Microsoft Windows Remote Registry Service (WINREG)

This is a DCE/RPC-based protocol used by CIFS hosts to access the registry across a network. The dissector is described by an IDL file (the Samba IDL definition for the WINREG interface is at http://websvn.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_4_0/source/librpc/idl/winreg.idl) and is automatically generated by the Pidl compiler.

History

This protocol first appeared in Windows NT4 and is used to access the registry across a network.

Protocol dependencies

  • DCE/RPC: This protocol is implemented on top of the DCE/RPC transport. It is usually accessed through the \PIPE\winreg named pipe on IPC$, but can also be reached through a dynamically assigned TCP port. Accessing this service with TCP as the transport requires the support of the EPM Endpoint Mapper service.

Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).

Wireshark

The WINREG dissector is partially functional and incomplete, pending a full analysis of the protocol and its IDL file.

Preference Settings

There are no preference settings specific to the WINREG protocol.

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short; it is also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of WINREG display filter fields can be found in the display filter reference (http://www.wireshark.org/docs/dfref/w/winreg.html).

  • Show only the WINREG based traffic:

     winreg 

Capture Filter

You cannot directly filter WINREG protocols while capturing, because capture filters work below the DCE/RPC layer; capture the underlying transport (the named pipe traffic on IPC$ or the TCP port in use) and apply the winreg display filter afterwards.

Protocol Functions

The WINREG protocol implements the following functions:

  • winreg_OpenHKCR
  • winreg_OpenHKCU
  • winreg_OpenHKLM
  • winreg_OpenHKPD
  • winreg_OpenHKU
  • winreg_CloseKey
  • winreg_CreateKey
  • winreg_DeleteKey
  • winreg_DeleteValue
  • winreg_EnumKey
  • winreg_EnumValue
  • winreg_FlushKey
  • winreg_GetKeySecurity
  • winreg_LoadKey
  • winreg_NotifyChangeKeyValue
  • winreg_OpenKey
  • winreg_QueryInfoKey
  • winreg_QueryValue
  • winreg_ReplaceKey
  • winreg_RestoreKey
  • winreg_SaveKey
  • winreg_SetKeySecurity
  • winreg_SetValue
  • winreg_UnLoadKey
  • winreg_InitiateSystemShutdown
  • winreg_AbortSystemShutdown
  • winreg_GetVersion
  • winreg_OpenHKCC
  • winreg_OpenHKDD
  • winreg_QueryMultipleValues
  • winreg_InitiateSystemShutdownEx
  • winreg_SaveKeyEx
  • winreg_OpenHKPT
  • winreg_OpenHKPN
  • winreg_QueryMultipleValues2

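To put the function list to use on the monitoring side, here is an added example (not from the Wireshark wiki or the dissector) that maps WINREG opnums to the function names above and counts remote registry reads, writes and shutdown requests per client from a tshark field export. It assumes the functions are listed in 0-based opnum order, that the export was made with fields such as ip.src, ip.dst, dcerpc.opnum and dcerpc.pkt_type (field names and layout assumed), and the sample lines are constructed.

```python
from collections import Counter
# Function names in the order listed on this page, assumed (not stated on the
# page) to be the 0-based opnum order of the WINREG IDL.
WINREG_FUNCTIONS = [
    "OpenHKCR", "OpenHKCU", "OpenHKLM", "OpenHKPD", "OpenHKU", "CloseKey",
    "CreateKey", "DeleteKey", "DeleteValue", "EnumKey", "EnumValue", "FlushKey",
    "GetKeySecurity", "LoadKey", "NotifyChangeKeyValue", "OpenKey",
    "QueryInfoKey", "QueryValue", "ReplaceKey", "RestoreKey", "SaveKey",
    "SetKeySecurity", "SetValue", "UnLoadKey", "InitiateSystemShutdown",
    "AbortSystemShutdown", "GetVersion", "OpenHKCC", "OpenHKDD",
    "QueryMultipleValues", "InitiateSystemShutdownEx", "SaveKeyEx", "OpenHKPT",
    "OpenHKPN", "QueryMultipleValues2",
]
OPNUM_TO_NAME = {n: "winreg_" + f for n, f in enumerate(WINREG_FUNCTIONS)}
# Calls that change registry state on the server or affect its availability.
WRITE_OPS = {"CreateKey", "DeleteKey", "DeleteValue", "SetValue", "SetKeySecurity",
             "LoadKey", "UnLoadKey", "RestoreKey", "ReplaceKey", "SaveKey", "SaveKeyEx"}
SHUTDOWN_OPS = {"InitiateSystemShutdown", "InitiateSystemShutdownEx", "AbortSystemShutdown"}

def classify(opnum):
    """Return (function name, category) for one WINREG opnum."""
    name = OPNUM_TO_NAME.get(opnum)
    if name is None:
        return ("winreg_unknown_%d" % opnum, "unknown")
    short = name[len("winreg_"):]
    if short in SHUTDOWN_OPS:
        return (name, "shutdown")
    return (name, "write" if short in WRITE_OPS else "read")

def summarize(lines):
    """Count call categories per (client, server) from tab-separated lines
    'src<TAB>dst<TAB>opnum<TAB>pkt_type'; only requests (pkt_type 0) count."""
    per_client = {}
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4 or parts[3] != "0":
            continue  # responses and malformed lines are skipped
        _name, category = classify(int(parts[2]))
        per_client.setdefault((parts[0], parts[1]), Counter())[category] += 1
    return per_client

# Constructed sample export (not a real capture).
SAMPLE = [
    "10.0.0.5\t10.0.0.20\t2\t0",   # OpenHKLM request
    "10.0.0.20\t10.0.0.5\t2\t2",   # its response: ignored
    "10.0.0.5\t10.0.0.20\t22\t0",  # SetValue: a remote registry write
    "10.0.0.5\t10.0.0.20\t30\t0",  # InitiateSystemShutdownEx
    "10.0.0.7\t10.0.0.20\t17\t0",  # QueryValue from a second client
]
```

A client that issues writes or shutdown requests against hosts it has no administrative relationship with is the case worth alerting on; plain reads are common from inventory and monitoring tools.
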
Discussion

WINREG (last edited 2008-04-12 17:50:27 by localhost)