In order to do some inventory and network management of our Windows
machines, we'd really like to be able to extract some bookkeeping info
from them - mostly from the registry. Anybody know how this is possible
from Linux?
(Most of) the information we seek is present in the registry of the
remote windows machine, e.g. installed programs/hotfixes. But the Event
Log, Info about running services, users, shares etc. is also on our
wishlist.
I tried upgrading my samba to 3.0.2a, and editreg(1) says "...currently
only NT4...", and editreg was also not created during my build.
Regardless, from reading editreg(1) it doesn't seem that it would do
what I need anyway, such as accessing a remote registry. rpcclient also
seems very handy - just not quite the tool for my exact job.
I have no need to modify the registry, only extract keys from it.
I suspect that the binary version of the registry on XP is in:
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT
And then there is a part for each user. Is that correct? I was thinking
that maybe I could use smbclient to retrieve the actual remote binary
version of the registry and then use some application to decode/dump
that binary file. Has anybody succeeded in that approach? With what
dumper? I seem to have no similar global file on my W2K installation...
- what would that be on W2K? On W3K?
I've tried looking at the PDUs that regedit/LANGuard for windows send
with a sniffer, but there are 994/11009 of them in my traces, and making
sense of the decodes seems a daunting task. SMB, CIFS and MS/DCE RPC
keeps re-appearing in those traces, so I thought I'd ask here.
As you can well imagine, I would really hate to have to have a separate
Windows machine in the loop running some Visual Basic / TCP daemon
nastiness just to do this...
Very likely, my ignorance stems from not having any fundamental
knowledge of how Windows remote management works. What is possible and
what are the protocols (RPC?/DCOM?/What else?) . googling reveals lots
of Windows Howto pages, but GUI guides (run regedit.exe, click
here&there) are of very little use here. Can the Windows RPC be used to
run a visual basic script (uploaded with smbclient) on the remote side
to do this? E.g.
Any links to *any* useful Linux information?
Peter
--
Peter Valdemar Mørch
http://www.morch.com
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
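An added example for the "pull the hive file and decode it offline" approach Peter asks about above; this is editor's code, not something from this thread or from Samba. Two facts worth having before trying it: the per-machine hives are SYSTEM, SOFTWARE, SAM and SECURITY under %SystemRoot%\system32\config (NTUSER.DAT is the per-profile user hive, and the one under systemprofile belongs to the LocalSystem account), and the kernel keeps the live files open, so smbclient gets a sharing violation on a running machine and you need a copy from a shadow copy or a backup. NT4, 2000, XP and 2003 all use the same "regf" layout, which the parser below walks: it checks the base block (signature, sequence numbers, XOR-32 checksum), follows nk/vk cells from the root key, and decodes REG_SZ, REG_DWORD and REG_MULTI_SZ data. So that it runs offline here, the input is a small hive constructed in memory by build_sample_hive(); its key and value names (ROOT\Uninstall\ExampleApp and so on) are made up.

```python
import functools, operator, struct
HBIN_BASE, NONE = 0x1000, 0xFFFFFFFF   # cell offsets are relative to the first hbin; NONE: no cell
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
_utf16 = lambda d: d.decode('utf-16-le').rstrip('\x00')
DECODE = {REG_SZ: _utf16, REG_EXPAND_SZ: _utf16,
          REG_DWORD: lambda d: struct.unpack('<I', d[:4])[0],
          REG_MULTI_SZ: lambda d: [s for s in d.decode('utf-16-le').split('\x00') if s]}

def _xor32(block):
    calc = functools.reduce(operator.xor, struct.unpack_from('<127I', block))  # XOR of bytes 0..507
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(calc, calc)                       # two results are reserved

def check_header(hive):
    """Checks on the 4 KiB base block: signature, sequence numbers, version, checksum."""
    seq1, seq2, _, major, minor = struct.unpack_from('<IIQII', hive, 4)
    # seq1 != seq2: the last write was not flushed, so the .LOG transaction log still applies
    return {'signature_ok': hive[:4] == b'regf', 'version': (major, minor), 'dirty': seq1 != seq2,
            'checksum_ok': _xor32(hive) == struct.unpack_from('<I', hive, 508)[0]}

def cell(hive, off, sig=None):
    """Payload of the cell at hive-relative offset off; in-use cells have a negative size field."""
    size = struct.unpack_from('<i', hive, HBIN_BASE + off)[0]
    payload = hive[HBIN_BASE + off + 4:HBIN_BASE + off - size]
    if size >= 0 or (sig and payload[:2] != sig):
        raise ValueError('expected an allocated %r cell at 0x%x' % (sig, off))
    return payload

def subkey_list(hive, off):
    """Subkey offsets from an li/lf/lh list; an ri cell is an index of further lists."""
    c = cell(hive, off)
    sig, n = c[:2], struct.unpack_from('<H', c, 2)[0]
    stride = {b'li': 4, b'lf': 8, b'lh': 8, b'ri': 4}[sig]   # lf/lh carry a 4-byte hash per entry
    offs = [struct.unpack_from('<I', c, 4 + i * stride)[0] for i in range(n)]
    return [o for s in offs for o in subkey_list(hive, s)] if sig == b'ri' else offs

def read_values(hive, list_off, count):
    """{name: (type, value)} for the vk cells in a key's value list."""
    out, lst = {}, (cell(hive, list_off) if count else b'')
    for i in range(count):
        v = cell(hive, struct.unpack_from('<I', lst, 4 * i)[0], b'vk')
        nlen, size, doff, vtype, vflags = struct.unpack_from('<HIIIH', v, 2)
        name = v[20:20 + nlen].decode('latin-1' if vflags & 1 else 'utf-16-le')
        data = (struct.pack('<I', doff)[:size & 0x7FFFFFFF] if size & 0x80000000  # <= 4 bytes: stored
                else bytes(cell(hive, doff)[:size]))                              # in the offset field
        out[name or '(Default)'] = (vtype, DECODE.get(vtype, bytes.hex)(data))
    return out

def dump(hive, off=None, path=''):
    """{key path: values} for the key at off (default: the root key) and everything below it."""
    off = struct.unpack_from('<I', hive, 36)[0] if off is None else off
    c = cell(hive, off, b'nk')
    flags = struct.unpack_from('<H', c, 2)[0]
    nsub, _, sub_off, _, nval, val_off = struct.unpack_from('<IIIIII', c, 20)
    nlen = struct.unpack_from('<H', c, 72)[0]
    name = c[76:76 + nlen].decode('latin-1' if flags & 0x20 else 'utf-16-le')
    full = path + '\\' + name if path else name
    tree = {full: read_values(hive, val_off, nval)}
    for so in (subkey_list(hive, sub_off) if nsub else []):
        tree.update(dump(hive, so, full))
    return tree

class HiveBuilder:
    """Writes a single-hbin hive; used only to construct the sample input below."""
    def __init__(self): self.cells = bytearray()
    def add(self, payload):                   # one allocated, 8-byte-aligned cell
        total = 4 + len(payload) + -(4 + len(payload)) % 8
        off = 32 + len(self.cells)            # first cell follows the 32-byte hbin header
        self.cells += struct.pack('<i', -total) + payload.ljust(total - 4, b'\0')
        return off
    def value(self, name, vtype, data):
        inline = len(data) <= 4
        size = 0x80000000 | len(data) if inline else len(data)
        doff = struct.unpack('<I', data.ljust(4, b'\0'))[0] if inline else self.add(data)
        return self.add(b'vk' + struct.pack('<HIIIHH', len(name), size, doff, vtype, 1, 0) + name)
    def key(self, name, subkeys=(), values=(), root=False):  # subkeys: [(name, off)], values: [off]
        sub_off = self.add(b'lf' + struct.pack('<H', len(subkeys)) + b''.join(
            struct.pack('<I', o) + n[:4].ljust(4, b'\0') for n, o in subkeys)) if subkeys else NONE
        val_off = self.add(b''.join(struct.pack('<I', o) for o in values)) if values else NONE
        flags = 0x20 | (0x04 if root else 0)  # 0x20: ASCII key name, 0x04: hive root entry
        fixed = struct.pack('<HQI14I', flags, 0, 0, 0, len(subkeys), 0, sub_off, NONE,
                            len(values), val_off, NONE, NONE, 0, 0, 0, 0, 0)
        return self.add(b'nk' + fixed + struct.pack('<HH', len(name), 0) + name)
    def finish(self, root_off):
        size = 32 + len(self.cells) + -(32 + len(self.cells)) % 4096
        hdr = bytearray(4096)
        struct.pack_into('<4sII', hdr, 0, b'regf', 1, 1)              # seq1 == seq2: cleanly flushed
        struct.pack_into('<6I', hdr, 20, 1, 3, 0, 1, root_off, size)  # v1.3, primary file, format 1
        struct.pack_into('<I', hdr, 508, _xor32(hdr))
        hbin = b'hbin' + struct.pack('<II', 0, size) + b'\0' * 20 + self.cells
        return bytes(hdr) + hbin.ljust(size, b'\0')

def build_sample_hive():
    """Constructed sample (made-up names, not data from any real machine)."""
    b, u16 = HiveBuilder(), (lambda s: (s + '\0').encode('utf-16-le'))
    app1 = b.key(b'ExampleApp', values=[b.value(b'DisplayName', REG_SZ, u16('Example App 1.0')),
                                        b.value(b'NoRemove', REG_DWORD, struct.pack('<I', 1)),
                                        b.value(b'Components', REG_MULTI_SZ, u16('core\0docs\0'))])
    app2 = b.key(b'OtherTool', values=[b.value(b'DisplayName', REG_SZ, u16('Other Tool'))])
    uninst = b.key(b'Uninstall', subkeys=[(b'ExampleApp', app1), (b'OtherTool', app2)])
    return b.finish(b.key(b'ROOT', subkeys=[(b'Uninstall', uninst)], root=True))
```

On a real copy, dump(open('SOFTWARE', 'rb').read()) gives the same {path: values} dictionary; run check_header() on it first, because a hive copied while Windows had it open can carry unequal sequence numbers and references to cells that were never flushed, and the parser raises a ValueError on a free cell rather than returning a partial tree.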
Hi there,
Thank you for your reply. The beauty of smb/rpc would be that it
wouldn't require any software installed on the remote machines. With a
domain administrator password, we could successfully query all windows
hosts in the network without any problems. We're developing a network
management application, and have committed ourselves to not requiring any
installation on a per-client basis, so this is ideal.
I already use VNC (TightVNC - also free!) for many other purposes, and
have used the openssh daemon under cygwin in the past - but by their
nature, they require client software installed. If that is the case, I'm
more inclined to create a daemon/service running on Windows that will
access remote repositories via MS Visual Basic or MS C++... Also we need
to be able to query 100s of machines, so VNC is not really viable.
Thank you for your time in answering me!
But I'm still in the market for a remote repository access solution...
I can't help you with a *nix solution (how about perl for reg
access?), but I can point you to a Windows program.
This TINY program (241,664 bytes KIX32.EXE) is simply very easy to
use... just simple code in a text type file.
It can be copied to the NETLOGON share, and then the program can do
whatever you need.
For example, before I retired in 1999, I had developed my own home
grown SMS-like system for a company where I worked. I managed
6000+ workstations/servers in 125 cities in 5 states.
I had 2000+ lines of code that would query *ALL* machines in my
domain, and put the results in a ".csv" file. This file can then
be imported into your favorite database.
I don't have access to any of the code I wrote, but the "language"
is mostly just a super batch type language.
For example...
------------------------------------------------
; DEMO.KIX
;
; KiXtart demonstration script of registry functions.
;
; 24-Aug-1995
;
; Note : This code sample is provided for demonstration purposes only.
; Microsoft makes no warranty, either express or implied,
; as to its usability in any given situation.
;
cls                                   ; clear the screen
color w+/n
? "START"
:start
; ExistKey returns 0 when the key is present, so non-zero means it is missing
if existkey( "HKEY_CURRENT_USER\KiX32" ) <> "0"
  if addkey( "HKEY_CURRENT_USER\KiX32" ) = 0
    color g+/n
    ? "OK, added KiX32 key."
    if addkey( "HKEY_CURRENT_USER\KiX32\one" ) = 0 AND
       addkey( "HKEY_CURRENT_USER\KiX32\two" ) = 0 AND
       addkey( "HKEY_CURRENT_USER\KiX32\three" ) = 0
      ? "...and some subkeys..."
      ; every registry function returns 0 on success, so each call is tested for 0
      if writevalue( "HKEY_CURRENT_USER\KiX32\one" , "value1" ,
                     "Text" , "REG_SZ" ) = 0 AND
         writevalue( "HKEY_CURRENT_USER\KiX32\one" , "value2" ,
                     "line1|line2(with a || in it)|line3|" , "REG_MULTI_SZ" ) = 0 AND
         writevalue( "HKEY_CURRENT_USER\KiX32\one" , "value3" ,
                     "0a12defa0b" , "REG_BINARY" ) = 0 AND
         writevalue( "HKEY_CURRENT_USER\KiX32\one" , "value4" ,
                     "123456789" , "REG_DWORD" ) = 0
        ? "...and now even some values..."
        ? "Please check the result with REGEDT32."
        ? ? "End of demo : press <anykey> to delete the key again."
        get $x
        $result = deltree( "HKEY_CURRENT_USER\KiX32" )
        goto end
      else
        ? "Hmm, WriteValue failed with returncode : " + @error
      endif
    else
      ? "Hmm, AddKey failed with returncode : " + @error
    endif
  else
    ? "Hmm, AddKey failed with returncode : " + @error
  endif
else
  ? "Huh ?. Key already exists ?!?."
  ? "Do you want me to delete it (Y/N) ?."
  :loop
  get $Input
  if $Input = "Y"
    if deltree( "HKEY_CURRENT_USER\KiX32" ) = 0
      ? "OK, Key deleted......"
      goto start
    else
      ? "Hmmm, somehow the delete failed : " + @error
      exit
    endif
  else
    if $Input = "N"
      ? "OK, then I'll just quit."
      goto end
    else
      goto loop                       ; wrong key, try again
    endif
  endif
endif
:end
color w+/n
? ? "END"
color w/n
------------------------------------
HTH
Mike
--
SuSE 9.0 Pro (2.4.21-192-default) with samba-2.2.8a-107
@echo off
REM default login script robo...@gmx.de
REM install printers
rundll32 printui.dll,PrintUIEntry /dn /n "\\smbpdc\bjc2000" /q
rundll32 printui.dll,PrintUIEntry /in /n "\\smbpdc\bjc2000"
rundll32 printui.dll,PrintUIEntry /dn /n "\\smbpdc\pdfwriter" /q
rundll32 printui.dll,PrintUIEntry /in /n "\\smbpdc\pdfwriter"
REM sync time
net time \\smbpdc /set /yes
REM general shares
net use v: \\smbpdc\pdf
net use w: \\smbpdc\files1
net use x: \\smbpdc\files2
net use y: \\smbpdc\files3
REM ------------------------------------- INSTALLER -------------------------------------
REM This will install the VNC files from Y:\install to C:\rcontrol
REM we use this path to hide from users and not conflict with an existing tightvnc setup
REM If WinVNC.exe is not there we will assume that the system needs all the files
IF NOT EXIST C:\rcontrol\WinVNC.EXE goto TVNCINSTALL
REM if winvnc.exe exists in our setup dir make sure that our reg settings get merged
IF EXIST C:\rcontrol\WinVNC.EXE goto TVNCREGINSTALL
exit
REM This section copies the VNC files, installs the VNC service and runs
REM TVNC the first time
:TVNCINSTALL
REM copy the needed files to a tmp dir on the client; psexec wants to start from there
xcopy y:\install \\%COMPUTERNAME%\c$\tmp\ /y
REM next tvnc will be installed silently without any entry in the program folders
psexec \\%COMPUTERNAME% c:\tmp\tightvnc-1.2.9-setup.exe /SP- /VERYSILENT /DIR="c:\rcontrol" /NOICONS
REM our reg file gets merged
psexec \\%COMPUTERNAME% c:\tmp\regedit /s c:\tmp\tightvnc.reg
REM next line is to remove another vnc server which may be running
psexec \\%COMPUTERNAME% c:\rcontrol\winvnc.exe -remove
REM now the vnc service is provided
psexec \\%COMPUTERNAME% c:\rcontrol\winvnc.exe -install
REM the service gets started
psservice \\%COMPUTERNAME% start winvnc
REM we delete all files in the tmp dir
del \\%COMPUTERNAME%\c$\tmp /q
REM make sure our reg gets merged anyway (the install branch falls through to here)
:TVNCREGINSTALL
psservice \\%COMPUTERNAME% stop winvnc
regedit /s tightvnc.reg
psservice \\%COMPUTERNAME% start winvnc
Wondering if anyone else has run into this:
I've found a problem where if I use ADS security it works fine for a
while, then all of a sudden I can't get access to shares and I have to run
kinit again? If I switch to DOMAIN security it works fine. Is the server
having trouble renewing Kerberos tickets?
I'm using Samba 3.0.2rc2
Here's my smb.conf
# Global parameters
[global]
workgroup = TPA
realm = TPA.COM.AU
server string = Samba Server
security = DOMAIN
password server = *
encrypt passwords = yes
log level = 2
log file = /var/log/samba/samba.log
max log size = 25000
deadtime = 15
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
printcap name = cups
preferred master = No
domain master = No
dns proxy = No
wins server = 172.20.20.240
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
invalid users = root, @wheel
printer admin = root, '@TPA+Domain Users'
Regards,
Frank
After ending my investigation, it looks like it indeed is possible. It
seems samba-tng has remote repository access, though I didn't try it.
Check out e.g.
"REGEDIT Commands" under
http://www.samba-tng.org/docs/tng/htmldocs/rpcclient.8.html
Seems to do what I wanted, right?
I decided I really needed WMI access for it to be really useful. And WMI
access isn't possible from Linux. At least nobody seems to know how to
do it.
Just wanted to make my investigation results available for anybody else
on the same quest.
Also, it seems repository access was once possible with samba itself!
Look in:
source/rpcclient/cmd_reg.c
and see the commented-out code...
I posted a thread (also) about this called "Windows WMI (over DCE/RPC)
with Samba?" on the samba-technical mailing list.