http://www.purwakarta.org

Edit Register Windows Menggunakan GNU Linux Ubuntu Live CD/Knoppix

April 15th, 2009

Untuk yang ingin melihat atau mengedit register di Micr. Windows dari linux bisa menggunakan aplikasi chntpw. Chntpw sangat berguna jika tiba-tiba windows anda terserang virus/trojan yang merubah value key di register, contohnya windows tidak bisa login (value key userinit dirubah virus), folder options – control panel hilang, dan lainnya.

Linux yang saya gunakan Ubuntu 8.04.1 dengan kernel 2.6.24-21-generic (dapat juga menggunakan Linux Live CD).

• Install chntpw

root@thinkpad:/home/faiz# apt-get update
root@thinkpad:/home/faiz# apt-get install chntpw

…
The following NEW packages will be installed:
chntpw
0 upgraded, 1 newly installed, 0 to remove and 169 not upgraded.
Need to get 132kB of archives.
After this operation, 332kB of additional disk space will be used.
Get:1 http://id.archive.ubuntu.com hardy/multiverse chntpw 0.99.3-1 [132kB]
Fetched 132kB in 28s (4612B/s)
Selecting previously deselected package chntpw.
(Reading database … 127374 files and directories currently installed.)
Unpacking chntpw (from …/chntpw_0.99.3-1_i386.deb) …
Setting up chntpw (0.99.3-1) …

• Mount partisi windows

Partisi C:/ di /dev/sda1 dengan mount point di /media/disk
#mount /dev/sda1 /media/disk

• Edit Register

Tabel Register

Register Key	File
HKEY_CURRENT_CONFIG	SYSTEM
HKEY_CURRENT_USER	Ntuser.dat (Document)
HKEY_LOCAL_MACHINE\SAM	SAM
HKEY_LOCAL_MACHINE\SECURITY	SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE	SOFTWARE
HKEY_USERS\DEFAULT	DEFAULT

Lokasi file Register Window di C://systemroot(windows)/system32/config/
Lokasi file Register User C://Documents and Settings/$User/NTUSER.dat

Misal :
Untuk mengaktifkan folder options yang terdisable, hapus key NoFolderOptions di Register.

Register: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

maka kita gunakan file ntuser.dat (/media/disk/Documents and Settings/faiz/ntuser.dat)

root@thinkpad:/home/faiz# cd /media/disk/Documents\ and\ Settings/faiz/
root@thinkpad:/media/disk/Documents and Settings/faiz# chntpw -e NTUSER.DAT

chntpw version 0.99.3 040818, (c) Petter N Hagen
Hive’s name (from header): <ts and Settings\faiz\ntuser.dat>
ROOT KEY at offset: 0×001020 * Subkey indexing type is: 666c <lf>
Page at 0×71c000 is not ‘hbin’, assuming file contains garbage at end
File size 7602176 [740000] bytes, containing 1157 pages (+ 1 headerpage)
Used for data: 117952/7344064 blocks/bytes, unused: 6588/69536 blocks/bytes.
Simple registry editor. ? for help.

[1020] > cd Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

untuk menghapus key gunakan perintah ‘dv’
[33e28] (…)\Windows\CurrentVersion\Policies\Explorer> dv NoFolderOptions

untuk melihat isi key ‘nya gunakan perintah ‘cat’
[33e28] (…)\Windows\CurrentVersion\Policies\Explorer>cat ClearRecentDocsOnExit

Value <ClearRecentDocsOnExit> of type REG_BINARY, data length 4 [0x4]
:00000 01 00 00 00 ….

untuk mengubah key gunakan perintah ‘ed’
[8d8420] (…)\Windows NT\CurrentVersion\Winlogon> ed Userinit

EDIT: <Userinit> of type REG_SZ with length 68 [0x44]
[ 0]: C:\WINDOWS\system32\userinit.exe,

Now enter new strings, one by one.
Enter nothing to keep old.
[ 0]: C:\WINDOWS\system32\userinit.exe,
-> D:\WINDOWS\system32\userinit.exe,
newkv->len: 68

[8d8420] (…)\Windows NT\CurrentVersion\Winlogon> cat Userinit

Value <Userinit> of type REG_SZ, data length 68 [0x44]
D:\WINDOWS\system32\userinit.exe,

Jika telah selesai ketikkan “q” dan konfirmasi “y” untuk menyimpan perubahan.

[33e28] (…)\Windows\CurrentVersion\Policies\Explorer> q

Hives that have changed:
# Name
0 <NTUSER.DAT>
Write hive files? (y/n) [n] : y
0 <NTUSER.DAT> – OK

Jangan lupa unmount partisi windows tadi kemudian restart.

Semoga Bermanfaat.

Ref : Internet

Entry Filed under: Tutorial