Hacking the Windows Registry
BY KEITH PLEAS

Visual Basic Programmer’s Journal, March 1996, page 22. ©1991–1996 Fawcette Technical Publications, http://www.windx.com

It’s a jungle out there, but with some guidance, an intrepid developer can unlock the secrets of the Win32 Registry.

If USER, Kernel, and GDI are the heart, brain, and eyes of Windows, the registry would be the memory—both long and short term. OK, maybe this metaphor is a bit weak, but the point should be obvious: the registry is a critical component of a well-functioning system and you’re not going to get very far without it. The registry is lightly documented and not well understood. Programming it can be similar to the old neurological technique of zapping part of the cerebral cortex with an electrode and seeing what happens: the patient may remember a baseball game or experience a war-related flashback. In Windows, you may enable a cool new feature or render your system unbootable. But it’s the thrill of the hunt that makes it so exciting.

After a brief introduction to get our terminology straight, I’ll skip the fundamentals of the registry—MSDN would be an ideal place to find this information—and leap into advanced aspects. Along the way I’ll note a variety of things you can take advantage of immediately: some of them are particular to the new Windows shell (first delivered on Windows 95 but currently in beta on Windows NT), some work only with NT (also known as “Microsoft’s real operating system”), and some will work for everybody. So, grab your tools (primarily a copy of RegEdit) and prepare for an exciting round of hacking the registry.

The registration database, commonly called the registry, contains a substantial amount of data about the computer and users. It includes computer data such as hardware, the OS, and installed applications, and user information such as their desktop settings and customization preferences. The registry stores data in a hierarchically structured tree. Each node in the tree is called a key. Each key can contain additional keys called subkeys (see Figure 1). Keys are composed of printable characters and cannot include backslashes (\) or wildcard characters (* or ?). Several predefined keys, represented with uppercase words separated by underscores, can be accessed using numeric constants. These keys are always “open,” so it’s not necessary to use the RegOpen... functions on them. It’s important to note that the root key for machine information is HKEY_LOCAL_MACHINE (HKEY_CLASSES_ROOT and HKEY_CURRENT_CONFIG map to subkeys) and the root key for user information is HKEY_USERS (HKEY_CURRENT_USER also maps to a subkey). Keys beneath the root are referenced by building a string key by concatenating each node together, separated by backslashes.

Each key also contains data stored in values: a key may have no values, a default value, or any number of named values in addition to the default. The data in the values may be in a variety of forms, though text and binary data types are by far the most common. While key names and value names are never localized, text data often is. Using the Windows 95 RegEdit utility shows you a much compacted view of the registry including the root keys, several subkeys, a default (text) value, and a named (binary) value (see Figure 2). Note that Windows NT has a similar but slightly different structure: it omits HKEY_CURRENT_CONFIG and substitutes a somewhat analogous HKEY_PERFORMANCE_DATA for HKEY_DYN_DATA.

SPELUNKING THE REGISTRY

A variety of common components can be found in the registry, especially if they have anything to do with OLE. Here are some examples so you’ll know what you’re looking at when you go spelunking with RegEdit.

Creatable OLE classes, provided by OLE servers, must be in the registry. Each class is registered separately in the HKEY_CLASSES_ROOT\CLSID key under its CLSID and must, at minimum, have enough information for the OLE system to locate and start the server. For example, Access registers the Application object with the key name on the left and the default value on the right:

{B54DCF20-5F9C-101B-AF4E-00AA003F0F07}   Microsoft Access Database
    InprocHandler32                      ole32.dll
    LocalServer32                        C:\MSOFFICE\ACCESS\MSACCESS.EXE
    ProgID                               Access.Application.7

Keith Pleas is an independent developer, author, and trainer. He is the author of the forthcoming book, Visual Basic Tips & Tricks, from Addison-Wesley. He can be reached on CompuServe at 71333,3014 (from the Internet: [email protected]).
FIGURE 1 Related Entries in the Registry. Expanded (Win95) registry keys depict how root keys map to major subkeys for current user, classes, and current configuration.

OLE controls, being specialized in-process OLE servers, must be in the registry. If an OLE control is referenced by an application but is not in the registry, it can autoregister itself if the system can locate it by searching along the normal DLL search path. OLE controls are registered as classes and can also be found in the HKEY_CLASSES_ROOT\CLSID key by referencing their CLSID. For example, the PicClip control that ships with VB4 has the following registry entries:

{27395F85-0C0C-101B-A3C9-08002B2F49FB}   PicClip Control
    Control
    InprocServer32        C:\WINDOWS\SYSTEM\PICCLP32.OCX
    Insertable
    MiscStatus
    ProgID                PicClip.PictureClip
    ToolboxBitmap32       C:\WINDOWS\SYSTEM\PICCLP32.OCX, 1
    TypeLib               {27395F85-0C0C-101B-A3C9-08002B2F49FB}
    Version               1.0

The Control key is used when dialog boxes like the OLE Insert Object dialog or VB4’s Custom Controls dialog is displayed with the Controls box checked. InprocServer32 contains the fully qualified path to the control. ProgID contains the so-called “friendly” name, which can also be found in a separate key under HKEY_CLASSES_ROOT: this separate key contains a pointer back to the CLSID where all the information for the control is maintained. The Insertable key behaves similarly to the Control key, though it may be duplicated under the ProgID key for backward compatibility with OLE 1.0 servers.

The type library for a control is indicated in the TypeLib key. Type libraries are stored separately in the registry under their own GUIDs in the HKEY_CLASSES_ROOT\TypeLib key. The entries for the PicClip control’s type library are:

{27395F85-0C0C-101B-A3C9-08002B2F49FB}
    1.0                   Microsoft PictureClip Control
        0
            win32         C:\WINDOWS\SYSTEM\PICCLP32.OCX
        FLAGS             2
        HELPDIR           C:\VB4

{B54DCF20-5F9C-101B-AF4E-00AA003F0F07}
    Retail                abcdefghijklmnopqrstuvwxyzabcdefghij
    Runtime               abcdefghijklmnopqrstuvwxyzabcdefghij

VB4 itself uses this technique: when it’s installed it merges the contents of one of the three REG files (for Standard, Professional, and Enterprise editions) into the registry.

Finally, the registry contains information about remoted OLE servers in both their local and remote configurations. Like the other OLE object described here, this VB4-created OLE Automation server registers a Clerk class under its own GUID in the HKEY_CLASSES_ROOT\CLSID key. Of course, VB4 handles all the registration automatically and it’s typically not necessary to modify these entries directly. Running the Remote Automation Connection Manager (RacMgr32) utility included with VB4 Enterprise Edition adds additional keys for a remote machine name, RPC protocol, and RPC authentication level. When run locally, this particular class is registered as:

{8435CD47-D6BE-11CE-A842-00AA00688747}
    _AuthenticationLevel  2
    _NetworkAddress       NT
    _ProtocolSequence     ncacn_ip_tcp
    InprocHandler32       OLE32.DLL
    LocalServer32         D:\PROJ\MSJ\CAR RENTAL\RENTAL OBJECTS.EXE
    ProgID                RentalObjects.Clerk
    TypeLib               {8435CD4E-D6EB-11CE-A842-00AA00688747}

When the class is remote, RacMgr32 changes the registration entries to:

{8435CD47-D6BE-11CE-A842-00AA00688747}
    _LocalServer32        D:\PROJ\MSJ\CAR RENTAL\RENTAL OBJECTS.EXE
    AuthenticationLevel   2
    InprocHandler32       OLE32.DLL
    InprocServer32        C:\WINDOWS\SYSTEM\autprx32.dll
    NetworkAddress        NT
    ProgID                RentalObjects.Clerk
    ProtocolSequence      ncacn_ip_tcp
    TypeLib               {8435CD4E-D6EB-11CE-A842-00AA00688747}
FIGURE 2 Keys to the Windows Registry. The hierarchical structure of the registry consists of keys and subkeys. The associated values for each key can be named (text) or a non-string data type (binary). (Figure labels: Keys, Subkeys, Text Value, Binary Value.)

Notice how the LocalServer32 key gets renamed (actually, keys cannot be renamed, so it is destroyed and re-created) and an additional InprocServer32 key is created. This new key points to the remote automation proxy on the local machine, initiating a conversation with the AutMgr utility running on the remote machine.

Of course, you’ll never want to touch these registration entries directly. In addition to using RacMgr32, we can also call the RacReg OLE Automation server in code to examine and change server settings. To do so add a reference to the RacReg32.DLL, create a RacReg.RegClass object, and use the GetAutoServerSettings function and SetAutoServerSettings method. Unfortunately, the documentation for these functions is a little obscure: it’s only found in the ReadMe file that ships with VB4. But it’s pretty obvious how the RacReg32 server reads/writes the registry settings shown in this function prototype:

object.SetAutoServerSettings (Remote, [ProgID], [CLSID], _
    [ServerName], [Protocol], [Authentication])

A side benefit of using the RacReg.RegClass object is that Microsoft’s VB group promises that your code will be upwardly compatible with future versions of VB, which will support true Networked OLE: they’ll do the work of encapsulating the changes so that you don’t have to change your code.

USING REGISTRY FUNCTIONS

The Win32 API provides a function group of 26 APIs, many of them with both “A” (ANSI) and “W” (Wide, or Unicode) versions, for working with the registry. Five of the 26 APIs are provided for backward compatibility only and shouldn’t be used (the corresponding ...Ex functions, which support named values and access to keys other than HKEY_CLASSES_ROOT, should be used instead).

Rather than torture you with a complete list of the APIs, I’ll point you to a couple of useful samples that highlight their implementation such as the RegTool sample that ships on the VB4 disc. The RegTool sample is buried down in the \Tools\Dataex32\Source\Regtool subdirectory and has a reusable class with routines for creating, updating, and deleting keys. Unfortunately, while it can read both string and numeric (dword) data, it can only write strings. A much better example can be found in the file REGVB4.ZIP in the Magazine Library of the VBPJ Forum on CompuServe. Written by Don Bradner, VBPJ Forum Section Leader of the “32-Bit Bucket,” REGVB4 is a handy VB4 version of RegEdit that has well-commented source code for reading and writing both string and numeric values.

Several of the registry functions deserve a bit more comment. While we do not yet have built-in support for a distributed registry (where part or all of your registry is stored on another machine), the RegConnectRegistry function can be used programmatically to connect to remote registries and get/set values from their registries. They can connect only through the root keys (HKEY_LOCAL_MACHINE and HKEY_USERS), but because of the subkey mappings to HKEY_CURRENT_USER, HKEY_CLASSES_ROOT, and HKEY_CURRENT_CONFIG this isn’t a major limitation.

There are also a few differences between the Win95 and WinNT implementations of the registry functions. Of course, Win95 knows nothing about security, so Get/SetKeySecurity aren’t implemented
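The key-naming rules from the introduction and the root-key restriction on RegConnectRegistry, as an added Python example that is not the article’s code: it builds and checks key strings by those rules and rewrites a path under a mapped root to the HKEY_LOCAL_MACHINE or HKEY_USERS location a remote connection can open. The backing subkeys (SOFTWARE\Classes, a user SID under HKEY_USERS, the NT hardware-profile key) are this example’s assumptions, not something the article states.

```python
# Added example (not from the article). Root-key constants are the winreg.h
# values; the backing locations in ROOT_ALIASES are assumptions of this example.
import re

# Predefined, always-open root keys and their numeric handle constants.
ROOT_KEYS = {
    "HKEY_CLASSES_ROOT": 0x80000000,
    "HKEY_CURRENT_USER": 0x80000001,
    "HKEY_LOCAL_MACHINE": 0x80000002,
    "HKEY_USERS": 0x80000003,
    "HKEY_PERFORMANCE_DATA": 0x80000004,
    "HKEY_CURRENT_CONFIG": 0x80000005,
    "HKEY_DYN_DATA": 0x80000006,
}

# Roots a remote connection may open directly (article: only HKLM and HKU).
REMOTE_ROOTS = {"HKEY_LOCAL_MACHINE", "HKEY_USERS"}

# Assumed backing location of each mapped root; the HKCU mapping depends on the
# logged-on user, so a labelled placeholder stands in for the SID.
ROOT_ALIASES = {
    "HKEY_CLASSES_ROOT": ("HKEY_LOCAL_MACHINE", ["SOFTWARE", "Classes"]),
    "HKEY_CURRENT_USER": ("HKEY_USERS", ["<user SID>"]),
    "HKEY_CURRENT_CONFIG": ("HKEY_LOCAL_MACHINE",
                            ["System", "CurrentControlSet", "Hardware Profiles", "Current"]),
}

_BAD_CHARS = re.compile(r"[\\*?]")  # no backslash, no wildcard in a key name


def check_key_name(name: str) -> bool:
    """One node: non-empty, printable, free of backslashes and wildcards."""
    return bool(name) and name.isprintable() and not _BAD_CHARS.search(name)


def build_key_path(root: str, *nodes: str) -> str:
    """Concatenate root and nodes with backslashes, rejecting bad node names."""
    if root not in ROOT_KEYS:
        raise ValueError(f"unknown root key {root!r}")
    for node in nodes:
        if not check_key_name(node):
            raise ValueError(f"invalid key name {node!r}")
    return "\\".join((root, *nodes))


def remote_path(path: str) -> str:
    """Rewrite a path so it opens through a root RegConnectRegistry supports."""
    root, *nodes = path.split("\\")
    if root not in ROOT_KEYS:
        raise ValueError(f"unknown root key {root!r}")
    if root in REMOTE_ROOTS:
        return path
    if root not in ROOT_ALIASES:
        raise ValueError(f"{root} is not reachable through a remote root")
    new_root, prefix = ROOT_ALIASES[root]
    return build_key_path(new_root, *prefix, *nodes)
```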
FIGURE 4 Adding the Test VB Finder to the Find Menu in Explorer. The registry structure for dynamically added Find items illustrates how simple it is to add items to the menu. A modified Find Menu in the new shell’s Explorer shows an entry added by MSN as well as two custom entries described here. It’s just as easy to add an entry for something like Yahoo for finding files on the Internet.
HKEY_CLASSES_ROOT\. = "txtfile"
LISTING 2 Declarations and Code for Handling Registry Change Notification. The cmdRegistry_Click subroutine creates the event object, passes its handle to the system signalling when the registry changes, and starts the polling timer. Details about Registry Change Notification messages are shown in Table 1.

Ctrl-Alt-Shift key combination and click on the “No” button. This leaves you in something like the old shell, where pressing Ctrl-Escape brings up the Task Manager, from which you can select “Run” from the File menu and restart Explorer.

Although the menu item is visible at this point, it won’t actually do anything. To make it work, you must add the CLSID to the HKEY_CLASSES_ROOT\CLSID key and create a couple of additional subkeys: the CLSID of the OLE InProc server referenced by the Find extension, the command line to be executed by FindExt.DLL, which must be stored under the FindCmd key, and finally the InprocServer32 key with two values. The first, which is the default, contains the path (if appropriate) and file name of the FindExt.DLL, which will typically be located in the \Windows\System subdirectory. The second key, “ThreadingModel,” should be set to “Apartment” because the FindExt.DLL uses that mechanism and is, in fact, thread safe. The threading model applies only to OLE Servers that are loading in process. The steps I’ve outlined are a bit tedious, yet they must be carried out exactly for this to work properly. To ease the procedure, I wrote a small Finder Installation utility that automates the whole process (available for download from the online services described elsewhere in this article).

The CoCreateGuid declaration was pretty obvious:

Declare Function CoCreateGuid Lib _
    "OLE32.DLL" (guid As tGUID) As Long

Calling it is dead simple:

Dim tmp As tGUID
lRet = CoCreateGuid(tmp)

Unfortunately, the GUID you end up with is binary. You need a string in this format: “{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}”. The Win32 API does provide a UuidToString function located in RPCRT4.DLL, and the Win32 SDK header files provide this prototype:

UuidToStringA (
    IN UUID __RPC_FAR * Uuid,
    OUT unsigned char __RPC_FAR * __RPC_FAR * StringUuid
);

But, it turns out that this function isn’t callable from VB. However, another function, StringFromGUID2, gets us on the right track using this declaration:

Declare Function StringFromGUID2 Lib _
    "OLE32.DLL" (guid As tGUID, lpszString As _
    Byte, lMax As Long) As Long
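The binary-to-string conversion discussed above, done in Python as an added example rather than the article’s VB code: it formats the 16-byte GUID structure that CoCreateGuid fills in (Data1, Data2 and Data3 stored little-endian, Data4 as eight raw bytes) into the {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} registry form and parses it back, cross-checking the byte layout against the standard library. The sample bytes are constructed from the PicClip CLSID listed earlier.

```python
# Added example (not the article's code): GUID structure bytes <-> registry string.
import re
import struct
import uuid

# Registry form: braces, upper-case hex, groups of 8-4-4-4-12 digits.
_GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")


def guid_bytes_to_string(raw: bytes) -> str:
    """Format the 16 bytes of a GUID structure as {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}."""
    if len(raw) != 16:
        raise ValueError("a GUID structure is exactly 16 bytes")
    # Data1 (DWORD), Data2 (WORD), Data3 (WORD) are little-endian integers;
    # Data4 is eight bytes printed in memory order, split 2 + 6.
    data1, data2, data3 = struct.unpack("<IHH", raw[:8])
    data4 = raw[8:]
    return "{%08X-%04X-%04X-%s-%s}" % (
        data1, data2, data3, data4[:2].hex().upper(), data4[2:].hex().upper())


def guid_string_to_bytes(text: str) -> bytes:
    """Inverse: parse the registry string form back into the structure bytes."""
    s = text.strip().upper()
    if not _GUID_RE.match(s):
        raise ValueError(f"not a registry-style GUID: {text!r}")
    p = s[1:-1].split("-")
    return (struct.pack("<IHH", int(p[0], 16), int(p[1], 16), int(p[2], 16))
            + bytes.fromhex(p[3] + p[4]))


def is_registry_guid(text: str) -> bool:
    """True when text is already in the braced form the CLSID key expects."""
    return bool(_GUID_RE.match(text.strip().upper()))


def self_check(text: str) -> bool:
    """Round-trip a string and confirm the layout matches uuid.UUID.bytes_le."""
    raw = guid_string_to_bytes(text)
    return (raw == uuid.UUID(text.strip("{}")).bytes_le
            and guid_bytes_to_string(raw) == text.strip().upper())


# Constructed sample: the PicClip CLSID as CoCreateGuid would lay it out in memory.
PICCLIP_GUID_BYTES = bytes.fromhex("855F39270C0C1B10A3C908002B2F49FB")
```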