
Thread: Remote Registry Editing

  1. #1
    Join Date
    Jul 2004

    Remote Registry Editing

    I have disabled remote registry editing on my computer, but my friend says he can still access it. We have this thing going in the lab to see how much we can mess with each other. Did I miss something that enabled him to remote regedit my computer?

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Does he know your admin password or have admin rights to your machine???

    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Senior Member
    Join Date
    May 2003
    OR he is lying to throw you off guard. Just a thought. Also, did you disable Remote Desktop too? And make sure he didn't throw VNC or something like that on your computer.
    Everyone is going to die, I am just as good of a reason as any.


  4. #4
    Senior Member
    Join Date
    Dec 2004
    Hi. Check to make sure you don't have "Terminal Services" enabled. Run services.msc and sort by "Started".

    You may find this fellow's web site of use.

  5. #5
    Senior Member
    Join Date
    Jan 2005


    We have this thing going in the lab to see how much we can mess with each other
    - Exactly what lab are you talking about? I ask because my first thought is a school lab (don't mess with it if you are not permitted to), although you did mention "my computer". Just a thought.

    Since answering this question would help you learn to secure your BoX (aside from the above-mentioned tips by the AO guys), you can start with HJT (HijackThis - http://www.antionline.com/showthread...hreadid=265467) and check it. You can post the LOG here afterwards to see more details of what's going on with your BoX.

    "Life without FREEDOM is no life at all". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)

  6. #6
    Join Date
    Jul 2004
    Yes, I have Terminal Services and Remote Desktop disabled, so he wouldn't be able to go in and re-enable remote regediting. We also aren't using any third-party software, so no, there's nothing he planted. I was wondering if there was a built-in Windows utility he used to bypass the "no remote regedit". Cool, thanks for the help guys, I'll try HijackThis tonight.

  7. #7
    Join Date
    Jun 2004

    Re: Remote Registry Editing

    Originally posted here by vynkz
    I have disabled remote registry editing on my computer, but my friend says he can still access it. We have this thing going in the lab to see how much we can mess with each other. Did I miss something that enabled him to remote regedit my computer?
    There are some keys in the registry that can bypass the remote registry editing feature, as described in
    http://support.microsoft.com/kb/314837 "Bypassing the Access Restrictions That Are Set on the Registry Key".
    Another possible reason is that ports 135-139 and 445 are still open, and also the RPC service, because I think remote registry
    uses RPC, if I am not wrong.

  8. #8
    Senior Member
    Join Date
    Mar 2004

    remote registry issue

    vynkz, we have an interesting issue here. Just to make it sure:

    Remote registry is disabled. There are no remote desktop programs,
    like vnc, RDC running, and most likely no backdoor is running.

    Do you have proof that your friend really is able to modify the

    What OS are we talking here about?

    remote registry internals

    Let me spend a few thoughts on the internal working of the remote
    registry, because in larger environments it might be one method
    for administrative purposes. It is good to know how the service
    actually works. This is how I understand it:

    Remote registry indeed does use the RPC method for interprocess
    communication. RPC can make use of three methods to access a remote
    machine: [1]
    - Wsock32.dll (TCP Port 135 -> epmap, which is hosted by svchost.exe)
    - Netapi32.dll (NetBIOS, which itself uses NetBEUI, TCP/IP, ...)
    - named pipes (uses the redirector to establish connections)

    However, the RPC portmapper is not necessarily needed: using named pipes
    rather than sockets allows bypassing this identification process, e.g.[2]
    Service   : Remote registry service
    Named pipe: winreg
    Interface : 338cd001-2244-31f1-aaaa-900038001003

    remote registry security

    The remote registry can be locked down, as described by the article[3]
    mentioned by ghostmachine. The "bypassing" method nevertheless is not
    a vulnerability. There was a "recent" vulnerability for NT 4.0 to get
    around the access protection; however, it required the service to be
    running[4]. In ancient times, there was a possibility of using null sessions
    and named pipes to get access to a remote registry, without actually needing
    an explicit remote registry service. But this is not possible anymore,
    as far as I know.

    Please keep us updated about the issue. Again: what is the OS? Do you
    have proof of his claims?


    [1] http://www.microsoft.com/resources/d...et/chptr1.mspx
    [2] http://www.hsc.fr/ressources/article...h04s05s03.html
    [3] http://support.microsoft.com/kb/314837
    [4] http://support.microsoft.com/kb/264684
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  9. #9
    AO French Antique News Whore
    Join Date
    Aug 2001
    You can enable any service remotely with Computer Management console if you have administrative access to the remote computer.
    -Simon "SDK"

  10. #10
    Join Date
    Jul 2004
    Yes, he's not just claiming to have access; he's also occasionally hiding my desktop (DWORD NoDesktop), hiding my drives (DWORD NoDrives), etc. We both have separate admin accounts as well.
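    The points raised in #8 (the winreg pipe and its lock-down key from KB 314837, the RPC/SMB ports), #9 (anyone with admin rights can re-enable the service) and #10 (the NoDesktop/NoDrives policy values) can be checked from the defending side in one pass. The script below is an added example written for this thread, not code from any poster; it assumes a current Windows with PowerShell 5+ (Get-NetTCPConnection and Get-LocalGroupMember), run elevated on the machine being checked, and uses only Microsoft-documented service, key and value names.

```powershell
# Added audit script (not from the thread). Assumes Windows 8/10+ with PowerShell 5 or newer, run elevated.
$report = [ordered]@{}

# 1. Remote Registry service: is it running, and can it be started again remotely?
$svc = Get-CimInstance Win32_Service -Filter "Name='RemoteRegistry'"
$report['RemoteRegistry.State']     = $svc.State       # Running / Stopped
$report['RemoteRegistry.StartMode'] = $svc.StartMode   # 'Disabled' blocks a remote 'sc start'

# 2. The winreg key that gates remote registry access (KB 314837) and its AllowedPaths exceptions.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
if (Test-Path $winreg) {
    $acl = Get-Acl -Path $winreg
    # Every identity with Full Control here may read and write the registry over the winreg pipe.
    $report['winreg.FullControl'] = ($acl.Access |
        Where-Object { $_.RegistryRights -match 'FullControl' } |
        ForEach-Object { $_.IdentityReference.Value }) -join ', '
    # AllowedPaths\Machine lists paths that are reachable even for identities not in the ACL.
    $ap = Get-ItemProperty -Path "$winreg\AllowedPaths" -ErrorAction SilentlyContinue
    $report['winreg.AllowedPaths'] = ($ap.Machine -join '; ')
}
else {
    $report['winreg.Key'] = 'missing: remote registry access is not restricted by this ACL'
}

# 3. RPC endpoint mapper and NetBIOS/SMB listeners named in #7 and #8 (135, 139, 445).
$listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 135,139,445 } |
    Select-Object -ExpandProperty LocalPort -Unique
$report['ListeningPorts'] = ($listen | Sort-Object) -join ', '

# 4. The Explorer policy values the poster saw flipped, checked per user and per machine.
foreach ($hive in 'HKCU','HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    $report["$hive.NoDesktop"] = if ($null -ne $p.NoDesktop) { $p.NoDesktop } else { 'not set' }
    $report["$hive.NoDrives"]  = if ($null -ne $p.NoDrives)  { $p.NoDrives  } else { 'not set' }
}

# 5. Local administrators: each of these can re-enable the service or edit the registry remotely (#9).
$report['LocalAdmins'] = (Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name }) -join ', '

[pscustomobject]$report | Format-List
```

    A second admin account on the box (as in #10) shows up in the LocalAdmins line and explains the access on its own, regardless of the service state.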
