ScriptingNoob

RegEnumKey into Array, can it be done?

4 posts in this topic

Hi all,

I am trying to write a script that can read all sub-keys of a particular registry key, and then from there I can analyze each sub-key. I am trying to script a Malware Cleanup utility that will only remove the bad keys from this portion of the registry. The bad keys have the value of "Debugger" in them.

Here is the key I am trying to read from: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"; and here is what I put together so far.

$Target = "My Target IP Address"   ; remote host; "\\" & $Target is prepended to the key path
For $i = 1 To 1000   ; fixed upper bound on the number of sub-keys
    $Key = RegEnumKey("\\" & $Target & "\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", $i)
    For $i2 = 1 To 2   ; look at the first two value names under each sub-key
        $Value = RegEnumVal("\\" & $Target & "\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & $Key, $i2)
        If $Value = "Debugger" Then
            MsgBox(0, "Found One", "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & $Key)
        EndIf
    Next
Next

Right now I am using a For...Next statement as my loop, but on some systems there are 20 sub-keys and on others there are 1000. If I leave my For...Next with a limit of 1000 it will take much longer to run than necessary.

Is there a way to go through all Sub-keys (only one level necessary) of a particular key?

Thank you,


OK, I think after much (more) Googling and trial and error I found that if I use "While..WEnd" instead of For...Next and combine it with "If @error <> 0 then ExitLoop", I get better results.

Local $Target = "My Target IP Address"   ; same placeholder as in the first post
Local $i = 1
While 1
    $Key = RegEnumKey("\\" & $Target & "\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", $i)
    $i += 1
    If @error <> 0 Then ExitLoop   ; RegEnumKey sets @error once there are no more sub-keys
    ;MsgBox(0, $i, $Key)
    For $i2 = 1 To 3   ; will look up to 3 values deep
        $Value = RegEnumVal("\\" & $Target & "\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & $Key, $i2)
        If $Value = "Debugger" Then
            MsgBox(0, "Found One", "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & $Key)
            ; Add RegDelete here for said key
        EndIf
    Next
WEnd

thoughts?


You could append it to a string with a separator and then return the stringsplit value from the function (or assign the stringsplit value to your array). A more inefficient way would be to just add an element to the array each loop.

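Putting the thread together, here is an added example (my own code, not from the original poster or the reply above) that returns the sub-keys as an array, as the title asks, and then checks each one with RegRead for a "Debugger" value instead of enumerating value names. It assumes the local machine (prepend "\\" & $Target as in the first post for a remote host); $g_sIFEO and the function names are mine.

```autoit
#include <Array.au3>

; Root of Image File Execution Options on the local machine (constructed constant).
Global Const $g_sIFEO = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

; Return a zero-based array of all direct sub-keys of $sKey (one level only).
; The loop ends when RegEnumKey sets @error, so it runs exactly as many times as there are sub-keys.
Func _RegSubKeys($sKey)
    Local $aKeys[0]
    Local $i = 1
    While 1
        Local $sSub = RegEnumKey($sKey, $i)
        If @error Then ExitLoop   ; @error <> 0 means no more sub-keys
        _ArrayAdd($aKeys, $sSub)
        $i += 1
    WEnd
    Return $aKeys
EndFunc

; Return a 2D array [[sub-key, debugger value], ...] of entries under $sRoot that carry a
; "Debugger" value. RegRead sets @error when the value does not exist, so no fixed
; "3 values deep" limit is needed.
Func _FindIfeoDebuggers($sRoot)
    Local $aHits[0][2]
    Local $aSubs = _RegSubKeys($sRoot)
    For $n = 0 To UBound($aSubs) - 1
        Local $sDebugger = RegRead($sRoot & "\" & $aSubs[$n], "Debugger")
        If @error Then ContinueLoop   ; no Debugger value under this image name
        ReDim $aHits[UBound($aHits) + 1][2]
        $aHits[UBound($aHits) - 1][0] = $aSubs[$n]
        $aHits[UBound($aHits) - 1][1] = $sDebugger
    Next
    Return $aHits
EndFunc

Local $aFound = _FindIfeoDebuggers($g_sIFEO)
If UBound($aFound) = 0 Then
    MsgBox(0, "IFEO check", "No Debugger values found under " & $g_sIFEO)
Else
    ; Report only: review each entry before wiring in RegDelete, because some
    ; legitimate tools (for example a JIT debugger) register an IFEO Debugger too.
    _ArrayDisplay($aFound, "IFEO entries with a Debugger value")
EndIf
```

Showing the Debugger value next to the image name makes the review step easier, since the path it points to is usually what tells a legitimate entry from a hijack.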

Ciao.


apps-odrive.pngdrive_app_badge.png box-logo.png new_logo.png MEGA_Logo.png
