RegExp pattern in "findstr" dos command



When I use the reg query DOS command to get the value of a registry key, it also returns extra info that is not required.

For example, the following command typed at a DOS prompt returns the last logged-on username, but not only the username: the name of the key and the type of the key are also returned, while the username is the last word of the returned string.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /REG:64 /v LastLoggedOnUser

Now, since the findstr DOS command allows filtering the output by a sort of regular expression (type "findstr /?" in a DOS prompt for more details), in the following snippet I'm piping the output of the reg query command to the findstr command, trying to get only the last word of the passed string using regexp, but without success.

#include <AutoItConstants.au3>

Local $sComputer = @ComputerName
Local $sKeyname = '"\\' & $sComputer & '\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /REG:64'
Local $sValuename = "LastLoggedOnUser"

; *** here needed regexp pattern to return only the last word ***
Local $sRegExp = '"\<LastLoggedOnUser.*"' ; with this pattern I get the whole last line
; Local $sRegExp = '"\s(\w+)$"' ; This pattern should return the last word(??), but it doesn't

Local $sCmd = 'reg query ' & $sKeyname & ' /v ' & $sValuename & ' | findstr ' & $sRegExp

Local $sOut, $hPid = Run(@ComSpec & " /c " & $sCmd, "", @SW_HIDE, $STDERR_MERGED)

Do
    $sOut &= StdoutRead($hPid)
Until @error

ConsoleWrite($sOut & @CRLF)

Is there some RegExp genius with a good soul that could kindly provide a hint? :)

Thanks

 

Chimp

small minds discuss people average minds discuss events great minds discuss ideas.... and use AutoIt....


Hello, since findstr only allows matching (it will not extract the matched value), you need to add something like this at the end.

I'm not a RegExp genius.

 

ConsoleWrite(StringRegExp($sOut,"\.\\.+$",1)[0] & @CRLF)

By the way, what's wrong with RegRead?

 

Saludos

 

 

 

Edited by Danyfirex

Thanks @Danyfirex for the nice hint, but I was wondering if the "dirty work" could be done completely within the "DOS" side, so as to have the returned data already "usable" without further parsing...

P.S.

34 minutes ago, Danyfirex said:

By the way, what's wrong with RegRead?

I have to read the registry of many remote computers, so I want to spawn more readings in parallel to speed up the work, more or less in a way similar to this. If I use the RegRead() function I have to read each registry in sequence, slowing down the whole process.

 

Chimp


Thanks @mikell for your answer, ... :think: if the regexp can be used only to check (?), why does the following pattern extract only the line that begins with the word "LastLoggedOnUser" from the multiple lines returned by reg query?

'"\<LastLoggedOnUser.*"'

 

Chimp


Hmm, both of you are right.... it seems that "findstr always returns every full line that contains a match, it is not capable of returning sub-strings only" *
....well, if I have to regexp the output ... I will do :P

thank you all

 

Chimp


if your friend powershell is available:

#include <AutoItConstants.au3>

Local $sComputer = @ComputerName
Local $sKeyname = '"\\' & $sComputer & '\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /REG:64'
Local $sValuename = "LastLoggedOnUser"

Local $sCmd = 'powershell $test = reg query ' & $sKeyname & ' /v ' & $sValuename & '; echo ' & '$test[2].substring(34)'

Local $sOut, $hPid = Run($sCmd, "", @SW_HIDE, $STDERR_MERGED)

Do
    $sOut &= StdoutRead($hPid)
Until @error

ConsoleWrite($sOut & @CRLF)

 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)


iamtheky, you seem to be a PowerShell guy. I really love PowerShell. But most of the time I prefer to use it outside of AutoIt.

iamtheky We should talk more about powershell in the forum it really rocks.

 

Saludos

 

 


thanks @iamtheky, nice hint,

So, $test[2].substring(34) will return second line and chars from 34 on.

This is OK for this key. On different keys the 34 should be arranged accordingly....
Is there a RegExp extractor in PowerShell?

 

Chimp


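The fixed offset in $test[2].substring(34) fits only this value name (4 spaces + 16 characters of name + 4 spaces + REG_SZ + 4 spaces = 34). As an added example, not code from any poster in this thread, the PowerShell function below parses any reg query value line by its four-space field separators, so no offset has to be adjusted per key. The function name ConvertFrom-RegQueryOutput, the $key placeholder and the sample lines are constructed for illustration.

```powershell
# Added example: parse the text printed by "reg query <key> /v <name>".
# A value line is: 4 spaces, value name, 4 spaces, REG_* type, 4 spaces, data.
function ConvertFrom-RegQueryOutput {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]             # reg.exe output contains blank lines
        [string[]]$Line
    )
    # Lazy name match so value names containing spaces still split correctly.
    $pattern = '^\s{4}(?<Name>.+?)\s{4}(?<Type>REG_[A-Z_]+)\s{4}(?<Data>.*)$'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            New-Object PSObject -Property @{
                Name = $Matches['Name']
                Type = $Matches['Type']
                Data = $Matches['Data']
            }
        }
    }
}

# Constructed sample shaped like reg.exe output (the data value is the one quoted in this thread).
$sample = @(
    '',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI',
    '    LastLoggedOnUser    REG_SZ    .\Ky',
    ''
)

$value = ConvertFrom-RegQueryOutput -Line $sample |
    Where-Object { $_.Name -eq 'LastLoggedOnUser' }

$value.Data                      # full data field
($value.Data -split '\\')[-1]    # part after the last backslash

# Against a live key, pass the command output instead of $sample:
#   ConvertFrom-RegQueryOutput -Line (reg query $key /v LastLoggedOnUser)
```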
I'm still playing with .split, but the way reg query returns that is certainly odd. substr was the first success (of many failures) performing string ops on that line.


@iamtheky, in this link https://stackoverflow.com/questions/17345879/extract-substring-with-regex-on-powershell they are using the -match parameter to use regexp patterns against a string. I've copy-pasted some code from there and mixed in the regexp pattern by @Danyfirex from post #2 above and merged the whole in the following snippet, but it extracts the whole last line instead of only the last word.

#include <AutoItConstants.au3>

Local $sComputer = @ComputerName
Local $sKeyname = '"\\' & $sComputer & '\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /REG:64'
Local $sValuename = "LastLoggedOnUser"
; https://stackoverflow.com/questions/17345879/extract-substring-with-regex-on-powershell
Local $sCmd = 'powershell $test = (reg query ' & $sKeyname & ' /v ' & $sValuename & ') -match ''\.\\.+$'' ; echo $test '

Local $sOut, $hPid = Run($sCmd, "", @SW_HIDE, $STDERR_MERGED)

Do
    $sOut &= StdoutRead($hPid)
Until @error

ConsoleWrite($sOut & @CRLF)

what do you suggest?

 

Chimp


Since you are using PowerShell, you could probably do something like this instead of using reg query.

 

#include <AutoItConstants.au3>

Local $sComputer = @ComputerName

Local $sCmd =  "powershell (Get-WmiObject -Class win32_computersystem -ComputerName '" & $sComputer  & "').UserName -replace '"  & $sComputer  & "\\'"
Local $sOut, $hPid = Run($sCmd, "", @SW_HIDE, $STDERR_MERGED)
Do
    $sOut &= StdoutRead($hPid)
Until @error

ConsoleWrite($sOut)

I'll check above question later.

 

Saludos

 


once substring does its magic you can split on whatever you want:

 

$matches is the magical return of -match that houses the data (-match just returns a boolean to the console)

#include <AutoItConstants.au3>

Local $sComputer = @ComputerName
Local $sKeyname = '"\\' & $sComputer & '\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /REG:64'
Local $sValuename = "LastLoggedOnUser"

Local $sCmd = "powershell $test = reg query " & $sKeyname & ' /v ' & $sValuename & " ;  $test[2].substring(0) -match '\w+\\\w+$' ; $matches"

Local $sOut, $hPid = Run($sCmd, "", @SW_HIDE, $STDERR_MERGED)

Do
    $sOut &= StdoutRead($hPid)
Until @error

ConsoleWrite($sOut & @CRLF)

 

another example of how to use matches (dumps the boolean to null and retrieves only the domain\user in the stdout):

#include <AutoItConstants.au3>

Local $sComputer = @ComputerName
Local $sKeyname = '"\\' & $sComputer & '\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /REG:64'
Local $sValuename = "LastLoggedOnUser"

Local $sCmd = "powershell $test = reg query " & $sKeyname & ' /v ' & $sValuename & " ;  $test[2].substring(0) -match '\w+\\\w+$' | out-null ; echo $matches[0]"

Local $sOut, $hPid = Run($sCmd, "", @SW_HIDE, $STDERR_MERGED)

Do
    $sOut &= StdoutRead($hPid)
Until @error

ConsoleWrite($sOut & @CRLF)

 

This one showing how to use .split to just get the username from the second line

#include <AutoItConstants.au3>

Local $sComputer = @ComputerName
Local $sKeyname = '"\\' & $sComputer & '\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /REG:64'
Local $sValuename = "LastLoggedOnUser"

Local $sCmd = "powershell $test = reg query " & $sKeyname & ' /v ' & $sValuename & " ;  $test[2].substring(0).split('\')[-1]"

Local $sOut, $hPid = Run($sCmd, "", @SW_HIDE, $STDERR_MERGED)

Do
    $sOut &= StdoutRead($hPid)
Until @error

ConsoleWrite($sOut & @CRLF)

 

Edited by iamtheky


Here is the version using regexp

#include <AutoItConstants.au3>

Local $sComputer = @ComputerName
Local $sKeyname = '"\\' & $sComputer & '\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /REG:64'
Local $sValuename = "LastLoggedOnUser"
Local $sCmd = 'powershell $test = (reg query ' & $sKeyname & ' /v ' & $sValuename & '); ([regex]::Match($test,''\.\\.+$'')).Groups[0].Value'
Local $sOut, $hPid = Run($sCmd, "", @SW_HIDE, $STDERR_MERGED)

Do
    $sOut &= StdoutRead($hPid)
Until @error

ConsoleWrite($sOut & @CRLF)

Saludos


@Danyfirex

On Win7 I get a return of .\Ky

I get no return on Win10

Edit: does this work on yours?

#include <AutoItConstants.au3>


DllCall("kernel32.dll", "int", "Wow64DisableWow64FsRedirection", "int", 1)

Local $sComputer = @ComputerName
Local $sKeyname = '"\\' & $sComputer & '\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /REG:64'
Local $sValuename = "LastLoggedOnUser"
Local $sCmd = 'cmd /c ' & 'powershell $test = reg query ' & $sKeyname & ' /v ' & $sValuename & ' ; out-null ; ' & '[regex]::Match($test,''(SZ.+\s)(.+\\.+.$)'').Groups[2].value'
Local $sOut, $hPid = Run($sCmd, "", @SW_HIDE, $STDERR_MERGED)

Do
    $sOut &= StdoutRead($hPid)
Until @error

ConsoleWrite($sOut & @CRLF)

 

Edited by iamtheky
fixed regex


I've tested on Windows 10 x64. It works. Do both versions return the wrong value for you?

 

Saludos


yours just returns blank on

Win10x64 16257.rs_prerelease

PSversion: 5.1.16257.1000


 

On Win7 x64 it returns as expected. My adjustment works on both systems, but I have no idea why I'm seeing the results I am.

Edited by iamtheky


10 hours ago, iamtheky said:

@Danyfirex

On Win7 I get a return of .\Ky

I get no return on Win10

Edit: does this work on yours?

#include <AutoItConstants.au3>


DllCall("kernel32.dll", "int", "Wow64DisableWow64FsRedirection", "int", 1)

Local $sComputer = @ComputerName
Local $sKeyname = '"\\' & $sComputer & '\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /REG:64'
Local $sValuename = "LastLoggedOnUser"
Local $sCmd = 'cmd /c ' & 'powershell $test = reg query ' & $sKeyname & ' /v ' & $sValuename & ' ; out-null ; ' & '[regex]::Match($test,''(SZ.+\s)(.+\\.+.$)'').Groups[2].value'
Local $sOut, $hPid = Run($sCmd, "", @SW_HIDE, $STDERR_MERGED)

Do
    $sOut &= StdoutRead($hPid)
Until @error

ConsoleWrite($sOut & @CRLF)

 

Yes it works.

 

Saludos


Example using WMI.

Global Const $HKLM = 0x80000002
Global $oErrorHandler = ObjEvent("AutoIt.Error", "_ErrFunc")

Local $strComputer = @ComputerName

Local $objCtx = ObjCreate("WbemScripting.SWbemNamedValueSet")
$objCtx.Add("__ProviderArchitecture", 64)
Local $objLocator = ObjCreate("Wbemscripting.SWbemLocator")
Local $objServices = $objLocator.ConnectServer($strComputer, "root\default", "", "", Null, Null, Null, $objCtx)
Local $objStdRegProv = $objServices.Get("StdRegProv")


Local $Inparams = $objStdRegProv.Methods_("GetStringValue").Inparameters
$Inparams.Hdefkey = $HKLM
$Inparams.Ssubkeyname = "SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI"
$Inparams.Svaluename = "LastLoggedOnUser"
Local $Outparams = $objStdRegProv.ExecMethod_("GetStringValue", $Inparams, Null, $objCtx)

ConsoleWrite($Outparams.SValue & @CRLF)

; User's COM error function. Will be called if COM error occurs
Func _ErrFunc($oError)
    ; Do anything here.
    ConsoleWrite(@ScriptName & " (" & $oError.scriptline & ") : ==> COM Error intercepted !" & @CRLF & _
            @TAB & "err.number is: " & @TAB & @TAB & "0x" & Hex($oError.number) & @CRLF & _
            @TAB & "err.windescription:" & @TAB & $oError.windescription & @CRLF & _
            @TAB & "err.description is: " & @TAB & $oError.description & @CRLF & _
            @TAB & "err.source is: " & @TAB & @TAB & $oError.source & @CRLF & _
            @TAB & "err.helpfile is: " & @TAB & $oError.helpfile & @CRLF & _
            @TAB & "err.helpcontext is: " & @TAB & $oError.helpcontext & @CRLF & _
            @TAB & "err.lastdllerror is: " & @TAB & $oError.lastdllerror & @CRLF & _
            @TAB & "err.scriptline is: " & @TAB & $oError.scriptline & @CRLF & _
            @TAB & "err.retcode is: " & @TAB & "0x" & Hex($oError.retcode) & @CRLF & @CRLF)
EndFunc   ;==>_ErrFunc

Saludos


Thinking more about the original problem:

Think maybe those are /0s between the fields, like reg query places between entries in multi_SZ?

FindStr = "FINDSTR cannot search for null bytes commonly found in Unicode files."

Edited by iamtheky
