/*
* (C) Jeremy Allison 1997. All rights reserved.
*
* This program is free for commercial and non-commercial use.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted.
*
* THIS SOFTWARE IS PROVIDED BY JEREMY ALLISON ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#include <windows.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include "des.h"
/*
* Program to dump the Lanman and NT MD4 Hashed passwords from
* an NT SAM database into a Samba smbpasswd file. Needs Administrator
* privillages to run.
* Takes one arg - the name of the machine whose SAM database you
* wish to dump, if this arg is not given it dumps the local machine
* account database.
*/
/*
* Convert system error to char. Returns
* memory allocated with LocalAlloc.
*/
char *error_to_string(DWORD error)
{
char *msgbuf;
if(FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
error,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), /* Default language */
(char *)&msgbuf,
0,
NULL
) == 0)
return 0;
return msgbuf;
}
/*
* Return a pointer to a string describing an os error.
* error_to_string returns a pointer to LocalAlloc'ed
* memory. Cache it and release when the next one is
* requested.
*/
char *str_oserr(DWORD err)
{
static char *lastmsg = 0;
if(lastmsg)
LocalFree((HLOCAL)lastmsg);
lastmsg = error_to_string(err);
return lastmsg;
}
/*
* Utility function to get allocate a SID from a name.
* Looks on local machine. SID is allocated with LocalAlloc
* and must be freed by the caller.
* Returns TRUE on success, FALSE on fail.
*/
BOOL get_sid(const char *name, SID **ppsid)
{
SID_NAME_USE sid_use;
DWORD sid_size = 0;
DWORD dom_size = 0;
char *domain;
*ppsid = 0;
if(LookupAccountName(0, name, 0, &sid_size, 0, &dom_size, &sid_use) == 0) {
if(GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
fprintf( stderr, "get_sid: LookupAccountName for size on name %s failed. Error was %s\n",
name, str_oserr(GetLastError()));
return FALSE;
}
}
*ppsid = (SID *)LocalAlloc( LMEM_FIXED, sid_size);
domain = (char *)LocalAlloc( LMEM_FIXED, dom_size);
if( *ppsid == 0 || domain == 0) {
fprintf( stderr, "get_sid: LocalAlloc failed. Error was %s\n",
str_oserr(GetLastError()));
if(*ppsid)
LocalFree((HLOCAL)*ppsid);
if(domain)
LocalFree((HLOCAL)domain);
*ppsid = 0;
return FALSE;
}
if(LookupAccountName(0, name, *ppsid, &sid_size, domain, &dom_size, &sid_use) == 0) {
fprintf( stderr,
"get_sid: LookupAccountName failed for name %s. Error was %s\n",
name, str_oserr(GetLastError()));
LocalFree((HLOCAL)*ppsid);
LocalFree((HLOCAL)domain);
*ppsid = 0;
return FALSE;
}
LocalFree((HLOCAL)domain);
return TRUE;
}
/*
* Utility function to setup a security descriptor
* from a varargs list of char *name followed by a DWORD access
* mask. The access control list is allocated with LocalAlloc
* and must be freed by the caller.
* returns TRUE on success, FALSE on fail.
*/
BOOL create_sd_from_list( SECURITY_DESCRIPTOR *sdout, int num, ...)
