病毒安全知识,电脑网络技术,手工杀毒方法,答疑解决笔记

导航

« EXCEL使用绝对引用,避免复制公式变化“usp10.dll”木马病毒(又称猫癣、犇牛、输入法杀手) »

使用regini.exe修改注册表及注册表权限

一、如何得到regini.exe

  在Windows XP安装光盘中,找到I386目录下的regini.ex_文件,用expand.exe命令提取出regini.exe,命令如下:

"%SystemRoot%\System32\EXPAND.EXE" "\\?\CDROM0\I386\REGINI.EX_" "C:\regini.exe"  

然后从C盘下将生成的regini.exe文件复制到你需要的地方。建议:不要从非信任的网站下载regini.exe。

二、简单举例

  先打开regedit.exe,以便观看每步产生的变化,将如下内容复制到记事本中,保存为example01.txt、example02.txt文件,然后用如下命令:

REGINI.EXE example01.txt

REGINI.EXE example02.txt


::::::: example01.txt :::::::::: 不要复制我,我是分割线开始 ::::::::::::::::::::

HKEY_CURRENT_USER\example0

HKEY_CURRENT_USER\example0
"example1" = REG_DWORD 1

HKEY_CURRENT_USER\example0
"example2" = REG_SZ "This is an example!"

HKEY_CURRENT_USER\example0
"example3" = REG_MULTI_SZ "This is the first line!" "This is the second line!" "This is the third line!"

HKEY_CURRENT_USER\example0
"example4" = REG_EXPAND_SZ "This is an example! This is an example! This is an example! This is an example! This is an example!"

::::::: example01.txt :::::::::: 不要复制我,我是分割线结束 ::::::::::::::::::::


::::::: example02.txt :::::::::: 不要复制我,我是分割线开始 ::::::::::::::::::::

HKEY_CURRENT_USER\example0 [2 8 19]

::::::: example02.txt :::::::::: 不要复制我,我是分割线结束 ::::::::::::::::::::


修改第一个脚本,再运行试试:

REGINI.EXE example01.txt

没反应,看来已经起作用了,键值变成只读的了!

三、权限代码表

 1  - Administrators 完全访问
 2  - Administrators 读取访问
 3  - Administrators 读取、写入访问
 4  - Administrators 读取、写入、删除访问

 5  - Creator 完全访问
 6  - Creator 读取、写入访问

 7  - everyone 完全访问
 8  - everyone 读取访问
 9  - everyone 读取、写入访问
 10 - everyone 读取、写入、删除访问

 11 - Power Users 完全访问
 12 - Power Users 读取、写入访问
 13 - Power Users 读取、写入、删除访问

 14 - System Operators 完全访问
 15 - System Operators 读取、写入访问
 16 - System Operators 读取、写入、删除访问

 17 - System 完全访问
 18 - System 读取、写入访问
 19 - System 读取访问

 20 - Administrators 读取、写入、执行访问

 21 - Interactive User 完全访问
 22 - Interactive User 读取、写入访问
 23 - Interactive User 读取、写入、删除访问

四、运用在哪里

  装好系统、杀毒软件后,删除一些服务键、修改一些自启动键、文件关联键的权限等等。但是话又说回来了,既然我们可以轻松的修改权限,那么病毒也可以修改回去,防范的方法是转移regini.exe文件,再利用注册表监测软件。将某个注册表监测软件改个名称,最好再加个壳(不是防杀毒软件,而是防病毒恶意终止),加在服务中,一旦有修改就报警。

五、英文帮助

  这部分是从网站找的,作者不详,仅供参考:

Usage: REGINI [-m machinename | -h hivefile hiveroot | -w Win95 Directory] [-i n] [-o outputWidth] [-b] textFiles...

-m specifies a remote windows NT machine whose registry is to be manipulated.

-h specifies a specify local hive to manipulate.

-w specifies the paths to a windows 95 system.dat and user.dat files

-i n specifies the display indentation multiple. Default is 4

-o outputWidth specifies how wide the output is to be. By default the outputWidth is set to
   the width of the console window if standard output has not been redirected to a file.
   In the latter case, an outputWidth of 240 is used.

