How to fix Windows registry by using Linux live CD

How to fix Windows registry by using Linux live CD

IT, Others

The Online.net Dedibox SC SATA 2016 Server only provide Serial TTY,which means when we using Rescue mode, can we only use SSH/TTY. It also means we can not use WinPE in this case(because WinPE used by online.net don’t compatible with Serial Forwarding). So What can we do in such awkward position.

In the past few days, I made some mistake when I modify RDP service port. Which final cause RDP service being blocked by firewall. It was a Dedibox SC SATA 2016 Server, so I can’t use iKVM or IDRAC. What can I do? I searched for some way to solve this problem. Then I tried it out.

We need these Tools:

Linux Live CD(I used ubuntu14.04 Rescue CD provide by online.net), ntfs-3g driver, ntfsfix, chntpw.

First of all, I know that all the firewall rules and the RDP port are stored in WINDOWS/System32/config/SYSTEM, certainly some are stored in SYSTEM.alt. but only the SYSTEM file is activated in correct system. So I just need to reset value in this file.

The most simply way is to copy a file (works well in other System) to the same path. But the question is I don’t know if any other value is also work well with this System. So, when other value was changed, it may cause other horrible results. I think this file associated with other settings, so this way seems not so good.

The other way is to compare which value was changed, than reset only that value. We need a linux tool to modify this file.

chntpw(change nt password)is a utility to reset the password of any user that has a valid local account on your Windows system. It provide the function to change the value in Windows registry.

The first step is using mount command to mount Windows filesystem onto linux.(in this case must use -RW mode, so we need ntfs-3g)


#mkdir -p /media/windows
#mount -t ntfs-3g -o rw /dev/sda2 /media/windows

In some you may  see such code. That means the NTFS partition is not safely unmounted.


Error mounting /dev/sda2 at /media/adam/Data: Command-line `mount -t "ntfs" -o "uhelper=udisks2,nodev,nosuid,uid=1000,gid=1000,dmask=0077,fmask=0177" "/dev/sda2" "/media/adam/Data"' exited with non-zero exit status 14: The disk contains an unclean file system (0, 0).
Metadata kept in Windows cache, refused to mount.
Failed to mount '/dev/sda2': Operation not permitted
The NTFS partition is in an unsafe state. Please resume and shutdown
Windows fully (no hibernation or fast restarting), or mount the volume
read-only with the 'ro' mount option.

We can use ntfsfix command to fix it, it was pretty easy.


#ntfsfix /dev/sda2
Mounting volume... OK
Processing of $MFT and $MFTMirr completed successfully.
Checking the alternate boot sector... OK
NTFS volume version is 3.1.
NTFS partition /dev/sda2 was processed successfully.

then we can successfully mount this partition.
We use parameter -e to edit the registry.

chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
 -h          This message
 -u <user>   Username to change, Administrator is default
 -l          list all users in SAM file
 -i          Interactive. List users (as -l) then ask for username to change
 -e          Registry editor. Now with full write support!
 -d          Enter buffer debugger instead (hex editor), 
 -v          Be a little more verbose (for debuging)
 -L          For scripts, write names of changed files to /tmp/changed
 -N          No allocation mode. Only same length overwrites possible (very safe mode)
 -E          No expand mode, do not expand hive file (safe mode)
See readme file on how to get to the registry files, and what they are.
Source/binary freely distributable under GPL v2 license. See README for details.
NOTE: This program is somewhat hackish! You are on your own!
 
#chntpw -e /media/windows/Windows/System32/config/SYSTEM

to edit value we can use following command:


Simple registry editor:
hive [<n>]             - list loaded hives or switch to hive numer n
cd <key>               - change current key
ls | dir [<key>]       - show subkeys & values,
cat | type <value>     - show key value
dpi <value>            - show decoded DigitalProductId value
hex <value>            - hexdump of value data
ck [<keyname>]         - Show keys class data, if it has any
nk <keyname>           - add key
dk <keyname>           - delete key (must be empty)
ed <value>             - Edit value
nv <type#> <valuename> - Add value
dv <valuename>         - Delete value
delallv                - Delete all values in current key
rdel <keyname>         - Recursively delete key & subkeys
ek <filename> <prefix> <keyname>  - export key to <filename> (Windows .reg file format)
debug                  - enter buffer hexeditor
st [<hexaddr>]         - debug function: show struct info
q                      - quit

We still have to know some simple things about the registry

The Registry Hive , and also the knowledge about ControlSet001,ControlSet002 and CurrentControlSet.

these three controlset are in the(sometimes also another backup set) HKLM\system, usually called ControlSet001, ControlSet002 and CurrentControlSet. These controlset contain operating system configuration information such as service,drivers,system environment values etc.

Typically ControlSet001 is the configuration used by correct system,but when windows startup, the system will make a copy of this file and named CurrentControlSet。then if we make any change, it will directly write into CurrentControlSet, and also override to ControlSet001.

And when OS successful startup, the system will make a copy of ControlSet001 as ControlSet002. So ControlSet002 is actually the “Last Known Good Configuration”

Which controlset select by system is controled by the key “Select”. When offline editing, it will only have ControlSet001, ControlSet002. I edited the ControlSet001.


cd ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp
ed PortNumber
0xd3d

when finished modify, press “q” to save change and quit. now we can unmount the ntfs partition and reboot to Windows, everything will work again

 

Amefs, EFS, Linux
Previous Post
Make some changes to QuickBox
Next Post
About ripping March Comes in like a Lion

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

keyboard_arrow_up