After Harlan posted about an interesting registry entry this morning, I thought of the systeminfo utility. I thought, "I wonder if the systeminfo tool queries the registry for similar information?" So I fired up Process Monitor, set filters for the Registry event class and executed systeminfo. Once systeminfo finished, I stopped the capture and searched for systeminfo within Process Monitor. It appears that the systeminfo binary directly queries some registry values and also utilizes WMI. Cool. So I posted a reply to Harlan saying there's some interesting material there. But I didn't say which entries seemed interesting. Harlan asked me what was interesting, so I went back to look. I found TimeZoneInformation and some network adapter information (both of which were covered by RR plugins). So I tried to find something that wasn't in RR, and I think I did:
Paging File Location
(HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles)
Information: here ... this value is a REG_MULTI_SZ in Vista rather than the REG_BINARY listed in the MS article.
Significance to RA: If the page file is not in the default location \pagefile.sys, you'll want to know where it is.
The systeminfo utility also reports tidbits like patch levels; however, I'm not sure (yet) if this is listed in the registry.
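An added example (not from the original post and not an RR plugin) of turning the value above into something usable during response: it reads PagingFiles from either the live registry or an acquired SYSTEM hive, resolves the real control set (an offline hive has no CurrentControlSet link), parses each REG_MULTI_SZ entry, and flags page files that are not at the default \pagefile.sys. The hive path, the temporary mount name OfflineSys and the entry formats noted in the comments are assumptions.

```powershell
# Added example, not from the original post or from RegRipper: read the PagingFiles
# value from a SYSTEM hive (live or acquired) and flag page files outside \pagefile.sys.
# The hive path, the mount name 'OfflineSys' and the entry formats noted below are assumptions.
param(
    [string]$HivePath = ''   # e.g. 'D:\case1\SYSTEM' for an acquired hive; empty = live registry
)

function ConvertFrom-PagingFileEntry {
    param([string]$Entry, [string]$ControlSet, [string]$Source)
    # Observed formats (assumption): "C:\pagefile.sys 1024 2048" (custom sizes),
    # "C:\pagefile.sys 0 0" (system-managed size) and, on Vista and later,
    # "?:\pagefile.sys" (system chooses the volume). ExistingPageFiles uses NT paths
    # such as \??\C:\pagefile.sys, so strip that prefix before the location check.
    $parts = $Entry.Trim() -split '\s+'
    $path  = $parts[0] -replace '^\\\?\?\\', ''
    [pscustomobject]@{
        Source          = $Source
        ControlSet      = $ControlSet
        Path            = $path
        InitialMB       = if ($parts.Count -gt 1) { [int]$parts[1] } else { $null }
        MaximumMB       = if ($parts.Count -gt 2) { [int]$parts[2] } else { $null }
        SystemManaged   = $path.StartsWith('?:') -or
                          ($parts.Count -gt 2 -and $parts[1] -eq '0' -and $parts[2] -eq '0')
        DefaultLocation = ($path -match '^[A-Za-z?]:\\pagefile\.sys$')
    }
}

function Get-PagingFileInfo {
    param([string]$SystemRoot)   # 'HKLM:\SYSTEM' (live) or 'HKLM:\OfflineSys' (loaded hive)
    # Resolve the active control set from Select\Current instead of relying on the
    # CurrentControlSet link, which only exists in a live registry
    $current = (Get-ItemProperty -Path "$SystemRoot\Select" -Name Current).Current
    $cs      = 'ControlSet{0:D3}' -f [int]$current
    $mmKey   = "$SystemRoot\$cs\Control\Session Manager\Memory Management"
    $mm      = Get-ItemProperty -Path $mmKey

    # REG_MULTI_SZ comes back as string[]; one entry per configured page file
    foreach ($e in @($mm.PagingFiles)) {
        if (-not [string]::IsNullOrEmpty($e)) {
            ConvertFrom-PagingFileEntry -Entry $e -ControlSet $cs -Source 'PagingFiles'
        }
    }
    # ExistingPageFiles (where present) lists the files actually opened at last boot;
    # a mismatch with PagingFiles is worth a second look
    if ($mm.PSObject.Properties['ExistingPageFiles']) {
        foreach ($e in @($mm.ExistingPageFiles)) {
            if (-not [string]::IsNullOrEmpty($e)) {
                ConvertFrom-PagingFileEntry -Entry $e -ControlSet $cs -Source 'ExistingPageFiles'
            }
        }
    }
}

if ($HivePath) {
    # reg load needs an elevated shell, and the file must be a copy rather than the live hive
    reg.exe load 'HKLM\OfflineSys' "$HivePath" | Out-Null
    try     { Get-PagingFileInfo -SystemRoot 'HKLM:\OfflineSys' | Format-Table -AutoSize }
    finally {
        [GC]::Collect()                              # drop provider handles so the unload succeeds
        reg.exe unload 'HKLM\OfflineSys' | Out-Null
    }
} else {
    Get-PagingFileInfo -SystemRoot 'HKLM:\SYSTEM' | Format-Table -AutoSize
}
```

Any row whose DefaultLocation is False is a page file somewhere other than the root of a volume, which is exactly the case the note above is about; a Path of the form `?:\pagefile.sys` tells you only that Windows picked the volume, so pair it with the ExistingPageFiles rows (or the file system itself) to learn where the file actually lived.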
The remainder of this post shows some of my experiences in registry hive acquisition (summary items 2-4)
Until now, I did not think that I had an easy way to get access to registry hives. Before tonight, I tried mounting a vmdk on my desktop with VMware Workstation's drive mapping feature so that I could simply copy the hives, but that failed:
I figured the file was just locked or something -- and a while ago, I stumbled upon a post that mentioned using VSS to copy a file that is in use, but I shrugged it off because they didn't have Vista binaries. Well, I just searched and there's an open source project! It's called HoboCopy (enter chuckle about my scripting issue).
So, I downloaded hobocopy for vista x64 and executed it:
I missed the Visual Studio 2008 library dependencies (vcredist_x64.exe)... Once those were installed, hobocopy still wouldn't run under my Jason user... so I opened an elevated shell and hobocopy ran fine.
When I tried to change to the virtual drive of the VMDK within my elevated shell, the shell explained:
The system cannot find the drive specified.
PowerShell also explained:
I confirmed that the drive was still accessible in my Jason shell (PowerShell background window). It appears I have a user-specific drive letter? Weird...
I really wanted to get hobocopy to copy the system hive, so I went to mount the vmdk with vmware-mount in the elevated shell, but it didn't exist in my workstation folder! I'm assuming this is because I'm using VMware WS 6.5b2.
So I elevated VMware Workstation, mounted the vmdk and tried to copy the file with hobocopy -- it failed. But, I was able to copy the hive file just fine with copy!
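For the live-system case that sent the post to HoboCopy in the first place (a locked hive on a running Vista box), here is an added example that does the same job with only built-in tooling: it creates a VSS snapshot through the Win32_ShadowCopy WMI class, exposes the snapshot device through a directory symlink, copies the hives out of it, hashes each copy, and removes the snapshot. This is not HoboCopy's code and not from the original post; the output directory, the hive list and the symlink location are assumptions, and it must be run from an elevated shell, which matches the post's observation.

```powershell
# Added example (not part of the original post and not HoboCopy): copy locked registry
# hives from a VSS snapshot using only built-in tooling. Run from an elevated shell.
# The destination folder, the hive list and the symlink location are assumptions.
$Destination = 'C:\hives'                                  # assumed output directory
$Volume      = 'C:\'                                       # volume holding \Windows\System32\config
$Hives       = 'SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY'     # assumed list; add NTUSER.DAT etc. as needed

function Get-Sha256Hex {
    param([string]$Path)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

function Copy-HivesFromShadow {
    param([string]$Volume, [string[]]$Hives, [string]$Destination)

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # 1. Create a client-accessible snapshot of the volume (static WMI method)
    $result = (Get-WmiObject -List Win32_ShadowCopy).Create($Volume, 'ClientAccessible')
    if ($result.ReturnValue -ne 0) {
        throw "Win32_ShadowCopy.Create failed with return value $($result.ReturnValue)"
    }
    $shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }

    # 2. Expose the snapshot device (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) through
    #    a directory symlink; the trailing backslash on the target is required
    $link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
    cmd.exe /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null
    try {
        foreach ($h in $Hives) {
            $src = Join-Path $link "Windows\System32\config\$h"
            $dst = Join-Path $Destination $h
            if (Test-Path $src) {
                # The snapshot is a point-in-time read-only view, so nothing holds the file open
                Copy-Item -Path $src -Destination $dst -Force
                # Record a hash and the snapshot identity so the copy can be tied back to it
                [pscustomobject]@{
                    Hive     = $h
                    Copy     = $dst
                    SHA256   = Get-Sha256Hex -Path $dst
                    ShadowID = $shadow.ID
                    Created  = $shadow.InstallDate
                }
            } else {
                [pscustomobject]@{ Hive = $h; Copy = $null; SHA256 = $null;
                                   ShadowID = $shadow.ID; Created = $shadow.InstallDate }
            }
        }
    } finally {
        # 3. Clean up: drop the symlink, then delete the snapshot instance
        cmd.exe /c rmdir "$link" | Out-Null
        $shadow.Delete() | Out-Null
    }
}

Copy-HivesFromShadow -Volume $Volume -Hives $Hives -Destination $Destination | Format-Table -AutoSize
```

Two caveats a practitioner will hit: Win32_ShadowCopy.Create and mklink both need an elevated token, so a non-elevated shell fails here for the same reason hobocopy did in the post; and the snapshot reflects the moment it was taken, so if a live system is changing hives (for example during logon) the copied SYSTEM and SOFTWARE hives are consistent with each other, not with the disk a minute later. The copied files can then be fed straight to RR or loaded with reg load as in the earlier example.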
Summary:
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles
- I need to read Hobocopy documentation to make it work in Vista x64
- If you can't copy a file from a mounted VMDK, try mounting and copying as administrator
- Yay -- now I can play with RR
2 comments:
@Jimmy: have you looked into using LiveView?
Jimmy, sounds like progress to me. Let me know how you move beyond 0x7b!