How to modify a computer's offline registry from WINPE?

windows regedit winpe

588

Load the necessary registry hives:

in Registry Editor (regedit), select either HKEY_LOCAL_MACHINE or HKEY_USERS, then click File → Load Hive, open the hive file, and input a temporary name for it;
in command line, use reg load HKLM\temp-name path-to-hive
or reg load HKU\temp‑name path-to-hive.

The hive files are located in:

most of HKEY_LOCAL_MACHINE corresponds to files in %SystemRoot%\system32\config:
- HKLM\SAM – file SAM
- HKLM\SECURITY – file SECURITY
- HKLM\Software – file software
- HKLM\SYSTEM – file system
- the special "system" user's registry (e.g. login screen, etc.) – file default
each user's personal registry (i.e. their HKEY_CURRENT_USER) is located in file NTUSER.DAT in their profile directory (e.g. C:\Users\grawity\NTUSER.DAT);
- however, HKCU\Software\Classes is stored in the file AppData\Local\Microsoft\Windows\UsrClass.dat.

A list of currently loaded hives is at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist.

588

sanguine

Updated on September 18, 2022

Comments

sanguine almost 2 years
I'd like to create a key logger that would listen for the keys 'w' 'a' 's' 'd' and whenever it detects these keys, adds them to a list. So far I have this code
```
from pynput.keyboard import *
keys_pressed=[]
def on_press(key):
        print(key)

def on_release(key):
    if key==Key.esc:
        return False

with Listener(on_press=on_press,on_release=on_release) as listener:
    listener.join()
```
How could I check if a specific key is pressed, and add it to the keys_pressed list?
Haplo over 9 years

what about HKEY_CLASSES_ROOT ? Can't we load it ?
Haplo over 9 years

I found that HKCR is actually classes key under software hive.
FarO over 8 years

You don't mention HKEY_USERS that contains default values for all users. I read it corresponds to NTUSER.dat, but not the one in the user directory. Is it correct?
user1686 over 8 years

@OlafM: Not quite. HKEY_USERS doesn't have any information by itself, all it has is sub-hives for each user. For example, HKU\S-1-5-21-…-1103 corresponds to C:\Users\grawity\ntuser.dat, and HKU\.default corresponds to C:\Windows\System32\config\DEFAULT. (Note that .default is not the default user and does not contain "default values for all users". It's actually the "system" user.)
sanguine almost 4 years

Hey! Thank you! I used this code and it worked fine: prnt.sc/u6h0ai However I get another error when I press a special key like spacebar, how would I fix that? The error is: prnt.sc/u6h0j0
NoeXWolf almost 4 years

It's because when the key pressed is not a letter, it's a Key object and not a KeyCode and only KeyCode object has char field. With my solution it should work fine, or before checking the char you can check if it's a KeyCode and not a Key
sanguine almost 4 years

How could I iterate over the list? It gives me this error: TypeError: 'KeyCode' object is not iterable. I know I can turn it into a string, but is there any other way, other than turning into a string?
NoeXWolf almost 4 years

I'm not sure to understand, can you please provide your code ?