HELP: Need to Copy locked windows files

Page 1 / 2
The-Game
(@the-game)
New Member

Dear Experts,

I'm looking for an open source command line utility to copy pagefile, hiberfil and registry hives from a live system. I would be really grateful if someone could provide a tool which has the capability to perform this activity.

Please note I'm looking only for a command line utility, something which can be called from the command prompt and also takes a few input parameters.

Thanks in advance wink

Posted : 28/11/2015 6:28 pm
Igor_Michailov
(@igor_michailov)
Senior Member

Command Line Versions of FTK Imager

Posted : 28/11/2015 6:37 pm
jaclaz
(@jaclaz)
Community Legend

For Registry (brand new and experimental), free but not Open Source:
http://reboot.pro/topic/20848-dumpreg/

For hiberfil (within limits it could work for Registry hives as well) this generic "direct disk access" approach might do nicely (and actually Open Source):
http://reboot.pro/topic/7400-copy-locked-system-files-tis-now-possible/
https://github.com/jschicht/RawCopy

(I doubt that it is viable for pagefile.sys ? )

jaclaz

Posted : 28/11/2015 9:07 pm
The-Game
(@the-game)
New Member

@Igor_Michailov I was going through FTK cli but failed to find any command line option to extract registry hive from a live system.

@jaclaz RawCopy is not letting me copy swapfile, pagefile and hiberfil. Dumpreg seems to be a pretty interesting tool, need to test it.

Still I'm stuck on copying swapfile, pagefile and hiberfil. Registry files can be copied using Rawcopy.

Is there any command line tool or command which will help me gather all the files based on extension onto my external drive? Something like copying C:\*.lnk to X:\Link\

Any kind of help will be appreciated. Thanks in advance.

Posted : 29/11/2015 12:37 pm
jaclaz
(@jaclaz)
Community Legend

"is not letting me" is not a description of what actually happens: do you get an error, nothing, the CMD window stuck, what?
Which OS are you trying it on?
Which EXACT command line did you use?

Maybe there is something else (permissions, privileges, *whatever*) that is making Rawcopy fail for hiberfil.

In theory hiberfil is a file generated when hibernation is chosen, so what you find on disk should be accessible (with direct disk access) and "static", i.e. be representing "last time OS was hibernated".

Pagefile is instead likely to be dynamically accessed/changed, so - particularly if it is not set to "fixed size", aka set as "let Windows manage it" - it is very possible that even if direct disk access works, what you get is not what it was at the time you issued the copy command.

But Volume Shadow Copy should work anyway (and it will obviously be a "snapshot").

Since both are "System files", it is also possible that some other technique (like using MFTRCRD to get their $MFT index and extents) is needed for them. ?

jaclaz

Posted : 29/11/2015 4:19 pm
The-Game
(@the-game)
New Member

@jaclaz, The error that I'm getting while executing the command is
"Error NtOpenFile returned 0xC0000043 Opening target file failed, now re-trying with INDX method from parent folder. Error Cannot get IndexNumber of parent folder."

Command used: rawcopy64.exe C:\pagefile.sys C:\Test_Temp\Output\

Live system, Windows 8 (64-bit architecture)

Any help would be appreciated. Thanks in advance. )

Posted : 30/11/2015 12:52 pm
jaclaz
(@jaclaz)
Community Legend

It is likely that pagefile.sys is "in use", i.e. "hooked" by a system process.

If this is the case, it is a "special case" and most of the tools mentioned will choke on it and something like an "offline NTFS $MFT and cluster run parser" would be needed to get the extents of the file (which then could be copied through direct disk access).

Joakims is often around here, maybe he has an idea of a procedure using one of his tools (or maybe he might be able to put together yet another tool); in any case I will let erwan.l (author of Dumpreg but also of some other disk related tools) know about the issue, he might have the time/will to modify his extents tool for this use.

jaclaz

Posted : 30/11/2015 2:48 pm
The-Game
(@the-game)
New Member

@jaclaz Thanks a lot for the quick response. Well, I tried to export the pagefile.sys using FTK Imager and it was able to do it. Hence I need to explore how the tool is able to do it and also whether there is any alternative open source command line utility to perform the same activity.

Let's see if I get a solution for my problem.

Thanks… )

Posted : 30/11/2015 3:58 pm
jaclaz
(@jaclaz)
Community Legend

Well I tried to export the pagefile.sys using FTK Imager and it was able to do it.

Sure ) .

The issue is about finding an alternative, additionally an Open Source one.
This might anyway be of interest to you:
http://blog.opensecurityresearch.com/2011/10/how-to-acquire-locked-files-from.html

jaclaz

Posted : 30/11/2015 4:39 pm
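jaclaz's Volume Shadow Copy remark above (a snapshot of the volume is readable even when the live file is locked) and the linked opensecurityresearch post describe the same acquisition route. The Python below is an added example written for this edit, not code from any poster or from the linked page: it parses the output of `vssadmin list shadows` to find the newest snapshot of a drive, builds the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\...` path and copies the file out of it. The `vssadmin` output is a constructed sample; the snapshot must already exist (created beforehand with `wmic shadowcopy call create Volume=C:\` on client editions or `vssadmin create shadow /for=C:` on server editions, both run as administrator); the function names are mine.

```python
import re
import shutil
import subprocess
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output (not captured from a real host):
# two snapshots of C:, the second one newer.
SAMPLE_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 11/29/2015 4:19:00 PM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: host.example
         Type: ClientAccessible

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 11/30/2015 12:52:00 PM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: host.example
         Type: ClientAccessible
"""

SET_RE = re.compile(r"Contained \d+ shadow copies at creation time: (.+)$")
ORIG_RE = re.compile(r"Original Volume: \((\w:)\)")
SHADOW_RE = re.compile(r"Shadow Copy Volume: (\S+)")


def parse_shadows(text):
    """Return [(created, drive, shadow_volume), ...] from `vssadmin list shadows` text."""
    shadows, created, drive = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.search(line)
        if m:  # creation time applies to every copy listed under this set
            created = datetime.strptime(m.group(1).strip(), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = ORIG_RE.search(line)
        if m:
            drive = m.group(1).upper()
            continue
        m = SHADOW_RE.search(line)
        if m and created is not None and drive is not None:
            shadows.append((created, drive, m.group(1)))
    return shadows


def newest_shadow_for(drive, text):
    """Device path of the most recent snapshot of `drive` (e.g. 'C:'), or None."""
    candidates = [s for s in parse_shadows(text) if s[1] == drive.upper()]
    if not candidates:
        return None
    return max(candidates)[2]  # tuples sort by creation time first


def shadow_source_path(shadow_volume, relative_path):
    """Join the snapshot device path and a path relative to the volume root."""
    return shadow_volume.rstrip("\\") + "\\" + relative_path.lstrip("\\")


def copy_from_shadow(drive, relative_path, dest, list_output=None):
    """Copy one file out of the newest snapshot of `drive`. Windows only, needs admin.
    `list_output` lets callers pass vssadmin text they already captured."""
    if list_output is None:
        list_output = subprocess.run(["vssadmin", "list", "shadows"],
                                     capture_output=True, text=True, check=True).stdout
    volume = newest_shadow_for(drive, list_output)
    if volume is None:
        raise RuntimeError("no shadow copy of %s; create one first" % drive)
    src = shadow_source_path(volume, relative_path)
    # Assumption: Python's open() passes the GLOBALROOT device path through to CreateFile.
    with open(src, "rb") as f, open(dest, "wb") as out:
        shutil.copyfileobj(f, out, 1 << 20)
    return src


if __name__ == "__main__":
    # Offline demo on the constructed sample; on a live host call copy_from_shadow().
    print(newest_shadow_for("C:", SAMPLE_OUTPUT))
```

Copying from the snapshot gives a single consistent view of pagefile.sys taken at snapshot time, which sidesteps the "contents change while you copy" problem jaclaz raised; the trade-off is that creating the snapshot itself writes to the evidence disk, so record when and how it was created.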
erwan.l
(@erwan-l)
New Member

Hi Guys,

I am the author of "DumpReg" (mentioned in a previous post) to dump online registry hives, as well as "Extents" to copy a file in use using the Windows IOCTL (FSCTL_GET_RETRIEVAL_POINTERS).

Thus when it comes to copying the pagefile it is a whole new game (see some possible ways here).

Thus I'll be happy to follow that discussion and contribute )

This is my first post over here so I hope this is ok to point to other forums.

Regards,
Erwan

Posted : 30/11/2015 8:41 pm
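jaclaz's "get the extents, then copy through direct disk access" suggestion and erwan.l's Extents tool (FSCTL_GET_RETRIEVAL_POINTERS) share one core step: turning the cluster runs of a locked file into byte ranges on the raw volume and reading those ranges. The Python below is an added illustration written for this edit, not code from Extents, RawCopy or any poster. It decodes the RETRIEVAL_POINTERS_BUFFER that FSCTL_GET_RETRIEVAL_POINTERS returns, handles sparse runs (Lcn of -1) and the trailing slack of the last cluster, and copies from a small in-memory volume image. The DeviceIoControl call itself is not shown; on a real system the cluster size, the file's logical size and the raw volume handle (`\\.\C:`, administrator only) would come from the Windows APIs. The buffer, the 8-byte cluster size and the function names are constructed for the demo.

```python
import struct
from io import BytesIO

CLUSTER_SIZE = 8   # constructed: tiny cluster so the demo volume stays small
SPARSE_LCN = -1    # Lcn of -1 marks a run with no clusters on disk (sparse/unallocated)


def parse_retrieval_pointers(buf):
    """Decode a RETRIEVAL_POINTERS_BUFFER (output of FSCTL_GET_RETRIEVAL_POINTERS).

    64-bit layout: DWORD ExtentCount, 4 bytes padding, LONGLONG StartingVcn,
    then ExtentCount pairs of (LONGLONG NextVcn, LONGLONG Lcn).
    Returns (starting_vcn, [(next_vcn, lcn), ...]).
    """
    (extent_count,) = struct.unpack_from("<I", buf, 0)
    (starting_vcn,) = struct.unpack_from("<q", buf, 8)
    extents = []
    for i in range(extent_count):
        next_vcn, lcn = struct.unpack_from("<qq", buf, 16 + 16 * i)
        extents.append((next_vcn, lcn))
    return starting_vcn, extents


def extents_to_byte_runs(starting_vcn, extents, cluster_size, file_size):
    """Convert VCN/LCN pairs into (volume_byte_offset, length) runs, clipped to the
    file's logical size so the last cluster's slack is not copied.
    An offset of None marks a sparse run that must be emitted as zeros."""
    runs = []
    vcn, remaining = starting_vcn, file_size
    for next_vcn, lcn in extents:
        if remaining <= 0:
            break
        length = min((next_vcn - vcn) * cluster_size, remaining)
        offset = None if lcn == SPARSE_LCN else lcn * cluster_size
        runs.append((offset, length))
        remaining -= length
        vcn = next_vcn
    return runs


def copy_by_extents(volume, runs, out, chunk=1 << 20):
    """Read every run straight from the raw volume handle and append it to `out`.
    On Windows `volume` would be open(r'\\.\C:', 'rb'); any seekable file works here."""
    total = 0
    for offset, length in runs:
        if offset is None:
            while length > 0:
                n = min(chunk, length)
                out.write(b"\0" * n)
                length -= n
                total += n
            continue
        volume.seek(offset)
        while length > 0:
            data = volume.read(min(chunk, length))
            if not data:
                raise IOError("short read from volume at offset %d" % offset)
            out.write(data)
            length -= len(data)
            total += len(data)
    return total


def demo():
    """Constructed 16-cluster volume image and a 3-extent, 28-byte file."""
    volume = bytearray(16 * CLUSTER_SIZE)
    volume[5 * CLUSTER_SIZE:7 * CLUSTER_SIZE] = b"A" * (2 * CLUSTER_SIZE)  # LCN 5-6
    volume[2 * CLUSTER_SIZE:3 * CLUSTER_SIZE] = b"B" * CLUSTER_SIZE        # LCN 2
    # File layout: VCN 0-1 -> LCN 5, VCN 2 -> sparse, VCN 3 -> LCN 2 (only 4 bytes used)
    buf = (struct.pack("<I4xq", 3, 0)
           + struct.pack("<qq", 2, 5)
           + struct.pack("<qq", 3, SPARSE_LCN)
           + struct.pack("<qq", 4, 2))
    file_size = 28
    start, extents = parse_retrieval_pointers(buf)
    runs = extents_to_byte_runs(start, extents, CLUSTER_SIZE, file_size)
    out = BytesIO()
    copied = copy_by_extents(BytesIO(bytes(volume)), runs, out)
    return runs, out.getvalue(), copied


if __name__ == "__main__":
    runs, data, copied = demo()
    print(runs, copied, data)
```

Two things this makes visible that the tools hide: a file in use can still be mapped and read this way because nothing opens the file's data stream, only the volume; and, as jaclaz warned for pagefile.sys, the runs read at different instants may not belong to the same moment, so a hash of the result is only meaningful alongside the time of the copy.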
joakims
(@joakims)
Active Member

The bug in RawCopy has been identified, and a fix implemented. Tool will be updated soon.

Posted : 01/12/2015 3:44 am
The-Game
(@the-game)
New Member

@joakims Thanks for the update. Will wait for the patch. )

Posted : 01/12/2015 11:38 am
jaclaz
(@jaclaz)
Community Legend

The bug in RawCopy has been identified, and a fix implemented. Tool will be updated soon.

Very good ) and exceptionally fast response !

jaclaz

Posted : 01/12/2015 2:35 pm
joakims
(@joakims)
Active Member

I just uploaded the new version. Please let me know if it worked for you.

Posted : 02/12/2015 11:05 pm
The-Game
(@the-game)
New Member

@joakims

Thanks a lot for the quick fix. It was really helpful.

I have another query with regards to Rawcopy: is there any way I can run multiple commands in a single instance by calling the tool only once?

For example:
Is it possible to club all the below mentioned commands together and fire a single instance of Rawcopy?

"RawCopy.exe C:\pagefile.sys E:\output"
"RawCopy.exe C:\WINDOWS\system32\config\SYSTEM E:\output"
"RawCopy.exe C:\swapfile.sys E:\output"

Posted : 16/12/2015 1:23 pm