http://www.purwakarta.org

Untuk yang ingin melihat atau mengedit register di Micr. Windows dari linux bisa menggunakan aplikasi chntpw. Chntpw sangat berguna jika tiba-tiba windows anda terserang virus/trojan yang merubah value key di register, contohnya windows tidak bisa login (value key userinit dirubah virus), folder options – control panel hilang, dan lainnya.

Linux yang saya gunakan Ubuntu 8.04.1 dengan kernel 2.6.24-21-generic (dapat juga menggunakan Linux Live CD).

• Install chntpw

root@thinkpad:/home/faiz# apt-get update
root@thinkpad:/home/faiz# apt-get install chntpw

…
The following NEW packages will be installed:

chntpw

0 upgraded, 1 newly installed, 0 to remove and 169 not upgraded.

Need to get 132kB of archives.

After this operation, 332kB of additional disk space will be used.

Get:1 http://id.archive.ubuntu.com hardy/multiverse chntpw 0.99.3-1 [132kB]

Fetched 132kB in 28s (4612B/s)

Selecting previously deselected package chntpw.

(Reading database … 127374 files and directories currently installed.)

Unpacking chntpw (from …/chntpw_0.99.3-1_i386.deb) …

Setting up chntpw (0.99.3-1) …

• Mount partisi windows

Partisi C:/ di /dev/sda1 dengan mount point di /media/disk
#mount /dev/sda1 /media/disk

• Edit Register

Tabel Register

Register Key	File
HKEY_CURRENT_CONFIG	SYSTEM
HKEY_CURRENT_USER	Ntuser.dat (Document)
HKEY_LOCAL_MACHINESAM	SAM
HKEY_LOCAL_MACHINESECURITY	SECURITY
HKEY_LOCAL_MACHINESOFTWARE	SOFTWARE
HKEY_USERSDEFAULT	DEFAULT

Lokasi file Register Window di C://systemroot(windows)/system32/config/
Lokasi file Register User C://Documents and Settings/$User/NTUSER.dat

Misal :
Untuk mengaktifkan folder options yang terdisable, hapus key NoFolderOptions di Register.

Register: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer

maka kita gunakan file ntuser.dat (/media/disk/Documents and Settings/faiz/ntuser.dat)

root@thinkpad:/home/faiz# cd /media/disk/Documents and Settings/faiz/
root@thinkpad:/media/disk/Documents and Settings/faiz# chntpw -e NTUSER.DAT

chntpw version 0.99.3 040818, © Petter N Hagen
Hive’s name (from header): <ts and Settingsfaizntuser.dat>

ROOT KEY at offset: 0×001020 * Subkey indexing type is: 666c <lf>

Page at 0x71c000 is not ‘hbin’, assuming file contains garbage at end

File size 7602176 [740000] bytes, containing 1157 pages (+ 1 headerpage)

Used for data: 117952/7344064 blocks/bytes, unused: 6588/69536 blocks/bytes.

Simple registry editor. ? for help.

[1020] > cd SoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer

untuk menghapus key gunakan perintah ‘dv’
[33e28] (…)WindowsCurrentVersionPoliciesExplorer> dv NoFolderOptions

untuk melihat isi key ‘nya gunakan perintah ‘cat’
[33e28] (…)WindowsCurrentVersionPoliciesExplorer>cat ClearRecentDocsOnExit

Value <ClearRecentDocsOnExit> of type REG_BINARY, data length 4 [0x4]
:00000 01 00 00 00 ….

untuk mengubah key gunakan perintah ‘ed’
[8d8420] (…)Windows NTCurrentVersionWinlogon> ed Userinit

EDIT: <Userinit> of type REG_SZ with length 68 [0x44]
[ 0]: C:WINDOWSsystem32userinit.exe,

Now enter new strings, one by one.
Enter nothing to keep old.

[ 0]: C:WINDOWSsystem32userinit.exe,

-> D:WINDOWSsystem32userinit.exe,

newkv->len: 68

[8d8420] (…)Windows NTCurrentVersionWinlogon> cat Userinit

Value <Userinit> of type REG_SZ, data length 68 [0x44]
D:WINDOWSsystem32userinit.exe,

Jika telah selesai ketikkan �q� dan konfirmasi �y� untuk menyimpan perubahan.

[33e28] (…)WindowsCurrentVersionPoliciesExplorer> q

Hives that have changed:
# Name

0 <NTUSER.DAT>

Write hive files? (y/n) [n] : y

0 <NTUSER.DAT> – OK

Jangan lupa unmount partisi windows tadi kemudian restart.

Semoga Bermanfaat.

Ref : Internet