Fév 032018

A native app is an app that will be launched as soon as the kernel initialization is completed.

It will be launched (in user mode) by the session manager (smss.exe) thru the registry key HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\BootExecute(run at every boot) or HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\setupexecute(run once only).

A native app can only use NT API functions (ntdll.dll) and not the Windows API functions.

Possible usages :
nativereg createkey \Registry\Machine\SYSTEM\Setup key1
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test0 8 REG_RND_SZ
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test1 toto REG_SZ
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test2 112233AABBCC REG_BINARY
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test3 666 REG_DWORD
nativereg deletevalue \Registry\Machine\SYSTEM\Setup\key1 test1
nativereg deletekey \Registry\Machine\SYSTEM\Setup\key1

The tool is 32 bits (a 64 bits may come later).
It works on XP and up.

Discussion here.


Sep 142013

Native shell is a program for experiments with a Native API mode of Windows. Native mode is a mode, where chkdsk starts at the boot time before login screen appears. It is used by chkdsk utility to check and correct errors in the system partition. The Native mode itself is a blue screen (it is blue in Windows XP, another color in other versions of Windows), which appears before the Windows login screen. See the image (click the picture to zoom it):

Windows XP Native mode. Native shell application is running. 
Windows XP Native mode. Native shell application is running.

The program is a shell (a command line interface). It can perform some basic operations with Windows files and directories. Program runs before starting of main Windows components, so we have access to the entire file system and registry without many restrictions. All operations are implemented through the Native API (ntdll.dll).

 Posted by at 13 h 37 min  Tagged with: