
Consider how CurrentControlSet and ControlSet### are defined #401

Open
joachimmetz opened this issue Sep 29, 2020 · 8 comments


joachimmetz commented Sep 29, 2020

Determine how to properly define CurrentControlSet for Windows NT and 9x/Me Registry Files.

  • In Windows 9x/Me CurrentControlSet is a "real" key
  • In Windows NT CurrentControlSet is a virtual key

https://github.com/libyal/winreg-kb/blob/master/docs/sources/system-keys/Current-control-set.md

Maybe define %ControlSets% or %AllControlSets% for all "real" ControlSet### and/or CurrentControlSet keys?

@joachimmetz joachimmetz changed the title Consider how CurrentControlSet is defined Consider how CurrentControlSet and ControlSet### are defined Sep 29, 2020
@joachimmetz (Member Author)

What if a Windows NT SYSTEM file contains a CurrentControlSet key?


cugu commented Oct 4, 2020

%%current_control_set%% is already defined. This could be extended for pre-NT systems:

```yaml
name: WindowsRegistryCurrentControlSets
sources:
- type: REGISTRY_VALUE
  attributes: {key_value_pairs: [{key: 'HKEY_LOCAL_MACHINE\System\Select', value: 'Current'}]}
- type: REGISTRY_KEY
  attributes: {keys: ['HKEY_LOCAL_MACHINE\System\CurrentControlSet']}
provides: [current_control_set]
```

If all ControlSets should be considered a %%control_set%% could be defined as:

```yaml
name: WindowsRegistryControlSets
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
      - 'HKEY_LOCAL_MACHINE\System\ControlSet*'
      - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet'
provides: [control_set]
```

To differentiate between different Windows versions, conditions (e.g. `conditions: [os_major_version >= 5]`) could be used.

@the-exodus

Isn't this actually a non-issue? On a running system the registry path will be the same, and if it's not running it doesn't make sense to talk about a "current set."

Collecting the list of control sets to %control_sets% works on both platforms too.

@joachimmetz (Member Author)

> On a running system the registry path will be the same, and if it's not running it doesn't make sense to talk about a "current set."

'HKEY_LOCAL_MACHINE\System\CurrentControlSet' can exist as an offline key

> Collecting the list of control sets to %control_sets% works on both platforms too.

but what if your tool wants the current one (offline or online)?

@the-exodus

Yeah the key can exist, but I think most of its children are dynamic, so it's not very useful offline. Or was it a symlink? I'd investigate, but I'm not even sure I still have a w98 CD to install from.

Still, it wouldn't make sense to include the current profile when performing an offline collection, since it's inherently a runtime concept. In that situation it probably makes more sense to collect the "Last boot" dword and access that controlset instead. Or am I misunderstanding you?

@joachimmetz (Member Author)

> Still, it wouldn't make sense to include the current profile when performing an offline collection, since it's inherently a runtime concept.

Why? What if you are trying to determine the last known system configuration?

> In that situation it probably makes more sense to collect the "Last boot" dword and access that controlset instead.

An implementation can consider using other values to determine the current control set. But that does not answer my question: how do you define whether you want your implementation to reconstruct the current control set versus just iterating all control sets?

@the-exodus

> Why? What if you are trying to determine the last known system configuration?

I actually answered this one right below the question :)

> In that situation it probably makes more sense to collect the "Last boot" dword and access that controlset instead.

> An implementation can consider using other values to determine the current control set. But that does not answer my question: how do you define whether you want your implementation to reconstruct the current control set versus just iterating all control sets?

Not entirely sure I understand what you mean, but one way to cover all bases would be to collect the values under HKLM\System\Select and provide them as %controlset.current%, %controlset.default% etc. Can't quite remember if the Select key existed in the 90s; it's possible they actually implemented it by linking CurrentControlSet to the one in use while keeping "last good" in another, and then flipping them on reboot or something. But I have some recollection of there being a key similar to Select ¯\_(ツ)_/¯

@joachimmetz (Member Author)

To determine the virtual Windows NT CurrentControlSet key: https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Current-control-set.html

> provide them as %controlset.current%, %controlset.default%

that could be an option to define them

> But I have some recollection of there being a key similar to Select

From what I can tell from the Windows 9x/Me Registry file samples I've observed, CurrentControlSet is a "real" key. As far as I know Windows NT uses a "virtual" key.
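The resolution the thread keeps circling back to, written out as an added example (not code from the artifacts project or from any participant): on Windows NT the `CurrentControlSet` key is virtual, so an offline tool rebuilds it from the `REG_DWORD` values under `HKLM\System\Select` (`Current`, `Default`, `LastKnownGood`, `Failed`) and maps the number to the real `ControlSet###` key; on Windows 9x/Me there is no `Select` key and the real `CurrentControlSet` key is used as-is. The inputs are constructed lists and dicts standing in for what a hive parser would return, and the function names are assumptions; the `Select` value names and the `ControlSet%03d` naming are the real Windows ones.

```python
"""Resolve the control set an offline Windows SYSTEM hive uses as CurrentControlSet.

Added example for this issue thread, not code from the artifacts project.
Inputs are constructed lists/dicts standing in for what a hive parser would
return; function names are assumptions, the Select value names are real.
"""
import re
from typing import Dict, Iterable, List, Optional

# Real control set keys are named ControlSet001, ControlSet002, ...; a strict
# pattern avoids matching unrelated keys that a 'ControlSet*' glob would accept.
_CONTROL_SET_RE = re.compile(r"^ControlSet(\d{3})$", re.IGNORECASE)

# Select holds REG_DWORD values. The NT loader builds the virtual
# CurrentControlSet key from Current; Default and LastKnownGood are fallbacks
# for a dangling Current. A value of 0 means "no such control set".
_SELECT_PREFERENCE = ("Current", "Default", "LastKnownGood")


def control_set_name(number: int) -> str:
    """Map a Select DWORD (e.g. 1) to its key name (ControlSet001)."""
    if number <= 0:
        raise ValueError("control set numbers start at 1")
    return "ControlSet{:03d}".format(number)


def _find_key(subkeys: Iterable[str], wanted: str) -> Optional[str]:
    """Registry key names are case-insensitive; return the stored spelling."""
    for name in subkeys:
        if name.lower() == wanted.lower():
            return name
    return None


def list_control_sets(system_subkeys: Iterable[str]) -> List[str]:
    """All real ControlSet### keys under HKLM\\System, in numeric order.

    This is what a %%control_set%% style artifact would expand to on NT.
    """
    found = []
    for name in system_subkeys:
        match = _CONTROL_SET_RE.match(name)
        if match:
            found.append((int(match.group(1)), name))
    return [name for _, name in sorted(found)]


def resolve_current_control_set(
    system_subkeys: Iterable[str],
    select_values: Optional[Dict[str, int]],
) -> Optional[str]:
    """Name of the subkey to treat as CurrentControlSet, or None.

    Windows NT: CurrentControlSet is virtual, so rebuild it from Select.
    Windows 9x/Me: no Select key, CurrentControlSet is a real key and is
    returned as-is. A hive that has both (a stray real CurrentControlSet key in
    an NT hive) is resolved from Select, since that is what the NT loader does.
    """
    subkeys = list(system_subkeys)
    if select_values is None:
        return _find_key(subkeys, "CurrentControlSet")
    for value_name in _SELECT_PREFERENCE:
        number = select_values.get(value_name, 0)
        if number <= 0:
            continue
        candidate = _find_key(subkeys, control_set_name(number))
        if candidate is not None:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: subkeys of HKLM\System and the Select values as a
    # hive parser would report them for a Windows NT family SYSTEM file.
    nt_subkeys = ["ControlSet001", "ControlSet002", "MountedDevices", "Select", "Setup"]
    nt_select = {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2}
    print(list_control_sets(nt_subkeys))
    print(resolve_current_control_set(nt_subkeys, nt_select))
    # Constructed Windows 9x/Me style layout: real CurrentControlSet, no Select.
    print(resolve_current_control_set(["CurrentControlSet"], None))
```

The fallback order matters for the "last known system configuration" question: a `Current` that points at a control set missing from the hive is treated as dangling and the resolver moves on to `Default`, rather than returning a key name that does not exist offline.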

3 participants