THE MAIN GOAL OF THIS TOPIC IS TO SHOW THE ABILITY TO EDIT THE WINDOWS REGISTRY, NOT ONLY TO RESET PASSWORDS. IT WAS CREATED AFTER READING THE FOLLOWING THREADS AT THE FORUM, WHERE THE QUESTIONS ARE IN FACT STILL WITHOUT ANSWERS:
http://ubuntuforums.org/showthread.php?t=1046931
http://ubuntuforums.org/showthread.php?t=624943
http://ubuntuforums.org/showthread.php?t=955950
http://ubuntuforums.org/showthread.php?t=678747
Because of Windows viruses and the impossibility of starting regedit, or Windows as a whole, Windows users sometimes need to edit the registry from outside. So far I have found only one utility in Linux for this, chntpw, which was originally designed to reset passwords and later acquired the ability to edit the registry.
Editing the registry:
1. Boot from a LiveCD or install Ubuntu as a second system.
2. Install the chntpw utility:
Code:
sudo apt-get install chntpw
3. Mount the Windows partition. First find it:
Code:
$ sudo fdisk -l
Assume it is on /dev/sda2. The next step is mounting the partition:
Code:
$ sudo mkdir /media/windows
$ sudo mount /dev/sda2 /media/windows
4. Registry editing:
Code:
$ chntpw -l /media/windows/Windows/system32/config/software
Move to the registry branch you need, for example:
Code:
$ cd Microsoft\Windows NT\CurrentVersion\Winlogon
and edit a key, for example:
Code:
$ ed Shell

Password resetting:
1. See steps 1-3 of the previous section.
4. Find the user whose password will be changed:
Code:
$ chntpw -l /media/windows/Windows/system32/config/SAM
5. Reset the password:
Code:
$ chntpw /media/windows/Windows/system32/config/SAM -u Administrator

I will just cite the places in the registry where a record that launches a virus can be hidden:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The default values in Regedit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe"
"Userinit" = "C:\WINDOWS\system32\userinit.exe"
Also check whether Explorer.exe is present twice: the right place for the file is Windows\, not Windows\System32\.
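As an added example (not commands from the post), the following POSIX sh script performs the Winlogon check and the Explorer.exe check above against a Windows partition mounted at /media/windows. It assumes the Winlogon key has first been exported to a .reg text file with reged from the chntpw package (the reged command shown is assumed), and it embeds a constructed sample export so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the forum post: compare the Winlogon values of a
# Windows install mounted at /media/windows (as in the post) with the defaults
# above, and look for a stray Explorer.exe in System32. The Winlogon key is
# assumed to have been exported to a .reg text file first, e.g. with reged
# from the chntpw package (command shape assumed):
#   reged -x /media/windows/Windows/system32/config/software \
#     'HKEY_LOCAL_MACHINE\SOFTWARE' 'Microsoft\Windows NT\CurrentVersion\Winlogon' winlogon.reg

# Print the data of a string value from a .reg export, CRs dropped and the
# .reg escaping (\\ for \) undone; empty output means the value is absent.
reg_value() {  # $1 = .reg file, $2 = value name
  tr -d '\r' < "$1" | grep "^\"$2\"=" | head -n 1 |
    sed -e 's/^"[^"]*"="\(.*\)"$/\1/' -e 's/\\\\/\\/g'
}

# Shell must be Explorer.exe and Userinit the stock userinit.exe (the stock
# data carries a trailing comma, accepted here). Prints each deviation,
# returns 1 if any was found.
check_winlogon() {  # $1 = .reg file
  rc=0
  shell=$(reg_value "$1" Shell | tr 'A-Z' 'a-z')
  userinit=$(reg_value "$1" Userinit | tr 'A-Z' 'a-z')
  [ "$shell" = "explorer.exe" ] ||
    { echo "Shell is '$shell' (expected Explorer.exe)"; rc=1; }
  case "$userinit" in
    'c:\windows\system32\userinit.exe'|'c:\windows\system32\userinit.exe,') ;;
    *) echo "Userinit is '$userinit' (expected userinit.exe in system32)"; rc=1 ;;
  esac
  return $rc
}

# Explorer.exe belongs in Windows\; a copy under Windows\System32 is suspect.
check_explorer_copy() {  # $1 = mount point of the Windows partition
  for f in "$1"/Windows/System32/explorer.exe "$1"/Windows/System32/Explorer.exe \
           "$1"/Windows/system32/explorer.exe "$1"/Windows/system32/Explorer.exe; do
    [ -f "$f" ] && { echo "unexpected copy: $f"; return 1; }
  done
  return 0
}

# Constructed sample export of a clean Winlogon key, for a stand-alone run.
SAMPLE_REG=$(mktemp)
cat > "$SAMPLE_REG" <<'EOF'
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
EOF
check_winlogon "$SAMPLE_REG" && echo "Winlogon values are stock"
```

Run it after `reged` has written winlogon.reg, then call `check_winlogon winlogon.reg` and `check_explorer_copy /media/windows`; any printed line is a value to inspect in the chntpw editor.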
This post was written to open the topic of combating viruses and SMS extortionists.