From 4fdddb435a3cb25298ad8906d8057585965b409d Mon Sep 17 00:00:00 2001
From: Daniel
Date: Fri, 27 Oct 2023 12:16:56 +0200
Subject: [PATCH 1/2] start remote registry as unprivileged user in reg.py

Trigger the start of the RemoteRegistry service as unprivileged user by opening the winreg named pipe.
---
 examples/reg.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/examples/reg.py b/examples/reg.py
index 6d6c34ac91..d1c3edee7d 100755
--- a/examples/reg.py
+++ b/examples/reg.py
@@ -41,7 +41,7 @@ from impacket.examples.utils import parse_target
 from impacket.system_errors import ERROR_NO_MORE_ITEMS
 from impacket.structure import hexdump
-from impacket.smbconnection import SMBConnection
+from impacket.smbconnection import SMBConnection, SessionError
 from impacket.dcerpc.v5.dtypes import READ_CONTROL
@@ -173,7 +173,8 @@ def run(self, remoteName, remoteHost):
 self.__remoteOps.enableRegistry()
 except Exception as e:
 logging.debug(str(e))
- logging.warning('Cannot check RemoteRegistry status. Hoping it is started...')
+ logging.warning('Cannot check RemoteRegistry status. Triggering start trough named pipe...')
+ self.triggerWinReg()
 self.__remoteOps.connectWinReg()
 try:
@@ -200,6 +201,17 @@ def run(self, remoteName, remoteHost):
 if self.__remoteOps:
 self.__remoteOps.finish()
+ def triggerWinReg(self):
+ # original idea from https://twitter.com/splinter_code/status/1715876413474025704
+ tid = self.__smbConnection.connectTree('IPC$')
+ try:
+ self.__smbConnection.openFile(tid, r'\winreg', 0x12019f, creationOption=0x40, fileAttributes=0x80)
+ except SessionError:
+ # STATUS_PIPE_NOT_AVAILABLE error is expected
+ pass
+ # give remote registry time to start
+ time.sleep(1)
+
 def save(self, dce, keyName):
 hRootKey, subKey = self.__strip_root_key(dce, keyName)
 outputFileName = "%s\%s.save" % (self.__options.outputPath, subKey)
From 56a74846d01c7fb38eb1260f171909302504bed7 Mon Sep 17 00:00:00 2001
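Review bot: The new warning string on the `+` line misspells "through" (`Triggering start trough named pipe...`); this is user-facing log output and should read `logging.warning('Cannot check RemoteRegistry status. Triggering start through named pipe...')`. The same typo appears in the subject of the second patch in this series. Note also that `triggerWinReg()` is only reached from the `except` path, i.e. when `enableRegistry()` raised — presumably the unprivileged caller that cannot query or start the service via SCM — so the message could say so explicitly, e.g. `'Cannot check RemoteRegistry status (no SCM access?). Triggering start through the \\winreg named pipe...'`. `run()` begins and ends outside this hunk.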
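Review bot: `triggerWinReg` leaks the `IPC$` tree connect (no `disconnectTree`) and, when the open happens to succeed, the returned file handle, and the bare `except SessionError: pass` hides every SMB failure rather than only the expected STATUS_PIPE_NOT_AVAILABLE, so an access-denied or unreachable pipe is indistinguishable from a successful trigger and the following `connectWinReg()` then fails with a less useful error. Disconnect the tree in a `finally`, close the handle if one was returned, and compare the error code against `nt_errors.STATUS_PIPE_NOT_AVAILABLE` (with `from impacket import nt_errors` added to the import block), logging anything else at debug level. The literals `0x12019f`, `0x40` and `0x80` deserve a naming comment — the latter two appear to be impacket's `openFile` defaults (`FILE_NON_DIRECTORY_FILE`, `FILE_ATTRIBUTE_NORMAL`) — and please confirm `time` is imported at file top, since the import hunk above does not add it. A docstring should state the mechanism (opening `\winreg` on `IPC$` makes the server start RemoteRegistry on demand without SCM rights) and that the fixed `time.sleep(1)` is a race which a short retry around `connectWinReg()` would handle more robustly.
```python
    def triggerWinReg(self):
        """Trigger an on-demand start of RemoteRegistry by opening the \\winreg pipe on IPC$.

        Needs no SCM rights; the first open is expected to fail with
        STATUS_PIPE_NOT_AVAILABLE while the service comes up. Any other
        error is logged at debug level so a failed trigger can be diagnosed
        when the later connectWinReg() fails.
        """
        # original idea from https://twitter.com/splinter_code/status/1715876413474025704
        tid = self.__smbConnection.connectTree('IPC$')
        try:
            # 0x40 = FILE_NON_DIRECTORY_FILE, 0x80 = FILE_ATTRIBUTE_NORMAL (openFile defaults)
            fid = self.__smbConnection.openFile(tid, r'\winreg', 0x12019f, creationOption=0x40, fileAttributes=0x80)
            self.__smbConnection.closeFile(tid, fid)
        except SessionError as e:
            if e.getErrorCode() != nt_errors.STATUS_PIPE_NOT_AVAILABLE:
                logging.debug('Unexpected error while opening \\winreg pipe: %s' % str(e))
        finally:
            self.__smbConnection.disconnectTree(tid)
        # give remote registry time to start
        time.sleep(1)
```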
From: dadevel
Date: Fri, 27 Oct 2023 14:33:44 +0200
Subject: [PATCH 2/2] enable access to HKEY_USERS trough reg.py
---
 examples/reg.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/examples/reg.py b/examples/reg.py
index d1c3edee7d..e886141f2b 100755
--- a/examples/reg.py
+++ b/examples/reg.py
@@ -425,8 +425,10 @@ def __strip_root_key(self, dce, keyName):
 raise Exception('Error parsing keyName %s' % keyName)
 if rootKey.upper() == 'HKLM':
 ans = rrp.hOpenLocalMachine(dce)
- elif rootKey.upper() == 'HKU':
+ elif rootKey.upper() == 'HKCU':
 ans = rrp.hOpenCurrentUser(dce)
+ elif rootKey.upper() == 'HKU':
+ ans = rrp.hOpenUsers(dce)
 elif rootKey.upper() == 'HKCR':
 ans = rrp.hOpenClassesRoot(dce)
 else:
@@ -532,7 +534,7 @@ def __parse_lp_data(valueType, valueData):
 query_parser.add_argument('-keyName', action='store', required=True, help='Specifies the full path of the subkey. The '
 'keyName must include a valid root key. Valid root keys for the local computer are: HKLM,'
- ' HKU, HKCR.')
+ ' HKU, HKCU, HKCR.')
 query_parser.add_argument('-v', action='store', metavar="VALUENAME", required=False, help='Specifies the registry '
 'value name that is to be queried. If omitted, all value names for keyName are returned. ')
 query_parser.add_argument('-ve', action='store_true', default=False, required=False, help='Queries for the default '
@@ -545,7 +547,7 @@ def __parse_lp_data(valueType, valueData):
 add_parser.add_argument('-keyName', action='store', required=True, help='Specifies the full path of the subkey. The '
 'keyName must include a valid root key. Valid root keys for the local computer are: HKLM,'
- ' HKU, HKCR.')
+ ' HKU, HKCU, HKCR.')
 add_parser.add_argument('-v', action='store', metavar="VALUENAME", required=False, help='Specifies the registry '
 'value name that is to be set.')
 add_parser.add_argument('-vt', action='store', metavar="VALUETYPE", required=False, help='Specifies the registry '
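Review bot: The remapping is correct (the old code silently answered an `HKU` request with the caller's HKCU hive), but the new `HKCU` branch deserves a comment on what `hOpenCurrentUser` means over a remote connection: the server resolves HKCU for the authenticating account (MS-RRP OpenCurrentUser), not for any interactively logged-on user, and presumably hands back the default hive when that account's profile is not loaded, so `HKU\<SID>` remains the reliable path to a specific user's hive. Something like `# HKCU is resolved server-side for the authenticating account, not an interactive user; use HKU\<SID> to reach a specific profile` would save the next reader a surprise. As a matter of style, `rootKey.upper()` is now evaluated up to four times in the chain; bind it once (`root = rootKey.upper()`) before the `if`, or map the four names to their `rrp.hOpen*` helpers in a dict. `__strip_root_key` begins and ends outside this hunk.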
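Review bot: The root-key list in the `-keyName` help text is now hand-edited in four places (this hunk and the `add`, `delete` and `save` parsers in the hunks at -545, -560 and -576) while the accepted set actually lives in `__strip_root_key`; a single module-level string such as `ROOT_KEYS_HELP = 'HKLM, HKU, HKCU, HKCR'` referenced from each `help=` would keep the help and the parser from drifting apart again. Also, the wording "Valid root keys for the local computer" is misleading here since every key is opened on the remote target; `Valid root keys on the target are: ...` would be more accurate.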
@@ -560,7 +562,7 @@ def __parse_lp_data(valueType, valueData):
 delete_parser.add_argument('-keyName', action='store', required=True, help='Specifies the full path of the subkey. The '
 'keyName must include a valid root key. Valid root keys for the local computer are: HKLM,'
- ' HKU, HKCR.')
+ ' HKU, HKCU, HKCR.')
 delete_parser.add_argument('-v', action='store', metavar="VALUENAME", required=False, help='Specifies the registry '
 'value name that is to be deleted.')
 delete_parser.add_argument('-va', action='store_true', required=False, help='Delete all values under this key.')
@@ -576,7 +578,7 @@ def __parse_lp_data(valueType, valueData):
 save_parser.add_argument('-keyName', action='store', required=True, help='Specifies the full path of the subkey. The '
 'keyName must include a valid root key. Valid root keys for the local computer are: HKLM,'
- ' HKU, HKCR.')
+ ' HKU, HKCU, HKCR.')
 save_parser.add_argument('-o', dest='outputPath', action='store', metavar='\\\\192.168.0.2\share', required=True, help='Output UNC path the target system must export the registry saves to')
 # A special backup command to save HKLM\SAM, HKLM\SYSTEM and HKLM\SECURITY