Application Compatibility Shim in WinPE / Win8.1SE for registry & file redirection?

Discussion in 'Windows 8' started by generalmx, Mar 17, 2015.

generalmx (MDL Novice)

I'm working on making a recovery environment complete with AV/malware scanning automation, and one problem I ran into is that they want to scan the active registry & Windows instead of an offline install --- especially free versions (and ones like ComboFix). After some research I found one freeware file redirection driver of dubious capability, but then figured out one could use a "shim" from the Application Compatibility Toolkit (ACT) to use the VirtualRegistry and File Redirection Filter already built into the Windows Vista and up kernel for UAC. So this works on a full version of Windows, but both WinPE and Win8.1SE seemingly lack support for ACT databases...

    Anyone ever looked into this at all?

    (Might have to post this on a more WinPE-hacking-oriented forum...)

Anyway, for those who don't know what a "shim" is, it basically sits between applications and what they think they're accessing, so that in the case of the VirtualRegistry, a configured application thinks it's reading/writing to HKLM\SOFTWARE\Foo (which a standard user can't write to) when it's really writing to HKCU\SomeVirtualRegistryPath\SOFTWARE\Foo (the user's registry). I can use this to load up an offline registry and then redirect something like ComboFix to think it's looking at HKLM\Foo when it's really looking at HKLM\TempHive\Foo.
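The offline-hive half of the procedure described in the post, as an added example that is not generalmx's code: it mounts the offline SOFTWARE hive under HKLM\TempHive (the redirect target named above), checks that a key an application would expect under HKLM\SOFTWARE is reachable there, and always unmounts afterwards. It assumes the offline Windows install is mounted at X:\, that the name TempHive is free, and an elevated prompt; the VirtualRegistry shim parameter quoted in the comment is written from memory and should be checked against Compatibility Administrator.

```powershell
# Added example (not from the original post). Mount an offline SOFTWARE hive
# under HKLM\TempHive and inspect the key a shimmed app would be redirected to.
# Assumed values: offline install at X:\, hive name TempHive (from the post).
$OfflineHive = 'X:\Windows\System32\config\SOFTWARE'   # assumed mount point
$TempHive    = 'HKLM\TempHive'                           # redirect target from the post
$RelativeKey = 'Microsoft\Windows\CurrentVersion\Run'    # key relative to the SOFTWARE root

# With the hive loaded here, a VirtualRegistry shim redirecting
# HKLM\SOFTWARE -> HKLM\TempHive would make the app read this mounted copy.
# Parameter syntax as I recall it (verify in Compatibility Administrator):
#   ADDREDIRECT(HKLM\SOFTWARE^HKLM\TempHive)

if (-not (Test-Path -LiteralPath $OfflineHive)) {
    throw "Offline hive not found: $OfflineHive"
}
if (Test-Path -LiteralPath "Registry::$TempHive") {
    throw "$TempHive is already loaded; unload it first (reg unload $TempHive)"
}

# reg.exe reports failure through its exit code, so check it explicitly.
& reg.exe load $TempHive $OfflineHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $target = "Registry::$TempHive\$RelativeKey"
    if (Test-Path -LiteralPath $target) {
        # List the values of the offline key without the PS* provider noise.
        Get-ItemProperty -LiteralPath $target |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    } else {
        Write-Warning "Key $RelativeKey is not present in the offline hive"
    }
}
finally {
    # Always unload: a hive left mounted keeps the file locked, so the offline
    # install cannot be serviced or booted cleanly afterwards.
    [GC]::Collect()   # drop PowerShell's cached registry handles first, or unload fails
    & reg.exe unload $TempHive | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; $TempHive is still mounted" }
}
```

On a full Windows install the shim itself is then attached to the scanner's executable in Compatibility Administrator and installed with sdbinst; as the post notes, WinPE and Win8.1SE do not appear to honour such databases, so only the hive mounting part carries over there.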