regedit.txt
The Offline NT Password Editor
(c) 1997-2000 Petter Nordahl-Hagen

Registry Editor Usermanual/docs

See COPYING for copyright & credits.
See INSTALL for compile/installation instructions.
See README for docs on the passwordpart (or website for bootdisk)

Feb 2000: This release features full registry read,
but only write to existing values, and only same data length.

This is a short demo of the registry editor-part, should give you
an idea on how it works.
You can navigate the registry almost like a filesystem (only difference
being that the "files" actually are of a special datatype, instead of
just a bytestream)

>chntpw -h
chntpw version 0.98 000215, (c) Petter N Hagen
chntpw: change password of a user in a NT SAM file, or invoke registry editor.
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
 -h          This message
 -u <user>   Username to change, Administrator is default
 -l          list all users in SAM file
 -i          Interactive. List users (as -l) then ask for username to change
 -e          Registry editor (currently only in-place writesupport)
 -d          Enter buffer debugger instead (hex editor),
 -t          Trace. Show hexdump of structs/segments. (deprecated debug function)
See readme file on how to extract/read/write the NT's SAM file
if it's on an NTFS partition!
Source/binary freely distributable. See README/COPYING for details
(Contains DESlib code (c) Eric Young)
NOTE: This program is somewhat hackish! You are on your own!

(example edit of NT4 SYSTEM-hive)

>chntpw -e system
Hive's name (from header): <SYSTEM>
File size 991232 [f2000] bytes, containing 215 pages (+ 1 headerpage)
Used for data: 12707/663296 blocks/bytes, unused: 89/316960 blocks/bytes.

Simple registry editor. ? for help.

[1020] > ?
Simple registry editor:
hive [<n>]           - list loaded hives or switch to hive numer n
cd <key>             - change key
ls | dir [<key>]     - show subkeys & values,
cat | type <value>   - show key value
st [<hexaddr>]       - show struct info
ed <value>           - edit existing value (only same datalength allowed for now)
debug                - enter buffer hexeditor
q                    - quit

[1020] > ls
ls of node at offset 0x1024
Node has 4 subkeys and 0 values
  offs     key name
[1448]   <ControlSet001>
[9b828]  <ControlSet002>
[1078]   <Select>
[2dcf8]  <Setup>

(keynames & valuenames may be abbreviated, first match is used!)

[1020] > cd Cont

[1448] \ControlSet001> ls
ls of node at offset 0x144c
Node has 4 subkeys and 0 values
  offs     key name
[14a8]   <Control>
[10e70]  <Enum>
[10ec8]  <Hardware Profiles>
[11d40]  <Services>

[1448] \ControlSet001> cd Ser

[11d40] \ControlSet001\Services> ls
ls of node at offset 0x11d44
Node has 134 subkeys and 0 values
  offs     key name
[215f8]  <Abiosdsk>
[3e5c8]  <Afd>
[1e610]  <Aha154x>
[1e8d8]  <Aha174x>
[20a18]  <aic78xx>
[427b0]  <Alerter>
.....
[1f570]  <Wd33c93>
[26080]  <wd90c24a>
[25e58]  <wdvga>
[26288]  <weitekp9>
[3ef68]  <WinSock>
[3a450]  <WinSock2>
[2d618]  <WinTrust>
[26478]  <Xga>

[11d40] \ControlSet001\Services> cd Sermouse

[23690] \ControlSet001\Services\Sermouse> ls
ls of node at offset 0x23694
Node has 1 subkeys and 5 values
  offs     key name
[237c8]  <Parameters>
  offs   size   type        value name      [value if type DWORD]
[236ec]    4   REG_DWORD   <Type>           1 [0x1]
[2370c]    4   REG_DWORD   <Start>          4 [0x4]
[2372c]   26   REG_SZ      <Group>
[2376c]    4   REG_DWORD   <ErrorControl>   0 [0x0]
[237ac]    4   REG_DWORD   <Tag>            2 [0x2]

[23690] \ControlSet001\Services\Sermouse> cat Group
Value <Group> of type REG_SZ, data length 26 [0x1a]
Pointer Port

[23690] \ControlSet001\Services\Sermouse> ed Start
EDIT: <Start> of type REG_DWORD with length 4 [0x4]
DWORD: Old value 4 [0x4], enter new value (prepend 0x if hex, empty to keep old value)
-> 0
DWORD: New value 0 [0x0],

[23690] \ControlSet001\Services\Sermouse>

(So, now this driver is switched off. Not very smart maybe, but this is
how you can disable drivers that crash during boot of NT)

[23690] \ControlSet001\Services\Sermouse> cd \ControlSet001\Control\ServiceGroupOrder

(Multi-strings are rather awkward to edit. Even so since there's a
total length limit to think of in this release)

[3050] \ControlSet001\Control\ServiceGroupOrder> ed List
EDIT: <List> of type REG_MULTI_SZ with length 712 [0x2c8]
[ 0]: System Bus Extender
[ 1]: SCSI miniport
[ 2]: port
[ 3]: Primary disk
[ 4]: SCSI class
[ 5]: SCSI CDROM class
[ 6]: filter
[ 7]: boot file system
[ 8]: Base
[ 9]: Pointer Port
[10]: Keyboard Port
[11]: Pointer Class
[12]: Keyboard Class
[13]: Video Init
[14]: Video
[15]: Video Save
[16]: file system
[17]: Event log
[18]: Streams Drivers
[19]: PNP_TDI
[20]: NDIS
[21]: TDI
[22]: NetBIOSGroup
[23]: SpoolerGroup
[24]: NetDDEGroup
[25]: Parallel arbitrator
[26]: extended base
[27]: RemoteValidation
[28]: PCI Configuration

Now enter new strings, one by one.
Enter nothing to keep old,
'--n' to quit (filling rest of value with NULLs)
'--q' to quit (leaving remaining strings as is)
'--' for empty string in this position
712 bytes left
[ 0]: System Bus Extender
->
(note: bytes is actually chars*2, because of unicode)
672 bytes left
[ 1]: SCSI miniport
->
644 bytes left
[ 2]: port
-> gate
634 bytes left
[ 3]: Primary disk
->
608 bytes left
[ 4]: SCSI class
->
586 bytes left
[ 5]: SCSI CDROM class
-> SCSI DVD class
556 bytes left
[ 6]: filter
->
542 bytes left
[ 7]: boot file system
->
508 bytes left
[ 8]: Base
.... and so on....
[24]: NetDDEGroup
->
144 bytes left
[25]: Parallel arbitrator
-> --q
104 bytes left
[26]: extended base
76 bytes left
[27]: RemoteValidation
42 bytes left
[28]: PCI Configuration

[3050] \ControlSet001\Control\ServiceGroupOrder> cd \ControlSet001\Control\SystemResources

[f7c0] \ControlSet001\Control\SystemResources> ls
ls of node at offset 0xf7c4
Node has 3 subkeys and 0 values
  offs     key name
[fee8]   <AssignmentOrdering>
[6f00]   <BusValues>
[fbc8]   <ReservedResources>

[f7c0] \ControlSet001\Control\SystemResources> cd Bu

[6f00] (...)\Control\SystemResources\BusValues> ls
ls of node at offset 0x6f04
Node has 0 subkeys and 12 values
  offs   size   type        value name      [value if type DWORD]
[6f74]     8   REG_BINARY  <Internal>
[6fa4]     8   REG_BINARY  <Isa>
[f97c]     8   REG_BINARY  <Eisa>
[f9ac]     8   REG_BINARY  <MCA>
[f9f4]     8   REG_BINARY  <TurboChannel>
[fa1c]     8   REG_BINARY  <PCI>
[fa6c]     8   REG_BINARY  <VME>
[fa8c]     8   REG_BINARY  <NuBus>
[fa4c]     8   REG_BINARY  <PCMCIA>
[faf4]     8   REG_BINARY  <CBus>
[fabc]     8   REG_BINARY  <MPI>
[fb64]     8   REG_BINARY  <MPSA>

[6f00] (...)\Control\SystemResources\BusValues> cat Internal
Value <Internal> of type REG_BINARY, data length 8 [0x8]
:00000  00 00 00 00 00 00 00 00 ........

[6f00] (...)\Control\SystemResources\BusValues> cat MPI
Value <MPI> of type REG_BINARY, data length 8 [0x8]
:00000  0A 00 00 00 00 00 00 00 ........

(and now for editing of binary or unhandled valuetypes)

[6f00] (...)\Control\SystemResources\BusValues> ed Internal
EDIT: <Internal> of type REG_BINARY with length 8 [0x8]
Buffer debugger. '?' for help.
.?
d [<from>] [<to>]                        - dump buffer within range
a [<from>] [<to>]                        - same as d, but without ascii-part (for cut'n'paste)
: <offset> <hexbyte> [<hexbyte> ...]     - change bytes
h <from> <to> <hexbyte> [<hexbyte> ...]  - hunt (search) for bytes
ha <hexbyte> [<hexbyte]                  - Hunt all (whole buffer)
s                                        - save & quit
q                                        - quit (no save)

instead of <hexbyte> etc. you may give 'string to enter/search a string.
.d
:00000  00 00 00 00 00 00 00 00 ........
.d
:00000  00 00 00 00 00 00 00 00 ........
.:000 45 88
from: 0, wlen: 2
.d 0
:00000  45 88 00 00 00 00 00 00 E.......
.:00 'haha
from: 0, wlen: 4
.d 0
:00000  68 61 68 61 00 00 00 00 haha....

(now, s will save the value, q will throw away the changes)
.s

[6f00] (...)\Control\SystemResources\BusValues> cat Internal
Value <Internal> of type REG_BINARY, data length 8 [0x8]
:00000  68 61 68 61 00 00 00 00 haha....

(list hives loaded, only one this time)

[6f00] (...)\Control\SystemResources\BusValues> hive
* D 0   991232 0x000f2000 <system>
^ ^ hive#  size(dec)  size(hex)  name
| |
| |--- Hive dirty flag.
|
|--- Current hive, being edited.

(hive 2 will change to hive #2 listed and so on..)

(now, let's quit)

[6f00] (...)\Control\SystemResources\BusValues> q

Hives that have changed:
 #  Name
 0  <system>
Write hive files? (y/n) [n] : y
 0  <system> - OK
end of program
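The session above shows three kinds of in-place edit, all bound by the same rule that only existing values of unchanged data length can be written: a REG_DWORD prompt that accepts decimal or 0x-prefixed hex, a REG_MULTI_SZ prompt loop that counts "bytes left" as chars*2 plus a NUL per string, and the buffer debugger's ':' command that overwrites bytes or a 'string at an offset. The following is an added worked example, not code from chntpw or from the original regedit.txt, that models those three edits on constructed buffers so the byte accounting can be checked; the '--n'/'--q' handling, the treatment of the first empty string as the list terminator, and the hexdump layout are my reading of the session, not the tool's source. One fact worth keeping in mind when reproducing the 'ed Start' step: on NT a service Start value of 0 is boot start and 4 is disabled, so the DWORD helper below only parses and packs the number and attaches no meaning to it.

```python
"""Added example (not chntpw code): model of the 0.98 registry editor's
in-place, same-length write rule for REG_DWORD, REG_MULTI_SZ and REG_BINARY.
Every buffer here is constructed for the demo; nothing is read from a hive."""
from __future__ import annotations
import struct

NUL = b"\x00\x00"  # one zero UTF-16LE code unit


# --- REG_DWORD: the 'ed Start' prompt --------------------------------------
def parse_dword(text: str, old: int) -> int:
    """Empty input keeps the old value; a '0x' prefix selects hex."""
    text = text.strip()
    if text == "":
        return old
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in a 4-byte REG_DWORD")
    return value


def pack_dword(value: int) -> bytes:
    """DWORDs are stored little-endian; the data length (4) never changes."""
    return struct.pack("<I", value)


# --- REG_MULTI_SZ: the 'ed List' prompt loop --------------------------------
def decode_multi_sz(data: bytes) -> list[str]:
    """UTF-16LE strings, each NUL-terminated; the first empty string ends the list."""
    out = []
    for s in data.decode("utf-16-le").split("\x00"):
        if s == "":
            break
        out.append(s)
    return out


def encode_multi_sz(strings: list[str], total_len: int) -> bytes:
    """Each string costs len*2 + 2 bytes (the session's 'chars*2' note), the
    list ends with one more NUL, and the blob is NUL-padded to the old length
    because the editor can only write same-length data."""
    body = b"".join(s.encode("utf-16-le") + NUL for s in strings) + NUL
    if len(body) > total_len:
        raise ValueError(f"need {len(body)} bytes but the value holds {total_len}")
    return body + b"\x00" * (total_len - len(body))


def edit_multi_sz(old: bytes, answers: list[str]) -> tuple[bytes, list[int]]:
    """Replay the prompt loop.  answers[i] is what is typed at position i:
    '' keeps the old string, '--' stores an empty string, '--n' stops and
    NUL-fills the rest, '--q' stops and keeps the remaining strings.
    Returns the new blob and the 'bytes left' figure shown before each prompt."""
    total = len(old)
    new_strings, bytes_left_log = [], []
    left, keep_rest = total, False
    for i, old_s in enumerate(decode_multi_sz(old)):
        bytes_left_log.append(left)
        ans = "" if keep_rest or i >= len(answers) else answers[i]
        if ans == "--n":
            break
        if ans == "--q":
            keep_rest, ans = True, ""
        chosen = old_s if ans == "" else ("" if ans == "--" else ans)
        cost = len(chosen) * 2 + 2
        if cost > left:
            raise ValueError(f"'{chosen}' needs {cost} bytes, only {left} left")
        new_strings.append(chosen)
        left -= cost
    return encode_multi_sz(new_strings, total), bytes_left_log


# --- REG_BINARY: the buffer debugger's ':' command --------------------------
def poke(buf: bytes, offset: int, arg: str) -> bytes:
    """':<offset> <hexbyte> ...' or ':<offset> 'string': overwrite in place.
    A leading quote means a literal string, as in the session's ':00 'haha'.
    The buffer cannot grow, so a write past the end is refused."""
    payload = arg[1:].encode("ascii") if arg.startswith("'") else bytes.fromhex(arg)
    if offset < 0 or offset + len(payload) > len(buf):
        raise ValueError("write would run past the end of the value")
    return buf[:offset] + payload + buf[offset + len(payload):]


def hexdump_line(buf: bytes, offset: int = 0) -> str:
    """One line in the spirit of the debugger's 'd' output (layout approximated)."""
    hexpart = " ".join(f"{b:02X}" for b in buf)
    asc = "".join(chr(b) if 32 <= b < 127 else "." for b in buf)
    return f":{offset:05x}  {hexpart} {asc}"


if __name__ == "__main__":
    # Constructed ServiceGroupOrder-style value: three strings, 80 bytes total.
    old = encode_multi_sz(["System Bus Extender", "SCSI miniport", "port"], 80)
    new, log = edit_multi_sz(old, ["", "", "gate"])
    print(log, decode_multi_sz(new))
    print(hexdump_line(poke(bytes(8), 0, "'haha")))
    print(pack_dword(parse_dword("0", 4)).hex())
```

Running the demo shows the "bytes left" counter falling by 40, 28 and 10 for the three strings exactly as the session's numbers do for the same strings, and replacing "port" with anything longer than five characters raises the same-length error instead of silently corrupting the value.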