Saturday, February 13, 2010

Working with registry

Opening the registry editor

This is step number one, just opening the editor to view the registry.

This is easy, just click on the start button and then on run. Once run is open, type in regedit and click OK.

Navigating the registry

Once you have regedit open, it is fairly easy to get where you want to.

Now you see the "folders" HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_CURRENT_CONFIG

First, let's get some basic terminology down. These five main "folders" are called hives, and their subfolders are called keys.

Click on the + next to HKEY_CURRENT_USER to expand the hive.

Now if you wanted to open HKEY_CURRENT_USER\Software\Microsoft, click the + next to Software, then the + next to Microsoft.

This is how you can get to any place within the registry.

Exporting registry keys

This should be done to any and all registry keys before changing them.

It will give you an easy way of changing back any changes that you make editing the registry.

Right click the key that you want to export, and select Export.

Then give it a name so you remember what it is. I use the name of the key as an example.

Importing registry files

Now that you have exported keys to change back your changes, you need to know how to import them into the registry.

Usually a double-click on a registry file will merge it for you unless you have changed the default action, then you have to right-click the file and select Merge.

Changing existing values

You now know how to navigate to different keys in the registry and how to back up these keys before you make changes to them.

Logically next you need to know how to make these changes.

There are three main types of registry values that you will deal with: STRINGS, DWORDS, and BINARY values.
There are others, but these are 99% of what you will deal with doing normal editing.

To change an existing STRING value, just double click it and enter in the new value data.

To change an existing DWORD value you have two options, hexadecimal and decimal. Be sure you know which base the value should be entered in; 200 hexadecimal is 256 decimal, and c8 is hexadecimal for 200 decimal, for example.

To change binary values it is a little more complicated because they are written in hex.

The values are entered as two-digit hexadecimal bytes, in the format 00 01 02 ... 0F ... FF, and each byte has a different meaning depending on the value being edited.

Having to change a binary value from something other than 01 to 00 or 00 to 01 is pretty rare.

Adding new values

Adding values is very similar to changing them with the exception that you have to name the value.

Right click in the left-hand-side of the registry editor and select New > String (or whatever value type you want to add) and then name it what you need.

Then you change its value by doing the same method as if it was an existing value.

Adding new keys

Along with adding values, this is most helpful if you are trying to add group policy values through the registry.
Most of the keys that are needed for them are not there by default.

So, you need to add a key under HKEY_CURRENT_USER\Software\Policies\Microsoft, how?

Easily: just right-click on HKEY_CURRENT_USER\Software\Policies\Microsoft in the folder tree, and then select New > Key.

Now you need to change the name of the key to the desired name.

Deleting keys and values

The first thing that must be realized when deleting keys or values is that there is no 'Recycle Bin' for the registry: once it's gone, it's gone.

To delete keys or values, just right-click them and select delete. Also keep in mind that deleting a key also deletes all subkeys of that key.

Writing registry files

Now you can automate the manual entry and deletion of registry values and keys with .reg files. Use Notepad or WordPad to write registry files; just save them with a .reg extension.

The first line in the registry file for XP or 2000 has to be:

Windows Registry Editor Version 5.00


NOTE: For Windows 98, ME, NT 4.0 [also works with XP and 2000], replace it with:

REGEDIT4

Leave a blank line between the "Windows Registry Editor Version 5.00" header and the first entry.

Now you have to declare the key that you want to change values in by writing it in brackets.

This will also create the key if the one declared doesn't exist:

[HKEY_CURRENT_USER\Key\Subkey]

Now the next line will either create the string "String 1" equal to "Value 1" if "String 1" doesn't exist,
or change the value of the string "String 1" to "Value 1" if it does:

"String 1"="Value 1"


The (default) value is a string and you use the "at" symbol for this.

@="Default 1"

To change or create dword values, you must know the value in hexadecimal, for that is how they are written.

The next line will create the dword "Dword 1" equal to a decimal 20, by setting it equal to dword:00000014,
or if "Dword 1" already exists, it will change its value to a decimal 20.

Just remember that dword:00000010 is actually decimal 16, and dword:0000000a is decimal 10.

"Dword 1"=dword:00000014

Now binary values. This line will create or change a binary value "Binary 1" equal to 01 AA 05 55.

"Binary 1"=hex:01,AA,05,55

So this is the reg file to add a string, default, dword, and binary value to HKEY_CURRENT_USER\Key\Subkey:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Key\Subkey]
"String 1"="Value 1"
@="Default 1"
"Dword 1"=dword:00000014
"Binary 1"=hex:01,AA,05,55

Now, how to delete values or keys with .reg files.

If you want to delete a key just put a minus sign in front of it in the file:

[-HKEY_CURRENT_USER\Key\Subkey]

If you want to delete a value, it doesn't matter what kind, set the value equal to a minus.

"String 1"=-

@=-

"Dword 1"=-

"Binary 1"=-

So if you wanted to add a dword "Dword 1" that equals 1,
delete the value "String 1" in HKEY_CURRENT_USER\Key\Subkey1, and delete the key HKEY_CURRENT_USER\Key\Subkey2, the file would look like:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Key\Subkey1]
"Dword 1"=dword:00000001
"String 1"=-

[-HKEY_CURRENT_USER\Key\Subkey2]

The final thing to learn is how to comment the files:
add a semicolon in front of any line and it will be ignored:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Key\Subkey1]
;This changes the dword to equal 1
"Dword 1"=dword:00000001
;This deletes the string value
"String 1"=-

;This deletes the key Subkey2
[-HKEY_CURRENT_USER\Key\Subkey2]
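As an added example (not code from the original post), here is a small Python parser for the .reg format described above. It checks the header line, decodes dword data from hexadecimal (dword:00000014 is decimal 20, as in the dword section), decodes hex: byte lists, and lists every key or value deletion a file would make, which is worth reviewing before merging since there is no Recycle Bin for the registry. The sample file is constructed for this example.

```python
import re
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# Constructed sample in the page's .reg format (not from the original post).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Key\Subkey1]
;This changes the dword to equal 20
"Dword 1"=dword:00000014
"String 1"=-
@="Default 1"
"Binary 1"=hex:01,AA,05,55
[-HKEY_CURRENT_USER\Key\Subkey2]
'''

def parse_data(raw):
    """Decode the data after '=' into (type, value); '-' means delete the value."""
    if raw == "-":
        return ("delete", None)
    if raw.startswith('"') and raw.endswith('"'):
        return ("string", raw[1:-1])
    if raw.startswith("dword:"):          # dword data is hex: 00000014 -> 20 decimal
        return ("dword", int(raw[6:], 16))
    if raw.startswith("hex:"):            # binary data is comma-separated hex bytes
        return ("binary", bytes(int(b, 16) for b in raw[4:].split(",")))
    raise ValueError("unsupported data: " + raw)
def parse_reg(text):
    """Return (header_ok, [(key_path, action, {value_name: (type, value)})])."""
    lines = [l.strip() for l in text.splitlines()]
    header_ok = bool(lines) and lines[0] in HEADERS
    keys, current = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):  # blank lines and comments are ignored
            continue
        m = re.fullmatch(r"\[(-?)(.+)\]", line)
        if m:                                 # [path] creates/opens, [-path] deletes
            current = (m.group(2), "delete" if m.group(1) else "create", {})
            keys.append(current)
            continue
        if current is None:
            raise ValueError("value line before any [key] section: " + line)
        name, _, raw = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        current[2][name] = parse_data(raw)
    return header_ok, keys

def deletions(text):
    """List the irreversible changes (key and value deletions) a file would make."""
    out = []
    for key, action, values in parse_reg(text)[1]:
        if action == "delete":
            out.append("key " + key)
        out += ["value %s\\%s" % (key, n) for n, (t, _) in values.items() if t == "delete"]
    return out
```

Running deletions(SAMPLE_REG) reports the "String 1" value and the Subkey2 key as the two irreversible changes in the sample.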

This should help you navigate and hack through the registry with at least a partial map to guide you.
