WP8 SYSTEM registry files from FFU

thals1992

Senior Member
Sep 26, 2012
680
237
73
Cincinnati, OH
www.uidnation.com
I found where the system registry files are stored inside the ffus. This is from my Lumia 928 factory ffu.
Code:
\Windows\System32\config - DEFAULT, DRIVERS, FP, ProvisionStore, SAM, SECURITY, SOFTWARE, SYSTEM
\Windows\System32\config\MOUNTMGR - SYSTEM
\Windows\System32\config\unmodified - BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
\EFIESP(Different Partition)\Windows\System32\config\unmodified - BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
BCD, DEFAULT, DRIVERS, NTUSER.DAT, SAM, SECURITY, SOFTWARE, and SYSTEM
All of these files contain regf as the first few characters in hex. Beyond that, the files are mostly garbage looking at them in Notepad++.
I haven't been able to find any registry editors yet that can edit them, including ones built for Windows CE/Mobile or even Win7/8.

Anyone know of something that can display it in a normal fashion? (without needing a WP8 device to attempt to edit it on.)

EDIT: The files from \Windows\System32\config have been zipped for simplicity reasons (for those of you who don't have a ffu handy)
EDIT2 (August 22): The files from the GDR2/Amber update from my phone's rom have been added.

OK, this is a reply to this thread, but apparently I can't post in that forum yet.
So, you've found registry file inside \Windows\System32\config, and this is the way to open and edit it.
No third-party tools needed, just use regedit.exe in your Windows system

1. Run regedit.exe
2. Click on any root key, like HKEY_LOCAL_MACHINE
3. Open File menu, select Load Hive
4. Select a file in your mounted ROM \Windows\System32\config, like SOFTWARE or SYSTEM, open it
5. In the dialog asking for a name, input any text, like WP8Software
6. Registry is now loaded under HKEY_LOCAL_MACHINE\WP8Software, you can edit it.
7. Open File menu, select Unload Hive, then its written back to disk.

reference: http://technet.microsoft.com/en-us/library/cc732157.aspx
 

Attachments

Last edited:

thals1992

Senior Member
Sep 26, 2012
680
237
73
Cincinnati, OH
www.uidnation.com

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,130
0
Dub V
www.sinclairinat0r.com
This is good stuff to know. Something that should be good to note is that while I decompiled the .NET for a few of the Verizon Xaps from the 928 ROM, I discovered some Nokia-specific COM Interop that interfaces with the registry. I'm hoping I can try something out and put up a test program within the next few days and make some registry changes.
 

vivekkalady

Inactive Recognized Developer
Aug 11, 2009
1,432
1,752
153
Trivandrum
Hi

I found a registry key

[HKEY_LOCAL_MACHINE\Software\Microsoft\Office Mobile\SPMC\Action\doc]
"Application"=dword:00000005
"ApplicationCommand"="app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/Default?CmdLine=-url %s"
"Action"=dword:00000003

this is for Microsoft office Word
I think we can open word using the link i guess (app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/)
so is this part useful?
can external commands executable through this part (CmdLine=-url %s) ??

something like this
http://dotnet.dzone.com/articles/windows-phone-7-tip-day-know
 
Last edited:

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,930
0
Seattle
@snickler: Let me know if you succeed with that. I managed to sideload an app using one of those libraries (after removing nearly all the interesting capabilities...), but immediately got an error about the component not being registered. I didn't try running regsvr or anything, though...
 

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,130
0
Dub V
www.sinclairinat0r.com
@snickler: Let me know if you succeed with that. I managed to sideload an app using one of those libraries (after removing nearly all the interesting capabilities...), but immediately got an error about the component not being registered. I didn't try running regsvr or anything, though...
Hmmm, which phone do you have?

Edit: I tried to deploy just a sample app with one of the .winmds referenced, and got the 0x81030120 error

Holy fuzzle.. ANOTHER EDIT: I was able to do it. I had to remove all the damn Capabilities that I added from the Nokia Maps xap though.

