Everhart, Glenn

From: Eric E. Osterholm [ra4625@email.sps.mot.com]
Sent: Tuesday, May 26, 1998 4:24 PM
To: Eric Osterholm
Subject: [NTSEC] Re: NT Server -> NT Workstation Registry Hack

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

Thanks to everyone for the great information on how to 'hack' NT Server back to NT Workstation. Here's a (somewhat) quick summary of what I have been told, plagiarized from various sources;

NTS and NTW are distinguished with the following registry setting:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions\ProductType

This is a string value that is interpreted as follows:

Value        Interpretation
"WinNT"      NT Workstation
"ServerNT"   NT Server
"LanmanNT"   NT Advanced Server   *** DO NOT USE!!!

But what of the magical 3.51 "ProductType" registry setting? It's still there, and it still plays the same role in 4.0 that it did in 3.51 in distinguishing between the Server and Workstation modes (see table above). Microsoft has merely added an additional registry setting, and made some effort to prevent the user from changing these settings. The extra setting is:

HKEY_LOCAL_MACHINE\System\Setup\SystemPrefix

The SystemPrefix value is a binary value which the kernel treats as two DWORDs, of which the only important piece of information seems to be the bit represented by the mask 0x04000000 in the high-order DWORD. If ProductType is "ServerNT" or "LanmanNT", then this bit must be on. If ProductType is "WinNT" then the bit must be off. (Any inconsistency results in a blue-screen error at system boot!)

The system spawns two worker threads that watch for, and override, changes to the two registry keys. If an attempt is made to change ProductType, the threads change the settings back (really! you can see this happen if you manually refresh in REGEDT32) and pop up the following warning box:

"The system has detected tampering with your registered product type. This is a violation of your software license. Tampering with product type is not permitted."

In short - you cannot change both registry values simultaneously, and I haven't been able to disable the security threads. There is a hacker's utility (possibly written by someone at ZD labs) out there that will do this for you, but I haven't been able to get my hands on it yet. (Anyone willing to email me with an ftp site where it might reside?)

An issue still remains; will this work to 'devolve' any NT 4.0 Server? i.e. PDC, BDC and/or Stand Alone?

***** **** wrote;
>
> I didn't see a response to this on Bugtraq. I would really like this
> info as well! Would you be so kind as to forward me that info when you
> get it -- (if it's not posted directly on Bugtraq).
>
> Thank you.

Eric E. Osterholm wrote:
>
> Does anyone remember the registry hack to take NT Server to NT
> Workstation, and vice-versa?
>
> It's a single key I learned in class a long time ago, but I can't find
> my notes, and of course M$ doesn't have a thing about it anywhere,
> including TechNet (at least not that I can find).
>
> Thanks in Advance.

*************************************************************************
Eric E. Osterholm                   EMAIL:
NT Systems Administrator            VOICE: (512) 342-6018
Motorola MCORE Technology Center    FAX:   (512) 342-6202
7600-C Capital of Texas Highway     PAGER: (800) 970-5778
MD:F51 Austin, Texas 78731          PAGER:
*************************************************************************
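
The consistency rule between ProductType and SystemPrefix described in the message above can be checked offline against exported registry values. This is an added example, not part of the original message or of any Microsoft tool; the function names are hypothetical, the sample bytes are constructed, and it assumes the 8-byte value is stored little-endian with the high-order DWORD in the last four bytes.

```python
import struct

# Mask quoted in the message, applied to the high-order DWORD of SystemPrefix.
SERVER_BIT = 0x04000000

# ProductType strings from the message: (meaning, whether the bit must be on).
PRODUCT_TYPES = {
    "WinNT": ("NT Workstation", False),
    "ServerNT": ("NT Server", True),
    "LanmanNT": ("NT Advanced Server", True),
}


def parse_system_prefix(raw: bytes):
    """Split the binary SystemPrefix value into (low, high) DWORDs.

    Assumption: little-endian layout, high-order DWORD in bytes 4..7.
    """
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes (two DWORDs), got {len(raw)}")
    low, high = struct.unpack("<II", raw)
    return low, high


def check_product_state(product_type: str, system_prefix: bytes) -> dict:
    """Report whether the two values agree under the rule in the message."""
    if product_type not in PRODUCT_TYPES:
        return {"status": "unknown-product-type", "product_type": product_type}
    meaning, bit_expected = PRODUCT_TYPES[product_type]
    _, high = parse_system_prefix(system_prefix)
    bit_set = bool(high & SERVER_BIT)
    return {
        "status": "consistent" if bit_set == bit_expected else "mismatch",
        "product_type": product_type,
        "meaning": meaning,
        "server_bit_set": bit_set,
        "server_bit_expected": bit_expected,
    }


# Constructed sample values (not taken from a real system).
WORKSTATION_PREFIX = struct.pack("<II", 0x00001234, 0x00000000)
SERVER_PREFIX = struct.pack("<II", 0x00001234, SERVER_BIT | 0x00000001)

if __name__ == "__main__":
    for ptype, prefix in [("WinNT", WORKSTATION_PREFIX),
                          ("ServerNT", SERVER_PREFIX),
                          ("WinNT", SERVER_PREFIX)]:
        print(check_product_state(ptype, prefix))
```

A "mismatch" result corresponds to the inconsistent state that the message says produces a blue-screen error at boot, so it is worth flagging when auditing an exported or offline registry hive.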