#1 Radius Nightly

Userinit Return "My Data"

Posted 09 December 2017 - 11:44 AM

In my code I have to get Userinit data from the registry.
It's located here: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value Name: Userinit
Value Data: userinit.exe,

From regedit it works fine, I can use a .reg to merge it, but in my code, hmm...

On Windows 10 it returns "My Data".
From code, that Value Name also does not exist, so I tried with all possible permissions, no luck.
I also tried to get other value data from \Winlogon, such as explorer, and from different random folders all around the registry, and everything works fine, but Userinit doesn't.

Tested it on XP SP3 in VMW, works fine and returns "C:\WINDOWS\system32\userinit.exe,".
Tested it on Vista SP1, returns "My Data", and explorer.exe pops up with no title, with the message "My Data", with an OK button, and it has the Visual Basic icon (the one with cubes).
Tested it on Windows 7 SP1, returns "C:\WINDOWS\system32\userinit.exe,".
Tested it on Windows 8 SP1, returns "C:\WINDOWS\system32\userinit.exe,".

I was guessing maybe Microsoft restricts access from other applications to Userinit to avoid virus injection or something like that, but I can't find anything on the internet.

Need help with this ASAP.
Thanks.

Replies To: Userinit Return "My Data"

#2 Radius Nightly

Re: Userinit Return "My Data"

Posted 09 December 2017 - 12:50 PM

Looks like 64-bit Windows is calling Userinit from HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon for 32-bit applications. Have to find a way around it.

It's explained here: http://blog.whitehor...e-registry-key/
Workaround is to use a .reg file, not so user friendly for me.

Tried modifying the application's PE to not expect a 32-bit machine, didn't help.

Edit:
Found some answer here: https://stackoverflo...an-x64-platform

Edit:
OK, reg.exe bypasses this redirection, so I will use it instead...

Thread can be closed.

Edit:
/reg:32 or /reg:64 depending on OS, so I will use this:
reg add "Address" /v ValueName /t Type /d ValueData /reg:64 /f

If someone needs an import workaround:
reg import File.REG /reg:64

regedit /s File.REG won't work if it's called by a 32-bit application on 64-bit.
And to view data:
reg query "Address" /v ValueName /reg:64

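An alternative to shelling out to reg.exe, as an added example that is not part of the original posts: a process can request a specific registry view itself by adding KEY_WOW64_64KEY or KEY_WOW64_32KEY to the access mask, the same views that /reg:64 and /reg:32 select. Python's winreg module is an assumption here (the poster's language is not stated), and read_view, compare_views and the reg parameter are illustrative names.

```python
import sys

try:
    import winreg  # standard library, available on Windows only
except ImportError:
    winreg = None

# Path from the thread, relative to HKEY_LOCAL_MACHINE.
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def read_view(name, wow64_flag, subkey=WINLOGON, reg=None):
    """Read HKLM\\<subkey>\\<name> from one registry view.

    wow64_flag is KEY_WOW64_64KEY (native 64-bit view) or KEY_WOW64_32KEY
    (the WOW6432Node view a 32-bit process gets by default).
    Returns None when the key or value does not exist in that view.
    reg is an assumption of this example: a winreg-like object, so the
    logic can be exercised without a Windows registry.
    """
    reg = reg or winreg
    access = reg.KEY_READ | wow64_flag
    try:
        with reg.OpenKey(reg.HKEY_LOCAL_MACHINE, subkey, 0, access) as key:
            data, _value_type = reg.QueryValueEx(key, name)
            return data
    except FileNotFoundError:
        return None


def compare_views(name, subkey=WINLOGON, reg=None):
    """Read the same value from both views and report whether they differ."""
    reg = reg or winreg
    view64 = read_view(name, reg.KEY_WOW64_64KEY, subkey, reg)
    view32 = read_view(name, reg.KEY_WOW64_32KEY, subkey, reg)
    return {"view64": view64, "view32": view32, "differ": view64 != view32}


if __name__ == "__main__":
    if winreg is None:
        sys.exit("winreg is only available on Windows")
    for label, value in compare_views("Userinit").items():
        print(f"{label}: {value!r}")
```

Reading both views side by side shows immediately whether a value such as Userinit was written to the WOW6432Node copy instead of the key Winlogon actually uses.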