Discussion:
[Wine] Sysinternals autorunsc.exe
dfm9090
2010-06-25 23:10:31 UTC
Permalink
Hi all,

Sysinternals have just released a version of their Autoruns command-line tool that's capable of scanning an offline Windows install for images configured to start automatically (very useful for tracking down malware).

How likely is it that it could be made to run under wine on Ubuntu? I've got to the point where I have my NTFS partition mounted, I then issue the command:

---
$ wine ./autorunsc -z /mnt/ntfs_mount/WINDOWS /mnt/ntfs_mount/Documents\ and\ Settings/
---

...this happens:

---
Sysinternals Autoruns v10.01 - Autostart program viewer
Copyright (C) 2002-2010 Mark Russinovich and Bryce Cogswell
Sysinternals - www.sysinternals.com

Autoruns requires Administrator privilege to analyze an offline system
---

I also tried making a symlink to a drive letter in ~/.wine/dosdevices but that didn't seem to make any difference.

My various searches for ways to get around this have come to nought, but I confess, I'm a complete wine novice.

Grateful for your thoughts...
Gert van den Berg
2010-06-25 23:30:56 UTC
Permalink
Post by dfm9090
Hi all,
Sysinternals have just released a version of their Autoruns command-line tool that's capable of scanning an offline Windows install for images configured to start automatically (very useful for tracking down malware).
---
$ wine ./autorunsc -z /mnt/ntfs_mount/WINDOWS /mnt/ntfs_mount/Documents\ and\ Settings/
You probably want to use the Windows path if it is passed as a
parameter to a Windows program....

One way is to use winepath in backticks: (Not sure about the parameters..)
wine ./autorunsc -z `winepath -w /mnt/ntfs_mount/WINDOWS` Administrator
Post by dfm9090
I also tried making a symlink to a drive letter in ~/.wine/dosdevices but that didn't seem to make any difference.
If you do:
cd ~/.wine/dosdevices
ln -s /mnt/ntfs_mount 'd:'

You should be able to use: (I'm not sure if you are using the right
parameter for "userprofile")
wine ./autorunsc -z 'd:\WINDOWS' 'd:\Documents and Settings\'

Running it under wine cmd might be easier...

You can try "wine cmd" or "wineconsole cmd"

Gert
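Worked example of the drive-letter step described above (added here; it is not code from the Wine project, Sysinternals or any poster in this thread). It builds a throwaway stand-in for ~/.wine/dosdevices, creates the `d:` symlink the way the reply suggests, and resolves Unix paths to the `D:\...` form a Windows program expects. The lookup is a Python reimplementation of what `winepath -w` does with the drive symlinks, written so it runs without Wine installed; the `demo_prefix` helper, the temporary directory names and the `z:` mapping to `/` (Wine's default) are constructed for the example.

```python
"""Map a Unix path to the Windows path a Wine program sees.

Added example for this thread, not code from Wine or any poster. It
reimplements the drive-letter lookup behind `winepath -w` so it can run
without Wine installed; the demo prefix and directory names are constructed.
"""
import os
import re
import tempfile
from pathlib import Path

DRIVE_RE = re.compile(r"^[a-z]:$")   # Wine names drive symlinks "c:", "d:", ...


def load_drive_map(dosdevices: Path) -> dict[str, str]:
    """Drive letter -> resolved Unix directory, from the symlinks in dosdevices."""
    drives = {}
    for entry in dosdevices.iterdir():
        if DRIVE_RE.match(entry.name) and entry.is_symlink():
            drives[entry.name[0].upper()] = os.path.realpath(entry)
    return drives


def add_drive(dosdevices: Path, letter: str, target: Path) -> Path:
    """Same effect as `cd ~/.wine/dosdevices && ln -s /mnt/ntfs_mount 'd:'`."""
    link = dosdevices / f"{letter.lower()}:"
    if link.is_symlink() or link.exists():
        raise FileExistsError(f"{link} is already mapped")
    link.symlink_to(target, target_is_directory=True)
    return link


def to_windows_path(unix_path: str, dosdevices: Path) -> str:
    """Longest-prefix match of the real path against the drive map, then swap
    the separators, which is what `winepath -w` does for a mapped path."""
    real = os.path.realpath(unix_path)
    drives = load_drive_map(dosdevices)
    best = None
    for letter, root in drives.items():
        prefix = root.rstrip("/") + "/"
        if (real == root or real.startswith(prefix)) and (
            best is None or len(root) > len(drives[best])
        ):
            best = letter
    if best is None:
        raise ValueError(f"{unix_path} is not under any mapped drive letter")
    rest = real[len(drives[best].rstrip("/")):].strip("/")
    return f"{best}:\\" + rest.replace("/", "\\")


def demo_prefix() -> tuple[Path, Path]:
    """Constructed stand-ins for ~/.wine/dosdevices and the NTFS mount point."""
    base = Path(tempfile.mkdtemp(prefix="wine-demo-"))
    dosdevices = base / "dosdevices"
    dosdevices.mkdir()
    ntfs_mount = base / "ntfs_mount"
    (ntfs_mount / "WINDOWS" / "system32" / "config").mkdir(parents=True)
    (ntfs_mount / "Documents and Settings").mkdir()
    (dosdevices / "z:").symlink_to("/", target_is_directory=True)  # Wine's default "/" mapping
    add_drive(dosdevices, "d", ntfs_mount)
    return dosdevices, ntfs_mount


if __name__ == "__main__":
    dd, ntfs = demo_prefix()
    for p in (ntfs / "WINDOWS", ntfs / "Documents and Settings", dd):
        print(f"{p} -> {to_windows_path(str(p), dd)}")
```

Run directly, the script prints the mounted Windows directory as `D:\WINDOWS`, the profile directory as `D:\Documents and Settings`, and the prefix itself under `Z:\`. Without the `d:` symlink every path under the mount would still resolve, but only through `Z:\mnt\ntfs_mount\...`, which is what the symlink step is there to avoid.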
freagan
2010-07-22 06:38:06 UTC
Permalink
Hi all,

I've tried all of Gert van den Berg's proposed solutions but none of them worked for me.
If anyone has worked this out I'd be very happy to hear how.

Thank you for your support.
dimesio
2010-07-22 15:26:26 UTC
Permalink
Post by dfm9090
Sysinternals have just released a version of their Autoruns command-line tool that's capable of scanning an offline Windows install for images configured to start automatically (very useful for tracking down malware).
If this app relies on Windows regedit to examine the registry, it's never going to work in Wine. Wine's regedit is designed to work with Wine's registry, which is stored as a plain text file. It cannot read or write the Windows binary format, and pointing an app running in Wine at a real Windows registry is an extremely bad idea.
freagan
2010-07-26 16:49:52 UTC
Permalink
This app parses an "offline" copy of a Windows Registry File so, in theory, at least for reading registry entries it shouldn't be a problem running it with Wine. I have already used similar tools on Linux using Wine, for example "RegRipper". The problem here is that Autoruns.exe gives an error "Autoruns requires Administrator privilege to analyze an offline system" when you try to load the "offline" registry file.
Searching with Google, I understood that this problem can be related to some unimplemented API call and that's why it is not possible to resolve it using simple command-line switches. Is it true?

Thanks.
vitamin
2010-07-27 04:00:12 UTC
Permalink
Post by freagan
This app parses an "offline" copy of a Windows Registry File so, in theory, at least for reading registry entries it shouldn't be a problem running it with Wine.
You're wrong. Only the kernel can load binary hives (Windows' registry files). I'm sure this new tool wants to install some kernel drivers to get direct access to the registry without actually letting Windows do anything with it.

In either case, Wine doesn't support any sophisticated kernel drivers. Nor can Wine read Windows' binary registry files.
Gert van den Berg
2010-07-27 04:20:33 UTC
Permalink
Post by vitamin
Post by freagan
This app parses an "offline" copy of a Windows Registry File so, in theory, at least for reading registry entries it shouldn't be a problem running it with Wine.
You're wrong. Only the kernel can load binary hives (Windows' registry files). I'm sure this new tool wants to install some kernel drivers to get direct access to the registry without actually letting Windows do anything with it.
Only for active registry files? A driver shouldn't be needed for
registry files copied from another PC and not actively loaded? Not
sure what exactly this is for, though?

The right debug options (not sure which that would be) should give an
idea of what the application is trying to do?
vitamin
2010-07-27 13:52:41 UTC
Permalink
A driver shouldn't be needed for registry files copied from another PC and not actively loaded?
Only the kernel can load the registry. And obviously, if you are trying to load a registry that overrides your system registry, one needs some drivers to work around that.

Of course you can open a registry hive as a simple file and try to parse it. However, this isn't trivial and requires lots of code and exact knowledge of the format. I really doubt that's what this new tool does.
Gert van den Berg
2010-07-28 06:32:32 UTC
Permalink
Post by vitamin
A driver shouldn't be needed for registry files copied from another PC and not actively loaded?
Only the kernel can load the registry. And obviously, if you are trying to load a registry that overrides your system registry, one needs some drivers to work around that.
Of course you can open a registry hive as a simple file and try to parse it. However, this isn't trivial and requires lots of code and exact knowledge of the format. I really doubt that's what this new tool does.
It is a SysInternals tool from Microsoft... If anything does it, this
is where I would expect to find it... (chntpw has a utility capable
of editing the Windows registry from *nix)

Offline mode seems to imply that it is accessing the registry from hive
files not actively loaded in the current Windows registry..

(Autorunsc might be asking something in Windows to parse the file for
it though in offline mode...)

Gert
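The last few posts turn on whether a hive file can be read as an ordinary file at all, without the kernel loading it. Added example (not code from Sysinternals, Wine, chntpw or any poster in this thread): the script below parses the "regf" base block of an offline hive the way a user-mode triage tool would, checking the signature, the two sequence numbers (a mismatch means the last write was never fully flushed), the last-written FILETIME, the embedded file name and the header checksum, then walks the hbin chain to the root key cell. Field offsets follow the publicly documented hive format; the hive it parses by default is constructed inline and is not a real registry file.

```python
"""Inspect the base block ("regf" header) of an offline Windows registry hive.

Added example for this thread, not code from Sysinternals, Wine or any poster.
It parses the hive as an ordinary file; the sample hive is constructed inline.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096   # header occupies the first 4 KiB; hbins follow it
HBIN_SIZE = 4096         # hive bins are sized in 4 KiB multiples
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 127 dwords (offsets 0..507); the format stores a
    result of 0 as 1 and 0xFFFFFFFF as 0xFFFFFFFE."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        xor ^= dword
    return 0xFFFFFFFE if xor == 0xFFFFFFFF else (xor or 1)


def parse_base_block(data: bytes) -> dict:
    """Decode the header fields worth checking before touching any cell."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file shorter than a hive base block")
    blk = data[:BASE_BLOCK_SIZE]
    if blk[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    (seq1, seq2, last_written, major, minor, ftype, fformat,
     root_cell, hbins_size, _cluster) = struct.unpack_from("<IIQIIIIIII", blk, 4)
    stored = struct.unpack_from("<I", blk, 508)[0]
    name = blk[48:112].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "sequence": (seq1, seq2),
        "dirty": seq1 != seq2,          # unequal: last write never fully flushed
        # FILETIME: 100 ns ticks since 1601-01-01 UTC
        "last_written": EPOCH_1601 + timedelta(microseconds=last_written // 10),
        "version": (major, minor),
        "file_type": ftype,             # 0 = primary hive file
        "file_format": fformat,         # 1 = direct memory load
        "root_cell_offset": root_cell,  # relative to first hbin (file offset 4096)
        "hbins_size": hbins_size,
        "file_name": name,
        "checksum_ok": stored == regf_checksum(blk),
    }


def walk_hbins(data: bytes, hbins_size: int):
    """Yield (file_offset, relative_offset, size) for each hive bin."""
    pos, end = BASE_BLOCK_SIZE, BASE_BLOCK_SIZE + hbins_size
    while pos + 32 <= min(end, len(data)):
        if data[pos:pos + 4] != b"hbin":
            raise ValueError(f"bad hbin signature at file offset {pos:#x}")
        rel, size = struct.unpack_from("<II", data, pos + 4)
        if size == 0 or size % HBIN_SIZE:
            raise ValueError(f"implausible hbin size {size} at {pos:#x}")
        yield pos, rel, size
        pos += size


def root_cell_signature(data: bytes, root_cell: int) -> bytes:
    """A cell begins with a signed size (negative = allocated) and a 2-byte
    signature; a healthy root cell is an 'nk' key node."""
    off = BASE_BLOCK_SIZE + root_cell
    if struct.unpack_from("<i", data, off)[0] >= 0:
        raise ValueError("root cell is marked free")
    return data[off + 4:off + 6]


def inspect_hive(data: bytes) -> dict:
    """Header fields plus structural checks on the hbin chain and root cell."""
    info = parse_base_block(data)
    info["hbin_count"] = sum(1 for _ in walk_hbins(data, info["hbins_size"]))
    info["root_signature"] = root_cell_signature(data, info["root_cell_offset"])
    return info


def build_sample_hive(dirty: bool = False, corrupt_checksum: bool = False) -> bytes:
    """Constructed hive: one base block plus one hbin holding an 'nk' root cell."""
    blk = bytearray(BASE_BLOCK_SIZE)
    blk[0:4] = b"regf"
    seq1, seq2 = (7, 6) if dirty else (7, 7)
    delta = datetime(2010, 6, 25, tzinfo=timezone.utc) - EPOCH_1601
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000
    struct.pack_into("<IIQIIIIIII", blk, 4, seq1, seq2, ft, 1, 5, 0, 1, 0x20, HBIN_SIZE, 1)
    blk[48:64] = "SOFTWARE".encode("utf-16-le")
    struct.pack_into("<I", blk, 508, regf_checksum(bytes(blk)) ^ int(corrupt_checksum))
    hbin = bytearray(HBIN_SIZE)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, HBIN_SIZE)
    struct.pack_into("<i2s", hbin, 0x20, -0x60, b"nk")   # allocated 96-byte key node
    return bytes(blk + hbin)


if __name__ == "__main__":
    # Pass a copied hive (SOFTWARE, NTUSER.DAT, ...) to inspect it; else use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_hive()
    for key, value in inspect_hive(blob).items():
        print(f"{key:>16}: {value}")
```

Two of the fields are the ones a forensic run should look at first: a checksum mismatch means the header is damaged or the copy is incomplete, and unequal sequence numbers mean the hive was copied mid-write, so its transaction logs would have to be replayed before the key data can be trusted. Everything here is plain file parsing, which is exactly the part Wine has no say in; the Administrator-privilege check Autorunsc performs is a separate matter that this example does not address.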
