Topic: Question to "Remote Regedit" (Read 3486 times)

« **on:** March 12, 2014, 01:10:36 PM »

In Win8.1SE (OS in Ram) with the Runscanner plugin (v55):

"Remote Regedit" shows me in HKLM the registry of the remote system

But in HKCU i see the registry of the Win8.1SE Administrator.

Is it not the case that the /ac switch should load the remote user to HKCU?

fuwi

« **Reply #1 on:** March 12, 2014, 02:54:03 PM »

It works fine here (x86 OS in RAM v. 55)

« **Reply #2 on:** March 12, 2014, 04:19:56 PM »

My build is x64, OS in RAM

fuwi

« **Reply #3 on:** March 13, 2014, 03:52:31 AM »

Runscanner is only a 32 bit application so will show the 32 bit registry and can only be used with 32 bit applications.

« **Reply #4 on:** March 13, 2014, 03:55:40 AM »

Before you ask it uses the free MS detours package to intercept registry calls. The free version does not support 64 bit. MS charges $10000 for the 64 bit version. Hence there will not be a 64 bit version of runscanner. Its use is not recommended on 64 bit os.

« **Reply #5 on:** March 13, 2014, 06:45:17 AM »

Aah, thanks for this interesting information paraglider!

fuwi

« **Reply #6 on:** March 13, 2014, 04:08:30 PM »

Hi Paraglider

Is it fine to use Remote Regedit to edit an offline 64 bit OS registry from a 32 bit PE ?.

« **Reply #7 on:** March 13, 2014, 04:20:34 PM »

Quote from: fuwi on March 12, 2014, 01:10:36 PM

In Win8.1SE (OS in Ram) with the Runscanner plugin (v55):

"Remote Regedit" shows me in HKLM the registry of the remote system
But in HKCU i see the registry of the Win8.1SE Administrator.

Is it not the case that the /ac switch should load the remote user to HKCU?

I made a rebuild with x86 source -> identical to x64 build (registry of the Win8.1SE Administrator in HKCU)

fuwi

« **Reply #8 on:** March 14, 2014, 12:04:27 AM »

If there is one user then /ac will autoselect the user. Otherwise you should be prompted for the current user.

« **Reply #9 on:** March 14, 2014, 12:06:36 AM »

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList in the remote registry is inspected to find the available user hives.

« **Reply #10 on:** March 14, 2014, 12:10:01 AM »

Also needs the /ec parameter to force the dialog. On my win8.1 x64 system I see 3 users in the ProfileList registry key apart from the 3 builtin system users.

« **Reply #11 on:** March 14, 2014, 12:57:15 AM »

Try adding the /ll parameter. It worked for me using 8.1 pe se and loading my 8.1 x64 remote registry.

« **Reply #12 on:** March 14, 2014, 12:58:27 AM »

If /ll is specified then last logged on user will be read from the remote registry and automatically set as HKCU. Acess to the remote SAM hive is required for this to work. Hence runscanner must be run as the SYSTEM user ( SAM subkeys have reigstry permissions set which only permit access by the SYSTEM user). This happens automatically when run from PE. If the current user profile could not be autoselected then the /ec parameter can be specified to force the showing of the select user dialog.

« **Reply #13 on:** March 14, 2014, 12:58:51 AM »

For info:
I tested with 8.1 OS x86/x64, the remote registry HKLM, HKCU is well mounted here.
I have the default settings: Runscanner.exe /t 0 /sd /ac /m+ /y regedit.exe.
in 64 bit PE regedit.exe 32-bit is called.

Quote from: anshad on March 13, 2014, 04:08:30 PM

Is it fine to use Remote Regedit to edit an offline 64 bit OS registry from a 32 bit PE ?.

Whatever the PE or host architecture, remote regedit seems to work fine without concern to edit it.