Thursday, July 10, 2008

Registry Analysis #1

Summary:
  1. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles
  2. I need to read Hobocopy documentation to make it work in Vista x64
  3. If you can't copy a file from a mounted VMDK, try mounting and copying as administrator
  4. Yay -- now I can play with RR

After Harlan posted about an interesting registry entry this morning, I thought of the systeminfo utility. I thought, "I wonder if the systeminfo tool queries the registry for similar information?". So I fired up Process Monitor, set filters for the Registry Event Class and executed systeminfo. Once systeminfo finished, I stopped the capture and searched for systeminfo within Process Monitor. It appears that the systeminfo binary directly queries some registry values and also utilizes WMI. Cool. So I posted a reply to Harlan saying there's some interesting material there. But, I didn't say which entries seemed interesting. Harlan asked me what was interesting, so I went back to look. I found TimeZoneInformation and some network adapter information (both of which were covered by RR plugins). So I tried to find something that wasn't in RR, and I think I did:

Paging File Location
(HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles)
Information: here ... this value is a REG_MULTI_SZ in Vista rather than the REG_BINARY as listed inthe MS article.
Significance to RA: If the page file is not in the default location \pagefile.sys, you'll want to know where it is.

The systeminfo utility also reports tidbits like patch levels; however, I'm not sure (yet) if this is listed in the registry.







The remainder of this post shows some of my experiences in registry hive acquisition (summary items 2-4)

Until now, I did not think that I had an easy way to get access to registry hives. Before tonight, I tried mounting a vmdk on my desktop with VMware Workstation's drive mapping feature so that I could simply copy the hives, but that failed:




I figured the file was just locked or something -- and a while ago, I stumbled upon a post that mentioned using VSS to copy a file that is in use but I shrugged it off because they didn't have Vista binaries. Well, I just searched and there's an open source project! Its called HoboCopy (enter chuckle about my scripting issue).

So, I downloaded hobocopy for vista x64 and executed it:


I missed the Visual Studio 2008 libraries dependencies (vcredist_x64.exe)... Once those were installed, the hobocopy still wouldn't run under my Jason user... so I opened an elevated shell and hobocopy ran fine.

When I tried to change to virtual drive of the VMDK within my elevated shell, the shell explained:

The system cannot find the drive specified.

PowerShell also explained:


I confirmed that the drive was still accessible in my Jason shell (PowerShell background window). It appears I have a user-specific drive letter? Weird...

I really wanted to get hobocopy to copy the system hive, so I went to mount the vmdk with vmware-mount in the elevated shell, but it didn't exist in my workstation folder! I'm assuming this is because I'm using VMware WS 6.5b2.

So I elevated VMware Workstation, mounted the vmdk and tried to copy the file with hobocopy -- it failed. But, I was able to copy the hive file just fine with copy!

Summary:
  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles
  • I need to read Hobocopy documentation to make it work in Vista x64
  • If you can't copy a file from a mounted VMDK, try mounting and copying as administrator
  • Yay -- now I can play with RR

4 comments:

JustAskWeg said...

I've been having quite a bit of difficulty with a Vista VM that won't boot to the desktop. It's based on an image of a drive from another system, hence the difficulty. I've had to repeatedly mount the vmdk and replace cetain drivers and edit the registry. The registry edits went fine. I could not, however, rename drivers in the \system32\drivers path, or copy new drivers over the old ones (with the same names).

Thus far, I've worked around that problem by copying my new drivers to the mounted image's root. Then, I boot with the Vista installation DVD and go to the command prompt to rename, replace, etc.

My host is XP. I can see why the drivers on my host would be protected, but I think that I could have my way with those on a mounted vmdk. The premissions and attributes are in order.

Jason Koppe said...

@Jimmy: have you looked into using LiveView?

JustAskWeg said...

Thanks, Jason. I use a tool named Virtual Forensic Computing (VFC). http://www.md5.uk.com/?page=VFC. It's not free, but I've found that it works on some images when LiveView does not. I've done some testing for VCF's publisher, particularly on Vista images, which are more problematic. Actually, I just build most of my VMs "by hand" from my dd images.

I have a particularly troublesome one at the moment. I've been playing with drivers, the registry, and system files off and on for a week. At first I could get only to Windows Recovery Screen. I've progressed to the point where the drivers load and I now have a BSOD 0x7b, if you can call that progress!

Jason Koppe said...

Jimmy, sounds like progress to me. Let me know how you move beyond 0x7b!