HELP: Need to Copy locked windows files

(@the-game)
Posts: 22
Eminent Member
Topic starter
 

Dear Experts,

I'm looking for an open source command line utility to copy the pagefile, hiberfil and registry hives from a live system. I would be really grateful if someone could provide a tool which has the capability to perform this activity.

Please note I'm looking only for a command line utility, something which can be called from the command prompt and also takes a few input parameters.

Thanks in advance ;)

 
Posted : 28/11/2015 6:28 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Command Line Versions of FTK Imager

 
Posted : 28/11/2015 6:37 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

For Registry (brand new and experimental), free but not Open Source:
http://reboot.pro/topic/20848-dumpreg/

For hiberfil (within limits it could work for Registry hives as well) this generic "direct disk access" approach might do nicely (and is actually Open Source):
http://reboot.pro/topic/7400-copy-locked-system-files-tis-now-possible/
https://github.com/jschicht/RawCopy

(I doubt that it is viable for pagefile.sys?)

jaclaz

 
Posted : 28/11/2015 9:07 pm
(@the-game)
Posts: 22
Eminent Member
Topic starter
 

@Igor_Michailov I was going through the FTK CLI but failed to find any command line option to extract registry hives from a live system.

@jaclaz RawCopy is not letting me copy swapfile, pagefile and hiberfil. Dumpreg seems to be a pretty interesting tool; I need to test it.

Still, I'm stuck on copying swapfile, pagefile and hiberfil. Registry files can be copied using RawCopy.

Is there any command line tool or command which will help me gather all the files based on extension onto my external drive? Something like copying C:\*.lnk to X:\Link\

Any kind of help will be appreciated. Thanks in advance.

 
Posted : 29/11/2015 12:37 pm
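The "gather everything with a given extension onto the external drive" part of the question above can be done with tools already on a Windows box. The following is an added example (not code from the thread or from any of the tools mentioned in it): robocopy collects the matching files while keeping the original folder layout, and Get-FileHash writes a SHA-256 manifest of what was collected. The drive letters C:\ and X:\Link and the manifest/log file names are assumptions.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell prompt.
# Source volume, destination on the external drive and the extension list are assumptions.
param(
    [string]$Source = 'C:\',
    [string]$Dest = 'X:\Link',
    [string[]]$Extensions = @('*.lnk')
)

New-Item -ItemType Directory -Force -Path $Dest | Out-Null
$log = Join-Path $Dest 'robocopy.log'

# /S   recurse, but do not create empty directories (only folders with matches appear)
# /XJ  skip junctions and symlinks so reparse-point loops on the live volume are not followed
# /R:0 /W:0  do not retry or wait on files that are locked (they are logged and skipped)
# /COPY:DAT  copy data, attributes and timestamps; /FP logs full paths; /NP no progress noise
robocopy $Source $Dest @Extensions /S /XJ /R:0 /W:0 /COPY:DAT /FP /NP "/LOG+:$log" | Out-Null

# robocopy exit codes below 8 mean success (possibly with skipped files); 8 and above mean errors.
if ($LASTEXITCODE -ge 8) {
    Write-Warning "robocopy reported errors (exit code $LASTEXITCODE); see $log"
}

# Hash manifest of the collected files, excluding the log and the manifest itself.
$manifest = Join-Path $Dest 'manifest.sha256'
Get-ChildItem -LiteralPath $Dest -Recurse -File |
    Where-Object { $_.FullName -ne $log -and $_.FullName -ne $manifest } |
    ForEach-Object {
        '{0}  {1}' -f (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash, $_.FullName
    } |
    Set-Content -LiteralPath $manifest
```

Because `/R:0 /W:0` is set, any file robocopy cannot open on the live system (a sharing violation, for instance) is recorded in robocopy.log rather than stalling the run; review that log for the files you still need to acquire by another method.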
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

"is not letting me" is not a description of what actually happens: do you get an error, nothing, the CMD window stuck, what?
Which OS are you trying it on?
Which EXACT command line did you use?

Maybe there is something else (permissions, privileges, *whatever*) that is making RawCopy fail for hiberfil.

In theory hiberfil is a file generated when hibernation is chosen, so what you find on disk should be accessible (with direct disk access) and "static", i.e. representing "the last time the OS was hibernated".

Pagefile is instead likely to be dynamically accessed/changed, so - particularly if it is not set to "fixed size", aka set as "let Windows manage it" - it is very possible that even if direct disk access works, what you get is not what it was at the time you issued the copy command.

But Volume Shadow Copy should work anyway (and it will obviously be a "snapshot").

Since both are "system files", it is also possible that some other technique (like using MFTRCRD to get their $MFT index and extents) is needed for them?

jaclaz

 
Posted : 29/11/2015 4:19 pm
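The Volume Shadow Copy route mentioned in the post above, as an added example (not code from the thread, from RawCopy, or from any other tool named here): the script creates a snapshot of the system volume through WMI, exposes it via a directory symlink to its device object so ordinary file APIs can read it, copies the files that cannot be opened on the live volume, hashes each copy, and deletes the snapshot. One caveat a practitioner should check: Windows can exclude the paging file (and hibernation file) from the data captured in a shadow copy, in which case the copied file exists but reads as zeros, so the script samples the first 64 KiB of each copy and warns when it is all zero. The output folder and the list of target files are assumptions.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell prompt.
# $Volume, $OutDir and the $targets list are assumptions; adjust to the case at hand.
param(
    [string]$Volume = 'C:\',
    [string]$OutDir = 'X:\Acquire'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# 1. Create a client-accessible snapshot of the volume (Win32_ShadowCopy.Create).
$result = ([wmiclass]'root\cimv2:Win32_ShadowCopy').Create($Volume, 'ClientAccessible')
if ($result.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with return value $($result.ReturnValue)" }
$shadow = Get-WmiObject -Class Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }

# 2. Map the snapshot's device object (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN)
#    to a directory symlink; the trailing backslash on the target is required.
$link = Join-Path $env:TEMP ('vss_' + $shadow.ID.Trim('{}'))
cmd /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null

function Test-ZeroFilled {
    # Returns $true when the first 64 KiB of the file are all zero bytes.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 65536
        $n = $fs.Read($buf, 0, $buf.Length)
        return (@($buf[0..($n - 1)] -ne 0).Count -eq 0)
    } finally { $fs.Close() }
}

try {
    # Files that give a sharing violation (0xC0000043) when opened on the live volume.
    $targets = @(
        'pagefile.sys', 'hiberfil.sys', 'swapfile.sys',
        'Windows\System32\config\SYSTEM',
        'Windows\System32\config\SOFTWARE',
        'Windows\System32\config\SAM',
        'Windows\System32\config\SECURITY'
    )
    $manifest = Join-Path $OutDir 'manifest.sha256'
    foreach ($rel in $targets) {
        $src = Join-Path $link $rel
        if (-not (Test-Path -LiteralPath $src)) { Write-Warning "not present in snapshot: $rel"; continue }
        $dst = Join-Path $OutDir ($rel -replace '[\\/]', '_')
        Copy-Item -LiteralPath $src -Destination $dst
        if (Test-ZeroFilled $dst) {
            Write-Warning "$rel reads as zeros in the snapshot; VSS may have excluded its contents"
        }
        $hash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
        '{0}  {1}  {2} bytes' -f $hash, $rel, (Get-Item -LiteralPath $dst).Length | Add-Content -LiteralPath $manifest
    }
}
finally {
    # 3. Remove the symlink and the snapshot so nothing is left behind on the live system.
    cmd /c rmdir "$link" | Out-Null
    $shadow.Delete()
}
```

The registry hives come out of the snapshot consistent with the moment it was taken, which is what one wants from a live box; for pagefile.sys and hiberfil.sys, treat a zero-filled warning as "not acquired" and fall back to a direct-disk-access tool rather than keeping the empty copy.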
(@the-game)
Posts: 22
Eminent Member
Topic starter
 

@jaclaz, the error that I'm getting while executing the command is:
"Error NtOpenFile returned 0xC0000043 Opening target file failed, now re-trying with INDX method from parent folder. Error Cannot get IndexNumber of parent folder."

Command used: rawcopy64.exe C:\pagefile.sys C:\Test_Temp\Output\

Live system, Windows 8 (64-bit architecture)

Any help would be appreciated. Thanks in advance. :)

 
Posted : 30/11/2015 12:52 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

It is likely that pagefile.sys is "in use", i.e. "hooked" by a system process.

If this is the case, it is a "special case" and most of the tools mentioned will choke on it, and something like an "offline NTFS $MFT and cluster run parser" would be needed to get the extents of the file (which could then be copied through direct disk access).

Joakim is often around here; maybe he has an idea of a procedure using one of his tools (or maybe he might be able to put together yet another tool). In any case I will let erwan.l (author of Dumpreg but also of some other disk-related tools) know about the issue; he might have the time/will to modify his Extents tool for this use.

jaclaz

 
Posted : 30/11/2015 2:48 pm
(@the-game)
Posts: 22
Eminent Member
Topic starter
 

@jaclaz Thanks a lot for the quick response. Well, I tried to export the pagefile.sys using FTK Imager and it was able to do it. Hence I need to explore how the tool is able to do it, and also whether there is any alternative open source command line utility to perform the same activity.

Let's see if I get a solution for my problem.

Thanks… :)

 
Posted : 30/11/2015 3:58 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

"Well I tried to export the pagefile.sys using FTK Imager and it was able to do it."

Sure :).

The issue is about finding an alternative, additionally an Open Source one.
This might anyway be of interest to you:
http://blog.opensecurityresearch.com/2011/10/how-to-acquire-locked-files-from.html

jaclaz

 
Posted : 30/11/2015 4:39 pm
(@erwan-l)
Posts: 1
New Member
 

Hi Guys,

I am the author of "DumpReg" (mentioned in a previous post) to dump online registry hives, as well as "Extents" to copy a file in use using a Windows IOCTL (FSCTL_GET_RETRIEVAL_POINTERS).

Thus when it comes to copying the pagefile it is a whole new game (see some possible ways here).

Thus I'll be happy to follow that discussion and contribute :)

This is my first post over here so I hope this is ok to point to other forums.

Regards,
Erwan

 
Posted : 30/11/2015 8:41 pm