
Edit a remote registry through Windbg

I found a way to edit the registry while in a remote Windbg session. !dreg lets you read the registry, but I had added a corrupt authentication package to the LSA list in the registry and had to remove it. I found out the hard way that LSASS will load every authentication package listed, even if you boot in safe mode.

Fortunately, I had set up LSASS to run under ntsd, which was connected to a remote Windbg.

To edit the registry of a remote machine running under a debugger:

  1. Break into the debugger. This step will happen naturally in most snafus.
  2. Start a shell with the .shell command. The shell runs on the target machine, in the security context of the debugger process; with LSASS running under ntsd that is LocalSystem, so reg.exe needs no further elevation (and a debugger attached to LSASS is, for the same reason, a SYSTEM shell).
  3. Fix the registry with the command line reg.exe tool. For example, to restore the authentication packages list, type
    reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Authentication packages" /t REG_MULTI_SZ /d msv1_0
    (add /f to overwrite the existing value without the confirmation prompt)
  4. Type exit to quit the shell (hit Enter enough times to get back to Windbg's prompt)

Then use the g command to resume execution.

As a side note: the Windows subsystem is fully loaded before LSASS.exe starts, or at least enough of it to launch CMD.exe and REG.exe.
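The repair above is a blind write; what I would want before (or after) it is a look at every package LSASS is going to load from that key. The following PowerShell script is an added example, not code from the original post: it reads the three package lists under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, resolves each entry to a DLL and reports whether the file exists and how its Authenticode signature verifies, which is the check that would have caught a broken entry like the one described here. The resolution rule (module name, optionally with .dll, relative to System32 unless rooted) and the Restore-DefaultAuthenticationPackages helper are assumptions of this example; the restore helper writes the same msv1_0-only value as the reg.exe command in the post.

```powershell
# Added example, not code from the original post.
# Audits the package lists LSASS loads at boot and, on request, restores the
# default 'Authentication Packages' value (msv1_0) as the reg.exe command does.
# Run from an elevated PowerShell. From a .shell prompt under ntsd it can be run
# with:  powershell -ExecutionPolicy Bypass -File <path to this script>

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Multi-string values LSASS reads packages from; the post had to repair the first.
$PackageValues = 'Authentication Packages', 'Security Packages', 'Notification Packages'

function Resolve-LsaPackagePath {
    param([string]$Entry)
    # Assumption of this example: entries are module names, with or without .dll,
    # looked up in System32 unless a rooted path is given.
    $name = if ([IO.Path]::HasExtension($Entry)) { $Entry } else { "$Entry.dll" }
    if ([IO.Path]::IsPathRooted($name)) { return $name }
    return Join-Path (Join-Path $env:SystemRoot 'System32') $name
}

function Test-LsaPackages {
    $props = Get-ItemProperty -Path $LsaKey
    foreach ($valueName in $PackageValues) {
        # Drop the empty strings Windows sometimes leaves in these lists.
        $entries = @($props.$valueName | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
        if ($entries.Count -eq 0) {
            [pscustomobject]@{ Value = $valueName; Entry = '(empty)'; Path = $null; Status = 'empty' }
            continue
        }
        foreach ($entry in $entries) {
            $path = Resolve-LsaPackagePath $entry
            $status = if (-not (Test-Path -LiteralPath $path)) {
                'MISSING'   # LSASS will fail to load this package
            } else {
                # 'Valid' means the Authenticode chain verifies; anything else deserves a look
                (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
            }
            [pscustomobject]@{ Value = $valueName; Entry = $entry; Path = $path; Status = $status }
        }
    }
}

function Restore-DefaultAuthenticationPackages {
    # Same effect as the reg.exe command in the post: the list becomes msv1_0 only.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($LsaKey, "Set 'Authentication Packages' to msv1_0")) {
        Set-ItemProperty -Path $LsaKey -Name 'Authentication Packages' -Value @('msv1_0') -Type MultiString
    }
}

Test-LsaPackages | Format-Table -AutoSize
# To repair, as in the post:  Restore-DefaultAuthenticationPackages -WhatIf   (drop -WhatIf to apply)
```

Anything reported as MISSING or with a signature status other than Valid is an entry to remove or replace before the next reboot; the restore helper is deliberately guarded by ShouldProcess so that a -WhatIf run shows the write before it happens.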

How to debug a Credential Provider locally

Here is a quick and easy way to debug a Credential Provider running on your development machine, without needing to set up a kernel debugging session with two computers. Before you go down this road, let me tell you a little bit about the behavior of LogonUI.exe (as seen on Windows 7 Ultimate SP1 64-bit, configured to require CTRL-ALT-DEL to log on).

  • Every time you type CTRL-ALT-DEL, a new LogonUI process is launched.
  • LogonUI will try to load every registered Credential Provider COM object.
  • You can run any process on the secure desktop.

With that knowledge, it is easy to set up a debugging session for your Credential Provider right on your development machine. Before I continue, be aware that it might temporarily affect the stability of your computer, as the following illustration shows.

[illustration]

(Continued)

Unlocking another user’s session using Credential Providers

I have been working a little bit lately on a Credential Provider port of my custom GINA. I did some tests, poked around the API and whipped together something I could load and play with. The route I first thought of taking is still the right one, but I ran into some unexpected problems.

Microsoft's new architecture is better, but the separation it enforces makes it hard to play tricks with the security policy. First, there are no shortcuts with Credential Providers. The documentation is explicit:

Credential Providers are not enforcement mechanisms. They are used to gather and serialize credentials. The Local Authority and Authentication Packages enforce security.

So we have to use an authentication package with the credential provider. Nothing that we didn't see coming. I have played with authentication packages before; it is just a matter of writing one.

Second, LogonUI will not kill another user's session. I am able to get a credential provider tile on the unlock screen and log on with administrator credentials, but then I get this error message:

This computer is locked. Only the logged on user can unlock the computer.

Which makes some sense: why kill (or unlock) a user's session if you can just start a new session next to it? Unfortunately, it does not help the most common use case my custom GINA users need to solve: many users need to access a single application running in a single session.

But I haven’t given up yet.

I tested on Windows 7 Ultimate 64-bit, with and without fast user switching. If you are ever able to unlock another user's session, write a line in the comments. I would love to hear about it.