Remote Registry Editing

  1. #1
    Member
    Join Date
    Jul 2004
    Posts
    46

    Remote Registry Editing

    I have disabled remote registry editing on my computer, but my friend says he can still access it. We have this thing going in the lab to see how much we can mess with each other; did I miss something that enabled him to remote regedit my computer?

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Does he know your admin password or have admin rights to your machine???


    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    OR he is lying to throw you off guard. Just a thought. Also, did you disable remote desktop? And make sure he didn't throw VNC or something like that on your computer?
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  4. #4
    Senior Member
    Join Date
    Dec 2004
    Posts
    137
    Hi. Check to make sure you don't have "Terminal Services" enabled. Run services.msc and sort by "Started"

    You may find this fellow's web site of use.
    http://www.blackviper.com/WinXP/servicecfg.htm


  5. #5
    Senior Member
    Join Date
    Jan 2005
    Posts
    217

    ?

    We have this thing going in the lab to see how much we can mess with eachother
    - Exactly what lab are you talking about? I asked because I first think of it as school lab (don't mess with it if you are not permitted to), although you had mentioned "my computer". Just a thought.

    Since this question, if answered would benefit you to learn securing your BoX, (aside from the above-mentioned tips by the AO guys) you can start with HJT (hijackthis - http://www.antionline.com/showthread...hreadid=265467) and check it. You can place the LOG here afterwards to see more details of what's going on with your BoX.

    Yo!
    "Life without FREEDOM is no life at all". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)
    http://www.geocities.com/sebeneleben/SOTBMulti.gif

  6. #6
    Member
    Join Date
    Jul 2004
    Posts
    46
    Yes, I have terminal services and remote desktop disabled, so he wouldn't be able to go in and re-enable remote regediting. We also aren't using any third-party software, so no, there's nothing he planted; I was wondering if there was a built-in Windows utility he used to bypass the "no remote regedit". Cool, thanks for the help guys, I'll try HijackThis tonight.

  7. #7
    Member
    Join Date
    Jun 2004
    Posts
    77

    Re: Remote Registry Editing

    Originally posted here by vynkz
    I have disabled remote registry editing on my computer, but my friend says he can still access it. We have this thing going in the lab to see how much we can mess with each other; did I miss something that enabled him to remote regedit my computer?
    There are some keys in the registry that can bypass the remote registry editing feature, as described in
    http://support.microsoft.com/kb/314837 "Bypassing the Access Restrictions That Are Set on the Registry Key".
    Another possible reason is that ports 135-139 and 445 are still open, and also the RPC service, 'cos I think remote registry
    uses RPC, if I am not wrong.

  8. #8
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi


    remote registry issue


    vynkz, we have an interesting issue here. Just to make it sure:

    Remote registry is disabled. There are no remote desktop programs,
    like vnc, RDC running, and most likely no backdoor is running.

    Do you have a proof that your friend really is able to modify the
    registry?

    What OS are we talking here about?


    remote registry internals


    Let me spend a few thoughts on the internal working of the remote
    registry, because in larger environments, it might be one method
    for administrative purposes. It is good to know how the service
    actually works. This is how I understand it:


    Remote registry indeed does use the RPC method for interprocess
    communication. RPC can make use of three methods to access a remote
    machine: [1]
    - Wsock32.dll (TCP Port 135 -> epmap, which is hosted by svchost.exe)
    - Netapi32.dll (NetBIOS, which itself uses NetBEUI, TCP/IP, ...)
    - named pipes (uses the redirector to establish connections)


    However, the RPC portmapper is not necessarily needed: using named pipes
    rather than sockets allows bypassing this identification process, e.g. [2]
    Code:
    Service   : Remote registry service
    Named pipe: winreg
    Interface : 338cd001-2244-31f1-aaaa-900038001003

    remote registry security


    The remote registry can be locked down, as described by the article [3]
    mentioned by ghostmachine. The "bypassing" method nevertheless is not
    a vulnerability. There has been a "recent" vulnerability for NT 4.0 to get
    around the access protection, however it required the service to be
    running [4]. In ancient times, there was a possibility of using null sessions
    and named pipes to get access to a remote registry, without actually needing
    an explicit remote registry service. But this is not possible anymore,
    as far as I know.



    Please keep us updated about the issue. Again: What is the OS? Do you
    have a proof of his claims?


    Cheers.




    [1] http://www.microsoft.com/resources/d...et/chptr1.mspx
    [2] http://www.hsc.fr/ressources/article...h04s05s03.html
    [3] http://support.microsoft.com/kb/314837
    [4] http://support.microsoft.com/kb/264684
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  9. #9
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    You can enable any service remotely with Computer Management console if you have administrative access to the remote computer.
    -Simon "SDK"

  10. #10
    Member
    Join Date
    Jul 2004
    Posts
    46
    Yes, he's not just claiming to have access, but he's also occasionally hiding my desktop (DWORD NoDesktop), hiding my drives (DWORD NoDrives), etc. We both have separate admin accounts also.
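An added example, not from any poster in this thread: a local PowerShell audit of the controls the replies above talk about, the Remote Registry service state (post #9 points out that anyone with admin rights can simply re-enable it), the winreg key ACL and its AllowedPaths bypass list from KB 314837 (post #8), the Explorer policy values the original poster saw being flipped (post #10), and who sits in the local Administrators group. It assumes Windows with PowerShell 5.1 or later, run elevated; Get-LocalGroupMember is only present on Windows 10 / Server 2016 and newer.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell 5.1+ session.
$winregKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$allowedKey  = Join-Path $winregKey 'AllowedPaths'
$explorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 1. Service state. A disabled service is only as good as the admin set that can
#    flip it back on remotely, so record Status and StartType together.
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
if ($svc) { "RemoteRegistry: Status=$($svc.Status) StartType=$($svc.StartType)" }
else      { "RemoteRegistry service not present" }

# 2. The winreg key ACL decides which accounts may open the registry remotely.
if (Test-Path $winregKey) {
    "winreg key ACL:"
    (Get-Acl -Path $winregKey).Access | ForEach-Object {
        "  {0,-40} {1,-20} {2}" -f $_.IdentityReference, $_.RegistryRights, $_.AccessControlType
    }
    # AllowedPaths\Machine (REG_MULTI_SZ) lists subtrees that stay reachable remotely
    # regardless of the winreg ACL; this is the "bypass" KB 314837 describes,
    # so every entry here deserves a second look.
    $allowed = Get-ItemProperty -Path $allowedKey -Name Machine -ErrorAction SilentlyContinue
    if ($allowed) {
        "AllowedPaths\Machine:"
        $allowed.Machine | ForEach-Object { "  $_" }
    }
} else { "winreg key missing: remote registry access is not restricted by ACL" }

# 3. Explorer policy values the poster saw being changed (NoDesktop, NoDrives).
if (Test-Path $explorerPol) {
    $pol = Get-ItemProperty -Path $explorerPol
    foreach ($name in 'NoDesktop', 'NoDrives') {
        $prop = $pol.PSObject.Properties[$name]
        if ($prop) { "Explorer policy $name = $($prop.Value) (SET: check who wrote it)" }
        else       { "Explorer policy $name not set" }
    }
} else { "No Explorer policy key present" }

# 4. Local admins: each member can re-enable the service or write these keys remotely.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { "Administrators member: $($_.Name) ($($_.ObjectClass))" }
```

Any unexpected entry in the winreg ACL, in AllowedPaths\Machine, or in the Administrators group explains "remote regedit disabled but still reachable" far more often than a hidden tool does.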