{
va_list ap;
SID **sids = 0;
char *name;
DWORD amask;
DWORD acl_size;
PACL pacl = 0;
int i;
if((sids = (SID **)calloc(1,sizeof(SID *)*num)) == 0) {
fprintf(stderr, "create_sd_from_list: calloc fail.\n");
return FALSE;
}
acl_size = num * (sizeof(ACL) +
sizeof(ACCESS_ALLOWED_ACE) +
sizeof(DWORD));
/* Collect all the SID's */
va_start( ap, num);
for( i = 0; i < num; i++) {
name = va_arg( ap, char *);
amask = va_arg(ap, DWORD);
if(get_sid( name, &sids[i]) == FALSE)
goto cleanup;
acl_size += GetLengthSid(sids[i]);
}
va_end(ap);
if((pacl = (PACL)LocalAlloc( LMEM_FIXED, acl_size)) == 0) {
fprintf( stderr, "create_sd_from_list: LocalAlloc fail. Error was %s\n",
str_oserr(GetLastError()));
goto cleanup;
}
if(InitializeSecurityDescriptor( sdout, SECURITY_DESCRIPTOR_REVISION) == FALSE) {
fprintf( stderr, "create_sd_from_list: InitializeSecurityDescriptor fail. Error was %s\n",
str_oserr(GetLastError()));
goto cleanup;
}
if(InitializeAcl( pacl, acl_size, ACL_REVISION) == FALSE) {
fprintf( stderr, "create_sd_from_list: InitializeAcl fail. Error was %s\n",
str_oserr(GetLastError()));
goto cleanup;
}
va_start(ap, num);
for( i = 0; i < num; i++) {
ACE_HEADER *ace_p;
name = va_arg( ap, char *);
amask = va_arg( ap, DWORD);
if(AddAccessAllowedAce( pacl, ACL_REVISION, amask, sids[i]) == FALSE) {
fprintf( stderr, "create_sd_from_list: AddAccessAllowedAce fail. Error was %s\n",
str_oserr(GetLastError()));
goto cleanup;
}
/* Make sure the ACE is inheritable */
if(GetAce( pacl, 0, (LPVOID *)&ace_p) == FALSE) {
fprintf( stderr, "create_sd_from_list: GetAce fail. Error was %s\n",
str_oserr(GetLastError()));
goto cleanup;
}
ace_p->AceFlags |= ( CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE);
}
/* Add the ACL into the sd. */
if(SetSecurityDescriptorDacl( sdout, TRUE, pacl, FALSE) == FALSE) {
fprintf( stderr, "create_sd_from_list: SetSecurityDescriptorDacl fail. Error was %s\n",
str_oserr(GetLastError()));
goto cleanup;
}
for( i = 0; i < num; i++)
if(sids[i] != 0)
LocalFree((HLOCAL)sids[i]);
free(sids);
return TRUE;
cleanup:
if(sids != 0) {
for( i = 0; i < num; i++)
if(sids[i] != 0)
LocalFree((HLOCAL)sids[i]);
free(sids);
}
if(pacl != 0)
LocalFree((HLOCAL)pacl);
return FALSE;
}
/*
* Function to go over all the users in the SAM and set an ACL
* on them.
*/
int set_userkeys_security( HKEY start, const char *path, SECURITY_DESCRIPTOR *psd,
HKEY *return_key)
{
HKEY key;
DWORD err;
char usersid[128];
DWORD indx = 0;
/* Open the path and enum all the user keys - setting
the same security on them. */
if((err = RegOpenKeyEx( start, path, 0, KEY_ENUMERATE_SUB_KEYS, &key)) !=
ERROR_SUCCESS) {
fprintf(stderr, "set_userkeys_security: Failed to open key %s to enumerate. \
Error was %s.\n",
path, str_oserr(err));
return -1;
}
/* Now enumerate the subkeys, setting the security on them all. */
do {
DWORD size;
FILETIME ft;
size = sizeof(usersid);
err = RegEnumKeyEx( key, indx, usersid, &size, 0, 0, 0, &ft);
if(err == ERROR_SUCCESS) {
HKEY subkey;
indx++;
if((err = RegOpenKeyEx( key, usersid, 0, WRITE_DAC, &subkey)) !=
ERROR_SUCCESS) {
fprintf(stderr, "set_userkeys_security: Failed to open key %s to set security. \
Error was %s.\n",
usersid, str_oserr(err));
RegCloseKey(key);
return -1;
}
if((err = RegSetKeySecurity( subkey, DACL_SECURITY_INFORMATION,
psd)) != ERROR_SUCCESS) {
fprintf(stderr, "set_userkeys_security: Failed to set security on key %s. \
Error was %s.\n",
usersid, str_oserr(err));
RegCloseKey(subkey);
RegCloseKey(key);
return -1;
}
RegCloseKey(subkey);
}
} while(err == ERROR_SUCCESS);
if(err != ERROR_NO_MORE_ITEMS) {
RegCloseKey(key);
return -1;
}
if(return_key == 0)
RegCloseKey(key);
else
*return_key = key;
return 0;
}
/*
* Function to travel down the SAM security tree in the registry and restore
* the correct ACL on them. Returns 0 on success. -1 on fail.
