I'm using the examples from technet to try to read a dword / string from HKLM\Microsoft\Windows\CurrentVersion\Run called MyStartupExe.. It is returning empty.. This regular example works:
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set oReg=GetObject( _
"winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "Console"
strValueName = "HistoryBufferSize"
oReg.GetDWORDValue _
HKEY_CURRENT_USER,strKeyPath,strValueName,dwValue
WScript.Echo "Current History Buffer Size: " & dwValue
My adaptation of it does not work. The string and dword value exists in the registry at the key path I'm looking for.
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set oReg=GetObject( _
"winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "MyStartUpExe"
oReg.GetDWORDValue _
HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue
WScript.Echo "MyStartupExe" & dwValue
"MyStartUpExe" is most likely a REG_SZ value, not a REG_DWORD value, so you'll have to use GetStringValue() instead of GetDWORDValue().
oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, value
WScript.Echo "MyStartUpExe" & value
Refer to the WMI StdRegProv class.
Or you could just use Shell.RegRead to read registry values where you don't know the values' datatype. If the return code of RegRead is 0 (success) a reg value exists, else if the return code will be some general error code, e.g. &h800xxxxx etc. then no reg value exists. To check your OS architecture type, query the Win32_Processor.Architecture value (where '0' = 'x86' or '9' = 'x64').
Related
Hi could any one point me in the right direction to create Vbscript to query computer name and then write the query result to registry HKLM\software\test dword or string
this is what i have got so far i just dont know how to link the query then add the query result to the registry -thanks in advance
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName"
strValueName = "ComputerName"
oReg.GetExpandedStringValue HKEY_LOCAL_MACHINE,strKeyPath, _
strValueName,strValue
From Help https://www.microsoft.com/en-au/download/details.aspx?id=2764
Computername
Set WshNetwork = WScript.CreateObject("WScript.Network")
WScript.Echo "Domain = " & WshNetwork.UserDomain
WScript.Echo "Computer Name = " & WshNetwork.ComputerName
WScript.Echo "User Name = " & WshNetwork.UserName
Write Registry
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKCU\Software\ACME\FortuneTeller\", 1, "REG_BINARY"
I am stumped here. I can't seem to wrap my head around getting the subkeys read into an array, and then walk through each subkey to search for a certain Dword value. I could assign variables to every subkey (which would take forever.)
My script works fine when I have it set up to look at one subkey and one value:
Const HKLM = &H80000002
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7
strKeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Program\Policies\policy1"
strValueName = "lastStatus"
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
objRegistry.GetDWORDValue HKLM,strKeyPath,strValueName,dwValue
If dwValue = 0 Then
Wscript.Echo strcomputer & " not done."
Elseif dwvalue = 3 Then
Wscript.Echo strcomputer & " is done!"
But, I need the script to walk through HKLM\Software\program\policies\policy1, then HKLM\Software\program\policies\policy2, then HKLM\Software\program\policies\policy3... until it reads every policy, of which there are 32 to 34 depending on the computer.
Then I need to check within each policy subkey if a dword value = 0 or 3.
I am not sure what you mean by "can't wrap my head around arrays". Do you mean you don't like the idea? In that case if you can be sure about the names of the subkeys you can do it like
For i = 1 To 34
strKeyPath = "SOFTWARE\Program\Policies\policy" & i
objRegistry.GetDWORDValue HKLM,strKeyPath,strValueName,dwValue
Next
If you just mean you don't know the proper way to do it, the normal approach would be
Const HKLM = &H80000002
strComputer = "."
strKeyPath = "SOFTWARE\Policies\"
strValueName = "lastStatus"
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
objRegistry.EnumKey HKLM, strKeyPath, subKeys
For Each subKey In subKeys
objRegistry.GetDWORDValue HKLM,strKeyPath & subKey ,strValueName,dwValue
Next
Please note that either way, if you use the WMI registry provider the keyPaths are always without "HKEY_LOCAL_MACHINE\" because you have (correctly) specified that as constant already.
I want to see with vbs, registry path. I have solution for reading the key.
Set wshShell = CreateObject( "WScript.Shell" )
WScript.Echo "ID = " _
& wshShell.RegRead( "HKEY_USERS\key" )
Output is registry key string.
I want script which to show all paths in HKEY_USERS.
