使用regini.exe修改注冊表

?

一，如何得到regini.exe

在Windows XP安裝光盤中（其他版本的自己試試），找到I386目錄下的regini.ex_文件，用expand.exe命令提取出regini.exe，命令如下：

"%SystemRoot%\System32\EXPAND.EXE" "\\?\CDROM0\I386\REGINI.EX_" "C:\regini.exe"

然后從C盤下將生成的regini.exe文件復制到你需要的地方。

建議：不要從非信任的網站下載regini.exe。

?

二、簡單舉例

先打開regedit.exe，以便觀看每步產生的變化，將如下內容復制到記事本中，保存為example01.txt、example02.txt文件，然后用如下命令：

REGINI.EXE example01.txt

REGINI.EXE example02.txt

::::::: example01.txt :::::::::: 不要復制我，我是分割線開始 ::::::::::::::::::::

HKEY_CURRENT_USER\example0

HKEY_CURRENT_USER\example0
"example1" = REG_DWORD 1

HKEY_CURRENT_USER\example0
"example2" = REG_SZ "This is an example!"

HKEY_CURRENT_USER\example0
"example3" = REG_MULTI_SZ "This is the first line!" "This is the second line!" "This is the third line!"

HKEY_CURRENT_USER\example0
"example4" = REG_EXPAND_SZ "This is an example! This is an example! This is an example! This is an example! This is an example!"

::::::: example01.txt :::::::::: 不要復制我，我是分割線結束 ::::::::::::::::::::

::::::: example02.txt :::::::::: 不要復制我，我是分割線開始 ::::::::::::::::::::

HKEY_CURRENT_USER\example0 [2 8 19]

::::::: example02.txt :::::::::: 不要復制我，我是分割線結束 ::::::::::::::::::::

修改第一個腳本，再運行試試：

REGINI.EXE example01.txt

沒反應，看來已經起作用了，鍵值變成只讀的了！

?

三、權限代碼表

?1? - Administrators 完全訪問
?2? - Administrators 讀取訪問
?3? - Administrators 讀取、寫入訪問
?4? - Administrators 讀取、寫入、刪除訪問

?5? - Creator 完全訪問
?6? - Creator 讀取、寫入訪問

?7? - everyone 完全訪問
?8? - everyone 讀取訪問
?9? - everyone 讀取、寫入訪問
?10 - everyone 讀取、寫入、刪除訪問

?11 - Power Users 完全訪問
?12 - Power Users 讀取、寫入訪問
?13 - Power Users 讀取、寫入、刪除訪問

?14 - System Operators 完全訪問
?15 - System Operators 讀取、寫入訪問
?16 - System Operators 讀取、寫入、刪除訪問

?17 - System 完全訪問
?18 - System 讀取、寫入訪問
?19 - System 讀取訪問

?20 - Administrators 讀取、寫入、執行訪問

?21 - Interactive User 完全訪問
?22 - Interactive User 讀取、寫入訪問
?23 - Interactive User 讀取、寫入、刪除訪問

?

四、運用在哪里

裝好系統、殺毒軟件后，刪除一些服務鍵、修改一些自啟動鍵、文件關聯鍵的權限等等。但是話又說回來了，

既然我們可以輕松的修改權限，那么病毒也可以修改回去，防范的方法是轉移regini.exe文件，再利用注冊表監測軟件。

將某個注冊表監測軟件改個名稱，最好再加個殼（不是防殺毒軟件，而是防病毒惡意終止），加在服務中，一旦有修改就報警。

?

五、英文幫助

這部分是從網站找的，作者不詳，僅供參考：

Usage: REGINI [-m machinename | -h hivefile hiveroot | -w Win95 Directory] [-i n] [-o outputWidth] [-b] textFiles...

-m specifies a remote windows NT machine whose registry is to be manipulated.

-h specifies a specify local hive to manipulate.

-w specifies the paths to a windows 95 system.dat and user.dat files

-i n specifies the display indentation multiple. Default is 4

-o outputWidth specifies how wide the output is to be. By default the outputWidth is set to
?? the width of the console window if standard output has not been redirected to a file.
?? In the latter case, an outputWidth of 240 is used.

-b specifies that REGINI should be backward compatible with older versions of REGINI that
?? did not strictly enforce line continuations and quoted strings Specifically, REG_BINARY,
?? REG_RESOURCE_LIST and REG_RESOURCE_REQUIREMENTS_LIST data types did not need line
???continuations after the first number that gave the size of the data.
?? It just kept looking on following lines until it found enough data values to equal the
?? data length or hit invalid input. Quoted strings were only allowed in REG_MULTI_SZ.
?? They could not be specified around key or value names, or around values for REG_SZ or
?? REG_EXPAND_SZ Finally, the old REGINI did not support the semicolon as an end of line
?? comment character.

textFiles is one or more ANSI or Unicode text files with registry data.