*/
int restore_sam_tree_access( HKEY start )
{
char path[128];
char *p;
HKEY key;
DWORD err;
SECURITY_DESCRIPTOR sd;
DWORD admin_mask;
admin_mask = WRITE_DAC | READ_CONTROL;
if(create_sd_from_list( &sd, 2, "SYSTEM", GENERIC_ALL,
"Administrators", admin_mask) == FALSE)
return -1;
strcpy( path, "SECURITY\\SAM\\Domains\\Account\\Users");
/* Remove the security on the user keys first. */
if(set_userkeys_security( start, path, &sd, 0) != 0)
return -1;
/* now go up the path, restoring security */
do {
if((err = RegOpenKeyEx( start, path, 0, WRITE_DAC, &key)) !=
ERROR_SUCCESS) {
fprintf(stderr, "restore_sam_tree_access:Failed to open key %s to set \
security. Error was %s.\n",
path, str_oserr(err));
return -1;
}
if((err = RegSetKeySecurity( key, DACL_SECURITY_INFORMATION,
&sd)) != ERROR_SUCCESS) {
fprintf(stderr, "restore_sam_tree_access: Failed to set security on key %s. \
Error was %s.\n",
path, str_oserr(err));
RegCloseKey(key);
return -1;
}
RegCloseKey(key);
p = strrchr(path, '\\');
if( p != 0)
*p = 0;
} while( p != 0 );
return 0;
}
/*
* Function to travel the security tree and add Administrators
* access as WRITE_DAC, READ_CONTROL and READ.
* Returns 0 on success. -1 on fail if no security was changed,
* -2 on fail if security was changed.
*/
int set_sam_tree_access( HKEY start, HKEY *return_key)
{
char path[128];
char *p;
HKEY key;
DWORD err;
BOOL security_changed = FALSE;
SECURITY_DESCRIPTOR sd;
DWORD admin_mask;
BOOL finished = FALSE;
admin_mask = WRITE_DAC | READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS;
if(create_sd_from_list( &sd, 2, "SYSTEM", GENERIC_ALL,
"Administrators", admin_mask) == FALSE)
return -1;
strcpy( path, "SECURITY\\SAM\\Domains\\Account\\Users");
p = strchr(path, '\\');
do {
if( p != 0)
*p = 0;
else
finished = TRUE;
if((err = RegOpenKeyEx( start, path, 0, WRITE_DAC, &key)) !=
ERROR_SUCCESS) {
fprintf(stderr, "set_sam_tree_access:Failed to open key %s to set \
security. Error was %s.\n",
path, str_oserr(err));
return (security_changed ? -2: -1);
}
if((err = RegSetKeySecurity( key, DACL_SECURITY_INFORMATION,
&sd)) != ERROR_SUCCESS) {
fprintf(stderr, "set_sam_tree_access: Failed to set security on key %s. \
Error was %s.\n",
path, str_oserr(err));
RegCloseKey(key);
return (security_changed ? -2: -1);
}
security_changed = TRUE;
RegCloseKey(key);
if(p != 0) {
*p++ = '\\';
p = strchr(p, '\\');
}
} while( !finished );
if(set_userkeys_security( start, path, &sd, &key) != 0)
return -2;
if(return_key == 0)
RegCloseKey(key);
else
*return_key = key;
return 0;
}
/*
* Function to get a little-endian int from an offset into
* a byte array.
*/
int get_int( char *array )
{
return ((array[0]&0xff) + ((array[1]<<8)&0xff00) +
((array[2]<<16)&0xff0000) +
((array[3]<<24)&0xff000000));
}
/*
* Convert a 7 byte array into an 8 byte des key with odd parity.
