Using BackTrack to Fix Windows Registry
BackTrack is the most popular Linux live CD distribution focused on penetration testing. It comes loaded with the top security tools, so you can start work immediately without downloading and installing any of them.
One use of BackTrack is to fix Windows problems such as repairing the registry or resetting user passwords. Here I am going to explain how to use BackTrack to fix the Windows registry.
Often we mess up the registry and leave the system hanging at boot. In such situations BackTrack plays a major role in putting you back on track.
To start with, boot your system from the BackTrack CD. After booting, make sure that your Windows system partition is mounted read/write. If the system partition is NTFS it is normally mounted read-only, so you have to unmount it and remount it read/write. Shut Windows down fully before doing this: writing to a volume that Windows left hibernated corrupts its file system state.
Let's assume that your system partition is /dev/hda1 and that it is currently mounted on /mnt/hda1. Use the 'mount' command with no arguments to list the devices and their respective mount points.

To unmount this partition, use the following command:

umount /mnt/hda1

Now mount it with read/write access:

mount -o rw /dev/hda1 /mnt/hda1

The kernel's own NTFS driver has only limited write support. If the above method does not work, use the following steps specified by Muts from BackTrack, which mount the partition through FUSE instead:

umount /mnt/hda1
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1

For SATA drives use sda1 instead of hda1 in the above steps. A FAT32 partition needs none of this, as it is already mounted with read/write access.
Now go to the config folder on your system partition, which holds all the registry hives. Path lookups on Linux can be case-sensitive, so if the cd fails, check the exact spelling of the directory names (for example WINDOWS versus windows) with 'ls'.

# cd /mnt/hda1/windows/system32/config
|
Then type 'chntpw' with no arguments to see its help screen. This tool comes with a built-in registry editor that can be used to manipulate any part of the registry. To invoke the registry editor, pass the -e option followed by the name of a registry hive file. The whole Windows registry is stored in a handful of hive files; the table below maps each part of the registry to its hive file. Select the hive file that corresponds to the part of the registry you are going to modify.

Registry subtree                 Hive file
HKEY_CURRENT_USER                NTuser.dat (per user, stored in that user's profile directory, not in system32\config)
HKEY_LOCAL_MACHINE\SAM           SAM
HKEY_LOCAL_MACHINE\SECURITY      SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE      SOFTWARE
HKEY_LOCAL_MACHINE\SYSTEM        SYSTEM
HKEY_USERS\.DEFAULT              DEFAULT
Let me explain the complete registry editing operation with an example. Assume that the 'Themes' service is preventing your system from booting normally. To bring the system back to normal, you need to disable this service. The registry key for the Themes service is located here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes

To disable the service, change the 'Start' value under the above key to 4. Start is a REG_DWORD whose meaning is 0 = boot, 1 = system, 2 = automatic, 3 = manual and 4 = disabled.

Start REG_DWORD 4
|
From the table above it is clear that we have to edit the 'SYSTEM' hive file with 'chntpw'. Type the command as shown below.

# chntpw -e SYSTEM
|
At the new command prompt, type ? to list the commands available for registry editing. The most useful ones are dir, cat, cd and ed.
Now type 'dir' to see all the subkeys under the root key. You will see several ControlSet00* keys, but no CurrentControlSet key, and that is the one we need to edit the properties of the Themes service.
Don't panic. CurrentControlSet is a link that Windows creates at boot time; it does not exist in the hive on disk, and the answer is hidden in the 'Select' subkey. Enumerate all the values under 'Select' as shown below.

> cd Select
> dir
|
The data of the 'Current' value tells you which ControlSet00* key is currently in use. For example, if 'Current' is 2 then you have to select 'ControlSet002', and so on. On my machine 'Current' has the value 1, so I am going to select 'ControlSet001'.
Now we know which control set to use for our purpose. Select it and move on to the Themes subkey as shown below. Note that we are still under the Select key, so you have to go back to the root key before choosing the ControlSet key.

> cd ..
> cd ControlSet001\Services\Themes
|
Now type 'dir' to see all the value names and their data under this key. We just have to change the DWORD 'Start' to 4 using the 'ed' command.

> ed Start

When you are prompted for the new value, type 4 and press ENTER to set it. To verify, print the value back:

> cat Start

Once you have made all the required changes, type 'q' to quit the registry editor and then answer 'y' to write the changes to the hive. chntpw rewrites the hive file in place, so it is wise to keep a copy of the SYSTEM file somewhere safe before answering 'y'. After that, restart the system and you should be able to log in normally.
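The whole procedure above, from the read/write mount check through the Select\Current lookup to the edit, as one script so that nothing has to be typed into the editor by hand. This is an added example, not code from the original page or from the chntpw or BackTrack projects. It assumes the mount point and service name are passed as arguments, that 'chntpw -e' reads its editor commands from stdin and prints a REG_DWORD as a line beginning with "DWORD:" (both assumed here, not stated on the page), and that the hive directory can be located by a case-insensitive search under the mount point; the function names and the script name fixreg.sh are my own.

```shell
#!/bin/sh
# Added example (not from the original page): disable a Windows service from BackTrack
# by editing the SYSTEM hive with chntpw, following the steps described above.
# Assumptions: chntpw -e reads editor commands from stdin and prints a REG_DWORD as a
# line starting with "DWORD: <n>"; both are assumed here, not taken from the page.

# Map the Select\Current data (for example 1) to its key name (ControlSet001).
control_set_name() {
    printf 'ControlSet%03d\n' "$1"
}

# Succeed if mount point $1 is listed read/write in a mount table read from stdin
# (the /proc/mounts format: device mountpoint fstype options dump pass).
mounted_rw() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "rw") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Commands fed to "chntpw -e SYSTEM": go to the service key, set Start to $3,
# print it back, quit, and answer "y" to write the hive.
chntpw_script() {
    printf 'cd %s\\Services\\%s\ned Start\n%s\ncat Start\nq\ny\n' "$1" "$2" "$3"
}

# Hypothetical usage: sh fixreg.sh /mnt/hda1 Themes
main() {
    mnt=${1%/}; svc=$2; start=${3:-4}    # 4 = SERVICE_DISABLED

    mounted_rw "$mnt" < /proc/mounts || {
        echo "$mnt is not mounted read/write; remount it first" >&2; return 1; }

    # Path lookups can be case-sensitive, so find WINDOWS/Windows/windows without guessing.
    cfg=$(find "$mnt" -maxdepth 3 -type d -ipath "$mnt/windows/system32/config" | head -n 1)
    [ -n "$cfg" ] || { echo "no system32/config directory under $mnt" >&2; return 1; }

    cp "$cfg/SYSTEM" "$cfg/SYSTEM.bak" || return 1    # chntpw rewrites the hive in place

    # Read Select\Current without writing anything ("n" declines to save on quit).
    current=$(printf 'cd Select\ncat Current\nq\nn\n' | chntpw -e "$cfg/SYSTEM" \
              | sed -n 's/^DWORD: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$current" ] || { echo "could not read Select\\Current" >&2; return 1; }

    cs=$(control_set_name "$current")
    echo "using $cs; setting Services\\$svc\\Start = $start"
    chntpw_script "$cs" "$svc" "$start" | chntpw -e "$cfg/SYSTEM"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

The script keeps the three pieces a practitioner has to get right (is the volume really writable, which ControlSet is live, what exactly goes into the editor) in separate functions so each can be checked on its own before chntpw ever touches the hive, and it copies SYSTEM aside first because chntpw writes the file in place.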
Use BackTrack and get back on track...!
1. BackTrack: Linux Live CD Distribution for PenTesting.
2. Mounting NTFS partition in write mode on BackTrack, by Muts.