Remote Registry Editing

**vynkz** · March 21st, 2005, 07:38 PM

I have disabled remote registry editing on my computer but my friend says he can still access it. We have this thing going in the lab to see how much we can mess with eachother, did i miss something that enabled him to remote regedit my computer?

***morganlefay*** · March 21st, 2005, 07:40 PM

Does he know your admin password or have admin rights to your machine???

MLF

***XTC46*** · March 21st, 2005, 07:46 PM

OR he is lying to throw you off guard. Just a thought. Also, did you disable remote desktop also? and make sure he didnt throw VNC or something like that on your computer?

**rowdy_yates** · March 21st, 2005, 08:02 PM

Hi. Check to make sure you don't have "Terminal Services" enabled. Run services.msc and sort by "Started"

You may find this fellow's web site of use.
http://www.blackviper.com/WinXP/servicecfg.htm

**scratchONtheBOX** · March 21st, 2005, 11:21 PM

We have this thing going in the lab to see how much we can mess with eachother

- Exactly what lab are you talking about? I asked because I first think of it as school lab (don't mess with it if you are not permitted to), although you had mentioned "my computer". Just a thought.

Since this question, if answered would benefit you to learn securing your BoX, (aside from the above-mentioned tips by the AO guys) you can start with HJT (hijackthis - http://www.antionline.com/showthread...hreadid=265467) and check it. You can place the LOG here afterwards to see more details of what's going on with your BoX.

Yo!

**vynkz** · March 22nd, 2005, 01:12 PM

Yes i have terminal services, remote desktop disabled so he wouldn't be able to go in and reenable remote regediting. We also aren't using any third party software so no there's nothing he planted, i was wondering if there was a built in windows utility he used to bypass the "no remote regedit". Cool thanks for the help guys, il try hjackthis tonight.

**ghostmachine** · March 23rd, 2005, 03:41 PM

Originally posted here by vynkz
I have disabled remote registry editing on my computer but my friend says he can still access it. We have this thing going in the lab to see how much we can mess with eachother, did i miss something that enabled him to remote regedit my computer?

there are some keys in the registry that can bypass the remote registry editing feature as described in
http://support.microsoft.com/kb/314837 "Bypassing the Access Restrictions That Are Set on the Registry Key"
Another possible reason is port 135-139,445 are still open..and also RPC service, cos i think remote registry
use RPC, if i am not wrong..

***sec_ware*** · March 25th, 2005, 12:30 AM

Hi

remote registry issue

vynkz, we have an interesting issue here. Just to make it sure:

Remote registry is disabled. There are no remote desktop programs,
like vnc, RDC running, and most likely no backdoor is running.

Do you have a proof that your friend really is able to modify the
registry?

What OS are we talking here about?

remote registry internals

Let me spend a few thoughts on the interal working of the remote
registry, because in larger environments, it might be one method
for administrative purposes. It is good to know, how the service
actually works. This is how I understand it:

Remote registry indeed does use the RPC method for interprocess
communication. RPC can make use of three methods to access a remote
machine: [1]
- Wsock32.dll (TCP Port 135 -> epmap, which is hosted by svchost.exe)
- Netapi32.dll (NetBIOS, which itself uses NetBEUI, TCP/IP, ...)
- named pipes (uses the redirector to establish connections)

However, the RPC portmapper is not necessarily needed: Using named pipes
rather than sockets allows to bypass this identification process, e.g.[2]

Code:

Service   : Remote registry service    
Named pipe: winreg
Interface : 338cd001-2244-31f1-aaaa-900038001003

remote registry security

The remote registry can be locked down, as described by the article[3]
mentioned by ghostmachine. The "bypassing"-method nevertheless is not
a vulnerability. There has been a "recently" vulnerability for NT4.0 to get
around the access protection, however it was needed to have the service
running[4]. In ancient times, there was a possiblity of using null sessions
and named pipes to get access to a remote registry, without actually needing
an explicit remote registry service. But this is not possible anymore,
as far as I know.

Please keep us updated about the issue. Again: What is the OS? Do you
have a proof of his claims?

Cheers.

[1] http://www.microsoft.com/resources/d...et/chptr1.mspx
[2] http://www.hsc.fr/ressources/article...h04s05s03.html
[3] http://support.microsoft.com/kb/314837
[4] http://support.microsoft.com/kb/264684

***SDK*** · March 25th, 2005, 01:50 AM

You can enable any service remotely with Computer Management console if you have administrative access to the remote computer.

**vynkz** · March 25th, 2005, 01:06 PM

Yes, he's not just claiming to have access but he's also occasionally hiding my desktop(dword NoDesktop), hiding my drives(dword NoDrives), etc. We both have separate admin accounts also.

Thread: Remote Registry Editing

Thread Tools

Display

Remote Registry Editing

?

Re: Remote Registry Editing

Posting Permissions