ScriptingNoob

RegEnumKey into Array, can it be done?


ScriptingNoob

Hi all,

I am trying to write a script that can read all sub-keys of a particular registry key, and then from there I can analyze each sub-key. I am trying to script a Malware Cleanup utility that will only remove the bad keys from this portion of the registry. The bad keys have the value of "Debugger" in them.

Here is the key I am trying to read from: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"; and here is what I put together so far.

$Target = "My Target IP Address"
For $i = 1 To 1000
    ; $i is the 1-based instance of the sub-key to fetch; returns "" once there are no more
    $Key = RegEnumKey("\\" & $Target & "\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", $i)
    For $i2 = 1 To 2
        ; RegEnumVal returns the NAME of the $i2-th value under the sub-key
        $Value = RegEnumVal("\\" & $Target & "\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & $Key, $i2)
        If $Value = "Debugger" Then
            MsgBox(0, "Found One", "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & $Key)
        EndIf
    Next
Next

Right now I am using a For...Next statement as my loop, but on some systems there are 20 sub-keys and on others there are 1000. If I leave my For...Next with a limit of 1000 it will take much longer to run than necessary.

Is there a way to go through all Sub-keys (only one level necessary) of a particular key?

Thank you,

ScriptingNoob

OK, I think after much (more) Googling and trial and error I found that if I use "While..WEnd" instead of For...Next and combine it with "If @error <> 0 then ExitLoop", I get better results.

$Target = "My Target IP Address" ; same target as in the first post
Local $i = 1
While 1
    $Key = RegEnumKey("\\" & $Target & "\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", $i)
    If @error <> 0 Then ExitLoop ; RegEnumKey sets @error once $i runs past the last sub-key
    $i += 1
    ;MsgBox(0, $i, $Key)
    For $i2 = 1 To 3 ; will look up to 3 values deep
        $Value = RegEnumVal("\\" & $Target & "\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & $Key, $i2)
        If $Value = "Debugger" Then
            MsgBox(0, "Found One", "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & $Key)
            ; Add RegDelete here for said key
        EndIf
    Next
WEnd

thoughts?

ZacUSNYR

You could append it to a string with a separator and then return the stringsplit value from the function (or assign the stringsplit value to your array). A more inefficient way would be to just add an element to the array each loop.
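Putting the two answers together, here is an added example (written for this thread, not code from either poster) that does what the title asks: it collects every direct sub-key into an AutoIt array by growing the array in place (ZacUSNYR's StringSplit variant works just as well if the separator is one that cannot appear in a key name; registry key names may contain "|"), and it then reads the "Debugger" value under each sub-key with RegRead instead of enumerating value names, so neither the fixed 1000-iteration loop nor the "3 values deep" limit is needed. The helper names _RegEnumKeysToArray and _FindDebuggerKeys and the $sTarget variable are assumptions of this example.

```autoit
; Added example (not the posters' code): collect every sub-key of a registry key into an
; AutoIt array, then report the sub-keys that carry a "Debugger" value.
; Assumed names: _RegEnumKeysToArray, _FindDebuggerKeys, $sTarget.

Global Const $IFEO_KEY = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

; Enumerates the direct sub-keys of $sKey. Returns an array whose element [0] is the count
; (the convention AutoIt's own array functions use); sets @error if the key itself cannot be opened.
Func _RegEnumKeysToArray($sKey)
    Local $aKeys[16]        ; starting capacity; doubled on demand instead of ReDim'ing every iteration
    Local $iCount = 0, $iErr = 0, $sSub
    While 1
        $sSub = RegEnumKey($sKey, $iCount + 1)   ; instance numbers are 1-based
        $iErr = @error                           ; capture immediately; the next function call would reset it
        If $iErr Then ExitLoop
        $iCount += 1
        If $iCount >= UBound($aKeys) Then ReDim $aKeys[UBound($aKeys) * 2]
        $aKeys[$iCount] = $sSub
    WEnd
    ReDim $aKeys[$iCount + 1]   ; shrink to the real size, keeping slot [0] for the count
    $aKeys[0] = $iCount
    ; A negative @error means the instance ran past the last sub-key (normal end of the loop);
    ; a positive one means the key, the main key or the remote registry could not be opened at all.
    If $iErr > 0 Then Return SetError($iErr, 0, $aKeys)
    Return $aKeys
EndFunc

; Reads the "Debugger" value under each sub-key directly, so a sub-key with many values is
; handled the same as one with two. Returns an array of "subkey -> debugger" strings
; ([0] = count); sets @error and returns 0 if the root key could not be enumerated.
Func _FindDebuggerKeys($sRoot)
    Local $aSubs = _RegEnumKeysToArray($sRoot)
    If @error Then Return SetError(@error, 0, 0)
    Local $aHits[$aSubs[0] + 1]   ; worst case: every sub-key matches
    $aHits[0] = 0
    Local $sDbg
    For $n = 1 To $aSubs[0]
        $sDbg = RegRead($sRoot & "\" & $aSubs[$n], "Debugger")
        If @error Then ContinueLoop   ; no Debugger value under this sub-key
        $aHits[0] += 1
        $aHits[$aHits[0]] = $aSubs[$n] & " -> " & $sDbg
    Next
    ReDim $aHits[$aHits[0] + 1]
    Return $aHits
EndFunc

; Usage. $sTarget = "" reads the local registry; a host name or IP reads a remote one ("\\host\HKLM\...").
Local $sTarget = ""   ; assumed value; the posts above use the target's IP address here
Local $sRoot = $IFEO_KEY
If $sTarget <> "" Then $sRoot = "\\" & $sTarget & "\" & $IFEO_KEY

Local $aHits = _FindDebuggerKeys($sRoot)
Local $iErr = @error
If $iErr Then
    ConsoleWrite("Could not open " & $sRoot & " (@error " & $iErr & ")" & @CRLF)
Else
    ConsoleWrite($aHits[0] & " sub-key(s) under IFEO define a Debugger value:" & @CRLF)
    For $n = 1 To $aHits[0]
        ; Report only. Decide per entry before adding any RegDelete: the same value is set
        ; legitimately by debuggers and by tools such as Process Explorer's "Replace Task Manager" option.
        ConsoleWrite("  " & $aHits[$n] & @CRLF)
    Next
EndIf
```

The error handling matters on remote targets: if the remote registry service is unreachable, RegEnumKey fails on the very first instance, and without distinguishing that from "no more sub-keys" the script would silently report a clean machine.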