For example tree:
HKEY_USERS \
S-1-5-20_Classes
S-1-5-20
S-1-5-21
S-1-5-21-15325-362362362 (I want to output only this path)
You can use the WMI StdRegProv.EnumKey methods to list all subkeys under a specific registry key. For example:
Const HKEY_USERS = &H80000003
strComputer = "."
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\default:StdRegProv")
strKeyPath = ""
objReg.EnumKey HKEY_USERS, strKeyPath, arrSubKeys
For Each subkey In arrSubKeys
WScript.Echo subkey
Next
I need help with a VBScript that will recursively search the Windows HKU registry hive for a DWORD value. It would be helpful if the script could ignore the system accounts only looking in the S-1-5-21* keys. I MUST accomplish this using the HKU hive and not the HKCU hive because the program I plan to use to run the script runs in the context of system. No way around that.
Thank you.
Const HKCU = &H80000001
Const HKLM = &H80000002
Const HKU = &H80000003
strComputer = "."
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\default:StdRegProv")
'Read the HKEY_CURRENT_USER hive, registry path, and valuename to retrieve settings
strKeyPath = "Software\Policies\Microsoft\Windows\System\Power"
strValueName = "PromptPasswordOnResume"
oReg.GetDWORDValue HKCU,strKeyPath,strValueName,dwValue
'Return a failure exit code if entry does not exist
If IsNull(dwValue) Then
Wscript.Echo "The value is either Null or could not be found in the registry."
WScript.Quit 1
'Return a failure exit code if value does not equal STIG setting
ElseIf dwValue <> 1 Then
Wscript.Echo "This is a finding. ", strValueName,"=", dwValue
WScript.Quit 1
'Return a passing exit code if value matches STIG setting
ElseIf dwValue = 1 Then
Wscript.Echo "This is not a finding. "
WScript.Quit 0
End If
All this is what I ultimately came up with to resolve my issue.
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS = &H80000003
'Set the local computer as the target
strComputer = "."
'set the objRegistry Object
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
'Enumerate All subkeys in HKEY_USERS
objRegistry.EnumKey HKEY_USERS, "", arrSubkeys
'Define variables
strKeyPath = "\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
strValueName = "HideZoneInfoOnProperties"
strSID = "S-1-5-21-\d*-\d*-\d*-\d{4,5}\\"
strValue = 1
f = True
For Each i in arrSubKeys
Set objRegExp = New RegExp
objRegExp.IgnoreCase = True
objRegExp.Global = True
objRegExp.Pattern = strSID
Set colMatches = objRegExp.Execute(i + strKeyPath)
For Each objMatch In colMatches
objRegistry.GetDWORDValue HKEY_USERS,i + strKeyPath,strValueName,dwValue
If IsNull(dwValue) Then
WScript.Echo "This is a finding, the key " & i + strKeyPath & "\" & strValueName & " does not exist."
f = False
ElseIf dwValue <> strValue Then
WScript.Echo "This is a finding, the " & i + strKeyPath & "\" & strValueName & ": " & dwValue & " does not equal REG_DWORD = " & strValue & "."
f = False
ElseIf dwValue = strValue Then
WScript.Echo "This is not a finding " & i + strKeyPath & "\" & strValueName & " = " & dwValue
End If
Next
Next
If f Then
WScript.Quit 0
Else
WScript.Quit 1
End If
You don't need recursion here. Simply iterate over the subkeys of HKEY_USERS and (try to) read the value. The return code of GetDWORDValue() will indicate whether or not the value could be read.
Const HKEY_USERS = &h80000003
subkey = "Software\Policies\Microsoft\Windows\System\Power"
name = "PromptPasswordOnResume"
computer = "."
Set reg = GetObject("winmgmts://" & computer & "/root/default:StdRegProv")
reg.EnumKey HKEY_USERS, "", sidList
For Each sid In sidList
key = sid & "\" & subkey
rc = reg.GetDWORDValue(HKEY_USERS, key, name, val)
If rc = 0 Then
If val = 1 Then
WScript.Echo "OK"
WScript.Quit 0
Else
WScript.Echo "Not OK"
WScript.Quit 1
End If
End If
Next
I am not sure if i got you right. If it is that you want to search in the HKU not in the HKCU, then the point is that an account in HKU is mapped to HKCU. Like in your case S-1-5-21* will be mapped to HKCU. You can check it by modifying an entry in HKCU and that will be reflected in HKU(S-1-5-21*) and vice-a-versa.
