Commit

Update README.md
katlogic committed Aug 13, 2016
1 parent 17c0656 commit 3a5f6ee
Showing 1 changed file with 11 additions and 8 deletions.
19 changes: 11 additions & 8 deletions README.md
Expand Up @@ -7,8 +7,7 @@ mal-features introduced in modern windows versions. Currently, it can disable:

* Driver signing, including WHQL-only locked systems (secureboot tablets).
* Protected processes (used for DRM, "WinTcb").
* Read-only registry keys (can flip the bit on/off)
* "Shadowed" registry keys via notification (can suspend and re-enable the notification)
* Read-only, "invulnerable" registry keys some software and even windows itself employs

WinD works similiarly to [other tools](https://github.com/hfiref0x/DSEFix) which disable DSE, but is
designed to be more user friendly and support for more OS/hardware combinations.
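Review bot: the new bullet "Read-only, \"invulnerable\" registry keys some software and even windows itself employs" replaces both the read-only bullet and the "Shadowed" registry keys (notification) bullet, so the feature list no longer mentions the notification-based protection that the body still documents as Method 2 (`/ND` and `/NE`); either keep a bullet for it or fold it into the new line, e.g. "Read-only and notification-\"shadowed\" registry keys (can be toggled on/off)". Two pre-existing wording issues in the unchanged context lines could be fixed in the same commit: "similiarly" should be "similarly", and "designed to be more user friendly and support for more OS/hardware combinations" reads better as "designed to be more user friendly and to support more OS/hardware combinations".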
Expand Down Expand Up @@ -107,12 +106,13 @@ Windows contains 3 mechanisms to make dealing with registry especially painful:
3. Global hooks. These can be installed only by kernel drivers, and hook directly to registry operation calls.
These are not per-key. Originally designed for AV software, but malware has use for it too.

Note that both methods work at run time, they are not permanent permission within the registry.
Note that all methods work at run time, they are not permanent permission within the registry.
"Protection" like this, unlike permissions, works only within the currently running session.

WindowsD allows you to override and control both methods.

Method 1 example. Parameters `/RD` and `/RE`:
#### Method 1
Parameters `/RD` and `/RE`:

```
> wind64 /RE \Registry\Machine\SYSTEM\CurrentControlSet\Control\Services
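Review bot: the sentence "Note that all methods work at run time" is now correct for the three numbered mechanisms, but the unchanged line "WindowsD allows you to override and control both methods." still says "both", which is inconsistent with "all methods" two lines above and with Methods 1 to 3 below; change it to "all three methods". In the same sentence, "they are not permanent permission within the registry" should read "they are not permanent permissions within the registry". The new `#### Method 1` heading is a good replacement for the inline "Method 1 example." lead-in, but the line that follows it ("Parameters `/RD` and `/RE`:") is worth keeping in the same shape for the other two methods so the three sections read alike.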
Expand All @@ -123,7 +123,8 @@ override it - not even internal kernel APIs.

`/RD` and `/RE` can be issued on any key.

Method 2 example. Parameters `/ND` and `/NE`
#### Method 2
Parameters `/ND` and `/NE`
```
> wind64 /ND \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows
```
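Review bot: the inserted `#### Method 2` section differs from Method 1 in two small ways that make the README look uneven: "Parameters `/ND` and `/NE`" has no trailing colon, and there is no blank line between that line and the opening code fence, whereas Method 1 has both. Suggest "Parameters `/ND` and `/NE`:" followed by a blank line before the fence.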
Expand All @@ -135,10 +136,12 @@ Note that `/NE` can be issued only on key with notifications previously disabled

All registry paths are NT, not the usualy Win32 ones:

`\HKLM\` becomes `\Registry\Machine\`
`\HKCU\` becomes `\Registry\User\`
* `\HKLM\` becomes `\Registry\Machine\`
* `\HKCU\` becomes `\Registry\User\`

Method 3 uses parameters `/CD` and `/CE`. There is no registry path to specify (that is specific
#### Method 3

Uses parameters `/CD` and `/CE`. There is no registry path to specify (that is specific
to the driver which registered the callback), so we can simply disable and re-enable again all
hooks present.

0 comments on commit 3a5f6ee