Unit OS12: Scripting

Academic year: 2022
(1)

Unit OS12: Scripting

12.2. The Registry

(2)

Copyright Notice

© 2000-2005 David A. Solomon and Mark Russinovich

These materials are part of the Windows Operating System Internals Curriculum Development Kit, developed by David A. Solomon and Mark E. Russinovich with Andreas Polze

Microsoft has licensed these materials from David Solomon Expert Seminars, Inc. for distribution to academic organizations solely for use in academic environments (and not for commercial use)

(3)

Roadmap for Section 12.2.

Registry Fundamentals

Registry Structure

Registry Limits

Monitoring Registry Activity with Regmon

(4)

Registry Fundamentals

Repository for system/user configuration information

Contains information NT requires to boot & configure

System-wide application settings (e.g. install directory)

Per-user settings (e.g. fonts, window placement, etc.)

Called Configuration Manager (CM) in NTOSKRNL

Network accessible (via Remote Registry service)

Provides limited remote configuration, but not management

Changing some registry entries causes action, but only if something is watching for changes

WMI provides remote management (described in next section)

Also is a window into in-memory (volatile) system information

(5)

Registry Interface to Performance Counters

[Figure: diagram of the performance-counter programming interfaces. Labels recoverable from the slide: performance-monitoring applications (custom application A, custom application B, performance tool); Pdh.dll; Windows Management Instrumentation with its high-performance provider interface and registry DLL provider; Advapi32.dll (RegQueryValueEx); PerfLib; system performance DLL; performance extension DLL; high-performance data provider object; programming interfaces.]

(6)

Viewing and Changing the Registry

Should never have to do this!

Most common Registry parameters can be adjusted using a graphical NT utility

But, some advanced tuning and configuration options require modifying and/or adding registry data

Registry Editor tools

Windows NT4/2000 had 2 tools (Regedt32.exe and Regedit.exe)

REGEDT32.EXE

Interprets NT-specific data types, NT permission lists

REGEDIT.EXE

Doesn’t understand NT-specific data types or security

But has more thorough find capability

(7)

Command Line Registry Tools

Reg.exe (built into XP/2003; also in 2000 Support Tools)

Can compare keys, load/unload hives, add/remove/query keys, and backup/restore (useful since NT Backup can only backup local registry hives)

Regini.exe (built in to XP/2003; also in 2000 Resource Kit) - make registry changes via a script (.INI file)

Regdmp (2000 Resource Kit) – dump registry in format that Regini reads

Scanreg.exe (2000 Resource Kit) - flexible registry search tool

(8)

Registry Usage

When is the Registry read?

During boot (to determine which drivers to load and how to configure the system)

During login (to set user preferences, such as drive letter mappings, screen saver, wallpaper, etc.)

When you start applications (to read app-specific settings and per-user settings)

When is the Registry modified?

When you install applications or drivers

When you change system, user or application settings

It should not be polled for changes

Interesting to check your systems for “quietness” of Registry

Should use Registry change notification Windows functions

Thread sleeps until a change is made to the part of the Registry they are

(9)

Registry Structure

Registry editors display Registry as an Explorer-like tree view

Lab: run Regedit and examine

The Registry is structured like a file system:

Keys are like directories

Values are like files

Values have data types – like a file type

Data is like the contents of a file

The most common value types (there are 12 total):

REG_DWORD - 32-bit integer

REG_SZ - string

REG_MULTI_SZ – array of strings

REG_BINARY – array of bytes to represent arbitrary data

Registry keys have full NT security

Allows fine grained control as to who has what access

(10)

Logical Registry Structure

Five visible “root” keys organize the data

Really only two “roots”: HKLM and HKU

HKEY_CLASSES_ROOT (HKCR)

Link to HKLM\Software\Classes - file extension associations, COM class registrations

HKEY_LOCAL_MACHINE (HKLM)

System-global static and dynamic configuration

HKEY_USERS (HKU)

Root for the loaded (logged on) user profiles

HKEY_CURRENT_USER (HKCU)

Link to profile of the user accessing this key

HKEY_CURRENT_CONFIG (HKCC)

Link to subset of HKEY_LOCAL_MACHINE - has hardware profile information

Hidden virtual key for performance data

HKEY_PERFORMANCE_DATA

(11)

HKEY_LOCAL_MACHINE

Five main subkeys for local machine information

HKEY_LOCAL_MACHINE\Hardware

Hardware configuration data, resource usage, etc.

Completely volatile (not saved across boots)

HKEY_LOCAL_MACHINE\SAM

Local account & groups database (for NT4 domain controllers, served as the domain account database)

HKEY_LOCAL_MACHINE\Security

System-wide security policies (for NT4 domain controllers, served as the domain security policy database)

HKEY_LOCAL_MACHINE\Software

Per-machine software data not critical for booting

HKEY_LOCAL_MACHINE\System

Controls booting and running the system (config.sys functionality)

Available during bootstrap

(12)

HKEY_USERS

HKEY_USERS is root for loaded user profile Registry data

This is stored in \Documents and Settings\%USERNAME%\ntuser.dat

In NT 4 it was stored in \Winnt\Profiles\%USERNAME%

Note this is just a small part of your user profile, which includes your desktop, start menu, My Documents, etc.

A user profile is “loaded”:

When a user logs on interactively

When a service process configured to run under a specific user account starts

RUNAS (unless /NOPROFILE specified)

(13)

User Profiles

HKEY_USERS\.Default is NOT the default Registry profile

It is the profile for the System account

E.g. to change logon desktop settings, edit them here, because Winlogon runs under System

The default user Registry profile is in:

\Documents and Settings\Default User\Ntuser.dat

The starting user profile for users logging on without a profile

This does not show up in the Registry because it is not loaded

Note: roaming profiles are left on a system even after you logoff!

Anyone with local administrative privileges can view your documents and settings and Registry information

Can override with group policies

(14)

Registry Physical Structure

Registry consists of a number of files called “hives”

A hive is a piece of registry database stored in its own file

System-wide configuration information is in %systemroot%\system32\config

User profile (HKEY_CURRENT_USER\...) in \Documents and Settings\…\ntuser.dat

User profile is more than just the registry settings

Entire directory under \Documents and Settings (e.g. start menu, My Documents, temporary files, etc)

Profile for new users is in \Documents and Settings\Default User

NTLDR loads System hive, which points to other hives

Registry points to loaded hives at:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist

(15)

Backup Hives

.sav hive files in \Windows\System32\Config are the template hive files stored by Windows Setup

\Windows\Repair has copies of the hives that were made after Setup completed

Windows Backup updates them when it backs up “System State”

System Restore restore points (described in the startup/shutdown section) also store copies of registry hives

(16)

Registry Limits

SYSTEM hive was limited to 12MB in Windows 2000

Now limited to 200 MB or ¼ of RAM, whichever is lower

Limit is due to fact that entire SYSTEM hive is loaded into memory by NTLDR (discussed in Startup and Shutdown section)

Total loaded registry hive data was limited to 376MB in Windows 2000

This was because registry hives were read into paged pool when loaded

Explains why there was a system registry quota (see Control Panel->System->Performance Tab - click on Virtual Memory “Change” button)

Limited number of terminal server users

XP/2003: No limit to loaded registry hive data

Hives are accessed as memory mapped files

Views are mapped as necessary

Registry no longer in paged pool

(17)

Registry Reliability & Recovery

Registry mechanism guarantees atomicity

Uses transaction logging to ensure structural integrity

One .LOG file per registry hive

Automatically used to recover corrupt registry hives other than SYSTEM

SYSTEM hive corruption recovery:

Prior to Windows XP the system keeps a backup version of System called System.Alt

NtLdr uses System.Alt if System is corrupt

On Windows XP, Ntldr knows how to apply the registry log files to the System hive in order to repair it in cases where the system crashed during updates

On Windows Server 2003 the configuration manager “self-heals” by amputating parts of the registry that are corrupt

(18)

Vista Transactions

The Vista Registry supports transactions

Allows application file system and Registry changes to be undone

Changes committed only when associated transaction commits

Relies on Distributed Transaction Coordinator (DTC) on Vista Server to enable multi-node transactions

Transaction API is shared between NTFS (TxF) and the Registry

Documented in Vista Beta 1 SDK

CreateTransaction, SetCurrentTransaction, CommitTransaction, RollbackTransaction

(19)

Configuration Problems

Missing, corrupted or overly-secure Registry settings often lead to application crashes and errors

Some applications don’t completely remove registry data at uninstall

Regmon may yield the answer…

(20)

How Regmon Works

Regmon uses a driver to intercept Registry operations

Up until now Regmon has relied on system call “hooking” to intercept Registry accesses

Hooking isn’t supported by the kernel

As of XP the system call table is write-protected by default if a system has <256 MB, requiring a trick

Server 2003 introduces a Registry callback mechanism

Driver can see and modify Registry behavior

Latest version of Regmon comes with two drivers: one for Server 2003 and one for

[Figure: Application, Regmon GUI, Regmon driver, Registry subsystem]

(21)

How Regmon Works

Regmon catches all Registry calls that pass through the system service dispatcher

Does not see direct calls to the native Registry API from kernel-mode code

Regmon has to dynamically obtain system call numbers to index into the system service dispatch table

System call numbers are assigned by scripts in the build process and can change between service packs

All system call functions start with code like this:

MOVE SYSCALL # -> REGISTER

EXECUTE SYSTEM CALL

Regmon reads the system call numbers out of the functions
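The "MOVE SYSCALL # -> REGISTER / EXECUTE SYSTEM CALL" shape above, as an added Python example that is not Regmon's own code (Regmon is a kernel driver). On 32-bit Windows the user-mode stubs begin with "mov eax, imm32" (opcode B8), so a monitor that must not hard-code service numbers reads the immediate out of each stub at run time; a stub that no longer starts with that instruction is reported instead of misread. The stub bytes, the service numbers in them, and the function names read_service_number, dispatch_kind and build_service_table are all constructed for this example and are not the values of any real Windows build.

```python
"""Reading the system service number out of an x86 Nt* stub (added example)."""
import struct

MOV_EAX_IMM32 = 0xB8  # x86 opcode for "mov eax, imm32"

# Constructed stub bytes (not copied from any real ntdll.dll). The XP-style stubs
# transfer control through SharedUserData (7FFE0300h); the Windows 2000-style
# stub uses "int 2Eh". In both shapes the service number is the imm32 of the
# first instruction, which is all the reader below depends on.
CONSTRUCTED_STUBS = {
    # B8 77 00 00 00  mov eax, 77h        (constructed service number)
    # BA 00 03 FE 7F  mov edx, 7FFE0300h
    # FF 12           call dword ptr [edx]
    # C2 0C 00        ret 0Ch
    "NtOpenKey":       bytes.fromhex("B8 77 00 00 00 BA 00 03 FE 7F FF 12 C2 0C 00"),
    "NtQueryValueKey": bytes.fromhex("B8 B1 00 00 00 BA 00 03 FE 7F FF 12 C2 18 00"),
    "NtSetValueKey":   bytes.fromhex("B8 F7 00 00 00 BA 00 03 FE 7F FF 12 C2 18 00"),
    # Windows 2000 shape: mov eax, 19h / lea edx, [esp+4] / int 2Eh / ret 4
    "NtClose":         bytes.fromhex("B8 19 00 00 00 8D 54 24 04 CD 2E C2 04 00"),
}

# Constructed stub whose first instruction was overwritten with a 5-byte relative
# jump (E9 rel32). A monitor must notice this rather than read garbage from it.
PATCHED_STUB = bytes.fromhex("E9 00 10 00 00 BA 00 03 FE 7F FF 12 C2 0C 00")


def read_service_number(stub):
    """Return the imm32 of a leading 'mov eax, imm32', or None when the stub does
    not start with that instruction (too short, or patched by something else)."""
    if len(stub) < 5 or stub[0] != MOV_EAX_IMM32:
        return None
    return struct.unpack_from("<I", stub, 1)[0]


def dispatch_kind(stub):
    """Classify how the stub executes the system call after the mov:
    'int2e' for the Windows 2000 shape, 'call-edx' for the XP shape, else None."""
    tail = stub[5:]
    if b"\xCD\x2E" in tail:
        return "int2e"
    if b"\xFF\x12" in tail:
        return "call-edx"
    return None


def build_service_table(stubs):
    """Map stub name -> service number for every readable stub; return the
    table together with the names whose stubs could not be read."""
    table, unreadable = {}, []
    for name, code in stubs.items():
        number = read_service_number(code)
        if number is None:
            unreadable.append(name)
        else:
            table[name] = number
    return table, unreadable


if __name__ == "__main__":
    table, bad = build_service_table({**CONSTRUCTED_STUBS, "NtDeleteKey": PATCHED_STUB})
    for name, number in table.items():
        print(f"{name:16} service 0x{number:02X} via {dispatch_kind(CONSTRUCTED_STUBS[name])}")
    print("unreadable stubs:", bad)
```

Because the number sits at the same offset whether the stub ends in "int 2Eh" or in a call through SharedUserData, the reader works unchanged across the Windows 2000 and XP shapes the slides contrast; only the tamper check (first byte must be B8) decides whether a stub is trusted.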

(22)

Regmon Output

Request: OpenKey, CreateKey, SetValue, QueryValue, CloseKey

Path

HKCU=HKEY_CURRENT_USER (per-user settings)

HKLM=HKEY_LOCAL_MACHINE (system wide settings)

Result – return code from Registry operation

Other – extended information or results

(23)

Controlling Regmon

Start/stop logging (Control/E)

Clear display (Control/X)

Regedit jump (opens Registry Editor and jumps directly to key)

Double clicking on a line does this

Filtering/Highlighting

Find

Save to log file

(24)

Regmon Filtering

Filtering options:

Process name or registry path (or partial name)

Success/failure, read/write

(25)

Troubleshooting with Regmon

Two basic techniques:

Go to end of log and look backwards to where problem occurred or is evident, and focus on the last things done

Compare a good log with a bad log

Often comparing the Registry activity of a failing process with one that works may point to the problem

Have to first massage log file to remove data that differs run to run

Delete first 3 columns (they are always different: line #, time, process id)

Easy to do with Excel by deleting columns

Then compare with FC (built in tool) or Windiff (Resource Kit)

(26)

Troubleshooting with Regmon

Sometimes examining the values read and/or written (in Other column) may show up corrupt or wrong configuration data

Sometimes queries for what is not there are more interesting than what is there

Identify missing Registry keys

Search for status “NOTFOUND”

For permission problems, search for status “ACCESS DENIED”

Note: BUFROVRFLOW is normal

Applications query a value’s size by passing a 0-length buffer

They are returned the length of the data and the overflow error, and then they allocate a correctly-sized buffer and repeat the operation
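Both techniques from the two troubleshooting slides above (drop the run-specific columns before comparing a good log with a bad one, then search the Result column for NOTFOUND and ACCESS DENIED while treating the size-probe BUFROVRFLOW as normal) as an added Python example; it is not code from the course or from Regmon. The log lines are constructed to resemble Regmon's tab-separated "Save to log file" output with the columns line #, time, process:pid, request, path, result, other; the paths, process names and values in them are invented, and the function names parse, normalise, diff_runs and suspicious_rows are this example's own.

```python
"""Regmon log triage: good/bad run comparison and status search (added example)."""
import difflib

# Constructed sample logs. Columns: #, Time, Process:PID, Request, Path, Result, Other
GOOD_LOG = """\
1\t10:01:02.001\tapp.exe:1204\tOpenKey\tHKCU\\Software\\Contoso\\App\tSUCCESS\t
2\t10:01:02.002\tapp.exe:1204\tQueryValue\tHKCU\\Software\\Contoso\\App\\Completed\tBUFROVRFLOW\t
3\t10:01:02.003\tapp.exe:1204\tQueryValue\tHKCU\\Software\\Contoso\\App\\Completed\tSUCCESS\t0x1
4\t10:01:02.004\tapp.exe:1204\tCloseKey\tHKCU\\Software\\Contoso\\App\tSUCCESS\t
"""

BAD_LOG = """\
1\t10:07:15.881\tapp.exe:3312\tOpenKey\tHKCU\\Software\\Contoso\\App\tSUCCESS\t
2\t10:07:15.882\tapp.exe:3312\tQueryValue\tHKCU\\Software\\Contoso\\App\\Completed\tBUFROVRFLOW\t
3\t10:07:15.883\tapp.exe:3312\tQueryValue\tHKCU\\Software\\Contoso\\App\\Completed\tSUCCESS\t0x0
4\t10:07:15.884\tapp.exe:3312\tOpenKey\tHKLM\\Software\\Contoso\\App\\Licenses\tACCESS DENIED\t
5\t10:07:15.885\tapp.exe:3312\tQueryValue\tHKCU\\Software\\Contoso\\App\\Plugins\\Path\tNOTFOUND\t
6\t10:07:15.886\tapp.exe:3312\tCloseKey\tHKCU\\Software\\Contoso\\App\tSUCCESS\t
"""

RUN_SPECIFIC_COLUMNS = 3  # line #, time and process:pid always differ between runs
REQUEST, PATH, RESULT, OTHER = 3, 4, 5, 6


def parse(log_text):
    """Split each non-empty log line into its tab-separated columns."""
    return [line.split("\t") for line in log_text.splitlines() if line.strip()]


def normalise(log_text):
    """Drop the first three columns, the by-hand Excel step before FC/Windiff."""
    return ["\t".join(cols[RUN_SPECIFIC_COLUMNS:]) for cols in parse(log_text)]


def diff_runs(good_text, bad_text):
    """Return only the '-'/'+' rows that differ between the normalised runs."""
    diff = difflib.unified_diff(normalise(good_text), normalise(bad_text), lineterm="", n=0)
    return [
        line for line in diff
        if line[:1] in "+-" and not line.startswith(("+++", "---"))
    ]


def suspicious_rows(log_text):
    """Return (request, path, result) for rows worth a look.

    NOTFOUND and ACCESS DENIED are always reported. BUFROVRFLOW is reported only
    if the same request on the same path is not repeated successfully later in
    the log, so the normal 0-length-buffer size probe is ignored.
    """
    rows = parse(log_text)
    flagged = []
    for i, cols in enumerate(rows):
        request, path, result = cols[REQUEST], cols[PATH], cols[RESULT]
        if result in ("NOTFOUND", "ACCESS DENIED"):
            flagged.append((request, path, result))
        elif result == "BUFROVRFLOW":
            retried_ok = any(
                later[REQUEST] == request and later[PATH] == path and later[RESULT] == "SUCCESS"
                for later in rows[i + 1:]
            )
            if not retried_ok:
                flagged.append((request, path, result))
    return flagged


if __name__ == "__main__":
    print("rows that differ between the good and the bad run:")
    for line in diff_runs(GOOD_LOG, BAD_LOG):
        print(" ", line)
    print("suspicious statuses in the bad run:")
    for row in suspicious_rows(BAD_LOG):
        print("  %s %s -> %s" % row)
```

In the constructed bad run the diff surfaces three things at once: the Completed value read back as 0x0 where the good run read 0x1 (the pattern of the Internet Connection Wizard case later in these slides), an ACCESS DENIED on a machine-wide key, and a NOTFOUND for a value the good run never asked about. The two BUFROVRFLOW rows are not flagged because each is followed by a successful repeat of the same query.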

(27)

Troubleshooting with Regmon

If you suspect registry data is causing problems, rename the key and re-run the application

In this way, the data won’t be seen by the application

Most applications re-create user settings when run

Can always rename the key back

(28)

Regmon Example: Misleading IE Error Message

Internet Explorer failed to start with this error:

(29)

Solution: Misleading IE Error Message

Looked backwards from end of Regmon log

Saw query of Completed value in Internet Connection Wizard key

Value read was 0

Value was 1 on other systems

Solution: Set value to 1 and problem went away

(30)

Example Problem

Problem:

User somehow disabled all toolbars and menus in Word

No way to open files, change settings etc.

Solution:

With Regmon, captured startup of Word

Found location of user-specific settings for Word

Deleted this Registry key

Re-ran Word, which re-created user settings from scratch

(31)

Example Problem

Internet Explorer hung when started

Default internet connection was set, but wasn’t being dialed

Dialing the connection first manually and then running IE worked

(32)

Solution

Ran Regmon

Looked backwards from end (at the point IE was hung)

Found references to ATT under a PhoneBook key

Renamed ATT key and problem went away

Background information:

User had previously installed the AT&T Dialer program, but had uninstalled it and created dial up connection manually

Conclusion: registry junk was left from uninstall

Note that uninstalls don’t clean up stuff in currently not loaded user profiles!

(33)

Example: Misleading VBA Error

User got this error installing an application:

Regmon showed permissions problem

Solution: Edited permissions

(34)

Missing Settings

Sometimes queries for what is not there are more interesting than what is there

Identify missing Registry keys

Search for status “NOTFOUND”

May reveal hidden capabilities

(35)

Example: Hidden Capabilities

User tried installing Compaq utility on non-Compaq hardware

Regmon showed hidden key to override:

Solution: created key and install succeeded

(36)

Logging Boot Registry Activity

Regmon has a “log boot” option

Installs its driver to log Registry activity from boot time to \Windows\Regmon.log

Stops logging when you run Regmon

Regmon loads as very first driver so it captures virtually everything

Remember that it does not see direct calls to the native Registry API from kernel-mode code

Lab: Enable boot logging and search resulting log for Winlogon debug Registry values

(37)

Logging Activity in Unprivileged Accounts or During Logon/Logoff

May need to capture Registry activity in an unprivileged account

e.g. An application may work when run as Administrator, but not as a normal user

Regmon requires the DEBUG and LOAD_DRIVER privileges to execute

Or, may need to capture Registry activity during the logon or logoff process

E.g. An Explorer shell extension is crashing Explorer during logon

In these cases Regmon needs to remain running after logoff

Only way to have a process not be destroyed at log off is to have it run as a service or as a child of a service process

1. For a quick, one-time execution, run with “psexec -i -s -d” command

2. Install and run Regmon as a service using Srvany tool in Resource Kit

Can configure to start at system boot

When you logon Regmon will still be running

(38)

Further Reading

Mark E. Russinovich and David A. Solomon, Microsoft Windows Internals, 4th Edition, Microsoft Press, 2004.

Chapter 4 - Management Mechanisms; The Registry (from pp. 183)