*/
void str_to_key(unsigned char *str,unsigned char *key)
{
void des_set_odd_parity(des_cblock *);
int i;
key[0] = str[0]>>1;
key[1] = ((str[0]&0x01)<<6) | (str[1]>>2);
key[2] = ((str[1]&0x03)<<5) | (str[2]>>3);
key[3] = ((str[2]&0x07)<<4) | (str[3]>>4);
key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5);
key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6);
key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7);
key[7] = str[6]&0x7F;
for (i=0;i<8;i++) {
key[i] = (key[i]<<1);
}
des_set_odd_parity((des_cblock *)key);
}
/*
* Function to convert the RID to the first decrypt key.
*/
void sid_to_key1(unsigned long sid,unsigned char deskey[8])
{
unsigned char s[7];
s[0] = (unsigned char)(sid & 0xFF);
s[1] = (unsigned char)((sid>>8) & 0xFF);
s[2] = (unsigned char)((sid>>16) & 0xFF);
s[3] = (unsigned char)((sid>>24) & 0xFF);
s[4] = s[0];
s[5] = s[1];
s[6] = s[2];
str_to_key(s,deskey);
}
/*
* Function to convert the RID to the second decrypt key.
*/
void sid_to_key2(unsigned long sid,unsigned char deskey[8])
{
unsigned char s[7];
s[0] = (unsigned char)((sid>>24) & 0xFF);
s[1] = (unsigned char)(sid & 0xFF);
s[2] = (unsigned char)((sid>>8) & 0xFF);
s[3] = (unsigned char)((sid>>16) & 0xFF);
s[4] = s[0];
s[5] = s[1];
s[6] = s[2];
str_to_key(s,deskey);
}
/*
* Function to split a 'V' entry into a users name, passwords and comment.
*/
int check_vp(char *vp, int vp_size, char **username, char **fullname,
char **comment, char **homedir,
char *lanman,int *got_lanman,
char *md4, int *got_md4,
DWORD rid
)
{
des_key_schedule ks1, ks2;
des_cblock deskey1, deskey2;
int username_offset = get_int(vp + 0xC);
int username_len = get_int(vp + 0x10);
int fullname_offset = get_int(vp + 0x18);
int fullname_len = get_int(vp + 0x1c);
int comment_offset = get_int(vp + 0x24);
int comment_len = get_int(vp + 0x28);
int homedir_offset = get_int(vp + 0x48);
int homedir_len = get_int(vp + 0x4c);
int pw_offset = get_int(vp + 0x9c);
*username = 0;
*fullname = 0;
*comment = 0;
*homedir = 0;
*got_lanman = 0;
*got_md4 = 0;
if(username_len < 0 || username_offset < 0 || comment_len < 0 ||
fullname_len < 0 || homedir_offset < 0 ||
comment_offset < 0 || pw_offset < 0)
return -1;
username_offset += 0xCC;
fullname_offset += 0xCC;
comment_offset += 0xCC;
homedir_offset += 0xCC;
pw_offset += 0xCC;
if((*username = (char *)malloc(username_len + 1)) == 0) {
fprintf(stderr, "check_vp: malloc fail for username.\n");
return -1;
}
if((*fullname = (char *)malloc(fullname_len + 1)) == 0) {
fprintf(stderr, "check_vp: malloc fail for username.\n");
free(*username);
*username = 0;
return -1;
}
if((*comment = (char *)malloc(comment_len + 1)) == 0) {
fprintf(stderr, "check_vp: malloc fail for comment.\n");
free(*username);
*username = 0;
free(*fullname);
*fullname = 0;
return -1;
}
if((*homedir = (char *)malloc(homedir_len + 1)) == 0) {
fprintf(stderr, "check_vp: malloc fail for homedir.\n");
free(*username);
*username = 0;
free(*fullname);
*fullname = 0;
free(*comment);
*comment = 0;
return -1;
}
wcstombs( *username, (wchar_t *)(vp + username_offset), username_len/sizeof(wchar_t));
(*username)[username_len/sizeof(wchar_t)] = 0;
wcstombs( *fullname, (wchar_t *)(vp + fullname_offset), fullname_len/sizeof(wchar_t));
(*fullname)[fullname_len/sizeof(wchar_t)] = 0;
wcstombs( *comment, (wchar_t *)(vp + comment_offset), comment_len/sizeof(wchar_t));
(*comment)[comment_len/sizeof(wchar_t)] = 0;
wcstombs( *homedir, (wchar_t *)(vp + homedir_offset), homedir_len/sizeof(wchar_t));
(*homedir)[homedir_len/sizeof(wchar_t)] = 0;
if(pw_offset >= vp_size) {
/* No password */
*got_lanman = 0;
*got_md4 = 0;
return 0;
}
/* Check that the password offset plus the size of the
