Windows Registry Tricks and some Processing Treats

Yes, October is behind us and the pumpkins are being ground up for pie.

However, I really scored a few awesome finds on the Net this week while I was continuing my hunt for a solution to my PE 2.0/Vista project headaches.

Alas, despite a plea for assistance in loading a preferred driver in VistaPE over in the Boot Land forums, no one has yet dared take up the challenge.  Either it’s too hard for even the pros to deal with, or it is noobie question they don’t want to waste their time on.

Exciting Progress!  At Last…

Luckily the D-Man has been brainstorming at work as well and on Friday proposed a trick that I had toyed with, but didn’t allow to fully bake in my brain and follow through to its conclusion.  I had all the tools, just didn’t put the pieces together in just the right way. Initial testing of a method based on his recommendation was very favorable.  I have a bit more work to do before calling it a success and posting the brilliant and remarkably flexible custom hardware/driver building solution for all VistaPE builders, but looks like I’m buying D-Man’s lunch pretty soon. Looks like our dual-core brain-processing array has paid off on this particular issue.

But I am getting ahead of myself.  You have to wait a bit longer for those posts.

In a troubleshooting low-point, I was feeling like I had no choice but to scrap the whole VistaPE boot build environment model and return to a simple WAIK Windows PE 2.0 boot disk with the specialized and injected PGP WDE drivers alone.  I had already proofed it would work technically on all our systems, but the interface of WinPE 2.0 is (initially) pure Command Line Interface (CLI).  If you know your CLI commands and custom-load the disk with extra GUI tools/utilities in the building process, you can still find and launch them; it’s just not very sexy.  And yes, I like sexy tech.

So since I already have crafted a pretty advanced auto-run menu and utilities package for the Windows “auto-play” side of the disk, I wondered if there was a way I could just have the Win PE 2.0 boot disk side call and auto-run the menu-system.  It wouldn’t be quite as sexy (more like lipstick and hot-pink heels on pig) as librarian-sexy VistaPE is, but still would be better than a pure CLI box.

I knew that Win PE 2.0 is all based on a WIM file. And I knew that WIM files and their contents could be manipulated.

Could I build a standard WAIK Win PE 2.0 boot disk and modify the registry to add a custom auto-start key?  That would meet my need to load-up and execute the custom auto-menu utility picker.

Sure enough, you can modify the registry of a WIM file.

WIM Registry Editing

• Edit the registry on a mounted WIM – Off Campus blog.  Michael Greene post a great basic walkthrough on just how to do it.  Granted, you really need to be familiar with ImageX and registry work, but if you know the basics of both, you should get the gist of the process pretty quickly.

For some added background, I also offer this find:

• How to edit the registry offline using BartPE boot CD ? – Ramesh’s site contains a few more helpful foundational elements on the process as well as additional pictures and though it doesn’t apply specifically to mounted WIM file Registry editing, it does show the process of attaching to an offline Registry Hive, which still applies.

Fortunately, before I spent too much time in this retro-lounge, D-Man burst in with his lead and I left this exploration uncompleted.

• Windows Registry – Wikipedia provides some great information for quick lookup of facts and locations of Hive files.

Finally, you shouldn’t begin to muck around without a good understanding of the Windows Registry structure and functions.  To do that you could buy and read the Microsoft Windows Internals (4th Edition) as I am now doing on the side, or you could just download a free chapter from that same book offered by Microsoft.  Amazingly it happens to focus on the Registry! Windows Internals Chapter 4 (direct PDF file link).

Just be careful you don’t nuke your system in the process.

Blue Gold from Alex Ionescu

To be released in February 09 will be Microsoft Windows Internals (5th Edition) which will cover Vista and Sever 2008 this time.  Mark Russinovich and David Solomon will be the lead authors again, but contributing to this edition will be newcomer Alex Ionescu.

I happened to stumble upon Alex’s blog this weekend and found a number of amazingly great posts on Windows Vista processes and internal goodies.  He hasn’t posted for a while, but I imagine he has been busy with editing the new book.  It ends up being a good thing as it is taking me a while to read through and get my brain around his wonderfully detailed posts.

Here’s a sample of recent ones:

• MemInfo: Peer Inside Memory Manager Behavior on Windows Vista and Server 2008

• ScTagQuery: Mapping Service Hosting Threads With Their Owner Service

• Inside Session 0 Isolation and the UI Detection Service - Part 1

• Inside Session 0 Isolation and the UI Detection Service - Part 2

• Some Vista Tips & Tricks

• Building the Lego Millennium Falcon: A Lesson in Security?

Hope this helps and leads to wonderfully wasted time in pursuit of Windows Internals understanding.

Cheers!

--Claus V.