Windows Registry file edited with two different tools, different results

1

1

I am trying two different tools to edit and remove all nodes from a Windows registry hive:

  • chntpw which was essentially designed to edit password (SAM) files, but now has an interactive shell to edit registry files.

  • hivex which is more up-to-date and primarily intended for general purpose registry editing.

Just to have an idea about differences between these programs, I took my BCD file (which is used by the Windows Boot Manager), and used both of these programs to delete all the nodes.

As expected, the resulting files have the same size but are not identical. When I opened each with either hivex or chntpw, both editors show 0 nodes for both files.

However, when I open hivex's file, a file which supposedly has 0 nodes, I see leftover data from its previous state.

Conversely, chntpw's result does not have any residual data from the nodes.

Now, I am currently educating myself about the registry file format, so I must ask:

If I were to use one, which one should I choose? I obviously want to simulate the behavior of Microsoft's parser/writer most realistically (I want to be able to fool those). So does the leftover data have any significance; would the Windows Boot Manager give any errors if I use hivex to create a faux BCD file?

PS: The question is independent of my primary purpose, which I hope was made clear: I want to fix/create the BCD (Boot Config Data) file without using the official Windows installer. So if you have any advice in that direction, feel free to give it.

osolmaz

Posted 2014-03-21T19:21:41.680

Reputation: 203

Question was closed 2014-05-01T04:42:33.087

The "best" tool for editing an MS registry is MS' registry editing tools. ;) As-is this question is actually hard to determine: Do you want to know WHY they produce different results, or do you actually want to figure out how to edit the BCD? – Ƭᴇcʜιᴇ007 – 2014-03-21T19:25:42.617

I want to know why, and if it has any effects regarding my purpose. Also, I intend to use one of the tools' library to create a standalone program which fixes BCD files, so using regedit is out of question. – osolmaz – 2014-03-21T19:43:47.960

Only the authors of the program can answer why the output is different – Ramhound – 2014-03-21T19:59:09.730

Right, but maybe somebody who understands the format better than me may explain whether this is a problem or not. – osolmaz – 2014-03-21T20:12:30.720

Why not just use bcdedit? – nhinkle – 2014-05-01T04:43:05.757

Answers

2

Hivex is explicitly designed not to remove old data from the file. This is an important goal because the registry hive format is undocumented and no one except MSFT really understands how it works, and we don't want to destroy data in the process of making changes.

Note this does not mean that hivex can't delete nodes. You can delete nodes through the API and those nodes won't be seen by regular Windows registry calls, but no data is scrubbed/removed/truncated from the underlying file.

If you want an empty hive file, I suggest starting with an empty hive file. There is an empty hive file in the hivex source code (called 'minimal') which you can use.

Rich

Posted 2014-03-21T19:21:41.680

Reputation: 136
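The difference the question observed (same file size, one file with leftover node bytes, one without) and the answer's point (a node can be unreachable from the key tree while its bytes remain in the file) both come down to the cell allocation state inside a hive bin. The following added example, which is not code from this thread, from hivex or from chntpw, builds a small constructed `regf` hive from the publicly described layout (base block, one `hbin`, `nk` cells with a negative size when allocated and positive when free), then applies two simplified models of the outcomes described above, "mark the cell free and leave the bytes" versus "mark it free and zero the bytes", and walks every cell to report free cells that still carry a record signature. The two delete functions are assumptions modelled on the thread's observations, not the tools' actual logic, and the sample hive does not wire up subkey or value lists, so it is a scanner test fixture rather than a hive Windows would load.

```python
import struct

HEADER_SIZE = 4096   # the regf base block is always one 4 KiB page
HBIN_SIZE = 4096     # smallest hive bin: one page
KNOWN_SIGS = {b"nk", b"vk", b"sk", b"lf", b"lh", b"li", b"ri", b"db"}

def _regf_checksum(buf) -> int:
    # XOR of the 127 little-endian uint32 words that precede the checksum field at offset 508.
    x = 0
    for i in range(0, 508, 4):
        x ^= struct.unpack_from("<I", buf, i)[0]
    return x

def header_checksum_ok(hive) -> bool:
    return struct.unpack_from("<I", hive, 508)[0] == _regf_checksum(hive)

def _nk_record(name: str, flags: int, parent: int) -> bytes:
    # 76-byte fixed part of a key node; unused list/offset fields hold 0xFFFFFFFF (none).
    rec = bytearray(76)
    rec[0:2] = b"nk"
    struct.pack_into("<H", rec, 2, flags)
    struct.pack_into("<I", rec, 16, parent)
    for off in (28, 32, 40, 44, 48):
        struct.pack_into("<I", rec, off, 0xFFFFFFFF)
    struct.pack_into("<H", rec, 72, len(name))
    return bytes(rec) + name.encode("ascii")

def _cell(payload: bytes) -> bytes:
    # Allocated cell: negative int32 size (rounded up to 8) followed by the record.
    size = (4 + len(payload) + 7) & ~7
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")

ROOT_CELL = HEADER_SIZE + 0x20                       # first cell of the first hbin
CHILD_CELL = ROOT_CELL + len(_cell(_nk_record("ROOT", 0x2C, 0xFFFFFFFF)))

def build_minimal_hive() -> bytearray:
    """Constructed sample: base block + one hbin holding a root 'nk', a child 'nk'
    and one free cell. Subkey/value lists are deliberately not wired up."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, 1, 1)            # primary/secondary sequence numbers
    struct.pack_into("<III", hdr, 20, 1, 3, 0)       # major 1, minor 3, type 0 (primary)
    struct.pack_into("<I", hdr, 32, 1)               # format: direct memory load
    struct.pack_into("<I", hdr, 36, 0x20)            # root cell offset, relative to first hbin
    struct.pack_into("<I", hdr, 40, HBIN_SIZE)       # total hive-bin data size
    struct.pack_into("<I", hdr, 44, 1)               # clustering factor
    hdr[48:48 + 22] = "example.hiv".encode("utf-16-le")   # constructed file name
    struct.pack_into("<I", hdr, 508, _regf_checksum(hdr))

    hb = bytearray(0x20)
    hb[0:4] = b"hbin"
    struct.pack_into("<II", hb, 4, 0, HBIN_SIZE)     # offset of this bin, size of this bin
    hb += _cell(_nk_record("ROOT", 0x2C, 0xFFFFFFFF))
    hb += _cell(_nk_record("Deleted", 0x20, 0x20))
    hb += struct.pack("<i", HBIN_SIZE - len(hb))     # remaining space: one free (positive) cell
    return hdr + hb.ljust(HBIN_SIZE, b"\0")

def free_cell_keep_bytes(hive: bytearray, cell: int) -> None:
    """Model (assumption) of the outcome reported for hivex: the cell is no longer
    allocated, but every byte of the record stays in the file."""
    size = struct.unpack_from("<i", hive, cell)[0]
    if size >= 0:
        raise ValueError("cell is not allocated")
    struct.pack_into("<i", hive, cell, -size)

def free_cell_zero_bytes(hive: bytearray, cell: int) -> None:
    """Model (assumption) of the outcome reported for chntpw: freed and zeroed."""
    size = struct.unpack_from("<i", hive, cell)[0]
    if size >= 0:
        raise ValueError("cell is not allocated")
    hive[cell + 4:cell - size] = b"\0" * (-size - 4)
    struct.pack_into("<i", hive, cell, -size)

def scan_cells(hive):
    """Walk every hbin and every cell; return (absolute offset, allocated?, signature)."""
    if hive[0:4] != b"regf":
        raise ValueError("not a regf hive")
    end = HEADER_SIZE + struct.unpack_from("<I", hive, 40)[0]
    out, pos = [], HEADER_SIZE
    while pos < end:
        if hive[pos:pos + 4] != b"hbin":
            raise ValueError(f"bad hbin signature at {pos:#x}")
        bin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        cell = pos + 0x20
        while cell < pos + bin_size:
            size = struct.unpack_from("<i", hive, cell)[0]
            if size == 0 or size % 8 or cell + abs(size) > pos + bin_size:
                raise ValueError(f"corrupt cell size {size} at {cell:#x}")
            sig = bytes(hive[cell + 4:cell + 6])
            out.append((cell, size < 0, sig if sig in KNOWN_SIGS else b""))
            cell += abs(size)
        pos += bin_size
    return out

def residual_records(hive):
    """Free cells that still carry a record signature: the 'leftover data' in the question."""
    return [(off, sig) for off, alloc, sig in scan_cells(hive) if not alloc and sig]

if __name__ == "__main__":
    hive = build_minimal_hive()
    free_cell_keep_bytes(hive, CHILD_CELL)
    for off, sig in residual_records(hive):
        print(f"free cell at {off:#x} still holds a {sig.decode()} record")
```

Running the script reports the freed child cell because its `nk` signature is still present even though no allocated cell references it; applying `free_cell_zero_bytes` instead yields an empty report, and in both cases the file length is unchanged, which matches the "same size, different bytes" observation. For forensic review of a hive edited by a third-party tool, this free-cell walk is the check that tells you whether deleted keys are recoverable from slack; for producing a clean file, the answer's advice of starting from an empty hive avoids the question entirely.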