Author Acid_Cool_178
Target Windows Registry Part 2
Public Release  July 2001
Dedication All my best online friends !!!
Difficulty Level (1..7) 2 (EASY)
Tools Required Reg Edit
Download it from Nowhere, it comes with Windows :) 

 

Introduction
 

I'm back again with another Windows Registry tutorial. This time we will cover something that is more for coders and programmers, but basic enough for newbies to understand too. Understanding Windows is always a good side of a hacker and a cracker, and the Windows Registry is heaven for a hacker and a cracker... So now we will take care of some keys in the Windows Registry :)
 

Tutorial
 

As you know, a *.REG file is a registry file and has a special structure, as I tried to explain in my Windows Registry Part 1, and I hope that you understood it ;) A .REG file is mostly plain ASCII text or hex numbers, and every line is ended with one CR/LF combination.

Here is the contents :)

 

Keys
Values
Strings
Binary values
Types of binary values
DWORDs

Keys

Key names are exported as they are encountered, but need not be in any order.
Subkeys are explicitly named. For example, if you had the key 
HKEY_CLASSES_ROOT\CLSID and its subkey
HKEY_CLASSES_ROOT\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D} (which represents the ClassID of the Control Panel, by the way), they would be exported as:

[HKEY_CLASSES_ROOT\CLSID]
[HKEY_CLASSES_ROOT\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}]

For a key name to be valid, it must start with one of the root key names:
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG

A key name may only contain printable ASCII characters (that is, characters with values from 32 through 127) and may not contain spaces, backslashes \ or the wildcards * and ?.

Every key name is followed by its values, starting on the line directly following it. The list of values is terminated with an empty line, and may be empty itself.

For example:
[key-name]

[second-key-name]
"value1"=something
"value2"=something

[third-key-name]

If a key is specified which does not exist, it is created, along with any parent keys that do not exist. For example, if the key
HKEY_USERS\Jeroen\Test\Subkey is specified, and only the key HKEY_USERS\Jeroen exists, the key HKEY_USERS\Jeroen\Test is also created.

Note that you cannot delete keys or values - you can only add them if they don't already exist, or modify them if they do.

Values
There are three kinds of values in the registry: strings, binary values, and DWORDS. They represent a collection of characters, a collection of bytes, and a 32-bit integer, respectively.

Values consist of a name, enclosed in quotes "", followed by an equal sign = , followed by the value value (there's no other way to put it).

Every key, even if created empty, contains at least one string value - this is the value shown as (Default) in RegEdit. To set its value, use @ as the value name, and omit the usual quotes around the value name.

Example:
@="This is the default value."

Strings
Strings may be any size. They are represented within quotes "", and contain normal ASCII characters.

The quote " and backslash \ are also allowed in strings - however, they must be represented as \" and \\, respectively. Also, RegEdit can import and export all non-ASCII characters except for linefeed (or newline, ASCII code 10). Should a linefeed end up in a string, RegEdit will export this as a real newline, splitting the string in two lines. When reimporting this string, RegEdit will only read the first line. The moral of the story: don't store linefeeds in strings.

Examples of strings:
"Foo"="Bar"
"FooPath"="C:\\WINDOWS\\System"
"FooMessage"="This\nMessage\nActually\nConsists\nOf\nOne\nLong\nLine."

Binary values
Binary values are used where strings and DWORDs fail. They can be used to represent any type of data. They are represented as hex:xx,yy,zz where xx,yy and zz are hexadecimal representations of single bytes. They may be any length.

Lengthy binary values can be divided into multiple lines using the C-style line continuation character \ at the end of a line. For example:
"Bar"=hex:48,00,00,00,01,00,00,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,\
00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,\
0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,0a,00,00,00,00,00,c4,ac,01,\
00

Also take note that this is only allowed with binary values. In particular, you cannot divide strings this way. And yes, this IS pretty stupid.

Although I usually ignore Microsoft, they recommend you shouldn't store more than around two kilobytes of binary data at most, and I agree with them for once.

Example of binary values:
"Foo"=hex:00,de,ca,de,12,34
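To make the structure above concrete, here is an added example (my own code, not from the tutorial) that parses the key, value, string and binary syntax described so far, including the \ continuation for hex data, and also accepts the dword: form covered at the end of the tutorial. The SAMPLE_REG text is constructed for this example.

```python
# Added example, not from the original tutorial: a small parser for the .REG
# syntax described above ([key] lines, "name"=value and @=value lines, \\ and
# \" string escapes, hex: data with \ continuation, dword:). Sample is constructed.
import re

SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Example]
@="This is the default value."
"FooPath"="C:\\WINDOWS\\System"
"FooMessage"="Say \"hi\""
"Foo"=hex:00,de,ca,de,12,\
34
"Bar"=dword:00decade

[HKEY_CURRENT_USER\Software\Example\Empty]
'''

VALUE_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')  # @ or "name", then =value

def unescape(body):
    """Undo the only two escapes RegEdit uses inside quotes (backslash, quote)."""
    return re.sub(r'\\([\\"])', r'\1', body)

def parse_value(raw):
    """Classify the text after '=' as a string, a dword or hex(type) bytes."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return 'string', unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return 'dword', int(raw[6:], 16)
    typ, sep, data = raw.partition(':')                  # hex: or hex(N):
    if sep and typ.startswith('hex'):
        n = int(typ[4:-1]) if typ.startswith('hex(') else 3   # 3 = REG_BINARY
        return f'hex({n})', bytes.fromhex(data.replace(',', ''))
    raise ValueError(f'unrecognised value syntax: {raw!r}')

def parse_reg(text):
    """Return {key: {name: (kind, value)}}; the name '@' is the (Default)."""
    keys, current, pending = {}, None, ''
    for line in text.splitlines():
        line, pending = pending + line.strip(), ''
        if line.endswith('\\'):                 # continuation: binary data only
            pending = line[:-1]
        elif line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif line:                              # a blank line just ends a list
            m = VALUE_LINE.match(line)
            if current is None or not m:
                raise ValueError(f'unexpected line: {line!r}')
            name = '@' if m.group(1) is None else unescape(m.group(1))
            keys[current][name] = parse_value(m.group(2))
    return keys
```

Calling parse_reg(SAMPLE_REG) gives one dictionary per key, with the continued hex value joined back into a single byte string and the empty key present with no values.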

Types of binary values
Along with 'regular' binary values, there are also some special types of data
which RegEdit represents as special binary values, like this:

"FooBar"=hex(type):xx,xx,xx,xx,...

where type is a number ranging from zero to ten in the current versions of
Windows, as follows:

Type Name 
0 REG_NONE 
1 REG_SZ 
2 REG_EXPAND_SZ
3 REG_BINARY 
4 REG_DWORD, REG_DWORD_LITTLE_ENDIAN
5 REG_DWORD_BIG_ENDIAN
6 REG_LINK
7 REG_MULTI_SZ
8 REG_RESOURCE_LIST
9 REG_FULL_RESOURCE_DESCRIPTOR 
10 REG_RESOURCE_REQUIREMENTS_LIST

0 REG_NONE
REG_NONE means 'no defined value type'. No, I don't know what it's good for - REG_BINARY is already a catch-all type for everything that has no type. Perhaps it's used for values that have no contents, although I can't imagine what THAT would be good for.

1 REG_SZ
A null-terminated string. This is the same as the string type, represented as bytes. For example, these definitions are equal:

"BarFoo"=hex(1):41,42,43,44,00
and
"BarFoo"="ABCD"

See also
Strings

2 REG_EXPAND_SZ
A null-terminated string that contains unexpanded references to environment variables. When an application reads this string from the registry, it can let Windows replace the references with the environment variable value.

For example, the following value

"ForBaa"=hex(2):25,50,41,54,48,25,3b,53,6f,6d,65,74,68,69,6e,67,00

represents the string "%PATH%;Something". When this string is read, the "%PATH%" section can be replaced with the contents of your PATH variable.

3 REG_BINARY
Plain binary data: the hex: form described above under Binary values. A hex: value with no type number is the same as hex(3):.

4 REG_DWORD, REG_DWORD_LITTLE_ENDIAN
Represents a little-endian DWORD (the common format of Windows DWORDs). In little-endian format the low-order (least significant) byte of the word is stored first. See also DWORDs.

5 REG_DWORD_BIG_ENDIAN
Represents a big-endian DWORD (used on Macintoshes, for example). As you can probably guess, in big-endian format the high-order (most significant) byte of the word is stored first.

6 REG_LINK
Represents a Unicode symbolic link. No, I don't know what this is, and I probably don't want to know either.

7 REG_MULTI_SZ
A collection of null-terminated strings, itself terminated by one more null. For example:

"FarBoo"=hex(7):41,42,43,44,00,45,46,47,48,00,00

Represents two strings: "ABCD" and "EFGH".

8 REG_RESOURCE_LIST
A device driver resource list. Another one in the category "don't know and don't want to know."

9 REG_FULL_RESOURCE_DESCRIPTOR
Undocumented. It's probably meant for Windows itself only, as device driver stuff.

10 REG_RESOURCE_REQUIREMENTS_LIST
Undocumented. It's probably meant for Windows itself only, as device driver stuff.

DWORDs
DWORDs are 32-bit integers represented as dword:xxxxxxxx, where x is a
hexadecimal digit. They're pretty boring, as that's all I can tell about them.

Example of DWORD values:
"Foo"=dword:00decade
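As an added example (my own code, not from the tutorial), the following decodes the typed hex(type) forms from the Types of binary values section together with the DWORDs section: REG_SZ and REG_EXPAND_SZ strings, REG_MULTI_SZ lists, and both DWORD byte orders, showing that dword:00decade is the same number as hex(4):de,ca,de,00 and as hex(5):00,de,ca,de. The env dictionary used for %PATH% expansion is constructed and stands in for the real environment.

```python
# Added example, not from the original tutorial: decode the hex(type) forms
# described above (REG_SZ=1, REG_EXPAND_SZ=2, REG_DWORD=4, REG_DWORD_BIG_ENDIAN=5,
# REG_MULTI_SZ=7) and relate dword:xxxxxxxx to both DWORD byte orders.
REG_SZ, REG_EXPAND_SZ, REG_BINARY = 1, 2, 3
REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ = 4, 5, 7

def hex_bytes(text):
    """'hex(1):41,42' -> (1, b'AB'); a plain 'hex:' value is REG_BINARY (3)."""
    typ, _, data = text.partition(':')
    n = int(typ[4:-1]) if typ.startswith('hex(') else REG_BINARY
    return n, bytes.fromhex(data.replace(',', ''))

def decode(text, env=None):
    """Turn a hex(type) value into the Python value a reader would see.

    env is a constructed {NAME: value} dict used to expand %NAME% references
    in REG_EXPAND_SZ, standing in for the real environment block.
    """
    n, raw = hex_bytes(text)
    if n in (REG_SZ, REG_EXPAND_SZ):
        s = raw.split(b'\x00', 1)[0].decode('ascii')      # stop at the first NUL
        if n == REG_EXPAND_SZ and env:
            for name, value in env.items():
                s = s.replace(f'%{name}%', value)
        return s
    if n == REG_MULTI_SZ:                          # 00 after each string, then 00
        return [p.decode('ascii') for p in raw.split(b'\x00') if p]
    if n == REG_DWORD:                             # low-order byte stored first
        return int.from_bytes(raw, 'little')
    if n == REG_DWORD_BIG_ENDIAN:                  # high-order byte stored first
        return int.from_bytes(raw, 'big')
    return raw                                     # anything else: raw bytes

def dword_as_hex4(n):
    """Spell a dword:xxxxxxxx number as the equivalent hex(4) byte list."""
    return 'hex(4):' + ','.join(f'{b:02x}' for b in n.to_bytes(4, 'little'))

def encode_multi_sz(strings):
    """Inverse of the REG_MULTI_SZ decode: NUL after each string, then one more NUL."""
    raw = b''.join(s.encode('ascii') + b'\x00' for s in strings) + b'\x00'
    return 'hex(7):' + ','.join(f'{b:02x}' for b in raw)
```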

 
Final Thoughts
 

I have to have some final words.... Have them ready, dammit :)


 
Greetings to...


Special Greetings: 
LaZARuS for his great tutorials....
+DaFixer for DeDe
The Cracking Answer for not even bugging me for writing or cracking anything, that group roxx!!!! You will get alotta work from me now soon :D

Groups:  HF, ID, TCA, GC, TMG

Individuals: ManKind, Dark Wolf, BiSHoP, Mercution, AlX, Falcon, Marton, Borna Janes, Analyst, Eternal Bliss, NARRoW, Subzonic, DiABLO, Eddie Van Camper, CD_Knight and all the rest that I have forgotten
 

The end.
Any mistakes, corrections, or comments may be mailed to the members individually, or to the group : hellforge@hellforge.org.