
Make change in registry _early_ in installation process / prevent XP h


MerijnB


Hi all,

I'm looking for a way to avoid that XP has easy to crack passwords, see: http://www.windowsecurity.com/articles/Protect-Weak-Authentication-Protocols-Passwords.html

To achieve this, I've made an addon which looks like:

[general]
builddate=2010/02/18
description=Prevents Windows from generating easy to crack password hashes
language=English
title=No weak password hashes

[registry_addreg]
HKLM,"SYSTEM\CurrentControlSet\Control\Lsa","lmcompatibilitylevel",0x10001,05
HKLM,"SYSTEM\CurrentControlSet\Control\Lsa","nolmhash",0x10001,01

This works nicely, but there is a problem.

After these registry values are set, the passwords still need to be changed before XP 'forgets' the lm hash of the previous password.

So it seems that during installation first the admin account is created with the password set in nlite, and after that this addon is run which changes the registry entries.

So in short: Is there any way to move the adding of these registry entries forward, so they are done before the admin account as defined with nlite is created?



MerijnB, I do not have an answer for you but it is an interesting question and I will think about it. Since the PWs input via nLite appear in plain text in the ISO and CD, my plan is to start with simple PWs, then change them after install. I suspect this would allow your new hash to be used in the new PW and your real PW would never be lying about in plain text. If you are using auto login set up by nLite, this places your PW into the Registry in plain text. Just using auto login will expose your PW to people that know how to use LSA secrets. Here is a link to the auto login threads. Enjoy, John.


Hi johnhc,

In my own research I'm doing something similar.

I'm trying to write a small app which I will include as an addon:

[general]
builddate=2010/02/18
description=Prevents Windows from generating easy to crack password hashes
language=English
title=No weak password hashes

[EditFile]
SVCPACK.INF,SetupHotfixesToRun,AddProgram

[AddProgram]
weakpass.exe

This app will do a few things:

- Locate the winnt.sif file on the nlite cd and extract the admin password from it (GuiUnattended -> AdminPassword).

- Make the appropriate registry changes.

- Change the admin password to "temp".

- Change the admin password back to what was read from winnt.sif

This has the advantage that it's quite transparent, you can just enter a password you wish to use in nLite.

I'll post here if I get any further with this.

Can you tell me if the admin password is always visible in the winnt.sif file made by nLite, or for example only if autologin is used?

Thanks for lending some brains ;)

Merijn


MerijnB, take a look at nLite.inf (will be NLITE.IN_ in your I386 or AMD64 folder). This is where the user account is created and the PW set. There is a call to Net1 command to do this. I do not know about the Administrator account and PW. I use Auto Login and I do see the Admin PW in my Winnt.sif file. I need to do some more looking to learn more. For you, I recommend some testing (hope you are using a virtual system) to see what works and what does not. Have you created a user account and if so, does your hash method deal with its PW OK? If not, perhaps placing your Registry updates into the nLite.inf file (above the account creation) will work. Let us know what you learn and I will also. Enjoy, John.


John,

The only thing I see in the nlite.in_ file is this:

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","AutoAdminLogon",0x00000000,1
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","DefaultUserName",0x00000000,"Administrator"
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","DefaultPassword",0x00000000,"password"

Is this what you mean? This seems like it has to do with autologin only, and won't be there if you don't have autologin enabled.

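An added example (not from the thread and not part of nLite): a small Python audit that parses INF AddReg lines like the ones posted above and reports whether the two Lsa values are set and whether an autologon DefaultPassword is written in plain text. The function names, the `min_level=5` default (the value used by the addon in the first post) and the two sample strings are assumptions constructed for illustration.

```python
import csv

LSA = r"system\currentcontrolset\control\lsa"
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
TYPE_MASK, TYPE_DWORD = 0xFFFF0001, 0x00010001  # AddReg flag bits meaning REG_DWORD

def parse_addreg(text):
    """Yield (root, subkey, name, flags, value) for each AddReg-style line."""
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        # Skip blanks, ; comments, [section] headers and key=value lines.
        if len(row) < 5 or row[0].lstrip().startswith((";", "[")):
            continue
        root, subkey, name, flags = (f.strip() for f in row[:4])
        yield (root.upper(), subkey.lower(), name.lower(),
               int(flags or "0", 16), ",".join(row[4:]).strip())

def dword(value):
    # INF DWORD data may be written in decimal ("05") or hex ("0x5").
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)

def audit(text, min_level=5):
    """Return findings for the LM-hash settings and the autologon password."""
    # A later line for the same value overrides an earlier one.
    seen = {(s, n): (f, v) for r, s, n, f, v in parse_addreg(text) if r == "HKLM"}
    findings = []
    for name, minimum in (("nolmhash", 1), ("lmcompatibilitylevel", min_level)):
        entry = seen.get((LSA, name))
        if entry is None:
            findings.append(f"{name}: not set")
        elif (entry[0] & TYPE_MASK) != TYPE_DWORD:
            findings.append(f"{name}: not a REG_DWORD")
        elif dword(entry[1]) < minimum:
            findings.append(f"{name}: {dword(entry[1])} is below {minimum}")
    if seen.get((WINLOGON, "defaultpassword"), (0, ""))[1]:
        findings.append("defaultpassword: autologon password stored in plain text")
    return findings

# Constructed samples, built from the lines quoted in this thread.
HARDENED = r'''[registry_addreg]
HKLM,"SYSTEM\CurrentControlSet\Control\Lsa","lmcompatibilitylevel",0x10001,05
HKLM,"SYSTEM\CurrentControlSet\Control\Lsa","nolmhash",0x10001,01
'''
AUTOLOGON = r'''HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","DefaultPassword",0x00000000,"password"
HKLM,"SYSTEM\CurrentControlSet\Control\Lsa","nolmhash",0x10001,0
'''

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("autologon", AUTOLOGON)):
        print(label, audit(sample))
```

The audit only reads the INF text; it does not tell you when during setup the values are applied, which is the ordering problem this thread is about.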

MerijnB, that is the Auto Login information I told you about in my first reply. The PW is in plain text in the Registry. I have attached a test nLite.inf with the secret data all ???. I define a user account with administrator privileges and auto log it. I also set an Administrator PW (does not show in the .inf). I also attach my Last Session_u.ini with the real stuff obscured. Enjoy, John.

EDIT: I was wondering what your keys did (assumed they implemented the link you provided) and found this.

EDIT: In the Unattended Guide (see below) is this timeline. A single command can be executed at T-39 (long before SVCPACK and cmdlines). This is called DetachedProgram and is described here. This may be too early, but I suggest you give it a test.

Edited by johnhc

It seems I've cracked it.

Changing the registry before the administrator account as set in nLite is created doesn't seem possible, so I continued with the app which tries to do the trick afterward.

It's not possible to make something which can be used as an addon in nLite, because if you try to change a password (needed for the process) at the moment the addons are run, you get error #1351, which (according to Microsoft) means:

Indicates a domain controller could not be contacted or that objects within the domain are protected and necessary information could not be retrieved.

so that's obviously too early in the installation process.

So this tool should be run using RunOnce in nLite and should do everything automagically. Keep in mind that it only works for the administrator account.

The app can be used freely, I don't think it's worth its own thread, so I attached it to this post. Suggestions and questions are welcome of course!

Thanks for thinking with me.

NoWeakPasswords.zip


?? huh??

Open HIVESYS.INF

find HKLM,"SYSTEM\CurrentControlSet\Control\Lsa

Add your lines, save, close

Open LAYOUT.INF

Replace all ,_x, with ,, (comma underscore x comma with comma comma)

Save, close

Done


> ?? huh??
>
> Open HIVESYS.INF
>
> find HKLM,"SYSTEM\CurrentControlSet\Control\Lsa
>
> Add your lines, save, close
>
> Open LAYOUT.INF
>
> Replace all ,_x, with ,, (comma underscore x comma with comma comma)
>
> Save, close
>
> Done

I was looking for a way to do this up front at first, but didn't find it, interesting information.

I understand HIVESYS.INF, but can you please explain why the changes in LAYOUT.INF?

Furthermore I'm mostly looking for something which can be done from an nLite setup, without making manual changes in the middle of the process, not sure if this could be automated in.

Thanks for info!


> I understand HIVESYS.INF, but can you please explain why the changes in LAYOUT.INF?

See all of those lines with byte counts in LAYOUT that have an _x on the same line?

That is Windows saying "Hey, install process, if you see a line with an _x in it, check the byte count against the one listed here. If it does not match, abort the installation."

So you merrily change the byte counts for HIVE files to change them... but the LAYOUT line itself has a _x, so to make things easy and totally eliminate all of the self-checking, simply delete every single _x in all of the file lines in the entire file by replacing ,_x, with comma comma.

Nuhi made nLite so that it would delete files in TXTSETUP, presumably for a faster installation. But oddly, nLite never modifies LAYOUT. To make your install go really fast, you can copy the file list from TXTSETUP right into LAYOUT. That way, LAYOUT won't waste a lot of time copying files that TXTSETUP doesn't even use.

The best way to explain this is to download my fileset and compare TXTSETUP and LAYOUT. As long as the _x and byte counts are gone, Windows treats the files the same -- it's just that LAYOUT copies from media to one directory on the HDD, and TXTSETUP copies from this one directory to final destination on the same HDD.

Editing HIVE files is the best way to put tweaks into your base install permanently. For example, why not fix the time zones permanently? They're in HIVESFT. What's the point of leaving all of that incorrect information? (Rhetorical, not asking anyone in particular). Sure, you can slipstream a timezone hotfix, but all you're doing is writing wrong data, then overwriting it with correct data. Same with everything else -- colors, icon spacing, file associations, network settings, service settings (manual, autostart, etc, you can even remove them, like indexing for example), and tons of preferences -- all of that is in the HIVE files. There is a wealth of data in these things that very few people seem interested in (speaking generally, not at you). nLite does edit these files to some degree, but does not scrub them completely. Check out HIVECLS, for example... the amount of junk related to windowscodecs.dll alone will shock you. It's a HUGE chunk of the file. Not an issue if you always use the proprietary Microsoft Photo format or do not care about registry size (and in XP, it's not really an issue like it was in 2000), but something that you could probably do without.


Yep. More specifically, since you just want the files and probably don't need all the information: grab here

Buried therein you will find many dozens of settings. Not necessarily commented -- sorry!! But some are. And of course some are easy to spot. Open HIVEDEF for example and search for "ActiveWndTrkTimeout" and you will see a huge block of reg edits. The files are most notable for what they rip out... a lot of obsolete stuff and media crap. See also AXANT5.INF for many tweaks. I am making changes all the time these days. I just added but did not yet upload a tweak to have explorer always in view details mode because I got so sick of changing it. Anyway. 95% of the tweaks are well known, and just slipped into the HIVEs. There are some gems that are not very well known but I usually do try to post my findings in the right threads. The problem is that in my HIVE files I am trying to repair XP by getting it back to how Windows NT is supposed to be, so it has fixes like using CTRL ALT DEL for logon rather than... whatever the heck that other account pictures thing is. So you'd have to find that tweak and comment it out to change it, or run a second tweak later in the install process to undo it. (Which is what nLite's tweaks essentially do -- many of those values you see start out in the HIVE files and the nlite tweak INF simply changes them.)

I suppose you could simply try renaming your HIVE files and trying mine to see how you like the result I guess.


> Yep. More specifically, since you just want the files and probably don't need all the information: grab here
>
> I suppose you could simply try renaming your HIVE files and trying mine to see how you like the result I guess.

I definitely will do that, yet for the exact moment my reason for asking is a relatively simple one, I feel. I want to change the "install language" from 0411 to 0c09 (Japanese to Australian). In the registry it's at:

MACHINE\SYSTEM\ControlSet001\Control\Nls\Language (last key)

In HIVESYS.inf there is:

HKLM,"SYSTEM\CurrentControlSet\Control\Nls\Language","InstallLanguage",0x00000002,"%INSTALL_LANGUAGE%"

But how do I make a change and is it correct since it has CurrentControlSet NOT ControlSet001?

Also do I just make the one change or must I alter something else too?