I'm trying to create a report of User Accounts info on the members of an AD I manage. Specifically I need what accounts are configured on their Outlook installation; What kind of protocol are they using (POP/IMAP) and where are the associated PST files stored for backup purposes. I reckon I can deploy a VBScript on all machines which can write to a file in a shared location and I can then retrive that file.
I found some scripts online which can find the PST file location in HKCU..\Windows Messaging Subsystem\Profiles but couldn't understand how they were parsing the Hex keys. If I can figure that out, I can probably get the other info stored on the subkeys.
Any help on solving this would be appreciated.
Finally figured it out using pointers online. This basically loops down to three levels in the registry from a specified subkey and writes it to a file.
const HKCU = &H80000001
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7
strComputer = "."
Set StdOut = WScript.StdOut
Dim objFSO :Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim objPSTLog :Set objPSTLog = objFSO.OpenTextFile("%temp%\pst.log",8,True)
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\"
oReg.EnumKey HKCU, strKeyPath, arrSubKeys
For Each subkey In arrSubKeys
objPSTLog.WriteLine(subkey)
strkeyPath1 = strkeyPath & subkey 'Outlook
oReg.EnumKey HKCU, strKeyPath1, arrSubKeys1
if IsArray(arrSubKeys1) Then
For Each subkey1 In arrSubKeys1
strkeyPath2 = strkeyPath1 & "\" & subkey1 'Outlook\8bce72417aa40d418ab879690e9b39cc etc
oReg.EnumKey HKCU, strKeyPath2, arrSubKeys2
if IsArray(arrSubKeys2) Then
For Each subkey2 In arrSubKeys2
objPSTLog.WriteLine(subkey2)
strkeyPath3 = strkeyPath2 & "\" & subkey2 'Outlook\8bce72417aa40d418ab879690e9b39cc\0000001 etc
oReg.EnumValues HKCU, strKeyPath3, arrValueNames, arrTypes
if IsArray(arrValueNames) Then
For i = lBound(arrValueNames) To uBound(arrValueNames)
strValueName = arrValueNames(i)
Select Case arrTypes(i)
' Show a REG_SZ value
'
Case REG_SZ
oReg.GetStringValue HKCU, strKeyPath3, strValueName, strValue
objPSTLog.WriteLine(" " & strValueName & " (REG_SZ) = " & strValue)
' Show a REG_EXPAND_SZ value
'
Case REG_EXPAND_SZ
oReg.GetExpandedStringValue HKCU, strKeyPath3, strValueName, strValue
objPSTLog.WriteLine(" " & strValueName & " (REG_EXPAND_SZ) = " & strValue)
' Show a REG_BINARY value
'
Case REG_BINARY
oReg.GetBinaryValue HKCU, strKeyPath3, strValueName, arrBytes
strBytes = ""
For Each uByte in arrBytes
uByte = Hex(uByte)
strBytes = strBytes & uByte & " "
Next
objPSTLog.WriteLine(" " & strValueName & " (REG_BINARY) = " & strBytes)
' Show a REG_DWORD value
'
Case REG_DWORD
oReg.GetDWORDValue HKCU, strKeyPath3, strValueName, uValue
objPSTLog.WriteLine(" " & strValueName & " (REG_DWORD) = " & CStr(uValue))
' Show a REG_MULTI_SZ value
'
Case REG_MULTI_SZ
oReg.GetMultiStringValue HKCU, strKeyPath3, strValueName, arrValues
objPSTLog.WriteLine(" " & strValueName & " (REG_MULTI_SZ) =")
For Each strValue in arrValues
objPSTLog.WriteLine(" " & strValue)
Next
End Select
Next
End If
strKeyPath3=""
Next
End If
strKeyPath2=""
Next
strkeyPath1 = ""
End If
Next
objPSTLog.WriteLine("")
objPSTLog.WriteLine("--------------------------------------------------------------------------------------------------------------")
objPSTLog.WriteLine("")
objPSTLog.close
MsgBox "Script Run Successful"
It still writes the Hex values. The PST Location is stored in "Delivery Store EntryID", Account name and email in "Account Name" & "Email". All are stored as REG_BINARY.
How do I get the ASCII output in the REG_BINARY Case in the last loop?