I referenced the NokiaRegistryUtils.winmd and just ran this sample code

MessageBox.Show(NokiaRegistryUtils.Registry.IsChinaFirmware().ToString());

It returned "false" as expected.

I'm going to try something else now.

Something to note, in the WMAppManifest.xml, the following needs added after the <Tokens> declaration


<ActivatableClasses>
<InProcessServer>
<Path>NokiaRegistryUtils.dll</Path> <-- or whatever dll you're adding
<ActivatableClass ActivatableClassId="NokiaRegistryUtils.Registry" ThreadingModel="both" />
</InProcessServer>
</ActivatableClasses>
 
Last edited:

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,130
0
Dub V
www.sinclairinat0r.com
Hi

I found a registry key

[HKEY_LOCAL_MACHINE\Software\Microsoft\Office Mobile\SPMC\Action\doc]
"Application"=dword:00000005
"ApplicationCommand"="app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/Default?CmdLine=-url %s"
"Action"=dword:00000003

this is for Microsoft office Word
I think we can open word using the link i guess (app://5B04B775-356B-4AA0-AAF8-6491FFEA5617/)
so is this part useful?
can external commands executable through this part (CmdLine=-url %s) ??

something like this
http://dotnet.dzone.com/articles/windows-phone-7-tip-day-know
Where did you find that key?
 

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,130
0
Dub V
www.sinclairinat0r.com
Perfect. That's what I'm doing now, but just from my 920 ROM dump. I can access the registry sections that Nokia provides in their app, but I can't from the one you provided me. I'm going to do more tests to see if this is using HKCU rather than HKLM. It could also be that the registry keys have permissions placed on them.
 

vivekkalady

Inactive Recognized Developer
Aug 11, 2009
1,432
1,752
153
Trivandrum
found these things dont know it is of any use
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3]
"DefaultId"="{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"CallbackAllocFunction"="SoftpubLoadDefUsageCallData"
"CallbackFreeFunction"="SoftpubFreeDefUsageCallData"
"DefaultId"="{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"
http://support.microsoft.com/kb/287547
 

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,130
0
Dub V
www.sinclairinat0r.com
found these things dont know it is of any use


http://support.microsoft.com/kb/287547
I did find THIS..

Code:
[HKEY_LOCAL_MACHINE\Software\Microsoft\DeviceReg\Install]
"MaxUnsignedApp"=dword:7FFFFFFF"
That translates to the value of InterOp unlock by default which means we should be able to sideload more than 10 apps at a time.

I also found these within policy xml files

Code:
Microsoft.BaseOS.SecurityModel.policy.xml

    <Capability ElementID="2EF45E94A01864DE3387212D6E73AEA885E709AD0F24FB97FE2E84728CB09D14" AttributeHash="49B8EC80A54998B68D7F65A44A340FD28B535494B7A41D650FD94851E38A6B6B" Id="ID_CAP_DEVELOPERUNLOCK" AppCapSID="S-1-15-3-1024-2489250862-3731101856-757172019-2830005102-2903107461-2549818383-1921265406-345878668" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1443" FriendlyName="Enable bearing chamber to load unsigned modules" Visibility="Internal" />

    <Capability ElementID="BAFBED1970753822A266C1985F4A2CA2BA7A97CCE149F874743D00F678643C26" AttributeHash="54A2744DE064E139FD4403623C2AB9F1E130BC5C0786F56C1CE39AC814DC3F03" Id="ID_CAP_DEVELOPERUNLOCK_API" AppCapSID="S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1450" FriendlyName="Enable setting of registry key protecting developer unlock mode." Visibility="Internal">
      <CapabilityRules>
        <Rules>
          <RegKey ElementID="F0921CC3ADB2FEE5B7DC90F9F2BBDDB6E4D7BFAF9CE189C1585A90CD71E36882" DACL="(A;CI;KRKW;;;S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1030)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1450)" Flags="515" Path="HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager" />
        </Rules>
      </CapabilityRules>
    </Capability>

