data and play with it offline than to work on directly. 

HARDWARE - this is a storage database of throw-away data that describes the hardware components of the computer. Device drivers and applications build this database during boot and update it during runtime (although most of the database is updated during the boot process). When the computer is rebooted, the data is built again from scratch. It is not recommended to directly edit this particular database unless you can read hex easily. 

There are three subkeys under HARDWARE, these are the Description key, the DeviceMap key, and the ResourceMap key. The Description key has describes each hardware resource, the DeviceMap key has data in it specific to individual groups of drivers, and the ResourceMap key tells which driver goes with which resource. 

SYSTEM - This key contains basic operating stuff like what happens at startup, what device drivers are loaded, what services are in use, etc. These are split into ControlSets which have unique system configurations (some bootable, some not), with each ControlSet containing service data and OS components for that ControlSet. Ever had to boot from the "Last Known Good" configuration because something got hosed? That is a ControlSet stored here. 

SOFTWARE - This key has info on software loaded locally. File associations, OLE info, and some miscellaneous configuration data is located here. 
The second most important main key is HKEY_USERS. It contains a subkey for each local user who accesses the system, either locally or remotely. If the server is a part of a domain and logs in across the network, their subkey is not stored here, but on a Domain Controller. Things such as Desktop settings and user profiles are stored here. 
The third and fourth main keys, HKEY_CURRENT_USER and HKEY_CLASSES_ROOT, contain copies of portions of HKEY_USERS and HKEY_LOCAL_MACHINE respectively. HKEY_CURRENT_USER contains exactly would you would expect a copy of the subkey from HKEY_USERS of the currently logged in user. HKEY_CLASSES_ROOT contains a part of HKEY_LOCAL_MACHINE, specifically from the SOFTWARE subkey. File associations, OLE configuration and dependency information. 



 

HKEY_CLASSES_ROOT

The information stored here is used to open the correct application when a file is opened by using Explorer and for Object Linking and Embedding. It is actually a window that reflects information from the HKEY_LOCAL_MACHINE\Software subkey.

 



A user profile is now contained within the NtUser.dat (and NtUser.dat.log) files, as well as the following subdirectories:

Application Data: This is a place to store application data specific to this particular user.
Desktop: Placing an icon or a shortcut into this folder causes the that icon or shortcut to appear on the desktop of the user.
Favorites: Provides a user with a personalized storage place for files, shortcuts and other information.
NetHood: Maintains a list of personlized network connections.
Personal: Keeps track of personal documents for a particular user.
PrintHood: Similar to NetHood folder, PrintHood keeps track of printers rather than network connections.
Recent: Contains information of recently used data.
SendTo: Provides a centralized store of shortcuts and output devices.
Start Menu: Contains configuration information for the users menu items.
Templates: Storage location for document templates.

 


 

The Following table lists the major Registry hives and some subkeys and the DEFAULT access permissions assigned:

\\ denotes a major hive        \denotes a subkey of the prior major hive

 

\\HKEY_LOCAL_MACHINE
		Admin-Full Control
		Everyone-Read Access
		System-Full Control
 \HARDWARE
		Admin-Full Control
		Everyone-Read Access
		System-Full Control
 \SAM
		Admin-Full Control
		Everyone-Read Access
		System-Full Control
 \SECURITY
		Admin-Special (Write DAC, Read Control)
		System-Full Control
 \SOFTWARE
		Admin-Full Control
		Creator Owner-Full Control
		Everyone-Special (Query, Set, Create, Enumerate, Notify, Delete, Read)
		System-Full Control
 \SYSTEM
		Admin-Special (Query, Set, Create, Enumerate, Notify, Delete, Read)
		Everyone-Read Access
		System-Full Control
\\HKEY_CURRENT_USER
		Admin-Full Control
		Current User-Full Control
		System-Full Control
\\HKEY_USERS
		Admin-Full Control
		Current User-Full Control
		System-Full Control
\\HKET_CLASSES_ROOT
		Admin-Full Control
		Creator Owner-Full Control
		Everyone-Special (Query, Set, Create, Enumerate, Notify, Delete, Read)
		System-Full Control
\\HKEY_CURRENT CONFIG
		Admin-Full Control
		Creator Owner-Full Control
		Everyone-Read Access
		System-Full Control
 

As you can see so is the Windows Registry very structured and protected. But It's still not 100% secure, there is some hackers, crackers and coders out there and helping you on breaking this structure.

 

 
Final Thoughts
 

Well, this is my first essay and I have studied the registry and gathered so much information and I could find. I have read some tutorials right now and is abut tired of registry reading. But I will come up with another essay now soon, more about the windows registry that I haven't uncovered... Be prepared. 


 
Greetings to...


Special Greetings: 
LaZARuS for he's great tutorials....
+DaFixer for DeDe
The Cracking Answer for not even bugging me for writing or cracking anything, that group roxx!!!! You will get alotta work from me now soon :D

Groups:  HF, ID, TCA, GC, TMG

Individuals, ManKind, Dark Wolf, BiSHoP, Mercution, AlX, Falcon, Marton, Borna Janes, Analyst, Eternal Bliss, NARRoW, Subzonic, DiABLO, Eddie Van Camper, CD_Knight and all the rest that i have forgotten
 

The end.
Any mistakes, corrections, or comments may be mailed to the members individually, or to the group : hellforge@hellforge.org.