Audio Asylum Thread Printer
In Reply to: RE: cPlay - the open source high-end audio player using ASIO posted by cics on May 05, 2008 at 13:31:58
Hello, everybody! This is a new thing, I hope, and all credits should go first of all to Jack Wong. He is working on a serious project now and he was so kind as to tell me about SECURITY and SAM hive encryption. Unfortunately I was unable to use his hives, but he helped me to find this program - it's free and very small, but effective. It cannot decrypt SAM but it loads SECURITY as a normal hive; also, after one or two loadings and asking for all kinds of permissions like you do with the default hive (read Rick's post), the SECURITY hive becomes visible in normal regedit.
1. So, download this program, unzip and install on your hdd
http://users.csc.calpoly.edu/~bfriesen/software/hiveloader.shtml
2. Run the program and tell it Load, a dialog appears that allows you to browse and find your cmp security hive, open and assign it a name, like 000. Say load once again and press the REGEDIT button WITHIN HIVELOADER.
3. Edit your security hive like the picture attached.
4. Unload it from regedit in the usual manner.
5. Load it into REGEDIT once again and compact with Regopt.
It should become 8 kb
PLEASE NOTE THAT ACCOUNTS ENTRIES ARE EMPTY
all other entries have only one dword in them. Leave them be.
Please, try to tweak this hive IN A SINGLE SESSION, as I had to restore my registry many times before I achieved this, and the order was nonlinear!
Serge.
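The post above says the compacted SECURITY hive "should become 8 kb" and that the registry had to be restored many times. As an added example (not part of the original post and not Hiveloader's code), this Python check reads a copy of a hive file and reports an unclean, damaged or truncated header before the file is put back; the sample hive is constructed, and 8 KB corresponds to one 4096-byte header block plus one 4096-byte hive bin.

```python
import struct

BASE_BLOCK = 4096  # regf header block; hive bins follow in 4096-byte multiples

def regf_checksum(header: bytes) -> int:
    """XOR of the first 127 little-endian dwords (bytes 0..507)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1

def check_hive(data: bytes) -> list:
    """Return a list of problems; an empty list means the header looks sane."""
    problems = []
    if len(data) < BASE_BLOCK or data[:4] != b"regf":
        return ["not a registry hive (missing regf signature)"]
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    bins_size, = struct.unpack_from("<I", data, 40)
    stored, = struct.unpack_from("<I", data, 508)
    if seq1 != seq2:
        problems.append("sequence numbers differ: hive was not cleanly written")
    if stored != regf_checksum(data):
        problems.append("header checksum mismatch")
    if bins_size == 0 or bins_size % BASE_BLOCK:
        problems.append("hive bins size is not a multiple of 4096")
    elif len(data) < BASE_BLOCK + bins_size:
        problems.append("file is shorter than header + hive bins (truncated)")
    elif data[BASE_BLOCK:BASE_BLOCK + 4] != b"hbin":
        problems.append("first hive bin signature missing")
    return problems

def make_sample_hive() -> bytes:
    """Constructed 8 KB sample: one base block plus one empty hive bin."""
    hdr = bytearray(BASE_BLOCK)
    hdr[:4] = b"regf"
    struct.pack_into("<II", hdr, 4, 7, 7)          # matching sequence numbers
    struct.pack_into("<II", hdr, 20, 1, 3)         # format version 1.3
    struct.pack_into("<II", hdr, 36, 0x20, 4096)   # root cell offset, bins size
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    hbin = bytearray(4096)
    hbin[:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 4096)      # bin offset, bin size
    return bytes(hdr + hbin)

if __name__ == "__main__":
    print(check_hive(make_sample_hive()) or "header OK")
```

Run it against a copy of the edited hive file, never the live one, by passing the file's bytes to `check_hive`.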
Follow Ups:
I think this is as far as one can go. It is as far as I can go. I tried many combinations and this is what works
I also found I could delete svchost.dll. Whether this has anything to do with "this" or not I do not know. No need to "suspend" that one any longer!
Tried to delete lsass and watchdog but to no avail.
As I posted before one can delete WINTRUST and WATCHDOG from the registry.
The machine is working very well.
If you try this ignore the momentary squeals that you might hear. I heard them upon first re-installing the drive but after a second boot I never heard them again.
Before I finalized this the machine would take longer than usual to load a file. But now it is back to loading quickly. Sometimes it will turn itself off when asking for shutdown and sometimes it hangs after doing the typical cMP bar zipping a few times and just hangs there. Nothing to worry about.
I do think it sounds even better.
Tomorrow more experiments. Wondering if hex editor is the key to minimizing lsass and watchdog? They might just need to be there even if they are rendered impotent. I hope so.
Hello, Rick! I have just trimmed down SAM and removed from security all accounts but 1-0-0-1 or whatever is its name. Compacted. SAM is 12 kb. Security - 8 kb.
About svchost.dll - IT IS A VIRUS - there is no such dll, I have checked it here - the place I look up the info about *.dlls
http://xpdll.nirsoft.net/
Or was it svchost.exe?
I think I will try removing now authorisation and security dlls. As for Watchdog, as it's still in the system, it must be invoked by lsass or even ntloader, so, removing it from the registry may cause it to function at default, and this is something we don't need. So, probably we should let it remain "sedated"?
Serge.
It was .exe
Really! I marvel at Your ability to do such things, Rick!
Please, tell me, exactly, do I load SAM under HK_USERS?, and then I will see it in two places?
About svchost - it's unbelievable, yet, it's true...
However, it's svchost.exe that is suspended together with hateful lsass.exe (but they, yes, they call upon svchost.dll and lsasrv.)
I wonder if you are so tired that you don't listen to the result now?
I know what security deletions would bring, now for SAM...
Serge
P.S. Thank You!
I'm having difficulty getting Hiveloader to show contents of sam or security.
So these are the steps
run hiveloader...click load...browse to security...assign name in lower box...then click regedit or load again?
This is a bit confusing for me..so I tried both ways and I can see the name I assigned in hiveloader within regedit but no contents within. What am I doing wrong?
This also happened to me at first. Do as steppe says but I found you may also have to change the permissions in loaded Security hive by checking the lower box in Advanced as Rick described to get its contents to show.
Edits: 02/02/12
SECURITY under HK_LOCAL_MACHINE (you can select it in the same dialog where you browse for your hive, and, according to Rick, you load SAM under HK_USERS).
And then press REGEDIT (note that regedit itself should be closed and only called upon by hiveloader)
Serge.
Edits: 02/02/12
Who knows what I did not do the first time I tried to load into LOCAL MACHINE.
Funny I still use LOCAL USERS when I work with SAM even though I do not have to.
Ted, make sure you allow unlimited permissions for the entire LOCAL MACHINE hive (checking the boxes in ADVANCED while highlighting HKEY_Local_machine); this should allow you access.
The first time (for some reason) seems to be tricky.
(to quote the DAMNED a late '70's punk/pop band)
Can't wait to give it a try.
Thanks to you and Mr. Wong!
Thanks to you and Mr. Wong, again.
I also found that you can access SAM - you have to place it in HKEY USERS and it will appear. I use ___wer as my cMP files I.D. Hence samwer.
Like the above. Could not open it up completely and get in the screen.
Now to figure out what to do with it!
No success yet in deleting anything.
Can actually be loaded into both headings.
Since it worked first in local users I have kept going there.
so far
tweaked Security? I think it should be done, as it allows to delete and empty most of the accounts like 1-0-0-1 something. And SAM is security accounts manager, so when tweaked security "interacts" with SAM, there's gonna be some inevitable change in the SAM, after which it may become more pliant... Just thoughts.
Serge.
This is where I am at the moment.
I was able to delete WATCHDOG and WINTRUST from the registry after this.
I tried to delete the watchdog.dll but the machine would not allow that.
Who knows what this has allowed (the registry deletions)?
I finished late and did not have enough time to really listen since it always takes a little while for the machine to settle down after these things.
Was going to see if there is more to remove from SECURITY and yes, they do seem to interact. The rxact entry which you deleted in SECURITY cannot be deleted in SAM. Of course, you can delete it but the machine will get to the default blue screen and the cursor will show but it will not go on to the cMP screen.
I have the feeling that USERS might be able to be deleted and will try more deletions tonight.
Since the machine did not recognize ADMINISTRATORS when implementing MINLOGON I think we might be able to get rid of the whole thing. Might be we can only delete NAMES.
With SAM I had no problem making additional deletions from the same file.
Compacted the above comes down to 12kB.