As I mentioned in my previous post, there are a few good registry editors out there, and I wanted to split this into two separate posts to give you another very advanced way of working with yours.
Today we are going to look at a program that lets you do very advanced work in the context of the built-in security accounts. As with some previous posts, this one is above average in difficulty, but information in itself never posed any danger… even though some people and cultures seem to think so.
A word of warning before we start is in place: working as in the following example, with ‘Registry Workshop’ or any other registry editor out there, will give you access to keys which the system normally denies you access to… for a reason.
What I mean by that is: if you are not absolutely sure what you are doing, DO NOT DO IT!!!
Why am I teaching you this? Because while working with the registry you are almost guaranteed to hit an ‘Access denied’ from time to time, as your user account does not have access to the key.
There is of course the old way of doing it, which I will note briefly at the end of this post, but this is by far the quickest.
Download and unpack the command-line tool (NirSoft’s RunFromProcess) somewhere on your hard drive where you want to run it from.
Typing RunFromProcess.exe or RunFromProcess-x64.exe on the command line with no arguments prints the usage text. See readme.txt and RunFromProcess.chm for more information than is found below.
There are both a 32-bit and a 64-bit version of the program, and in this case that matters: the 32-bit version can only hook into 32-bit processes, and the 64-bit version can only hook into 64-bit processes.
To see which processes are running and under which account, either
- right-click a free spot on your taskbar and choose ‘Task Manager’ from the context menu - or
- hit [[B]WinKey[/B]]+[B]R[/B], type [B]taskmgr.exe[/B] and hit [[B]Enter[/B]]
That brings up Task Manager. You may have to click ‘More details’ before you are able to select the ‘Details’ tab.
On the ‘Details’ tab you will see the processes running on your system and the user context they are running under. In my case the username is ‘Guru’, but some of the processes run under other accounts like ‘SYSTEM’.
Now, the ‘SYSTEM’ account has far better access to the Windows registry than the ‘Guru’ account, even though that account has administrator privileges, so let us start by running the registry editor in the context of the ‘SYSTEM’ account.
The command in my example looks like this (I chose to run it in the context of the [B]winlogon.exe[/B] process, as that is always present and runs in the context of the ‘SYSTEM’ account):
[B]C:\Programs\RunFromProcess\RunFromProcess-x64.exe admin winlogon.exe "C:\Programs\Registry Workshop\RegWorkshopX64.exe"[/B]
Any path containing a space must be enclosed in double quotes, as the program path is above. That includes the path to the tool itself if it lives somewhere like this: “C:\rather long path\Run From Process\RunFromProcess-x64.exe”
Adjust the command to match your own install (for my install of ‘Registrar Registry Manager’ it would be [B]C:\Programs\RunFromProcess\RunFromProcess-x64.exe admin winlogon.exe "C:\Programs\Registrar Registry Manager (64-bit)\rr64.exe"[/B]).
Do not try this with regedit.exe: it is not really at C:\Windows\System32\regedit.exe, it only appears to be (the actual file is C:\Windows\regedit.exe). Windows is very advanced and has symbolic links, hard links and shortcuts, but that will have to wait…
Now then, one thing is very important: in the editor you just started, HKEY_CURRENT_USER is not your user, it is the SYSTEM account’s hive (HKEY_USERS\S-1-5-18, also reachable as HKEY_USERS\.DEFAULT). There is no ‘Desktop’, ‘My Documents’ or any other personal path present for this user…
Your own user is now found under HKEY_USERS\S-1-5-21-???-???-???-100?\, the SID of your account (see the bottom of this post for more on account names).
So search for the key/value you do not have access to under your own account, make your changes and quit. That is all there is to it.
Sometimes it may also be necessary to run a program in the context of the ‘TRUSTEDINSTALLER’ account, and that is a little more challenging, as the TrustedInstaller.exe process is not always running and so does not always show up in Task Manager, but here is how to do it:
- [[B]WinKey[/B]]+[B]R[/B], type [B]services.msc[/B] and hit [[B]Enter[/B]]
- In the Services console, scroll down to ‘Windows Modules Installer’ (service name TrustedInstaller; this is the service whose process is TrustedInstaller.exe) and start the service.
- Start the program as in the above example: [B]C:\Programs\RunFromProcess\RunFromProcess-x64.exe admin TrustedInstaller.exe "C:\Programs\Registry Workshop\RegWorkshopX64.exe"[/B]
- Make your changes and quit the program. The Windows Modules Installer service stops by itself after a while when idle, so there is nothing you need to stop.
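The SYSTEM launch from earlier and the TrustedInstaller steps above, as one PowerShell script. This is an added example written for this post, not part of NirSoft’s RunFromProcess package or of the original text; the tool and editor paths are the hypothetical ones used in the post, and the `admin <process> <program>` argument form is the one the post uses. It picks the 32- or 64-bit build to match the target process, starts the Windows Modules Installer service when TrustedInstaller is wanted, passes the PID rather than the name, and prints where your own user’s hive sits, because HKCU in the launched editor belongs to SYSTEM.

```powershell
# Added example for this post, not part of NirSoft's RunFromProcess package.
# Assumed (hypothetical) locations, adjust to yours:
#   RunFromProcess unpacked to C:\Programs\RunFromProcess
#   Registry Workshop at      C:\Programs\Registry Workshop\RegWorkshopX64.exe
# Run from an elevated PowerShell (Run as administrator).
param(
    [ValidateSet('SYSTEM', 'TrustedInstaller')]
    [string]$As = 'SYSTEM',
    [string]$Program = 'C:\Programs\Registry Workshop\RegWorkshopX64.exe',
    [string]$ToolDir = 'C:\Programs\RunFromProcess'
)
$ErrorActionPreference = 'Stop'

# RunFromProcess has to open a SYSTEM process, which needs an elevated token.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell with "Run as administrator" first.'
}
if (-not (Test-Path -LiteralPath $Program)) { throw "Program not found: $Program" }

# Inside the launched editor HKCU is the SYSTEM hive (HKEY_USERS\S-1-5-18),
# so show where your own profile hive sits before you go looking for it.
$mySid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Write-Host "Your own user hive in the editor: HKEY_USERS\$mySid"

if ($As -eq 'TrustedInstaller') {
    # TrustedInstaller.exe is the process of the Windows Modules Installer
    # service (service name TrustedInstaller); it only exists while it runs.
    if ((Get-Service -Name TrustedInstaller).Status -ne 'Running') {
        Start-Service -Name TrustedInstaller
    }
    $target = $null
    foreach ($i in 1..20) {
        $target = Get-Process -Name TrustedInstaller -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($target) { break }
        Start-Sleep -Milliseconds 500
    }
    if (-not $target) { throw 'TrustedInstaller.exe did not start.' }
} else {
    # winlogon.exe runs as SYSTEM and there is one per session; take the one
    # in our own session so the editor ends up on our desktop.
    $session = (Get-Process -Id $PID).SessionId
    $target = Get-Process -Name winlogon |
        Where-Object { $_.SessionId -eq $session } | Select-Object -First 1
    if (-not $target) { throw 'No winlogon.exe found in this session.' }
}

# The 32-bit build only hooks 32-bit processes and the 64-bit build only
# 64-bit ones. winlogon.exe and TrustedInstaller.exe are always native
# bitness, so the OS bitness decides which build to use.
$toolName = if ([Environment]::Is64BitOperatingSystem) { 'RunFromProcess-x64.exe' }
            else { 'RunFromProcess.exe' }
$tool = Join-Path $ToolDir $toolName
if (-not (Test-Path -LiteralPath $tool)) { throw "Tool not found: $tool" }

# PID instead of name: unambiguous when several instances exist.
# The program path is quoted so spaces in the install location are safe.
$argList = @('admin', "$($target.Id)", "`"$Program`"")
Write-Host "Launching: `"$tool`" $($argList -join ' ')"
Start-Process -FilePath $tool -ArgumentList $argList
```

Save it as, say, Run-RegEditorAs.ps1 and call `.\Run-RegEditorAs.ps1 -As TrustedInstaller` from an elevated prompt; with no parameters it uses winlogon.exe and the editor path above.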
The normal way of doing it is to right-click the key you do not have access to, choose ‘Permissions’, take ownership of the key, OK all the way out, choose ‘Permissions’ again and add your user with ‘Full Control’, OK all the way out, and then make your changes.
Now there is a problem with the above procedure if your account has no access at all to the registry key… The current owner is not shown, and you have just taken ownership from an unknown account… How on earth do you change it back to the correct owner after making your changes?
That is impossible unless you already know a lot. It could be anything, and how would you change it back to, say, the TRUSTEDINSTALLER account? Here are the two most common owner account names, but there are more:
TrustedInstaller: [B]NT SERVICE\TrustedInstaller[/B]
System account: [B]NT AUTHORITY\SYSTEM[/B]
That is enough information if you know which account originally owned the key, but as I mentioned at the top of this post, my way of working, by starting the tool in the context of the owner, is far quicker, and it leaves the key’s owner and permissions untouched.
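If you do use the take-ownership route, a snapshot of the key’s security taken before you touch it removes the ‘who owned this before?’ problem for every key whose security you can at least read (the common case, where you are denied writes but not reads). This is an added example written for this post, not part of any registry editor or of the original text; the key path and snapshot file in the usage comment are hypothetical. If even reading the key’s security is denied, Get-Acl fails the same way and you are back to needing to know the owner in advance.

```powershell
# Added example for this post, not part of any registry editor. Run elevated.
# Assumed (hypothetical) key path and snapshot file, adjust to yours.
$ErrorActionPreference = 'Stop'

# Record owner and permissions (as SDDL) before you take ownership in the
# editor, so there is a record of exactly what to put back afterwards.
function Save-RegKeySecurity {
    param([string]$Path, [string]$SnapshotFile)
    $acl = Get-Acl -Path $Path
    # The SDDL string carries O: (owner), G: (group) and D: (DACL) together.
    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; Sddl = $acl.Sddl } |
        ConvertTo-Json | Set-Content -LiteralPath $SnapshotFile
    Write-Host "Saved security of $Path. Owner was: $($acl.Owner)"
}

# Put owner and permissions back from the snapshot. Setting the owner to an
# account other than yourself (e.g. NT SERVICE\TrustedInstaller) needs
# SeRestorePrivilege, which an elevated shell holds but does not enable, so
# if that part is refused we restore the DACL only and say what is left.
function Restore-RegKeySecurity {
    param([string]$SnapshotFile)
    $snap = Get-Content -LiteralPath $SnapshotFile -Raw | ConvertFrom-Json
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    try {
        $sec.SetSecurityDescriptorSddlForm($snap.Sddl)
        Set-Acl -Path $snap.Path -AclObject $sec
        Write-Host "Restored owner ($($snap.Owner)) and permissions on $($snap.Path)"
    } catch {
        # Owner (and group) could not be written; restore the DACL section only.
        $sec = New-Object System.Security.AccessControl.RegistrySecurity
        $sec.SetSecurityDescriptorSddlForm($snap.Sddl,
            [System.Security.AccessControl.AccessControlSections]::Access)
        Set-Acl -Path $snap.Path -AclObject $sec
        Write-Warning ("Permissions restored, but the owner is still you. " +
            "Set it back to '$($snap.Owner)' by hand (Permissions > Advanced > Owner).")
    }
}

# Usage with a hypothetical key:
# Save-RegKeySecurity -Path 'HKLM:\SOFTWARE\Example\LockedKey' -SnapshotFile "$env:TEMP\LockedKey.json"
#   ... take ownership, add Full Control, make your change in the editor ...
# Restore-RegKeySecurity -SnapshotFile "$env:TEMP\LockedKey.json"
```

Use a registry drive path (HKLM:\…, HKCU:\…) or the Registry:: provider form (Registry::HKEY_USERS\S-1-5-18\…) for the key; the snapshot keeps the owner name in clear text next to the SDDL so you can read it back even without the script.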
Lastly, let me repeat the warning: I DO know what I am doing when I do this. If you do not, you will fail, and when you fail in the context of the ‘SYSTEM’ account it will have a devastating effect more often than not.
You have been warned, but I promised I would teach you how to work with your computer at an advanced level, and this is part of it.
Now I think I have prepared you enough for me to continue telling you about traces found on your computer in the context of privacy.
I hope I have managed to tell you something you did not know, but if anything is unclear, please do not hesitate to ask.