Great! Helpful and thanks!
-----?ʼ?ԭ??-----
???: xxxxx@lists.osr.com [mailto:xxxxx@lists.
osr.com] ??? raj_r
???ʱ??: July 28, 2012 04:21
?ռ???: Kernel Debugging Interest List
???: Re: [windbg] Windbg command !reg
well you can dump them in old windbg too just a bit convoluted recursive
parsing is reqd
suppose you have a “FAMOUS AUTORUNS KEY” that starts a famous *ware
in target pc you can query it with reg.exe which would get you below
C:\>reg query hklm\software\microsoft\windows\currentversion\run\ /v
myregtest_f or_osr_question
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\
myregtest_for_osr_question REG_SZ c:\windows\system32\calc.exe
C:\>
in host pc you can use !reg command like this
kd> !reg findkcb
kd> \registry\machine\software\microsoft\windows\currentversion\run
Found KCB = e1b95468 ::
\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
kd> !reg kcb e1b95468
Key :
\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
RefCount : 1
Flags : CompressedName,
ExtFlags :
Parent : 0xe19ab0f8
KeyHive : 0xe16e85f0
KeyCell : 0x82fc60 [cell index]
TotalLevels : 7
DelayedCloseIndex: 2048
MaxNameLen : 0x0
MaxValueNameLen : 0x34
MaxValueDataLen : 0x46
LastWriteTime : 0x 1cd6c31:0x80f18b30
KeyBodyListHead : 0xe1b34744 0xe1b34744
SubKeyCount : 0
ValueCache.Count : 2
ValueList : 0x787ee0
ValueList[0] = 0xe170b75c [cellindex]
ValueList[1] = 0x0118fcd0
KCBLock : 0xe1b95468
KeyLock : 0xe1b95468
grab hiveaddr and cellindex from above
kd> !reg cellindex 0xe16e85f0 0x82fc60
Map = e16d0000 Type = 0 Table = 4 Block = 2f Offset = c60
MapTable = e16d9000
BlockAddress = c5d30000
pcell: c5d30c64
use the knode that was provided by cellindex
kd> !reg valuelist 0xe16e85f0 c5d30c64
Dumping ValueList of Key :
[Idx] [ValAddr] [ValueName]
[0] c5dd9c24 VPCUserServices
[1] c6690cd4 myregtest_for_osr_question
Use ‘!reg kvalue ’ to dump the value
kd> !reg kvalue c6690cd4
Signature: CM_KEY_VALUE_SIGNATURE (kv)
Name : myregtest_for_osr_question {compressed}
DataLength: 3a
Data : 118fd08 [cell index]
Type : 1
parse the cellindex again
kd> !reg cellindex 0xe16e85f0 118fd08
Map = e16d0000 Type = 0 Table = 8 Block = 18f Offset = d08
MapTable = e17f6000
BlockAddress = c6690000
pcell: c6690d0c
the value you need is below from the knode of second cellindex output
kd> du c6690d0c
c6690d0c “c:\windows\system32\calc.exe”
kd> g
hope it helps
On 7/25/12, Moore.Zhang wrote:
> I found the new version Windbg 6.2.8400 has some new parameters which
> can dump the value:
>
> ======================================================================
> ======
> ===============
> 0: kd> !reg q \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\services
> [SubKeyAddr] [SubKeyName]
> 9b817694 .NET CLR Data
>
> 0: kd> !reg keyinfo 8c41c008 9b817694
> [SubKeyAddr] [SubKeyName]
> 9b8176f4 Linkage
> 9b8176f4 Linkage
>
> 0: kd> !reg keyinfo 8c41c008 9b8176f4
> KeyPath \REGISTRY\MACHINE\SYSTEM\ControlSet001\services.NET CLR
> Data\Linkage
> [ValueType] [ValueName] [ValueData]
> REG_SZ Export
> 2e,00,4e,00,45,00,54,00,20,00,43,00,4c,00,52,00,20,00,44,00,61,00,74,0
> 0,61,0
> 0,00,00,00,00
> ======================================================================
> ======
> ===============
>
> -----?ʼ?ԭ??-----
> ???: Moore.Zhang [mailto:xxxxx@gmail.com]
> ???ʱ??: July 25, 2012 21:36
> ?ռ???: ‘Kernel Debugging Interest List’
> ???: [windbg] Windbg command !reg
>
> Any one has used the !reg command in Kdexts.dll to read target
> machine’s registry? I find this command today and try to read reg
> value. But there’s something I don’t know how to do.
>
> It has a parameter of ‘kvalue’ with a address of value. But I can’t
> find any place I can get the ‘address’. I first use the ‘hivelist’
> parameter to list the hives, and then use parameter ‘openkeys’ to list
> all the sub keys in a hive. But all those listed info doesn’t contains
> value address. Anyone has such experience? Thanks!
>
>
> 1: kd> !reg hivelist
>
> ----------------------------------------------------------------------
> ------
> ---------------------------------
> | HiveAddr |Stable Length|Stable Map|Volatile Length|Volatile
> Map|MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName
> ----------------------------------------------------------------------
> ------
> ---------------------------------
> | 8c40c370 | 1000 | 8c40c3ec | 0 | 00000000 |
0
> | 0 | 0| 8c40e000 |
> | 8c41c008 | 1393000 | 8c426000 | 1d000 | 8c41c1c0 |
0
> | 0 | 0| 8c41d000 | SYSTEM
> | 8c4477c8 | 14000 | 8c447844 | 4000 | 8c447980 |
0
> | 0 | 0| 8c450000 |
> ----------------------------------------------------------------------
> ------
> ---------------------------------
>
> 1: kd> !reg openkeys 8c40c370
>
> Hive: \REGISTRY
> ======================================================================
> ======
> ===============
> Index 15: d936a631 kcb=8c41b008 cell=00000020 f=002c0000 \REGISTRY
> Index 18: bd68092e kcb=8c41b0a8 cell=00000120 f=00200000
> \REGISTRY\MACHINE
>
> 0x2 keys found
> ======================================================================
> ======
> ===============
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
—
WINDBG is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer