Reset password, edit Windows registry from Ubuntu
In connection with viruses in Windows and the inability to start regedit, I needed the ability to edit the registry from the outside. I found, so far, the only Linux utility chntpw , which was originally designed to reset passwords, and then acquired the function of editing the registry.
Look where he is:
look for ntfs partition and mount:
Editing is done by moving along the branches, for example:
and by editing the keys themselves, for example:
Regedit defaults:
Check the Explorer.exe file for the presence of a double ... it should be correctly located in the
This article was written in addition to the topic of combating viruses and ransomware
Cleaning windows from viruses using Ubuntu
Registry Editing:
1. Boot from the livecd or install a second ubuntu system
2. Install the chntpw utility
sudo aptitude install chntpw3. We connect the windows section
Look where he is:
sudo fdisk -llook for ntfs partition and mount:
$ sudo mkdir /media/windows
$ sudo mount /dev/sda2 /media/windows4. Editing the registry
chntpw -l /media/windows/Windows/system32/config/softwareEditing is done by moving along the branches, for example:
cd Microsoft\Windows NT\CurrentVersion\Winlogonand by editing the keys themselves, for example:
ed ShellPassword reset:
1. Clauses 1-3 of the previous paragraph
4. We look at what user will change the password
chntpw -l /media/windows/Windows/system32/config/SAM5. We reset the password
chntpw /media/windows/Windows/system32/config/SAM -u AdministratorImmediately bring the places in the registry where you can hide entries on the launch of viruses:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\Software\Microsoft\Windows\CurrentVersion\RunRegedit defaults:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe"Check the Explorer.exe file for the presence of a double ... it should be correctly located in the
Windows\ folder Windows\ but not in Windows\System32\...This article was written in addition to the topic of combating viruses and ransomware
Cleaning windows from viruses using Ubuntu
')
Source: https://habr.com/ru/post/94764/
All Articles