    <Capability ElementID="BAFBED1970753822A266C1985F4A2CA2BA7A97CCE149F874743D00F678643C26" AttributeHash="54A2744DE064E139FD4403623C2AB9F1E130BC5C0786F56C1CE39AC814DC3F03" Id="ID_CAP_DEVELOPERUNLOCK_API" AppCapSID="S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088" SvcCapSID="S-1-5-21-2702878673-795188819-444038987-1450" FriendlyName="Enable setting of registry key protecting developer unlock mode." Visibility="Internal">
      <CapabilityRules>
        <Rules>
          <RegKey ElementID="F0921CC3ADB2FEE5B7DC90F9F2BBDDB6E4D7BFAF9CE189C1585A90CD71E36882" DACL="(A;CI;KRKW;;;S-1-15-3-1024-435026874-574125424-2562811554-2720811615-3432479418-1962428897-4127210868-641492088)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1030)(A;CI;KRKW;;;S-1-5-21-2702878673-795188819-444038987-1450)" Flags="515" Path="HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager" />
        </Rules>
      </CapabilityRules>
    </Capability>
 
Last edited:

thals1992

Senior Member
Sep 26, 2012
680
237
73
Cincinnati, OH
www.uidnation.com
Need a Nokia Device?

I may write a simple app that reads registry from Lumia devices... I think that's going to happen today.
Thats great! If anyone needs a Nokia device to test on, Nokia has Remote Device Access to those who need it. Its a free service to anyone who has a Nokia DEVELOPER account, which is separate but free as well. The devices they mostly have are Lumia 820s, but the have a few others (620, 720, 920 and the 928.) The great thing about them, you can deploy an xap and run the apps. Some of those phones have sims in them and some of them have a "Nokia On-Device Diagnostic Tool". The only drawback, is that the connection can be SLOW.
 
Last edited:

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,930
0
Seattle
Huh, you had to add the InProcServer manually? That may be the problem, then. I'm not sure why they're using COM - it works just fine to simply use the native Win32 APIs (add references to ADVAPI32LEGACY.LIB and/or KERNELBASE.LIB; that's what my NativeAccess library does and it works fine) - but it's good to know that COM is, in fact, usable.
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,930
0
Seattle
Yeah, I already found those policy files. As I've said in other posts, if you can find a way to sideload an app that uses them, we can do a lot more than is currently possible - the internal and private capabilities (and some of the so-called public ones, most of which still won't install) have all kinds of cool potential.

One advantage of the WP8 app model, as opposed to the WP7 model that used ID_CAP_INTEROPSERVICES for everything, is that an app like you're making may well work on other devices. The fact that you got the interop-lock error means that the app did have ID_CAP_INTEROPSERVICES specified, so it may use it for some things, but the registry access is probably not one of them.
 

snickler

Retired Forum Moderator / Inactive Recognized Deve
Aug 17, 2010
1,320
1,130
0
Dub V
www.sinclairinat0r.com
Yeah, I already found those policy files. As I've said in other posts, if you can find a way to sideload an app that uses them, we can do a lot more than is currently possible - the internal and private capabilities (and some of the so-called public ones, most of which still won't install) have all kinds of cool potential.

One advantage of the WP8 app model, as opposed to the WP7 model that used ID_CAP_INTEROPSERVICES for everything, is that an app like you're making may well work on other devices. The fact that you got the interop-lock error means that the app did have ID_CAP_INTEROPSERVICES specified, so it may use it for some things, but the registry access is probably not one of them.
The best part is that the Nokia CityLens uses ID_CAP_INTEROPSERVICES, but I can't find anything that references it.

The winmds use System.Runtime.InteropServices though.

The Nokia app I got the RegistryRT from didn't use the INTEROP Capability at all, but I did notice that I had to add that extra stuff in the AppManifest.
 
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone