Modifying the registry with regini.exe
1. How to get regini.exe
The command is built into the system. If it is missing, extract it as follows:
On the Windows XP installation CD (try it yourself for other versions), find the file regini.ex_ in the I386 directory and extract regini.exe from it with expand.exe, using this command:
"%SystemRoot%\System32\EXPAND.EXE" "\\?\CDROM0\I386\REGINI.EX_" "C:\regini.exe"
Then copy the generated regini.exe from the C: drive to wherever you need it.
Recommendation: do not download regini.exe from untrusted websites.
2. A simple example
First open regedit.exe so you can watch the change produced by each step. Copy the following content into Notepad, save it as example01.txt and example02.txt, and then run these commands:
REGINI.EXE example01.txt
REGINI.EXE example02.txt
::::::: example01.txt :::::::::: do not copy me, I am the start separator ::::::::::::::::::::
HKEY_CURRENT_USER\example0
HKEY_CURRENT_USER\example0
"example1" = REG_DWORD 1
HKEY_CURRENT_USER\example0
"example2" = REG_SZ "This is an example!"
HKEY_CURRENT_USER\example0
"example3" = REG_MULTI_SZ "This is the first line!" "This is the second line!" "This is the third line!"
HKEY_CURRENT_USER\example0
"example4" = REG_EXPAND_SZ "This is an example! This is an example! This is an example! This is an example! This is an example!"
::::::: example01.txt :::::::::: do not copy me, I am the end separator ::::::::::::::::::::
::::::: example02.txt :::::::::: do not copy me, I am the start separator ::::::::::::::::::::
HKEY_CURRENT_USER\example0 [2 8 19]
::::::: example02.txt :::::::::: do not copy me, I am the end separator ::::::::::::::::::::
Now edit the first script and try running it again:
REGINI.EXE example01.txt
Nothing happens: the ACL has evidently taken effect and the key and its values are now read-only!
3. Permission code table
1 - Administrators full access
2 - Administrators read access
3 - Administrators read and write access
4 - Administrators read, write and delete access
5 - Creator full access
6 - Creator read and write access
7 - Everyone full access
8 - Everyone read access
9 - Everyone read and write access
10 - Everyone read, write and delete access
11 - Power Users full access
12 - Power Users read and write access
13 - Power Users read, write and delete access
14 - System Operators full access
15 - System Operators read and write access
16 - System Operators read, write and delete access
17 - System full access
18 - System read and write access
19 - System read access
20 - Administrators read, write and execute access
21 - Interactive User full access
22 - Interactive User read and write access
23 - Interactive User read, write and delete access
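As an added example (not code from the original page), here is a small Python parser for the REGINI script format used in example01.txt and example02.txt above. It applies the rules from the help text further down (';' comments, indentation as the key tree, `name = TYPE data` values, a bracketed ACL after a key name), decodes the ACL numbers with the permission table, and flags keys whose ACL gives Everyone write access. The sample input is constructed; the dict layout and the names parse_regini, ACL_CODES and WORLD_WRITABLE are this example's own.

```python
import re
# ACL codes from the page's permission table (section 3 and the REGINI help text)
ACL_CODES = {1: "Administrators Full", 2: "Administrators Read", 3: "Administrators Read/Write",
             4: "Administrators Read/Write/Delete", 5: "Creator Full", 6: "Creator Read/Write",
             7: "World Full", 8: "World Read", 9: "World Read/Write", 10: "World Read/Write/Delete",
             11: "Power Users Full", 12: "Power Users Read/Write", 13: "Power Users Read/Write/Delete",
             14: "System Operators Full", 15: "System Operators Read/Write", 16: "System Operators Read/Write/Delete",
             17: "System Full", 18: "System Read/Write", 19: "System Read", 20: "Administrators Read/Write/Execute",
             21: "Interactive User Full", 22: "Interactive User Read/Write", 23: "Interactive User Read/Write/Delete"}
WORLD_WRITABLE = {7, 9, 10}  # codes that let Everyone (World) modify the key
ACL_RE = re.compile(r"^(.*?)\s*\[([^\]]*)\]\s*$")  # 'key [8 4 17]' or 'key [Delete]'

def parse_regini(text):  # returns one dict {key, acl, delete, world_writable, values} per key line
    entries, stack = [], []  # stack of (indent, entry): the indentation-based key tree
    for raw in text.splitlines():
        line = raw.replace("\t", " ")  # embedded hard tabs count as a single space
        body = line.strip()
        if not body or body.startswith(";"):  # blank line or ';' comment line
            continue
        indent = len(line) - len(line.lstrip(" "))
        if "=" in body:  # '=' takes precedence over '[': this is a value line
            while stack and stack[-1][0] > indent:  # owner: previous key at or above this level
                stack.pop()
            name, _, rest = body.partition("=")
            parts = rest.strip().split(None, 1)
            typed = bool(parts) and parts[0].startswith("REG_")  # no type keyword: default is REG_SZ
            vtype, data = (parts[0], parts[1] if len(parts) > 1 else "") if typed else ("REG_SZ", rest.strip())
            name = name.strip().strip('"')
            if stack:  # '@' and an omitted name both denote the default (empty) value name
                stack[-1][1]["values"].append(("" if name == "@" else name, vtype, data))
            continue
        while stack and stack[-1][0] >= indent:  # a key at the same level is a sibling, not a child
            stack.pop()
        m = ACL_RE.match(body)
        name, acl = (m.group(1), m.group(2).split()) if m else (body, [])
        name, codes = name.strip().strip('"'), [int(c) for c in acl if c.isdigit()]
        entry = {"key": (stack[-1][1]["key"] + "\\" + name) if stack else name, "values": [],
                 "acl": [ACL_CODES.get(c, "unknown") for c in codes], "delete": acl == ["Delete"],
                 "world_writable": bool(set(codes) & WORLD_WRITABLE)}
        stack.append((indent, entry))
        entries.append(entry)
    return entries
# Constructed sample: the page's flat style with example02's ACL, plus an indented, deliberately loose child key
SAMPLE = """\
HKEY_CURRENT_USER\\example0 [2 8 19]
"example1" = REG_DWORD 1
@ = REG_SZ "This is an example!"
    Loose [7 17]
        example2 = hello world
"""
```

Running parse_regini over a script before handing it to REGINI.EXE shows exactly which keys it will touch and which ACLs it will set, which is the check worth doing before locking down (or loosening) keys.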
4. Where to use it
After installing the system and antivirus software: delete some service keys, change the permissions on autostart keys, file-association keys, and so on. But then again,
since we can change permissions so easily, a virus can change them back. The defence is to move regini.exe somewhere else and rely on registry-monitoring software:
rename the monitoring tool, preferably pack it as well (not to evade antivirus, but to stop malware from killing it), install it as a service, and have it raise an alarm on any change.
5. English help
This part was found on a website; the author is unknown and it is provided for reference only:
Usage: REGINI [-m machinename | -h hivefile hiveroot | -w Win95 Directory] [-i n] [-o outputWidth] [-b] textFiles...
-m specifies a remote Windows NT machine whose registry is to be manipulated.
-h specifies a local hive to manipulate.
-w specifies the paths to a Windows 95 system.dat and user.dat files.
-i n specifies the display indentation multiple. Default is 4.
-o outputWidth specifies how wide the output is to be. By default the outputWidth is set to
the width of the console window if standard output has not been redirected to a file.
In the latter case, an outputWidth of 240 is used.
-b specifies that REGINI should be backward compatible with older versions of REGINI that
did not strictly enforce line continuations and quoted strings. Specifically, REG_BINARY,
REG_RESOURCE_LIST and REG_RESOURCE_REQUIREMENTS_LIST data types did not need line
continuations after the first number that gave the size of the data.
It just kept looking on following lines until it found enough data values to equal the
data length or hit invalid input. Quoted strings were only allowed in REG_MULTI_SZ.
They could not be specified around key or value names, or around values for REG_SZ or
REG_EXPAND_SZ. Finally, the old REGINI did not support the semicolon as an end of line
comment character.
textFiles is one or more ANSI or Unicode text files with registry data.
The easiest way to understand the format of the input textFile is to use the REGDMP
command with no arguments to dump the current contents of your NT Registry to standard
out. Redirect standard out to a file and this file is acceptable as input to REGINI.
Some general rules are:
Semicolon character is an end-of-line comment character, provided it is the first
non-blank character on a line.
Backslash character is a line continuation character. All characters from the backslash
up to but not including the first non-blank character of the next line are ignored.
If there is more than one space before the line continuation character, it is replaced
by a single space.
Indentation is used to indicate the tree structure of registry keys. The REGDMP program
uses indentation in multiples of 4. You may use hard tab characters for indentation,
but embedded hard tab characters are converted to a single space regardless of their
position.
Values should come before child keys, as they are associated with the previous key at
or above the value's indentation level.
For key names, leading and trailing space characters are ignored and not included in
the key name, unless the key name is surrounded by quotes. Embedded spaces are part of
a key name.
Key names can be followed by an Access Control List (ACL) which is a series of decimal
numbers, separated by spaces, bracketed by square brackets (e.g. [8 4 17]).
The valid numbers and their meanings are:
1 - Administrators Full Access
2 - Administrators Read Access
3 - Administrators Read and Write Access
4 - Administrators Read, Write and Delete Access
5 - Creator Full Access
6 - Creator Read and Write Access
7 - World Full Access
8 - World Read Access
9 - World Read and Write Access
10 - World Read, Write and Delete Access
11 - Power Users Full Access
12 - Power Users Read and Write Access
13 - Power Users Read, Write and Delete Access
14 - System Operators Full Access
15 - System Operators Read and Write Access
16 - System Operators Read, Write and Delete Access
17 - System Full Access
18 - System Read and Write Access
19 - System Read Access
20 - Administrators Read, Write and Execute Access
21 - Interactive User Full Access
22 - Interactive User Read and Write Access
23 - Interactive User Read, Write and Delete Access
If there is an equal sign on the same line as a left square bracket then the equal
sign takes precedence, and the line is treated as a registry value. If the text
between the square brackets is the string Delete with no spaces, then REGINI will
delete the key and any values and keys under it.
For registry values, the syntax is:
value Name = type data
Leading spaces, spaces on either side of the equal sign and spaces between the type
keyword and data are ignored, unless the value name is surrounded by quotes. If the
text to the right of the equal sign is the string Delete, then REGINI will delete the
value.
The value name may be left off or be specified by an at-sign character which is the
same thing, namely the empty value name. So the following two lines are identical:
= type data
@ = type data
This syntax means that you can't create a value with leading or trailing spaces,
an equal sign or an at-sign in the value name, unless you put the name in quotes.
Valid value types and format of data that follows are:
REG_SZ text
REG_EXPAND_SZ text
REG_MULTI_SZ "string1" "string2" ...
REG_DATE mm/dd/yyyy HH:MM DayOfWeek
REG_DWORD numberDWORD
REG_BINARY numberOfBytes numberDWORD(s)...
REG_NONE (same format as REG_BINARY)
REG_RESOURCE_LIST (same format as REG_BINARY)
REG_RESOURCE_REQUIREMENTS (same format as REG_BINARY)
REG_RESOURCE_REQUIREMENTS_LIST (same format as REG_BINARY)
REG_FULL_RESOURCE_DESCRIPTOR (same format as REG_BINARY)
REG_QWORD numberQWORD
REG_MULTISZ_FILE fileName
REG_BINARYFILE fileName
If no value type is specified, the default is REG_SZ.
For REG_SZ and REG_EXPAND_SZ, if you want leading or trailing spaces in the value
text, surround the text with quotes. The value text can contain any number of
embedded quotes, and REGINI will ignore them, as it only looks at the first and
last character for quote characters.
For REG_MULTI_SZ, each component string is surrounded by quotes. If you want an
embedded quote character, then double quote it, as in string2 above.
For REG_BINARY, the value data consists of one or more numbers. The default base
for numbers is decimal.
Hexadecimal may be specified by using a 0x prefix. The first number is the number
of data bytes, excluding the first number. After the first number must come enough
numbers to fill the value.
Each number represents one DWORD or 4 bytes. So if the first number was 0x5 you
would need two more numbers after that to fill the 5 bytes. The high order 3 bytes
of the second DWORD would be ignored.
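The REG_BINARY rule just described (byte count first, then one DWORD per number, unused high-order bytes of the last DWORD ignored) as an added Python example; this is not code from the page, and the function names and the sample token list are this example's own.

```python
import struct

def _num(token):
    """A REGINI number: decimal by default, hexadecimal with a 0x prefix."""
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)

def decode_reg_binary(tokens):
    """Turn the numbers after REG_BINARY into the bytes REGINI would store: the first
    number is the byte count, each following number is one little-endian DWORD."""
    nums = [_num(t) for t in tokens]
    if not nums:
        raise ValueError("REG_BINARY needs at least the byte-count number")
    size, dwords = nums[0], nums[1:]
    needed = (size + 3) // 4  # DWORDs needed to cover 'size' bytes; the last may be partial
    if len(dwords) < needed:
        raise ValueError(f"{size} byte(s) need {needed} DWORD(s), only {len(dwords)} given")
    raw = b"".join(struct.pack("<I", d) for d in dwords[:needed])  # struct rejects values over 32 bits
    return raw[:size]  # unused high-order bytes of the last DWORD are dropped, as the help text says

def encode_reg_binary(data):
    """Inverse: render bytes as the 'numberOfBytes numberDWORD(s)...' tokens, hex with 0x prefix."""
    padded = data + b"\x00" * (-len(data) % 4)  # zero-fill the high-order bytes of a partial last DWORD
    dwords = struct.unpack(f"<{len(padded) // 4}I", padded)
    return [f"0x{len(data):x}"] + [f"0x{d:08x}" for d in dwords]

# Constructed sample matching the help text's case: 0x5 bytes need two DWORDs, and only the
# low byte of the second one is used; the other three bytes (0xaabbcc) are ignored
EXAMPLE_TOKENS = ["0x5", "0x04030201", "0xaabbccff"]
```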
Whenever specifying a registry path, either on the command line or in an input file,
the following prefix strings can be used:
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_USER
USER:
Each of these strings can stand alone as the key name or be followed by a backslash
and a subkey path.