Using BackTrack to Fix Windows Registry
BackTrack is the most popular Linux live CD distribution focused on penetration testing. It comes loaded with the standard security tools, so you can start work immediately without downloading and installing anything.

One use of BackTrack is to repair Windows problems such as a broken registry or a forgotten user password. Here I explain how to use BackTrack to fix the Windows registry.

Often a bad registry edit leaves the system unable to boot or hanging at logon. In that situation BackTrack can put you back on track.
	
	
To start, boot the system from the BackTrack CD. After booting, make sure the Windows system partition is mounted read/write. If the system partition is NTFS it is mounted read-only by default, so you have to unmount it and remount it read/write. (If Windows was hibernated rather than shut down, do not write to the partition at all: the file system is not in a consistent state and offline changes risk corrupting it.)

Let's assume the system partition is /dev/hda1 and is currently mounted on /mnt/hda1. Run 'mount' with no arguments to list the devices and their mount points.

To unmount the partition, run:

umount /mnt/hda1
	
	
		 
Now remount it with read/write access:

mount -o rw /dev/hda1 /mnt/hda1

Run 'mount' again and check that the /mnt/hda1 entry now shows rw.
	
	
If that does not work, use the following steps given by Muts from the BackTrack team, which switch to the FUSE-based ntfsmount driver:

umount /mnt/hda1
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
	
	
For SATA drives use sda1 instead of hda1 (check 'mount' or 'fdisk -l' for the real device name). A FAT32 partition needs no remounting; it is already mounted read/write.
	
	
Now change into the config folder on the system partition, which holds the registry hive files. The path is case-sensitive under Linux, so use 'ls' to check whether the folder is named windows or WINDOWS on your disk and type it exactly that way:

# cd /mnt/hda1/windows/system32/config
	
	
Before touching anything, copy the hive you intend to edit somewhere safe so a bad change can be undone.

Then type 'chntpw' to view its help screen. Besides resetting passwords, the tool has a built-in registry editor that can modify any part of a hive. To invoke the editor, pass the -e option with the name of the hive file. The whole Windows registry lives in a handful of hive files; the table below maps each file to the part of the registry it holds. Pick the hive that contains the key you intend to modify.
	
	
Registry key                  Hive file
HKEY_CURRENT_USER             NTuser.dat (kept in each user's profile folder, not in config)
HKEY_LOCAL_MACHINE\SAM        SAM
HKEY_LOCAL_MACHINE\SECURITY   SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE   SOFTWARE
HKEY_LOCAL_MACHINE\SYSTEM     SYSTEM
HKEY_USERS\.DEFAULT           DEFAULT
	
	
Let me walk through a complete edit with an example. Assume the 'Windows Themes' service is preventing the system from booting normally; to recover, you disable that service. The registry key for the Themes service is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes
	
	
To disable the service, set the 'Start' value under that key to 4. Start is a REG_DWORD that controls when the service loads (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled):

Start REG_DWORD 4
	
	
From the table above, that key lives in the SYSTEM hive, so that is the file to open with chntpw:

# chntpw -e SYSTEM
	
	
At the editor prompt, type ? to list the registry editing commands; the most useful are dir, cat, cd and ed.

Type 'dir' to list the subkeys under the root key. You will see several ControlSet00* keys but no CurrentControlSet, which is the key we need for the Themes service.

Don't panic. CurrentControlSet does not exist on disk: Windows creates it at boot as a link to one of the ControlSet00* keys, and the 'Select' subkey records which one. Enumerate the values under 'Select':

> cd Select
> dir
	
	
The 'Current' value tells you which ControlSet00* is in use: if Current is 2, you edit ControlSet002, and so on. (Select also carries Default, Failed and LastKnownGood values; Current is the one that matters here.) On my machine Current is 1, so I select ControlSet001.

Now we know which control set to use. We are still inside the Select key, so go back up to the root key, then descend to the Themes subkey:
	
	
> cd ..
> cd ControlSet001\Services\Themes
	
	
Type 'dir' to list the value names and their data under this key. We only need to change the DWORD 'Start' to 4, using the 'ed' command:

> ed Start
	
	
When prompted for the new value, type 4 and press ENTER. Verify the change with:

> cat Start
	
	
Once you have made all the changes you need, type 'q' to quit the editor and answer 'y' when asked to write the hive back. Then reboot; the system should come up and let you log in normally.
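The two points the walkthrough above turns on, that Select\Current decides which ControlSet00* is live and that 'ed Start' simply rewrites four bytes inside the hive file, can be reproduced without chntpw by reading the hive file format (regf) directly. What follows is an added example, not code from this page or from chntpw: a minimal Python reader/patcher that resolves the current control set in a SYSTEM hive, reports a service's Start value, and patches it in place, which is exactly the bytes chntpw changes. The hive it runs on is built by build_sample_hive(), a constructed stand-in holding only Select and ControlSet001\Services\Themes (not a real Windows file); the root key name 'ROOT', the helper names and the START_MEANING table are assumptions for illustration. The Start meanings (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled) and the ControlSet%03d naming rule are Windows behaviour, not assumptions.

```python
"""Offline regf reader/patcher: resolve Select\\Current -> ControlSet00N and set a
service's Start DWORD in place, the same bytes the chntpw 'ed Start' session changes."""
import struct

DATA_BASE = 0x1000   # hive bins begin 4096 bytes in; every stored offset is relative to here
NONE = 0xFFFFFFFF    # "no cell"
REG_DWORD = 4
START_MEANING = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}


class Hive:
    """Just enough regf parsing to walk keys and read/write REG_DWORD values."""
    def __init__(self, data):
        if bytes(data[:4]) != b"regf":
            raise ValueError("not a regf hive")
        self.d = bytearray(data)
        self.root = struct.unpack_from("<I", self.d, 0x24)[0]
    def is_clean(self):   # unequal sequence numbers: last write was cut short, .LOG holds changes
        seq1, seq2 = struct.unpack_from("<II", self.d, 4)
        return seq1 == seq2
    def _cell(self, off):
        """File offset of a cell's payload; a non-negative size word means the cell is free."""
        if struct.unpack_from("<i", self.d, DATA_BASE + off)[0] >= 0:
            raise ValueError("unallocated cell at 0x%x" % off)
        return DATA_BASE + off + 4
    def _str(self, pos, nlen, is_ascii):   # names are ASCII when the flag is set, else UTF-16LE
        raw = bytes(self.d[pos:pos + nlen])
        return (raw.decode("latin-1") if is_ascii else raw.decode("utf-16-le")).lower()
    def _subkeys(self, off):
        """Flatten an lf/lh/li/ri subkey list into nk cell offsets."""
        pos = self._cell(off)
        sig, n = struct.unpack_from("<2sH", self.d, pos)
        if sig not in (b"lf", b"lh", b"li", b"ri"):
            raise ValueError("bad subkey list %r" % sig)
        stride = 8 if sig in (b"lf", b"lh") else 4   # lf/lh carry a 4-byte name hash per entry
        entries = [struct.unpack_from("<I", self.d, pos + 4 + i * stride)[0] for i in range(n)]
        return [o for e in entries for o in self._subkeys(e)] if sig == b"ri" else entries
    def open_key(self, path):
        """Walk a backslash-separated path from the root key (names are case-insensitive)."""
        nk = self._cell(self.root)
        for part in path.split("\\"):
            count, lst = struct.unpack_from("<I4xI", self.d, nk + 0x14)   # nsubkeys, list offset
            for off in (self._subkeys(lst) if count else ()):
                cand = self._cell(off)
                flags, nlen = struct.unpack_from("<H68xH", self.d, cand + 2)   # flags @2, name len @0x48
                if self._str(cand + 0x4C, nlen, flags & 0x20) == part.lower():
                    nk = cand
                    break
            else:
                raise KeyError(path)
        return nk
    def _dword_slot(self, path, name):
        """File offset of a REG_DWORD's 4 data bytes (kept inline in the vk cell when len <= 4)."""
        count, lst = struct.unpack_from("<II", self.d, self.open_key(path) + 0x24)   # nvalues, list
        vlist = self._cell(lst) if count else 0
        for i in range(count):
            vk = self._cell(struct.unpack_from("<I", self.d, vlist + 4 * i)[0])
            nlen, dlen, doff, vtype, flags = struct.unpack_from("<HIIIH", self.d, vk + 2)
            if self._str(vk + 0x14, nlen, flags & 1) == name.lower():
                if vtype != REG_DWORD:
                    raise TypeError("%s is not REG_DWORD" % name)
                return vk + 8 if dlen & 0x80000000 else self._cell(doff)
        raise KeyError(name)
    def get_dword(self, path, name):
        return struct.unpack_from("<I", self.d, self._dword_slot(path, name))[0]
    def set_dword(self, path, name, value):   # in place: no cell is resized, nothing else to fix up
        struct.pack_into("<I", self.d, self._dword_slot(path, name), value)
    def current_control_set(self):   # no CurrentControlSet exists on disk; Select\Current picks one
        return "ControlSet%03d" % self.get_dword("Select", "Current")
    def service_start(self, service):
        return self.get_dword(self.current_control_set() + "\\Services\\" + service, "Start")


def build_sample_hive():
    """Constructed stand-in for a SYSTEM hive (not a real Windows file): Select + ControlSet001\\Services\\Themes."""
    bins = bytearray()
    def cell(payload):   # 8-byte aligned; negative size = allocated; 0x20 skips the hbin header
        size, off = (len(payload) + 4 + 7) & ~7, 0x20 + len(bins)
        bins.extend(struct.pack("<i", -size) + payload.ljust(size - 4, b"\0"))
        return off
    def vk(name, dword):   # REG_DWORD stored inline: length | 0x80000000, data in the offset field
        return cell(b"vk" + struct.pack("<HIIIHH", len(name), 4 | 0x80000000, dword, REG_DWORD, 1, 0) + name)
    def nk(name, subs=(), vals=()):
        lst = cell(b"lf" + struct.pack("<H", len(subs)) +
                   b"".join(struct.pack("<I4s", o, n[:4]) for o, n in subs)) if subs else NONE
        vl = cell(b"".join(struct.pack("<I", o) for o in vals)) if vals else NONE
        return cell(b"nk" + struct.pack("<H8s15IHH", 0x20, b"", 0, 0, len(subs), 0, lst, NONE,
                                        len(vals), vl, NONE, NONE, 0, 0, 0, 0, 0, len(name), 0) + name)
    themes = nk(b"Themes", vals=[vk(b"Start", 2)])   # Start=2: automatic
    cs1 = nk(b"ControlSet001", subs=[(nk(b"Services", subs=[(themes, b"Themes")]), b"Services")])
    select = nk(b"Select", vals=[vk(b"Current", 1), vk(b"Default", 1)])
    root = nk(b"ROOT", subs=[(cs1, b"ControlSet001"), (select, b"Select")])
    hsize = (0x20 + len(bins) + 0xFFF) & ~0xFFF
    base = bytearray(0x1000)
    struct.pack_into("<4sII", base, 0, b"regf", 1, 1)                    # signature, seq1 == seq2
    struct.pack_into("<IIIIII", base, 0x14, 1, 3, 0, 1, root, hsize)    # major, minor, type, format, root, bins size
    return bytes(base) + (b"hbin" + struct.pack("<II", 0, hsize) + bytes(20) + bins).ljust(hsize, b"\0")


if __name__ == "__main__":
    # Real use: h = Hive(open("/mnt/hda1/windows/system32/config/SYSTEM", "rb").read()), then write h.d back.
    h = Hive(build_sample_hive())
    print(h.current_control_set(), START_MEANING[h.service_start("Themes")])
    h.set_dword(h.current_control_set() + "\\Services\\Themes", "Start", 4)   # the 'ed Start' step
    print(START_MEANING[h.service_start("Themes")])
```

To use it on a real system, copy the SYSTEM file out of the config folder first, check is_clean() before patching (unequal sequence numbers mean Windows did not finish its last write and the hive's .LOG file holds changes that an offline edit would race with; let Windows boot and shut down cleanly first), and write h.d back over the copy with open(path, "r+b"). The patch touches only the four data bytes inside the vk cell, so no cell sizes, lists or the base-block checksum need updating, which is why chntpw can do the same edit in place.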
	
	
Use BackTrack and get back on track...!
	
	
1. BackTrack: Linux Live CD Distribution for PenTesting.
2. Mounting NTFS partition in write mode on BackTrack, by Muts.
	
	