ScriptingNoob Posted March 25, 2012

Hi all,

I am trying to write a script that can read all sub-keys of a particular registry key, and then from there I can analyze each sub-key. I am trying to script a Malware Cleanup utility that will only remove the bad keys from this portion of the registry. The bad keys have the value of "Debugger" in them.

Here is the key I am trying to read from: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"; and here is what I put together so far.

```autoit
$Target = "My Target IP Address"
; Try sub-key indexes 1..1000 on the remote machine
For $i = 1 to 1000
    $Key = RegEnumKey("\\" & $Target & "\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", $i)
    ; Look at the names of the first two values of each sub-key
    For $i2 = 1 to 2
        $Value = RegEnumVal("\\" & $Target & "\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & $Key, $i2)
        If $Value = "Debugger" Then
            MsgBox(0, "Found One", "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & $Key)
        Else
        EndIf
    Next
Next
```

Right now I am using a For..Next statement as my loop, but on some systems there are 20 sub-keys and on others there are 1000. If I leave my For...Next with a limit of 1000 it will take much longer to run than necessary. Is there a way to go through all sub-keys (only one level necessary) of a particular key?

Thank you,

ScriptingNoob Posted March 25, 2012

OK, I think after much (more) Googling and trial and error I found that if I use "While..WEnd" instead of For...Next and combine it with "If @error <> 0 then ExitLoop", I get better results.

```autoit
Local $Target = "My Target IP Address" ; same placeholder as in the first post
Local $i = 1
While 1
    $Key = RegEnumKey("\\" & $Target & "\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", $i)
    $i += 1
    ; RegEnumKey sets @error once there is no sub-key at this index
    If @error <> 0 then ExitLoop
    ;MsgBox(0, $i, $Key)
    For $i2 = 1 to 3 ; will look up to 3 values deep
        $Value = RegEnumVal("\\" & $Target & "\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & $Key, $i2)
        If $Value = "Debugger" Then
            MsgBox(0, "Found One", "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & $Key)
            ; Add RegDelete here for said key
        Else
        EndIf
    Next
WEnd
```

Thoughts?

ZacUSNYR Posted March 26, 2012

You could append it to a string with a separator and then return the stringsplit value from the function (or assign the stringsplit value to your array). A more inefficient way would be to just add an element to the array each loop.

DXRW4E Posted September 16, 2012

Ciao.
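
The two suggestions in this thread combined (loop until @error, collect matches in a delimited string and StringSplit it), as an added example that is not code from any poster. It reads the Debugger value by name with RegRead instead of enumerating the first few values; the function name _FindIfeoDebuggers and its $sTarget parameter are hypothetical.

```autoit
; Added example, not from the thread. _FindIfeoDebuggers and $sTarget are hypothetical names.
Global Const $IFEO = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

; Returns a StringSplit-style array: [0] = count, [1..n] = "subkey|debugger command".
Func _FindIfeoDebuggers($sTarget = "")
    Local $sRoot = $IFEO
    ; Remote form used in the thread: \\host\HKLM\...
    If $sTarget <> "" Then $sRoot = "\\" & $sTarget & "\" & $IFEO

    Local $sHits = "", $i = 1, $sSub, $sDbg
    While 1
        $sSub = RegEnumKey($sRoot, $i)
        If @error Then ExitLoop ; no more sub-keys, or the key could not be opened
        $i += 1

        ; Ask for the value by name, so its position among the values does not matter.
        $sDbg = RegRead($sRoot & "\" & $sSub, "Debugger")
        If @error Then ContinueLoop ; this sub-key has no Debugger value
        $sHits &= $sSub & "|" & $sDbg & @LF
    WEnd

    If $sHits = "" Then
        Local $aNone[1] = [0]
        Return $aNone
    EndIf
    Return StringSplit(StringTrimRight($sHits, 1), @LF)
EndFunc

Local $aHits = _FindIfeoDebuggers() ; pass a host name or IP for a remote machine
For $n = 1 To $aHits[0]
    ; Report only. Some tools set Debugger legitimately, so review each hit before
    ; calling RegDelete, and delete after the enumeration loop has finished so the
    ; sub-key indexes do not shift underneath it.
    ConsoleWrite($aHits[$n] & @CRLF)
Next
```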