Sysinternals autorunsc.exe
Hi all,
Sysinternals have just released a version of their autoruns command line tool that's capable of scanning an offline windows install for images configured to start automatically (very useful for tracking down malware).
How likely is it that it could be made to run under wine on Ubuntu? I've got to the point where I have my NTFS partition mounted, I then issue the command:
---
$ wine ./autorunsc -z /mnt/ntfs_mount/WINDOWS /mnt/ntfs_mount/Documents\ and\ Settings/
---
...this happens:
---
Sysinternals Autoruns v10.01 - Autostart program viewer
Copyright (C) 2002-2010 Mark Russinovich and Bryce Cogswell
Sysinternals - www.sysinternals.com
Autoruns requires Administrator privilege to analyze an offline system
---
I also tried making a symlink to a drive letter in ~/.wine/dosdevices but that didn't seem to make any difference.
My various searches for ways to get around this have come to nought, but I confess, I'm a complete wine novice.
Grateful for your thoughts...
Sysinternals autorunsc.exe
On Sat, Jun 26, 2010 at 01:10, dfm9090 <[email protected]> wrote:
> Hi all,
> Sysinternals have just released a version of their autoruns command line tool that's capable of scanning an offline windows install for images configured to start automatically (very useful for tracking down malware).
> How likely is it that it could be made to run under wine on Ubuntu? I've got to the point where I have my NTFS partition mounted, I then issue the command:
> $ wine ./autorunsc -z /mnt/ntfs_mount/WINDOWS /mnt/ntfs_mount/Documents\ and\ Settings/
You probably want to use the Windows path if it is passed as a parameter to a Windows program....
One way is to use winepath in backticks: (Not sure about the parameters..)
wine ./autorunsc -z `winepath -w /mnt/ntfs_mount/WINDOWS` Administrator
> I also tried making a symlink to a drive letter in ~/.wine/dosdevices but that didn't seem to make any difference.
If you do:
cd ~/.wine/dosdevices
ln -s /mnt/ntfs_mount 'd:'
You should be able to use: (I'm not sure if you are using the right parameter for "userprofile")
wine ./autorunsc -z 'd:\WINDOWS' 'd:\Documents and Settings\'
Running it under wine cmd might be easier...
You can try "wine cmd" or "wineconsole cmd"
Gert
Re: Sysinternals autorunsc.exe
dfm9090 wrote: Sysinternals have just released a version of their autoruns command line tool that's capable of scanning an offline windows install for images configured to start automatically (very useful for tracking down malware).
If this app relies on Windows regedit to examine the registry, it's never going to work in Wine. Wine's regedit is designed to work with Wine's registry, which is stored as a plain text file. It cannot read or write the Windows binary format, and pointing an app running in Wine at a real Windows registry is an extremely bad idea.
This app parses an "offline" copy of a Windows Registry File so, in theory, at least for reading registry entries it shouldn't be a problem running it with Wine. I have already used similar tools on linux using Wine, for example "RegRipper". The problem here is that Autoruns.exe gives an error "Autoruns requires Administrator privilege to analyze an offline system" when you try to load the "offline" registry file.
Searching with google I understood that this problem can be related to some not implemented API call and that's why it is not possible to resolve it using simple command line switches. Is it true?
Thanks.
freagan wrote: This app parses an "offline" copy of a Windows Registry File so, in theory, at least for reading registry entries it shouldn't be a problem running it with Wine.
You're wrong. Only the kernel can load binary hives (windows' registry files). I'm sure this new tool wants to install some kernel drivers to get direct access to the registry without actually letting windows do anything with it.
In either case Wine doesn't support any sophisticated kernel drivers. Nor can Wine read Windows' binary registry files.
Sysinternals autorunsc.exe
On Tue, Jul 27, 2010 at 06:00, vitamin <[email protected]> wrote:
> freagan wrote: This app parses an "offline" copy of a Windows Registry File so, in theory, at least for reading registry entries it shouldn't be a problem running it with Wine.
> You wrong. Only kernel can load binary hives (windows' registry files). I'm sure this new tool wants to install some kernel drivers to get direct access to registry without actually letting windows do anything with it.
Only for active registry files? A driver shouldn't be needed for registry files copied from another PC and not actively loaded? Not sure what exactly this is for though?
The right debug options (not sure which that would be) should give an idea of what the application is trying to do?
Re: Sysinternals autorunsc.exe
Gert van den Berg wrote: A driver shouldn't be needed for registry files copied from another PC and not actively loaded?
Only the kernel can load the registry. And obviously if you're trying to load a registry that overrides your system registry, one needs some drivers to work around that.
Of course you can open a registry hive as a simple file and try to parse it. However this isn't trivial and requires lots of code and exact knowledge of the format. I really doubt that's what this new tool does.
Sysinternals autorunsc.exe
On Tue, Jul 27, 2010 at 15:52, vitamin <[email protected]> wrote:
> Gert van den Berg wrote: A drivers houldn't be needed for registry files copied from another PC and not actively loaded?
> Only kernel can load registry. And obviously if you trying to load registry that overrides your system registry one need some drivers to work around that.
> Of course you can open registry hive as a simple file and try to parse it. However this isn't trivial and requires lots of code and exact knowledge of the format. I really doubt that what this new tool does.
It is a SysInternals tool from Microsoft... If anything does it, this is where I would expect to find it... (chntpw has a utility capable of editing the Windows registry from *nix)
Offline mode seems to imply that it is accessing the registry from hive files not actively loaded in the current Windows registry..
(Autorunsc might be asking something in Windows to parse the file for it though in offline mode...)
Gert
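The two posts above disagree on whether an offline hive can be read "as a simple file" without the Windows kernel. As an added illustration (not code from the thread, from Sysinternals, from chntpw or from Wine), the script below does exactly that for the part of the format every such tool must handle first: the 4 KiB "regf" base block at the start of every hive. It reads the signature, the two sequence numbers, the last-written FILETIME, the root cell offset and the embedded name, and recomputes the base-block checksum (XOR of the first 127 DWORDs, with Windows' special cases for 0 and 0xFFFFFFFF). The sample hive bytes are constructed in `build_sample_hive()`; no real hive, path or tool output is assumed. The dirty and corrupt variants show the two integrity checks a forensic reader wants before trusting a copied hive: mismatched sequence numbers mean the last write was never flushed (the transaction log would need replaying), and a checksum mismatch means the header itself was altered.

```python
# Added example: parse the base block of a Windows registry hive ("regf")
# straight from the file bytes, without any Windows kernel involvement.
# Sample data is constructed below; it is not a real hive.
import struct
from datetime import datetime, timedelta, timezone

REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 4096      # the base block is one 4 KiB page
CHECKSUM_OFFSET = 508       # checksum covers bytes 0..507 and is stored at 508
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def regf_checksum(block):
    """XOR of the first 127 little-endian DWORDs of the base block.
    Windows maps a result of 0 to 1 and 0xFFFFFFFF to 0xFFFFFFFE."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        csum ^= dword
    if csum == 0:
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def parse_base_block(block):
    """Return the base-block fields plus two integrity verdicts."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("file shorter than one base block")
    if block[:4] != REGF_SIGNATURE:
        raise ValueError("not a regf hive (bad signature)")
    # Offsets 4..47: seq1, seq2, FILETIME, major, minor, type, format,
    # root cell offset, size of hive bins, clustering factor.
    (seq1, seq2, ts, major, minor, ftype, fmt,
     root_cell, hbins_size, cluster) = struct.unpack_from("<IIQIIIIIII", block, 4)
    # Offsets 48..111: UTF-16LE name, NUL padded.
    name = block[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "sequence": (seq1, seq2),
        "dirty": seq1 != seq2,          # last write not flushed; log replay needed
        "last_written": filetime_to_datetime(ts),
        "version": (major, minor),
        "root_cell_offset": root_cell,  # relative to the first hive bin (file offset 4096)
        "hbins_size": hbins_size,
        "embedded_name": name,
        "checksum_ok": stored == regf_checksum(block),
    }


def build_sample_hive(dirty=False, corrupt=False):
    """Constructed sample base block (not a real hive) for demonstration."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = REGF_SIGNATURE
    seq1, seq2 = (7, 6) if dirty else (7, 7)
    ts = datetime_to_filetime(datetime(2010, 6, 26, 1, 10, tzinfo=timezone.utc))
    struct.pack_into("<IIQIIIIIII", block, 4,
                     seq1, seq2, ts, 1, 3, 0, 1, 0x20, 0x1000, 1)
    block[48:112] = "CONSTRUCTED-SAMPLE".encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(block))
    if corrupt:
        block[36] ^= 0xFF   # damage the root cell offset after checksumming
    return bytes(block)


if __name__ == "__main__":
    for label, kw in (("clean", {}), ("dirty", {"dirty": True}),
                      ("corrupt", {"corrupt": True})):
        print(label, parse_base_block(build_sample_hive(**kw)))
```

Everything after the base block (hive bins, nk/vk cells, the key tree that Autoruns would walk to find Run keys and services) is where the "lots of code and exact knowledge of the format" comes in; the point here is only that the file is readable by ordinary user-mode code, which is what tools like RegRipper and chntpw rely on.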
I thought that accessing an "Offline" registry file is like parsing a copy of a registry file that is not in use or, like you said, actively loaded by the operating system.
Registry files in Windows are normally located under "C:\WINDOWS\system32\Config" for system hives and "C:\Documents And Settings\Username" for user hives.
I open these files in "offline" mode every day from Ubuntu using Wine and tools like "MiTeC Windows Registry File Viewer" and "RegRipper", so it is not impossible to do.
Being able to use Autoruns instead of the above tools would be better for me because it is more appropriate for my purposes.
I don't know what exactly autoruns is trying to do in the operating system when accessing the "offline" registry files; here are the messages that Wine shows in the console when Autoruns gives the error "Autoruns requires Administrator privilege to analyze an offline system":
err:ole:CoGetClassObject class {148bd52a-a2ab-11ce-b11f-00aa00530503} not registered
err:ole:CoGetClassObject no class object {148bd52a-a2ab-11ce-b11f-00aa00530503} could be created for context 0x1
err:shell:SHGetFileInfoW pidl is null!
fixme:advapi:ImpersonateLoggedOnUser ((nil))
fixme:advapi:ImpersonateLoggedOnUser ((nil))
err:shell:SHGetFileInfoW pidl is null!
fixme:advapi:ImpersonateLoggedOnUser ((nil))
fixme:advapi:ImpersonateLoggedOnUser ((nil))
fixme:advapi:ImpersonateLoggedOnUser ((nil))
err:shell:SHGetFileInfoW pidl is null!
fixme:advapi:ImpersonateLoggedOnUser ((nil))
err:shell:SHGetFileInfoW pidl is null!
Thank you in advance for any hint or info.
Re: Sysinternals autorunsc.exe
Has anybody been able to fix this problem?
I have tried all I can find and what you guys suggest, but it seems that autoruns uses modules from Microsoft themselves.
Tools such as regripper don't use these modules and therefore can be run using wine (strange because regripper is built on/for Linux).
Regards,
Thijs