Tripredacus

RegDelete fails on Server 2008 R2

10 posts in this topic

#1 ·  Posted (edited)

I ran into an interesting behaviour with one of my scripts on Server 2008 R2. I have 2 programs. After the first program is done, it writes a registry key into RunOnce (it ends up in the Wow6432Node) to run the second program. After rebooting, the second program is run, but one of the things it is supposed to do is delete that key from RunOnce. It does not do this. It does everything else it is programmed to do (FileExists, Run a ComSpec command, show a MsgBox).

If I reboot the computer again, the second program runs again (because the key is still populated). The code is simple:

RegDelete ("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "1")

This program is used on all OSes, and this problem does not occur on 64bit Windows 7 or Windows 8. I have not tested Server 2012 yet. There is nothing in either the Application or System event logs.

Any idea why this could be happening?

Edited by Tripredacus

#2 ·  Posted (edited)

Hello,

When running a 64bit OS, you should use HKEY_LOCAL_MACHINE64 or HKLM64 as first parameter, as specified in the help file:

A registry key must start with "HKEY_LOCAL_MACHINE" ("HKLM") or "HKEY_USERS" ("HKU") or "HKEY_CURRENT_USER" ("HKCU") or "HKEY_CLASSES_ROOT" ("HKCR") or "HKEY_CURRENT_CONFIG" ("HKCC").

When running on 64-bit Windows if you want to delete a key or value specific to the 64-bit environment you have to suffix the HK... with 64 i.e. HKLM64.
Edited by Neutro

#3 ·  Posted (edited)

Hello,

When running a 64bit OS, you should use HKEY_LOCAL_MACHINE64 or HKLM64 as first parameter, as specified in the help file:
The data to delete is in the Wow6432Node. Using HKLM64 specified that the data is to be in the 64bit (natural) location in the registry. If I had specified HKLM64 to delete, the command would complete with no action because the registry key does not exist.

Update: I just tested on Server 2012 and it deletes the registry key just fine. So the problem is only on Server 2008 R2...

Edited by Tripredacus

Update: After extended tests, the key is never deleted even on reboots. I have modified my original post to reflect this.

Hi.

Use procmon.exe to check if the targeted reg value to be deleted is addressed correctly and, if so, why the deletion is refused.

Use the same script to *WRITE* some value to the same registry key, just to see if the access is fine.

Are you using #requireadmin?

Is the 2nd script compiled to 64bit or 32bit EXE?

Regards, Rudi.


Earth is flat, pigs can fly, and Nuclear Power is SAFE!

I just disabled the ability to run the apps on Server 2008 R2 until I can figure it out.

I did run ProcMon yesterday, and it shows a SUCCESS when trying to delete the registry key. Yet I can open regedit and find that the key is still there.

I am not using #requireadmin because the scripts run in Audit Mode. The apps are compiled for 32bit. I thought about making a wrapper for 64bit (I had to do something similar for Office 2013) but I had doubts on whether or not it could access that part of the registry. Typically you need a 64bit exe if you are having problems accessing the 64bit registry with the 32bit exe.

So far I've got this:

    RegDelete ("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "1")
    RegDelete ("HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\RunOnce", "1")
    Run(@ComSpec & " /c reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 1 /f")
    Run(@ComSpec & " /c reg delete HKLM\Software\wow6432node\Microsoft\Windows\CurrentVersion\RunOnce /v 1 /f")

First one fails, as expected, because the key does not exist.

Second one succeeds, but the key isn't actually deleted.

I had hoped that Reg.exe would have solved the problem, but apparently it hasn't. To make matters worse, running that reg delete command manually from a command prompt DOES work, so I know it's just a usage issue. I may try out the 64bit EXE just to see what happens.
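As an added illustration (not code from this thread or from the AutoIt project), here is how the deletion attempted in the first post and in the four-line listing above could be written so that it addresses both registry views explicitly and verifies the outcome by re-reading the value instead of trusting the return code. It assumes the value name "1" and the RunOnce path used in the thread, and that the script is compiled as a 32-bit AutoIt executable on 64-bit Windows, where "HKLM" is redirected to Wow6432Node and "HKLM64" addresses the native 64-bit view.

```autoit
; Added example, not the thread author's script: remove one RunOnce value from both
; registry views on 64-bit Windows and verify with RegRead rather than trusting
; RegDelete's return value. Assumes the value name "1" and the RunOnce key from the thread.
#RequireAdmin   ; HKLM writes need an elevated token (drop this where the session already runs elevated, e.g. Audit Mode)

Global Const $sRunOnce = "Software\Microsoft\Windows\CurrentVersion\RunOnce"
Global Const $sValueName = "1"

; From a 32-bit script, "HKLM" is redirected to the Wow6432Node view; "HKLM64" addresses the native 64-bit view.
Local $aViews[2][2] = [["32-bit view (Wow6432Node)", "HKLM"], ["64-bit view (native)", "HKLM64"]]

For $i = 0 To UBound($aViews) - 1
    Local $sLabel = $aViews[$i][0]
    Local $sKey = $aViews[$i][1] & "\" & $sRunOnce

    ; Read first: shows whether the value is visible in this view at all
    Local $sData = RegRead($sKey, $sValueName)
    Local $iReadErr = @error
    If $iReadErr <> 0 Then
        ConsoleWrite($sLabel & ": value not present (RegRead @error=" & $iReadErr & ")" & @CRLF)
        ContinueLoop
    EndIf
    ConsoleWrite($sLabel & ": found '" & $sData & "'" & @CRLF)

    ; RegDelete returns 1 on success, 0 if the key/value does not exist, 2 if deleting it failed
    Local $iRet = RegDelete($sKey, $sValueName)
    Local $iDelErr = @error
    ConsoleWrite($sLabel & ": RegDelete returned " & $iRet & " (@error=" & $iDelErr & ")" & @CRLF)

    ; Verify: a success return is not proof; re-read and treat a still-present value as a failure
    RegRead($sKey, $sValueName)
    If @error <> 0 Then
        ConsoleWrite($sLabel & ": verified removed" & @CRLF)
    Else
        ConsoleWrite($sLabel & ": STILL PRESENT after delete, check what re-creates it (e.g. with Process Monitor)" & @CRLF)
    EndIf
Next
```

Run it from SciTE (or with a console attached) so the ConsoleWrite lines are visible, and compile it as 32-bit to reproduce the view mapping described in the thread. The point of the re-read is that the loop reports the actual state of each view, which is what the manual regedit check in this thread had to supply by hand.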

Have you attempted to run it with redirection disabled?

; Disables WOW64 file-system redirection for the calling thread.
; The function takes a PVOID* that receives the previous redirection state, so pass a pointer
; ("ptr*"), not a plain integer; the return is a BOOL.
DllCall("kernel32.dll", "bool", "Wow64DisableWow64FsRedirection", "ptr*", 0)


Again, I want to be clear here that this isn't a problem with redirection. The registry key is not in the 64bit registry. But either way, I can't make a change to the OS in that way, it's not allowed.

I had an idea yesterday of launching a .cmd file and see if that works. Haven't had the chance to test it yet.

#9 ·  Posted (edited)

I can't make a change to the OS in that way, it's not allowed.

It's only for the duration of the script... your other changes are permanent.

And I'll paypal MSFN a dollar if it doesn't work :)

-iamtheky

*and this statement is suspect at best:

Typically you need a 64bit exe if you are having problems accessing the 64bit registry with the 32bit exe

Edited by boththose


I have confirmed this to be a problem with the OS and not how I'm going about trying to delete the key. If I go into Regedit and manually change the key to something else, and then reboot, the key is reverted to what it was before I changed it. I will take this topic to TechNet now instead.
