Jump to content

Inject Reg entries into Win 8.1 Reg from WinPE

Colin

By Colin
in Windows PE

 Share

Recommended Posts

Colin

Colin

Posted
Posted (edited)

Hi,

 

hoping someone can help me out.

 

I need to inject a reg entry into the windows 8.1 HKEY_LOCAL_MACHINE RunOnce registry tree from within a WinPE 5.0 environment. So far I have the following as part of a command file;

 

REG LOAD HKLM\TEMP c:\windows\system32\config\software (To load the correct hive into a temporary subkey)

REG ADD HKLM\TEMP\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v Act /t REG_SZ /d "%Drive%\Activate.cmd" /f (to add the reg entry)

REG UNLOAD HKLM\TEMP (to unload the hive from the subkey)

 

Where %Drive& is the USB drive letter ... this all works .. but .. When checking the reg entry (using REG EXPORT to a file)  is shows up as

 

[HKEY_LOCAL_MACHINE\TEMP\software\microsoft\windows\currentversion\runonce]

"Act"="D:\\Activate.cmd"

 

Entry has two \\ instead of a single \ and does not execute the command file upon booting into Windows 8.1

 

Where have I gone wrong?

 

Cheers in advance for any help.

Edited by Colin

jaclaz

jaclaz

Posted
Posted

Backslashes are a "strange" thing (and particularly when used in a variable and then put in the Registry).

 

Are you sure that running

SET Drive

returns:

Drive=D:

and not:

Drive=D:\

 

Or simply try to use:

REG ADD HKLM\TEMP\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v Act /t REG_SZ /d "%Drive%Activate.cmd" /f

 

As a side-side note, personally I would rather use an Offline Registry editor from a PE:

http://reboot.pro/topic/11312-offline-registry/

http://erwan.labalec.fr/other/

 

jaclaz

Colin

Colin

Posted
  • Author
Posted

Backslashes are a "strange" thing (and particularly when used in a variable and then put in the Registry).

 

Are you sure that running

SET Drive

returns:

Drive=D:

and not:

Drive=D:\

 

Or simply try to use:

REG ADD HKLM\TEMP\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v Act /t REG_SZ /d "%Drive%Activate.cmd" /f

 

As a side-side note, personally I would rather use an Offline Registry editor from a PE:

http://reboot.pro/topic/11312-offline-registry/

http://erwan.labalec.fr/other/

 

jaclaz

Hi, thanks for your reply.

 

Drive does only contain D: and not D:\ ... Strange thing when I run a REG QUERY on the added entry it comes up as -

 

Act   REG_SZ   D:\Activate.cmd

 

which is correct, now I have to figure out why the Activate.cmd is not running on booting into windows. The only thing I can think of is that I am not loading the correct hive in the REG LOAD HKLM\TEMP c:\windows\system32\config\software command

jaclaz

jaclaz

Posted
Posted

The only thing I can think of is that I am not loading the correct hive in the REG LOAD HKLM\TEMP c:\windows\system32\config\software command

 

Not a bad guess. :no:

Why don't you check loading the hive in a GUI Registry editor in the PE?

 

At first sight, if you mount the SOFTWARE hive to a TEMP hive the path to the "right" key will be: 

HKLM\TEMP\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

because:

HKLM\TEMP\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

should result in the booted windows as:

HKLM\SOFTWARE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

:unsure:

 

(and BTW another reason to use the offline Registry editing)

 

jaclaz

Colin

Colin

Posted
  • Author
Posted

 

The only thing I can think of is that I am not loading the correct hive in the REG LOAD HKLM\TEMP c:\windows\system32\config\software command

 

Not a bad guess. :no:

Why don't you check loading the hive in a GUI Registry editor in the PE?

 

At first sight, if you mount the SOFTWARE hive to a TEMP hive the path to the "right" key will be: 

HKLM\TEMP\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

because:

HKLM\TEMP\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

should result in the booted windows as:

HKLM\SOFTWARE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

:unsure:

 

(and BTW another reason to use the offline Registry editing)

 

jaclaz

 

Absolutely spot on, I didn't need \SOFTWARE in the REG ADD command.

 

Drop that out and it works perfectly :)

 

thank you.

  • 2 weeks later...
kmaheshkumar

kmaheshkumar

Posted
Posted

one month back i tested PE for first time 

while booted from PE C:\ is for PE Windows drive and D:\ is for actual C:\ while we booted normally 

(correct me if i am wrong)

 

if i am right then colin is loading wrong hive

Colin

Colin

Posted
  • Author
Posted

one month back i tested PE for first time 

while booted from PE C:\ is for PE Windows drive and D:\ is for actual C:\ while we booted normally 

(correct me if i am wrong)

 

if i am right then colin is loading wrong hive

 

Hi,

 

WinPE normally sets it's drive to X: when booted, C: remains the windows drive throughout the process ... I have tried the above solution and it works exactly as I required. I get a command file run once at boot time that changes the location of WinRE to the recovery partition instead of the one contained within windows itself.

 

Col

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...