lanman and md4 hashes fits within the V record. */
if(pw_offset + 32 > vp_size) {
/* Account disabled ? */
*got_lanman = -1;
*got_md4 = -1;
return 0;
}
/* Get the two decrpt keys. */
sid_to_key1(rid,(unsigned char *)deskey1);
des_set_key((des_cblock *)deskey1,ks1);
sid_to_key2(rid,(unsigned char *)deskey2);
des_set_key((des_cblock *)deskey2,ks2);
vp += pw_offset;
/* Decrypt the lanman password hash as two 8 byte blocks. */
des_ecb_encrypt((des_cblock *)vp,
(des_cblock *)lanman, ks1, DES_DECRYPT);
des_ecb_encrypt((des_cblock *)(vp + 8),
(des_cblock *)&lanman[8], ks2, DES_DECRYPT);
vp += 16;
/* Decrypt the NT md4 password hash as two 8 byte blocks. */
des_ecb_encrypt((des_cblock *)vp,
(des_cblock *)md4, ks1, DES_DECRYPT);
des_ecb_encrypt((des_cblock *)(vp + 8),
(des_cblock *)&md4[8], ks2, DES_DECRYPT);
*got_lanman = 1;
*got_md4 = 1;
return 0;
}
/*
* Function to print out a 16 byte array as hex.
*/
void print_hexval(char *val)
{
int i;
for(i = 0; i < 16; i++)
printf("%02X", (unsigned char)val[i]);
}
/*
* Function to strip out any ':' or '\n', '\r' from a text
* string.
*/
void strip_text( char *txt )
{
char *p;
for( p = strchr(txt, ':'); p ; p = strchr( p + 1, ':'))
*p = '_';
for( p = strchr(txt, '\n'); p ; p = strchr(p + 1, '\n'))
*p = '_';
for( p = strchr(txt, '\r'); p ; p = strchr(p + 1, '\r'))
*p = '_';
}
/*
* Function to dump a users smbpasswd entry onto stdout.
* Returns 0 on success, -1 on fail.
*/
int printout_smb_entry( HKEY user, DWORD rid )
{
DWORD err;
DWORD type;
DWORD size = 0;
char *vp;
char lanman[16];
char md4_hash[16];
char *username;
char *fullname;
char *comment;
char *homedir;
int got_lanman;
int got_md4;
/* Find out how much space we need for the 'V' value. */
if((err = RegQueryValueEx( user, "V", 0, &type, 0, &size))
!= ERROR_SUCCESS) {
fprintf(stderr, "printout_smb_entry: Unable to determine size needed \
for user 'V' value. Error was %s.\n.", str_oserr(err));
return -1;
}
if((vp = (char *)malloc(size)) == 0) {
fprintf(stderr, "printout_smb_entry: malloc fail for user entry.\n");
return -1;
}
if((err = RegQueryValueEx( user, "V", 0, &type, (LPBYTE)vp, &size))
!= ERROR_SUCCESS) {
fprintf(stderr, "printout_smb_entry: Unable to read user 'V' value. \
Error was %s.\n.", str_oserr(err));
free(vp);
return -1;
}
/* Check heuristics */
if(check_vp(vp, size, &username, &fullname, &comment,
&homedir, lanman, &got_lanman,
md4_hash, &got_md4, rid) != 0) {
fprintf(stderr, "Failed to parse entry for RID %X\n", rid);
free(vp);
return 0;
}
/* Ensure username of comment don't have any nasty suprises
for us such as an embedded ':' or '\n' - see multiple UNIX
passwd field update security bugs for details... */
strip_text( username );
strip_text( fullname );
strip_text( comment );
/* If homedir contains a drive letter this mangles it - but it protects
the integrity of the smbpasswd file. */
strip_text( homedir );
printf("%s:%d:", username, rid);
if(got_lanman) {
if(got_lanman == -1) /* Disabled account ? */
printf("********************************");
else
print_hexval(lanman);
} else
printf("NO PASSWORD*********************");
printf(":");
if(got_md4) {
if(got_md4 == -1) /* Disabled account ? */
printf("********************************");
else
print_hexval(md4_hash);
} else
printf("NO PASSWORD*********************");
printf(":");
if(*fullname)
printf("%s", fullname);
if(*fullname && *comment)
printf(",");
if(*comment)
printf("%s", comment);
printf(":");
if(*homedir)
printf("%s", homedir);
printf(":\n");
free(username);
free(comment);
free(homedir);
free(vp);
return 0;
}
/*
* Function to go through all the user SID's - dumping out
* their SAM values. Returns 0 on success, -1 on fail.
