How to Hack the LaCIE Ethernet 1TB NAS (Rack-Mount Version)


I’ve recently had access to a LaCIE Ethernet 1TB (terabyte) NAS (network attached storage) server similar to the one we use at our workplace. These things are great because you don’t have to hook them up to a computer (they’re really just small computer servers with huge hard drives). Also, you can make user accounts and set aside spaces just for individual users or groups of users. You can set up full permissions or read-only permissions. It uses FTP, HTTP, AppleTalk (AFP), and Windows Sharing (SMB). The big hang-up we’ve had with our work LaCIE is that it has this clunky, slow, and altogether not very useful graphical interface. Since it’s always running, it slows down almost every operation we try to do on it. I decided that with the new one I have access to, I didn’t want to deal with that; I’d rather have the default Windows XP Embedded shell back. The LaCIE runs Windows XP Embedded (2002 Version) with Service Pack 1, and a custom shell that replaces Explorer.exe to restrict access to the system.

This is a pretty high geek-level endeavor, but if you feel comfortable, read on and learn how we cracked it wide open (without cracking the case)!

Running Any Program on the LaCIE

By default, there is no easy way to run a program on the LaCIE while it’s locked down with the custom shell. You do, however, have access to the task manager via the usual CTRL+ALT+DEL (CTRL+ALT+END for Remote Desktop Consoles). However, that’s been locked down, too. It was by sheer accident that my coworker Brian discovered that after clicking on the “user” tab and then going to “File,” the option to run a “New Task” was available. We used this to launch iexplore.exe (Internet Explorer).

You’ll get an error that it can’t find the location referenced – it’s looking for your Desktop. Apparently IE is dumb and must be able to find your user’s desktop or it throws an error. We’ll fix that later. For now, hit Enter and continue. Once we had Internet Explorer launched, we attempted several silly things, such as Windows Update. That didn’t work, but we didn’t know that XP Embedded just doesn’t like to do that. I managed to upgrade the Windows Installer to the latest version, but apparently XP Embedded doesn’t include the Background Intelligent Transfer Service (BITS) and thus the Cryptographic Services service fails, and then Windows Update (wuauserv) fails. On to the next task:

WARNING: Everything after this will probably void your warranty if you have one, and I’m not responsible if you mess up these directions or something doesn’t work as expected, and I’m not responsible if you break anything or experience loss of data or money or man-hours as a result of these directions. You’ve been warned. (But it’s probably going to be okay, nothing here should badly mess up your system, just be sure you have your data backed up somewhere and your LaCIE restore disks & instructions if needed.)

Install Firefox

We didn’t want to use silly old Internet Explorer to access the web, so we took IE over to GetFirefox.com and downloaded the latest Firefox web browser. Eureka! It worked! No special steps taken except launching IE via the task manager as described above.

Replacement Registry Editor

I’m not sure if XP Embedded doesn’t normally come with regedit or regedit32 by default, but this one didn’t. The important settings that had been locked down in our LaCIE were all carefully guarded in the registry, so we were going to need a replacement. (Later, it turns out we just needed to copy regedit.exe and clb.dll from another regular XP install to get real registry editing.) I downloaded RegistryExplorer from Whirling Dervishes. This gave us access into the Windows registry in Explorer folder-style.

Set Windows XP Embedded Custom Shell Back to Default Explorer.exe Shell

From this Microsoft MSDN article, I learned that there are three keys that deal with setting the shell Windows uses when booting up:

“Microsoft® Windows® XP has a feature that can provide the solution through the registry. The registry for each user account and administrator account can be set up to start a user-specific shell. There are three keys that must be set up. The first two are generic for all users. This article refers to the keys as “Key1,” “Key2,” and “Key3” for simplicity.

Key1 is a string value. When Windows XP starts, Key1 is called and the default Windows shell is started. However, if the default value is changed to USR:Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Windows looks in the HKEY_Current_User key to start a specific shell for the user logging on. If the specific user shell is not found, Key2 is called and a default shell is started.

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot\Shell
Type: REG_SZ
Value: SYS:Microsoft\Windows NT\CurrentVersion\Winlogon

Key2 provides a default shell if the user shell application cannot be found. When you select a shell component for a Microsoft Windows XP Embedded configuration, Key 2 is set up to the shell application as the default shell.

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Type: REG_SZ
Value: Explorer.exe (or this can be a different default application)

Key3 sets up a shell for the current user or logged-on user. Thus, the only way to change a particular user’s shell is to log on to the user account and create this registry entry.

Key: HKEY_Current_User\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Type: REG_SZ
Value: c:\windows\system32\account shell.exe, where account shell.exe is the name of the application.”

I made the appropriate key changes to point the HKEY_LOCAL_MACHINE (key 1) at the “USR:…” value, then found that the HKEY_CURRENT_USER (key 2) was set to a value of “ED.exe” which seems to be the LaCIE interface. I changed that value to point to “Explorer.exe” and then crossed my fingers and logged out, then rebooted. Voila! Windows XP Desktop and start menu!
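The lookup order from the quoted article can be checked against a registry export to confirm which shell a locked-down unit will actually start. This is an added example, not code from the original post or from Microsoft; the function names and the sample export are constructed for illustration, and "ED.exe" as the expected shell is taken from the paragraph above.

```python
import re

WINLOGON = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
KEY1 = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
        r"\IniFileMapping\system.ini\boot")
KEY2 = "HKEY_LOCAL_MACHINE\\" + WINLOGON
KEY3 = "HKEY_CURRENT_USER\\" + WINLOGON

# Constructed sample in regedit export format (not captured from a real device).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot]
"Shell"="USR:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="ED.exe"
'''

def parse_reg(text):
    """Map each key path (lower-cased) to its string values, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files escape backslashes inside string data
                current[m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys

def effective_shell(keys):
    """Key1 decides whether Key3 (per-user) is consulted; Key2 is the fallback."""
    def shell(path):
        return keys.get(path.lower(), {}).get("shell")
    redirect = (shell(KEY1) or "").upper().startswith("USR:")
    if redirect and shell(KEY3):
        return shell(KEY3), "Key3 (per-user)"
    return shell(KEY2), "Key2 (machine default)"

def audit(text, expected="ED.exe"):
    """Report the shell that will start and whether it is the expected one."""
    shell, source = effective_shell(parse_reg(text))
    ok = shell is not None and shell.lower() == expected.lower()
    return {"shell": shell, "source": source, "matches_expected": ok}

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

The parser only reads plain string values, which is all the three Shell entries use; decode a real export to text before passing it in.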

Unlock Locked Down Features

Several things were still locked down – for example, the “Run” dialog was not available via the Start menu, and we still had to use the lame Task Manager trick to start tasks. This was simply unacceptable. It turns out there was a key at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and then a dword called “NoRun” – changed its value from “1” to “0,” killed the Explorer.exe process, and restarted it. Eureka! We have “Run” dialogue.

Our friends over in Desktop Support had a handy “unlock-down” registry key (use at your own risk! You could seriously screw things up!) that unlocks pretty much everything else that might be locked down. Just right-click (or CTRL-CLICK for Macs) and choose “Save Link As” to download that file to your LaCIE desktop. Then double-click the file and confirm you want to import the registry keys. You can always open the file for editing in Notepad, too, to make sure this file is legit.

Epilogue

We didn’t do too much more to this LaCIE rack-mount NAS, but it was fun to play with. I imagine almost anything could be run on this, provided its stark 256MB of RAM and 1.00GHz processor can handle it. We did note that once we changed the default shell back to Explorer.exe instead of ED.exe, the web service had to be manually started by running (and then killing) the ED.exe process. For security reasons, it might be best to leave this off anyway and just manage everything from Terminal Services (Remote Desktop) or a connected keyboard, mouse and monitor to the local console.

I’m not going to tell you what to do with this, but you could probably set up a web site using the IIS server, or install WAMP and disable IIS completely. You could also install uTorrent since it’s light-weight and uses minimal resources. You know, to download all those public domain movies and classical music.

Zöe
Hi, I'm Zöe. Thanks for reading! If you enjoyed this, please feel free to leave a comment below.
  • jjsb

    Thanks so much, I found this to be very informative and helpful. I have had the 2TB model for almost 2 years now and been hanging to get it to more. Cheers

  • ms

    Seem to be having a problem with my lacie. When I launch task manager and go to file, there is no ‘New Task (Run)’ option. The only thing that is available is the ‘Exit Task Manager’ option under file.

    • The Raging Tech

      There’s the trick. You need to go over to the last tab on the right (Users) and click on that tab, then go to “File” before you’ll have the “New Task (Run)” option. If you’re on any of the other tabs “New Task (Run)” will not be in the File menu. Took us forever to figure that out.

  • Zip

    You’re better off deleting registry files that have ‘No’ in their name as well as a few others to get full access.

    Delete ‘DisableWindowsUpdateAccess’ reg file to run windows update 🙂

    BTW, thanks for the tut!

    • The Raging Tech

      @Zip: You actually *can’t* run Windows Update on XP embedded OS. You have to use the MS tool for people who are paying to be able to admin XP Embedded machines to deploy the updates. I would not advise people to delete keys that say “No” in their name. Some of those are good things 🙂 But that’s a good way to start looking. Thanks for the tips.

  • sd

    I’m looking to have access to IIS so I can do user segregation for the FTP server, so that I can direct each user to a specific folder when they connect and they don’t have access to the root folder. Do you think this process would allow me to accomplish that?

    • The Raging Tech

      Probably. I do know that the IIS service is pretty locked down. We found that killing the ED gui process killed the IIS server from starting automatically, although if you’re crafty I’m sure you can get it back to starting on startup. Then it’s just a matter of setting up IIS the way you like it via the Enterprise configuration system.

  • cr

    Thanks for the information. Have also found that if you manage to open any file browser window (e.g. Add Program Exception to the Firewall), you can right click to “Open” or “Run” any of the files – a handy one is the “cmd.exe” which opens a command window – anything else can be launched from there.

  • Unintended Teacher

    Thanks for the information. Have also found that if you manage to open any file browser window (e.g. Add Program Exception to the Firewall), you can right click to “Open” or “Run” any of the files – a handy one is the “cmd.exe” which opens a command window – anything else can be launched from there.