The easiest way to understand the format of the input textFile is to use the REGDMP
command with no arguments to dump the current contents of your NT Registry to standard
out. Redirect standard out to a file and this file is acceptable as input to REGINI

Some general rules are:
Semicolon character is an end-of-line comment character, provided it is the first
non-blank character on a line

Backslash character is a line continuation character. All characters from the backslash
up to but not including the first non-blank character of the next line are ignored.
If there is more than one space before the line continuation character, it is replaced
by a single space.

Indentation is used to indicate the tree structure of registry keys. The REGDMP program
uses indentation in multiples of 4. You may use hard tab characters for indentation,
but embedded hard tab characters are converted to a single space regardless of their
position.

Values should come before child keys, as they are associated with the previous key at
or above the value's indentation level.

For key names, leading and trailing space characters are ignored and not included in
the key name, unless the key name is surrounded by quotes. Imbedded spaces are part of
a key name.

Key names can be followed by an Access Control List (ACL) which is a series of decimal
numbers, separated by spaces, bracketed by a square brackets (e.g. [8 4 17]).
The valid numbers and their meanings are:

1? - Administrators Full Access
2? - Administrators Read Access
3? - Administrators Read and Write Access
4? - Administrators Read, Write and Delete Access
5? - Creator Full Access
6? - Creator Read and Write Access
7? - World Full Access
8? - World Read Access
9? - World Read and Write Access
10 - World Read, Write and Delete Access
11 - Power Users Full Access
12 - Power Users Read and Write Access
13 - Power Users Read, Write and Delete Access
14 - System Operators Full Access
15 - System Operators Read and Write Access
16 - System Operators Read, Write and Delete Access
17 - System Full Access
18 - System Read and Write Access
19 - System Read Access
20 - Administrators Read, Write and Execute Access
21 - Interactive User Full Access
22 - Interactive User Read and Write Access
23 - Interactive User Read, Write and Delete Access

If there is an equal sign on the same line as a left square bracket then the equal
sign takes precedence, and the line is treated as a registry value. If the text
between the square brackets is the string DELETE with no spaces, then REGINI will
delete the key and any values and keys under it.

For registry values, the syntax is:

value Name = type data

Leading spaces, spaces on either side of the equal sign and spaces between the type
keyword and data are ignored, unless the value name is surrounded by quotes. If the
text to the right of the equal sign is the string DELETE, then REGINI will delete the
value.

The value name may be left off or be specified by an at-sign character which is the
same thing, namely the empty value name. So the following two lines are identical:

= type data
@ = type data

This syntax means that you can't create a value with leading or trailing spaces,
an equal sign or an at-sign in the value name, unless you put the name in quotes.

Valid value types and format of data that follows are:

REG_SZ text
REG_EXPAND_SZ text
REG_MULTI_SZ "string1" "string2" ...
REG_DATE mm/dd/yyyy HH:MM DayOfWeek
REG_DWORD numberDWORD
REG_BINARY numberOfBytes numberDWORD(s)...
REG_NONE (same format as REG_BINARY)
REG_RESOURCE_LIST (same format as REG_BINARY)
REG_RESOURCE_REQUIREMENTS (same format as REG_BINARY)
REG_RESOURCE_REQUIREMENTS_LIST (same format as REG_BINARY)
REG_FULL_RESOURCE_DESCRIPTOR (same format as REG_BINARY)
REG_QWORD numberQWORD
REG_MULTISZ_FILE fileName
REG_BINARYFILE fileName

If no value type is specified, default is REG_SZ

For REG_SZ and REG_EXPAND_SZ, if you want leading or trailing spaces in the value
text, surround the text with quotes. The value text can contain any number of
imbedded quotes, and REGINI will ignore them, as it only looks at the first and
last character for quote characters.

For REG_MULTI_SZ, each component string is surrounded by quotes. If you want an
imbedded quote character, then double quote it, as in string2 above.

For REG_BINARY, the value data consists of one or more numbers. The default base
for numbers is decimal.
Hexidecimal may be specified by using 0x prefix. The first number is the number
of data bytes, excluding the first number. After the first number must come enough
numbers to fill the value.
Each number represents one DWORD or 4 bytes. So if the first number was 0x5 you
would need two more numbers after that to fill the 5 bytes. The high order 3 bytes
of the second DWORD would be ignored.

Whenever specifying a registry path, either on the command line or in an input file,
the following prefix strings can be used:

HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_USER
USER:

Each of these strings can stand alone as the key name or be followed a backslash
and a subkey path.?
?