*/
int enumerate_users( HKEY key)
{
DWORD indx = 0;
DWORD err;
DWORD rid;
char usersid[128];
do {
DWORD size;
FILETIME ft;
size = sizeof(usersid);
err = RegEnumKeyEx( key, indx, usersid, &size, 0, 0, 0, &ft);
if(err == ERROR_SUCCESS) {
HKEY subkey;
indx++;
if((err = RegOpenKeyEx( key, usersid, 0, KEY_QUERY_VALUE, &subkey)) !=
ERROR_SUCCESS) {
fprintf(stderr, "enumerate_users: Failed to open key %s to read value. \
Error was %s.\n",
usersid, str_oserr(err));
RegCloseKey(key);
return -1;
}
rid = strtoul(usersid, 0, 16);
/* Hack as we know there is a Names key here */
if(rid != 0) {
if(printout_smb_entry( subkey, rid ) != 0) {
RegCloseKey(subkey);
return -1;
}
}
RegCloseKey(subkey);
}
} while(err == ERROR_SUCCESS);
if(err != ERROR_NO_MORE_ITEMS) {
RegCloseKey(key);
return -1;
}
return 0;
}
/*
* Print usage message and die.
*/
void usage(const char *arg0) {
fprintf(stderr, "Usage: %s <\\\\machine>\n", arg0);
exit(-1);
}
/*
* usage: \\machine
*/
int main(int argc, char **argv)
{
char username[128];
DWORD size;
HKEY start_key = HKEY_LOCAL_MACHINE;
HKEY users_key;
int err;
if(argc > 2)
usage(argv[0]);
/*
* Ensure we are running as Administrator before
* we will run.
*/
size = sizeof(username);
if(GetUserName(username, &size)== FALSE) {
fprintf(stderr, "%s: GetUserName() failed. Error was %s.",
argv[0], str_oserr(GetLastError()));
return -1;
}
if(stricmp( "Administrator", username) != 0) {
fprintf(stderr, "%s: You must be running as user Administrator \
to run this program\n", argv[0]);
return -1;
}
/*
* Open a connection to the remote machines registry.
*/
if(argc == 2) {
if((err = RegConnectRegistry( argv[1], HKEY_LOCAL_MACHINE, &start_key)) !=
ERROR_SUCCESS) {
fprintf(stderr, "%s: Failed to connect to registry on remote computer %s.\
Error was %s.\n", argv[0], argv[1], str_oserr(err));
return -1;
}
}
/*
* We need to get to HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users.
* The security on this key normally doesn't allow Administrators
* to read - we need to add this.
*/
if((err = set_sam_tree_access( start_key, &users_key)) != 0) {
if(err == -2)
restore_sam_tree_access( start_key);
return -1;
}
/* Print the users SAM entries in smbpasswd format onto stdout. */
enumerate_users( users_key );
RegCloseKey(users_key);
/* reset the security on the SAM */
restore_sam_tree_access( start_key );
if(start_key != HKEY_LOCAL_MACHINE)
RegCloseKey(start_key);
return 0;
}