RegDelete fails on Server 2008 R2

Tripredacus · June 5, 2013

I ran into an interesting behaviour with one of my scripts on Server 2008 R2. I have 2 programs. After the first program is done, it writes a registry key into RunOnce (it ends up on the Wow6432Node) to run the second program. After rebooting, the second program is run, but one of the things it is supposed to do is delete that key from RunOnce. It does not do this. It does everything else it is programmed to do (FileExists, Run a ComSpec command, show a MsgBox)

If I reboot the computer again, the second program runs again (because the key is still populated) Code is simple:

RegDelete ("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "1")

This program is used on all OSes, and this problem does not occur on 64bit Windows 7 or Windows 8. I have not tested Server 2012 yet. There is nothing in either the Application or System event logs.

Any idea why this could be happening?

Edited June 12, 2013 by Tripredacus

Neutro · June 5, 2013

Hello,

When running a 64bit OS, you should use HKEY_LOCAL_MACHINE64 or HKLM64 as first parameter, as specified in the help file:

A registry key must start with "HKEY_LOCAL_MACHINE" ("HKLM") or "HKEY_USERS" ("HKU") or "HKEY_CURRENT_USER" ("HKCU") or "HKEY_CLASSES_ROOT" ("HKCR") or "HKEY_CURRENT_CONFIG" ("HKCC").

When running on 64-bit Windows if you want to delete a key or value specific to the 64-bit environment you have to suffix the HK... with 64 i.e. HKLM64.

Edited June 5, 2013 by Neutro

Tripredacus · June 6, 2013

Hello,

When running a 64bit OS, you should use HKEY_LOCAL_MACHINE64 or HKLM64 as first parameter, as specified in the help file:

The data to delete is in the Wow6432Node. Using HKLM64 specified that the data is to be in the 64bit (natural) location in the registry. If I had specified HKLM64 to delete, the command would complete with no action because the registry key does not exist.

Update: I just tested on Server 2012 and it deletes the registry key just fine. So the problem is only on Server 2008 R2...

Edited June 6, 2013 by Tripredacus

Tripredacus · June 12, 2013

Update: After extended tests, the key is never deleted even on reboots. I have modified my original post to reflect this.

rudi · June 13, 2013

Hi.

Use procmon.exe to check, if the targeted reg value to be deleted is addressed correctly, and, if so, why it's refused to be deleted.

use the same script, to *WRITE* some value to the same key of the registry, just to see, if the access is fine.

are you using #requireadmin?

Is the 2nd script compiled to 64bit or 32bit EXE?

Regards, Rudi.

Tripredacus · June 13, 2013

I just disabled the ability to run the apps on Server 2008 R2 until I can figure it out.

I did run ProcMon yesterday, and it shows a SUCCESS when trying to delete the registry key. Yet I can open regedit and find that the key is still there.

I am not using #requireadmin because the scripts run in Audit Mode. The apps are compiled for 32bit. I thought about making a wrapper for 64bit (I had to do something similar for Office 2013) but I had doubts on whether or not it could access that part of the registry. Typically you need a 64bit exe if you are having problems accessing the 64bit registry with the 32bit exe.

So far I've got this:

    RegDelete ("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "1")
    RegDelete ("HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\RunOnce", "1")
    Run(@ComSpec & " /c reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 1 /f")
    Run(@ComSpec & " /c reg delete HKLM\Software\wow6432node\Microsoft\Windows\CurrentVersion\RunOnce /v 1 /f")

First one fails, as expected, because they key does not exist.

Second one succeeds, but the key isn't actually deleted.

I had hoped that the Reg.exe would have solved the problem, but apparently it hasn't. To make matters worse, running that reg delete command manually from a command prompt DOES work, so I know its just a usage issue. I may try out the 64bit EXE just to see what happens.

iamtheky · June 13, 2013

have you have attempted to run it with redirection disabled?

DllCall("kernel32.dll", "int", "Wow64DisableWow64FsRedirection", "int", 1)

Tripredacus · June 14, 2013

Again, I want to be clear here that this isn't a problem with redirection. The registry key is not in the 64bit registry. But either way, I can't make a change to the OS in that way, its not allowed. :ph34r:

I had an idea yesterday of launching a .cmd file and see if that works. Haven't had the chance to test it yet.

iamtheky · June 14, 2013

I can't make a change to the OS in that way, its not allowed.

Its only for the duration of the script... your other changes are permanent.

and I'll paypal MSFN a dollar if it doesnt work

-iamtheky

*and this statement is suspect at best

Typically you need a 64bit exe if you are having problems accessing the 64bit registry with the 32bit exe

Edited June 14, 2013 by boththose

Tripredacus · June 18, 2013

I have confirmed this to be a problem with the OS and not how I'm going about trying to delete the key. If I go into Regedit and manually change the key to something else, and then reboot, the key is reverted to what it was before I changed it. I will take this topic to TechNet now instead.

RegDelete fails on Server 2008 R2

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members