[Solved] Using registry virtualization to bypass admin privilege requirements

Last seen: 2 months 1 day ago
Joined: 2014-12-31 09:15
I am hoping someone can help me improve a portable app I am creating.

I am trying to create a portable application loader for a game called Emperor: Battle for Dune. My biggest issue ATM is that the game relies on some registry entries that are written to HKLM (in fact, the game crashes on start if one particular key value isn't present). Writing to this hive requires admin privileges in Vista and later (if UAC is enabled) and so I have to run my PAL with admin privileges to make this work.

The PAL I have created is currently working exactly how it should. I am wondering though if I can improve things by setting up my PAL so that it doesn't need admin privileges to run the game (installing it can require admin privileges though). The idea I came up with was to have my PAL read and write registry values to the virtual store (HKCU\Software\Classes\VirtualStore\MACHINE\), install some dummy registry keys in HKLM (by install, I mean I double-clicked on the registry file with these dummy keys and added the keys to the registry) and thus, the game would read the values in the virtual store and I don't need admin privileges to run it.

Unfortunately, I've tested my idea and it isn't working. I'm convinced that the game isn't using the virtual store at all. With the dummy registry values, the game crashes on start. With the dummy values replaced with the correct values, the game starts but shows other evidence of not using the virtual store (e.g. graphics settings are set to low quality rather than the highest settings defined in the registry).

Is what I am asking for possible? If so, can anyone help me get it working?

Here is my appinfo launcher.ini:

```ini
;HKLM\SOFTWARE\Wow6432Node\Westwood\Emperor\FolderPath=REG_SZ:%PAL:AppDir%\Start Menu\Westwood\Emperor - Battle For Dune
HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Westwood\Emperor\FolderPath=REG_SZ:%PAL:AppDir%\Start Menu\Westwood\Emperor - Battle For Dune
```
Here is the registry file I am using with the Virtual Store values and keys:

```reg
Windows Registry Editor Version 5.00

"FolderPath"="E:\\Games\\EA\\EmpPort\\App\\Start Menu\\Westwood\\Emperor - Battle For Dune"

"Persona"=" - - "
"Server"=" - - "
```
Finally, this is the dummy registry file I'm using to try to make the game read values from the virtual store:

```reg
Windows Registry Editor Version 5.00
```
YoursTruly
Last seen: 2 years 3 months ago
Joined: 2015-08-07 07:58

Well, in general it's possible.
You have three possible ways and none of them are easy:

1. decompile the program and change the registry calls to some file
2. hook into the process to simulate the registry as a file
3. bypass registry calls

1. This way is not easy, since you need a good decompiler and have to recompile the game. You can also use the assembler way, but for most games and programs this way is not even legal, except if it's your own application.

2. Technically easier than 1), but it will be considered a virus by most anti-virus programs, and I am not sure if it will avoid the question for admin rights.

3. This will be the most common way, but it is not really possible for portable use. You can read the discussion:

Last seen: 2 months 1 day ago
Joined: 2014-12-31 09:15
Solution discovered

I recently decided to examine the feasibility of decompiling the game's EXE to make changes to it. Unfortunately, decompilers are not very good ATM (or at least the free ones I tried). I did discover that disassembling an EXE is much easier and definitely possible. I then posted a question on Stack Exchange to see if anyone could point me in the right direction:

To my pleasant surprise, I discovered that it isn't as difficult as I thought. As stated in the answers to my question, forcing a program to use a different registry hive simply involves loading the EXE into a disassembler, searching the assembly code for RegCreateKey and RegOpenKey, then changing the first parameter of these commands from 0x80000002 to 0x80000001.

Furthermore, the changes can be done using a hex editor so you technically don't even need a disassembler at all. I still used one though to make sure I wasn't damaging legitimate HKLM hive access as well as finding the addresses of the parameters I did need to change.

Last seen: 1 year 4 months ago
Joined: 2018-06-28 07:13
More detailed explanations?

I'm sorry for asking on an old thread, but will you give a more detailed explanation? Which disassembler program do you use? And if I don't use the disassembler, how do I do it using a hex editor? I cannot find 'RegCreateKey' in some (or most) executable files when using a hex editor (HxD), and even if I found it, then what?

Last seen: 2 months 1 day ago
Joined: 2014-12-31 09:15
Hi Andhika24kd

I can certainly do that. My disassembler of choice is IDA Pro v7.0 (note the version, 7.0 is free whereas 7.1 currently isn't). And you won't find 'RegCreateKey' in HxD because, as I said, you need to search the assembly code for that command, not the binary that hex editors see. Next, did you read the contents of the Stack Exchange link I posted? I ask because this post will basically assume that you have.

Basically, you first want to always make a backup of any EXEs you modify. Next, my workflow is that you would open IDA, load the EXE you want to modify into it and let it do the disassembly. It should then be in flowchart view after that, at which point I get out of that view by pressing Space. After that, do a text search (Alt + T) for the word RegCreateKey or RegOpenKey. You can also tick "Show all occurrences" for a list of every location where that word was found. You can then double-click on a search result to jump to its location.

Now, what you are looking for is something like this picture: The green boxes show the block of code you are looking for: a bunch of "Push <something>" commands followed by a "Call RegOpen/CreateKey" command. The specific part that interests you is the command in the red boxes. This push command tells the RegOpen/CreateKey function which registry hive it is accessing; 80000002h being the HKEY_LOCAL_MACHINE hive.

Next, I note the number to the left of the "push registry hive" command (00415235 and 00415260) and subtract 400000 from them. This gives you the address of the data that needs to be modified. Next, open the file in a hex editor and navigate to the address you calculated. You are looking for something like this picture: The red box is what you are looking for, with 6802000080 meaning the HKEY_LOCAL_MACHINE hive. To change this to the HKEY_CURRENT_USER hive, change the "02" into a "01".

If you want to do this without a disassembler (which I don't recommend), use the hex editor's search function to search for the hex values "6802000080" and change the "02" into a "01". After that, thoroughly test your EXE to ensure that registry access is the only thing you changed.
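The two posts above (the "Solution discovered" post and the IDA/hex-editor walkthrough) describe the same mechanics: `push 80000002h` assembles to the bytes `68 02 00 00 80`, changing the `02` to `01` turns it into `push 80000001h` (HKEY_CURRENT_USER), and the address IDA shows has to be translated to a file offset before the hex editor can find it. The script below is an added example, not code from the thread or from either poster. It locates every such HKLM push inside a 32-bit PE's sections, reports the file offset together with the virtual address a disassembler would show, and rewrites only the sites you explicitly pass in after reviewing them (the thread's warning about not touching legitimate HKLM access). It translates addresses through the section table instead of subtracting the image base, because the "subtract 400000" shortcut is only correct when a section's RVA equals its raw file offset, which is not the case for every linker. The function names, the PE32-only restriction and the tiny constructed PE used as sample input are all my own assumptions.

```python
"""Find hard-coded HKEY_LOCAL_MACHINE root-key pushes in a PE32 file and map
virtual addresses <-> file offsets through the section table.

Added example (not from the thread). Handles 32-bit (PE32) images only.
"""
import struct

HKLM_PUSH = bytes.fromhex("6802000080")  # push 80000002h -> HKEY_LOCAL_MACHINE
HKCU_PUSH = bytes.fromhex("6801000080")  # push 80000001h -> HKEY_CURRENT_USER


def parse_pe32(data: bytes):
    """Return (image_base, sections); each section is
    (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # start of the optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i         # section headers follow the optional header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_file_offset(data: bytes, va: int) -> int:
    """The address IDA shows -> the offset to type into the hex editor."""
    image_base, sections = parse_pe32(data)
    rva = va - image_base
    for _name, sva, vsize, rawptr, rawsize in sections:
        if sva <= rva < sva + max(vsize, rawsize):
            return rawptr + (rva - sva)
    raise ValueError(f"VA {va:#x} is not inside any section")


def file_offset_to_va(data: bytes, offset: int) -> int:
    image_base, sections = parse_pe32(data)
    for _name, sva, _vsize, rawptr, rawsize in sections:
        if rawptr <= offset < rawptr + rawsize:
            return image_base + sva + (offset - rawptr)
    raise ValueError(f"file offset {offset:#x} is not inside any section")


def find_hklm_pushes(data: bytes):
    """Every (file_offset, va) where 68 02 00 00 80 occurs inside a section."""
    hits = []
    for _name, _sva, _vsize, rawptr, rawsize in parse_pe32(data)[1]:
        end = rawptr + rawsize
        pos = data.find(HKLM_PUSH, rawptr, end)
        while pos != -1:
            hits.append((pos, file_offset_to_va(data, pos)))
            pos = data.find(HKLM_PUSH, pos + 1, end)
    return hits


def patch_hive(data: bytes, file_offsets) -> bytes:
    """Return a copy with the chosen HKLM pushes rewritten to HKCU.  The caller
    selects the offsets after checking each call site in the disassembler;
    every other byte of the file is left untouched (work on a backup)."""
    out = bytearray(data)
    for off in file_offsets:
        if bytes(out[off:off + 5]) != HKLM_PUSH:
            raise ValueError(f"no HKLM push at file offset {off:#x}")
        out[off:off + 5] = HKCU_PUSH
    return bytes(out)


def build_minimal_pe32(code: bytes) -> bytes:
    """Constructed sample input: a PE32 skeleton with one .text section at
    RVA 0x1000 but raw offset 0x200, so VA - ImageBase != file offset."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    raw_size = (len(code) + 0x1FF) & ~0x1FF
    text = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                       raw_size, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    return headers + code.ljust(raw_size, b"\0")


# Constructed code bytes mimicking the pattern described in the thread:
# push 0 / push 80000002h / call [import], occurring twice.
SAMPLE_CODE = (b"\x6A\x00" + HKLM_PUSH + b"\xFF\x15\x00\x20\x40\x00"
               + b"\x90" * 5 + HKLM_PUSH + b"\xFF\x15\x04\x20\x40\x00")
SAMPLE_PE = build_minimal_pe32(SAMPLE_CODE)

if __name__ == "__main__":
    for off, va in find_hklm_pushes(SAMPLE_PE):
        print(f"HKLM push at file offset {off:#x} (VA {va:#x})")
```

On the constructed sample the two pushes sit at VAs 0x401002 and 0x401012 but at file offsets 0x202 and 0x212, which is exactly the case where the "subtract 400000" shortcut would land on the wrong bytes; on a real EXE, pass the bytes of the file to `find_hklm_pushes`, confirm each reported VA in IDA, and only then hand the chosen offsets to `patch_hive`.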

Last seen: 1 year 4 months ago
Joined: 2018-06-28 07:13
Thanks for the detailed explanation

And sorry for the (very) late reply; I didn't get any notification.
