Is there any way, how to view registry of Windows PE / Windows RE?

Discussion in 'Windows 8' started by moderate, Dec 2, 2014.

  1. moderate

    moderate MDL Guru

    Aug 31, 2009
    2,652
    2,176
    90
    Hello,

    please is there any way, how to view the registry of WinPE, WinRE etc. WITHOUT booting it?

    Thanks.
     
  2. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Aug 15, 2012
    15,335
    21,281
    340
    #2 s1ave77, Dec 3, 2014
    Last edited by a moderator: Apr 20, 2017
    Hmm ... one can load reg hives of a mounted WIM (Windows) with reg load command:

    Load:
    Code:
    reg load "HKLM\#Soft" "e:\win\mount\windows\system32\config\software"
    #Soft = name under which the software hive is loaded under HKLM
    e:\win\mount = Path to mount folder

    will load mounted:
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    as:
    Code:
    HKEY_LOCAL_MACHINE\#Soft\Microsoft\Windows\CurrentVersion\Policies\System
    Unload:
    Code:
    reg unload "HKLM\#Soft"
    Never tested with default Win PE, but should work likewise :g:.
     
  3. pisthai

    pisthai Imperfect Human

    Jul 29, 2009
    6,857
    2,029
    210
  4. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Aug 15, 2012
    15,335
    21,281
    340
  5. moderate

    moderate MDL Guru

    Aug 31, 2009
    2,652
    2,176
    90
    #5 moderate, Dec 3, 2014
    Last edited by a moderator: Apr 20, 2017
    (OP)
    Thanks, it looks promising; however, I am interested in looking into this key on WinPE:

    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    Will anything like below work?

    Code:
    reg load "HKLM\#Sys" "e:\win\mount\windows\system32\config\systemprofile"
    I didn't check the WinPE dirs yet; the dir "systemprofile" is on my main install, but it looks like there are registry files there. :))

    What I am trying to investigate:

    On WinPE/WinRE x64 and x32 there is:
    Code:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT]
    "AllowRefsFormatOverNonmirrorVolume"=dword:00000001
    which allows formatting ReFS under a client OS, but I am not interested in this...

    ...I need to look at WinPE/WinRE ARM; there should be the key which allows running unsigned desktop apps on ARM.

    Why?

    As you know, there is the "Windows 7 style - Task Manager - the green one" in boot.wim (WinPE/WinRE/WinSetup) as taskmgr.exe.

    As this file:
    1. Isn't included in the OS itself.
    2. Doesn't have any digital certificate included in the EXE.
    3. Can't rely on the digital certificates in Secure Boot - the certificate is NOT there (running the EXE on the main install throws the signature error).
    4. CAN be run under WinPE

    ...so there should be some setting to override the checking...

    Some time ago we at MDL discovered the MiniNT key in the registry, in which those overrides (in mini-Windows = WinPE-like) are concentrated.

    So now I just need to read the MiniNT key above from WinPE/WinRE ARM.
    WinPE ARM is in W8-1 ADK Addons (which leaked).
    WinRE ARM is in \Windows\System32\Recovery directory of Windows installation.
     
  6. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Aug 15, 2012
    15,335
    21,281
    340
    #6 s1ave77, Dec 3, 2014
    Last edited by a moderator: Apr 20, 2017
    System hive should be:

    Code:
    reg load "HKLM\#Sys" "e:\win\mount\windows\system32\config\system"
     
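Putting s1ave77's reg load approach together for the MiniNT question in post #5, as an added example that was not posted in the thread: this PowerShell script mounts a boot.wim read-only with DISM, loads its SYSTEM hive under HKLM\#Sys, reads the MiniNT key, then unloads and unmounts. The WIM path, image index and mount folder are assumed. One thing to account for: an offline SYSTEM hive has no CurrentControlSet link (that is created at boot), so the script reads Select\Current to pick the right ControlSet00N.

```powershell
# Added example, not from the thread. Run from an elevated prompt with DISM
# available; $Wim, $Index and $Mount are assumed values for your environment.
$Wim      = 'D:\sources\boot.wim'   # assumed: the WinPE/WinRE image to inspect
$Index    = 1                        # assumed: image index inside the WIM
$Mount    = 'E:\win\mount'           # assumed: empty folder to mount into
$HiveName = '#Sys'                   # temporary name for the loaded hive

New-Item -ItemType Directory -Force -Path $Mount | Out-Null
# Mount read-only so the WIM itself is never modified while we look around.
dism /Mount-Wim "/WimFile:$Wim" "/Index:$Index" "/MountDir:$Mount" /ReadOnly | Out-Null
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed (exit code $LASTEXITCODE)" }

try {
    reg load "HKLM\$HiveName" "$Mount\Windows\System32\config\SYSTEM" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }

    # Offline hives carry ControlSet001/002, not CurrentControlSet; the
    # Select\Current value says which one the image would boot with.
    $current = (Get-ItemProperty "HKLM:\$HiveName\Select" -Name Current).Current
    $cs      = 'ControlSet{0:D3}' -f $current
    $key     = "HKLM:\$HiveName\$cs\Control\MiniNT"

    if (Test-Path $key) {
        # Show the values of the key (e.g. AllowRefsFormatOverNonmirrorVolume)
        Get-ItemProperty $key | Select-Object * -ExcludeProperty PS*
    } else {
        Write-Host "No MiniNT key under $cs in this image"
    }
}
finally {
    # Drop PowerShell's registry handles first, otherwise reg unload fails
    # with "Access is denied" and the later unmount fails as well.
    [GC]::Collect()
    reg unload "HKLM\$HiveName" | Out-Null
    dism /Unmount-Wim "/MountDir:$Mount" /Discard | Out-Null
}
```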
  7. moderate

    moderate MDL Guru

    Aug 31, 2009
    2,652
    2,176
    90
    Thanks...

    BTW: I have updated my 5th post in this thread to share the complete information about the goal...
     
  8. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Aug 15, 2012
    15,335
    21,281
    340
    #8 s1ave77, Dec 3, 2014
    Last edited by a moderator: Apr 20, 2017
    OK ... mostly got it. So far I mostly loaded the Software and System hive (from install.wim and Win8.1SE boot.wim) that way.

    Iirc NTUSER.DAT, SOFTWARE and SYSTEM can be loaded.
    NTUSER.DAT:
    Code:
    reg load "HKLM\#Sys" "e:\mount\Users\Administrator\NTUSER.DAT"
    SYSTEM/SOFTWARE:
    Code:
    reg load "HKLM\#Sys" "e:\mount\Windows\System32\config\SOFTWARE"
     