Yeah, that sounds a bit lame for an intro, but let me explain a little bit. The initial idea to write this blog occurred to me about half a year ago. Back then I had some funny (read: horrible) problems with my laptop. It all started with wanting to defragment a hard drive partition I had been using for quite some time. It was a 40GB NTFS partition with like 1-2GB of free space. The Windows XP defrag utility said the free space was not sufficient to carry out the defragmentation. The Windows Vista defrag utility (I also had Vista installed on another partition), however, would carry out the process just fine. Bold as I am, I thought that Microsoft may actually have improved the program and started the defragmentation.
Guess I shouldn't have been so bold back then. Note to little kids (and everyone else for that matter): Don't EVER defragment a Windows XP NTFS partition with the defrag utility from Windows Vista. Especially not when the Windows XP utility tells you the free space is not sufficiently large for the process, but I don't know if this criterion alone is what matters. And for God's sake I don't feel like trying. So, my daring readers, you might want to know what actually happened. Let's put it this way: When you get a blue screen upon boot stating UNKNOWN HARD ERROR, you know something went terribly wrong.
Note that I had installed the system some 2 years before that and kept everything neat and clean, so I didn't feel the need for a reinstall. Fortunately I was able to rescue most of the data on the partition since it was still readable under Vista, though Windows itself was irrecoverably lost, as I had to find out the hard way. When preparing for the reinstall I wanted to get the install CD so I could get the product key. I had installed a Windows XP Pro I bought for cheap at a students' shop, not the XP Home shipped with the laptop. Although I usually don't lose such stuff, I was unable to find it (what was it about exceptions to the rule? Darn it!). That in itself wouldn't have been a problem if this hadn't happened during the holidays. On workdays I'd have been able to retrieve my key from the shop, as they register it with the buyer in order to prevent illicit use.
Some googling later I found various ways of recovering the product key of an existing Windows installation, though most of the options weren't for me as they require being able to boot into it. So I opted for the "get the encoded CD key from the Windows registry and calculate the key from it" option. Thank God there are Windows registry readers / editors for Linux. I chose chntpw. It can easily be installed as a package in Ubuntu. Usage is pretty straightforward. I copied the software registry hive from %WINDIR%\system32\config\software to my home directory under Ubuntu. Then I invoked chntpw:
chntpw -e ~/software
The program greeted me with some info that the file contains some garbage, probably not the best sign:
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
Hive name (from header): <emroot\system32\config\software>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
Page at 0x1f9e000 is not 'hbin', assuming file contains garbage at end
File size 33292288 [1fc0000] bytes, containing 7513 pages (+ 1 headerpage)
Used for data: 582757/32096448 blocks/bytes, unused: 5213/812064 blocks/bytes.
Simple registry editor. ? for help.
Now typing '?' lists the available commands. To carry out what I wanted to accomplish, I entered cd Microsoft\Windows NT\CurrentVersion to change to the specified key and then dumped the data I was looking for via hex DigitalProductId. The tool can be used to retrieve other data from the registry as well. When you are done you can quit by entering 'q'. Note that the prompt has no convenient history feature like you are possibly used to from various shells.
An alternative might have been dumphive, which is also available as an Ubuntu package. dumphive converts a registry hive into RegEdit compatible text format.
The final step in order to recover the product key would be to stop by the DragonDesign website, where the whole process is detailed here. They offer a tool to derive the original product key from parts of the previously dumped DigitalProductId. Note that they offer the tool both as a web and as a standalone version. While I don't want to accuse them of harvesting keys for sinister purposes, anyone concerned about security should use the standalone version on a computer which is physically disconnected from the internet, just in case.
Remember when I said that Windows was irrecoverably lost without actually explaining how I came to that conclusion? Opening the CURRENT_USER registry hive stored in the NTUSER.DAT file in the profile of the respective user with chntpw revealed that most of the file was corrupted.
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
Hive name (from header): <nstellungen\usr\ntuser.dat>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x4000 is not 'hbin', assuming file contains garbage at end
File size 8388608 [800000] bytes, containing 3 pages (+ 1 headerpage)
Used for data: 266/12192 blocks/bytes, unused: 0/0 blocks/bytes.
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
ERROR: not 'nk' node! (strange?)
Simple registry editor. ? for help.
Looks like this file is corrupted. I lost some program configuration I wanted to back up, but other than that it was mostly a lot of time that I lost due to being a little bit too daring.
Explain a little bit, eh? Possibly this post more than anything explains why I don't get seemingly easy things done quickly. Seemingly easy is the catch though, as most things I'll write about here will contain nasty details, pitfalls and the like. I publish my findings in the hope that they might save one or the other reader from making the same mistake or from trying harder than necessary to solve a problem.
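To see what chntpw's "Page at ... is not 'hbin'" diagnostic (printed for the software hive above as well as for this ntuser.dat) is actually checking, here is an added Python example that is not part of the original post or of chntpw: it walks the hive bins of a raw hive file and reports where the valid structure ends. It assumes the publicly documented regf layout (a 4 KiB base block with "regf" signature, two sequence numbers at offsets 4 and 8, the root cell offset at 36 and the bins size at 40, followed by "hbin" bins that carry their own relative offset and size); the sample hive is constructed inline for the demonstration, not taken from a real Windows installation.

```python
import struct
import sys

HEADER_SIZE = 0x1000  # the regf base block occupies one 4 KiB page
PAGE = 0x1000         # hive bins are sized in 4 KiB pages


def check_hive(data: bytes) -> dict:
    """Walk the 'hbin' bins after the base block and report the last valid page,
    similar to the load-time summary chntpw prints."""
    if len(data) < HEADER_SIZE or data[:4] != b"regf":
        raise ValueError("not a regf hive: bad base block signature")
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    root_cell, bins_size = struct.unpack_from("<II", data, 36)
    pages, pos, garbage_at = 0, HEADER_SIZE, None
    while pos + 12 <= len(data):
        sig, rel_off, size = struct.unpack_from("<4sII", data, pos)
        # a valid bin has the signature, knows its own offset relative to the
        # first bin, and has a non-zero, page-aligned size
        if sig != b"hbin" or rel_off != pos - HEADER_SIZE or size == 0 or size % PAGE:
            garbage_at = pos  # first page that is not a bin: "garbage at end"
            break
        pages += size // PAGE
        pos += size
    return {
        "dirty": seq1 != seq2,                 # mismatch: last write was interrupted
        "root_key_offset": HEADER_SIZE + root_cell,  # chntpw's "ROOT KEY at offset"
        "pages": pages,                        # valid bin pages (header not counted)
        "declared_bins_size": bins_size,
        "valid_bins_size": pos - HEADER_SIZE,
        "garbage_at": garbage_at,
        "trailing_bytes": len(data) - pos,
    }


def build_sample_hive(bin_sizes, trailing: bytes = b"", dirty: bool = False) -> bytes:
    """Construct a minimal synthetic hive (no real keys) to exercise check_hive."""
    header = bytearray(HEADER_SIZE)
    header[:4] = b"regf"
    struct.pack_into("<II", header, 4, 1, 2 if dirty else 1)
    struct.pack_into("<II", header, 36, 0x20, sum(bin_sizes))  # root cell at +0x20
    body = bytearray()
    for size in bin_sizes:
        hbin = bytearray(size)
        struct.pack_into("<4sII", hbin, 0, b"hbin", len(body), size)
        body += hbin
    return bytes(header) + bytes(body) + trailing


if __name__ == "__main__":
    # with a path argument, inspect a real hive copied off the disk; otherwise a constructed one
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_hive([0x2000, 0x1000], trailing=b"\xff" * 0x1000)
    for key, value in check_hive(blob).items():
        print(f"{key}: {value:#x}" if type(value) is int else f"{key}: {value}")
```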
Enjoy!