Edit a remote registry through Windbg
I found a way to edit the registry while under a remote Windbg session. !dreg allows you to read the registry, but I had added a corrupt authentication package to the Lsa list in the registry that I had to remove. I found out the hard way that LSASS will load all authentication packages listed, even if you boot in safe mode.
Fortunately, I had set up LSASS to run under ntsd, which was connected to a remote Windbg.
To edit the registry of a remote machine running under a debugger:
- Break into the debugger. This step will happen naturally in most snafus.
- Start a shell with the .! command.
- Fix the registry with the command-line reg.exe tool. For example, to restore the authentication packages, type:
  reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Authentication packages" /t REG_MULTI_SZ /d msv1_0
- Type exit to quit the shell (hit Enter enough times to get back to Windbg's prompt).
Then use the g command to resume execution.
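As an added example (not from the original post), here is a PowerShell audit of the Lsa "Authentication Packages" list to run before the reg.exe fix, from a normal session or the debugger shell. It assumes a default install where msv1_0 is the only expected package and that each entry is a DLL base name that LSASS loads from System32.

```powershell
# Added example, not from the original post: list every authentication package
# LSASS will load at boot, flag entries outside the expected baseline, and check
# whether each DLL exists and carries a valid Authenticode signature.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$expected = @('msv1_0')   # assumption: default install; extend for known legitimate packages

$packages = (Get-ItemProperty -Path $lsaKey -Name 'Authentication Packages').'Authentication Packages'

foreach ($pkg in $packages) {
    # Assumption: entries are base names; LSASS resolves them to System32\<name>.dll
    $dll    = Join-Path $env:SystemRoot ("System32\{0}.dll" -f $pkg)
    $status = if ($expected -contains $pkg) { 'expected' } else { 'UNEXPECTED' }

    if (Test-Path $dll) {
        $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
        "{0,-12} {1,-10} DLL present, signature: {2}" -f $pkg, $status, $sig
    } else {
        # A listed package whose DLL is missing or unloadable is what keeps LSASS
        # from starting, since every listed package is loaded even in safe mode.
        "{0,-12} {1,-10} DLL NOT FOUND at {2}" -f $pkg, $status, $dll
    }
}
```

Any entry reported as UNEXPECTED, missing, or unsigned is the one to drop from the list with reg.exe before resuming with g.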
As a side note: the Windows subsystem is fully loaded before LSASS.exe starts, or at least enough of it is loaded to launch CMD.exe and REG.exe.