-b specifies that REGINI should be backward compatible with older versions of REGINI that
   did not strictly enforce line continuations and quoted strings Specifically, REG_BINARY,
   REG_RESOURCE_LIST and REG_RESOURCE_REQUIREMENTS_LIST data types did not need line
   continuations after the first number that gave the size of the data.
   It just kept looking on following lines until it found enough data values to equal the
   data length or hit invalid input. Quoted strings were only allowed in REG_MULTI_SZ.
   They could not be specified around key or value names, or around values for REG_SZ or
   REG_EXPAND_SZ Finally, the old REGINI did not support the semicolon as an end of line
   comment character.

textFiles is one or more ANSI or Unicode text files with registry data.

The easiest way to understand the format of the input textFile is to use the REGDMP
command with no arguments to dump the current contents of your NT Registry to standard
out. Redirect standard out to a file and this file is acceptable as input to REGINI

Some general rules are:
Semicolon character is an end-of-line comment character, provided it is the first
non-blank character on a line

Backslash character is a line continuation character. All characters from the backslash
up to but not including the first non-blank character of the next line are ignored.
If there is more than one space before the line continuation character, it is replaced
by a single space.

Indentation is used to indicate the tree structure of registry keys. The REGDMP program
uses indentation in multiples of 4. You may use hard tab characters for indentation,
but embedded hard tab characters are converted to a single space regardless of their
position.

Values should come before child keys, as they are associated with the previous key at
or above the value's indentation level.

For key names, leading and trailing space characters are ignored and not included in
the key name, unless the key name is surrounded by quotes. Imbedded spaces are part of
a key name.

Key names can be followed by an Access Control List (ACL) which is a series of decimal
numbers, separated by spaces, bracketed by a square brackets (e.g. [8 4 17]).
The valid numbers and their meanings are:

1  - Administrators Full Access
2  - Administrators Read Access
3  - Administrators Read and Write Access
4  - Administrators Read, Write and Delete Access
5  - Creator Full Access
6  - Creator Read and Write Access
7  - World Full Access
8  - World Read Access
9  - World Read and Write Access
10 - World Read, Write and Delete Access
11 - Power Users Full Access
12 - Power Users Read and Write Access
13 - Power Users Read, Write and Delete Access
14 - System Operators Full Access
15 - System Operators Read and Write Access
16 - System Operators Read, Write and Delete Access
17 - System Full Access
18 - System Read and Write Access
19 - System Read Access
20 - Administrators Read, Write and Execute Access
21 - Interactive User Full Access
22 - Interactive User Read and Write Access
23 - Interactive User Read, Write and Delete Access

If there is an equal sign on the same line as a left square bracket then the equal
sign takes precedence, and the line is treated as a registry value. If the text
between the square brackets is the string DELETE with no spaces, then REGINI will
delete the key and any values and keys under it.

For registry values, the syntax is:

value Name = type data

Leading spaces, spaces on either side of the equal sign and spaces between the type
keyword and data are ignored, unless the value name is surrounded by quotes. If the
text to the right of the equal sign is the string DELETE, then REGINI will delete the
value.

The value name may be left off or be specified by an at-sign character which is the
same thing, namely the empty value name. So the following two lines are identical:

= type data
@ = type data

This syntax means that you can't create a value with leading or trailing spaces,
an equal sign or an at-sign in the value name, unless you put the name in quotes.

Valid value types and format of data that follows are:

REG_SZ text
REG_EXPAND_SZ text
REG_MULTI_SZ "string1" "string2" ...
REG_DATE mm/dd/yyyy HH:MM DayOfWeek
REG_DWORD numberDWORD
REG_BINARY numberOfBytes numberDWORD(s)...
REG_NONE (same format as REG_BINARY)
REG_RESOURCE_LIST (same format as REG_BINARY)
REG_RESOURCE_REQUIREMENTS (same format as REG_BINARY)
REG_RESOURCE_REQUIREMENTS_LIST (same format as REG_BINARY)
REG_FULL_RESOURCE_DESCRIPTOR (same format as REG_BINARY)
REG_QWORD numberQWORD
REG_MULTISZ_FILE fileName
REG_BINARYFILE fileName

If no value type is specified, default is REG_SZ

For REG_SZ and REG_EXPAND_SZ, if you want leading or trailing spaces in the value
text, surround the text with quotes. The value text can contain any number of
imbedded quotes, and REGINI will ignore them, as it only looks at the first and
last character for quote characters.

For REG_MULTI_SZ, each component string is surrounded by quotes. If you want an
imbedded quote character, then double quote it, as in string2 above.

For REG_BINARY, the value data consists of one or more numbers. The default base
for numbers is decimal.
Hexidecimal may be specified by using 0x prefix. The first number is the number
of data bytes, excluding the first number. After the first number must come enough
numbers to fill the value.
Each number represents one DWORD or 4 bytes. So if the first number was 0x5 you
would need two more numbers after that to fill the 5 bytes. The high order 3 bytes
of the second DWORD would be ignored.

Whenever specifying a registry path, either on the command line or in an input file,
the following prefix strings can be used:

HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_USER
USER:

Each of these strings can stand alone as the key name or be followed a backslash
and a subkey path.

REGINI: No textFile specified

以上转载于:http://www.blogjava.net/needjava/archive/2007/07/25/132382.html

另一篇:使用命令修改注册表键值及权限

在对电脑安全配置或杀毒过程中,你可能需要对注册表的某些项进行权限的修改,以便进行管理,如对注册表中的启动项授予只读权限,这样可以避免病毒的感染随开机自动启动。

regini命令就是这样一个专门修改键值以及权限的命令。
regini命令格式为:
regini regini.ini
这个命令需要一个ini文件,其中regini.ini的格式为:

注册表项 [更改的权限]
注册表键数值=键值
例如:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
test = c:\windows\system32\test.exe
该ini用来在run中添加一个test的启动值。

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [17 20]
该ini分别设置 Administrators组及System用户对注册表
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
拥有完全访问权限

以下是对应的权限代码 (略,同上)

需要注意的是,regini修改的权限,不能使用regedit中的权限选项来修改。
同时regini使用的键值的数值类型,不能是注册表导出的而是示的类型,如dword,以下是可用的类型:
REG_SZ 标准字符串
REG_EXPAND_SZ 一个包含未扩展环境变量的字符串
REG_MULTI_SZ 多字符串
REG_DATE 日期
REG_DWORD 32位整数
REG_BINARY 二进制数据
REG_NONE 无类型数值,类似于REG_BINARY
REG_RESOURCE_LIST 设备驱动资源列表,类似于REG_BINARY
REG_RESOURCE_REQUIREMENTS 类似于REG_BINARY
REG_RESOURCE_REQUIREMENTS_LIST 类似于REG_BINARY
REG_FULL_RESOURCE_DESCRIPTOR 类似于REG_BINARY
REG_QWORD 四字节数据
REG_MULTISZ_FILE 文件名
REG_BINARYFILE 二进制文件名
不指定类型的情况下,默认类型为REG_SZ.
例如,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run [1]
"test1"= REG_DWORD 1
"test2"= REG_DWORD 4
"test3"= "hello"
这将会在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run增加三项,并将run的权限设定为administrator完全控制即可!

以上转载于“新手无毒”


>> 除非说明均为原创,如转载请注明来源于http://www.stormcn.cn/post/240.html

发表评论(无须注册,所有评论在审核通过后显示):

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

  • 微信订阅号
    微信订阅

最新发表

最新评论及回复

本站出现的所有广告均不代表本人及本站观点立场 | 关于我 | 网站地图 | 联系邮箱 | 返回顶部
Copyright 2008-2020 www.stormcn.cn. All Rights Reserved. Powered By Z-Blog. 闽ICP备09000343号

闽公网安备 35010202000133号