
Inaccurate results with RegRead


timmy2

I want to determine if AutoLogon is enabled on a Windows 10 Pro (64-bit) system. It's my understanding that the following registry key will exist and equal 1 if autologon is enabled, or equal 0 if disabled. 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon

So I looked up RegRead in AutoIt's help file and tested the example.

#include <MsgBoxConstants.au3>

Local $sVar = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "ProgramFilesDir")
MsgBox($MB_SYSTEMMODAL, "Program files are in:", $sVar)

The resulting message box says:  C:\Program Files (x86)

Regedit says the value in ProgramFilesDir is C:\Program Files. "C:\Program Files (x86)" is in a nearby key "ProgramFilesDir(x86)", which makes sense.

I ignored this anomaly and tried RegRead in my own script:

#include <MsgBoxConstants.au3>

$isEnabled = RegRead("Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon")

If $isEnabled = 1 then
    MsgBox($MB_SYSTEMMODAL, "", "Autologon enabled.")
Else
    MsgBox($MB_SYSTEMMODAL, "", "Autologon disabled.")
EndIf

My punishment for ignoring the problem with the Help file example is that regardless of whether the AutoAdminLogon key equals 0 or 1 in reality, my script's $isEnabled variable returns 0.

Despite the problem with the RegRead example I still figure I'm at fault, but I would appreciate someone pointing out my mistake, please. 

 

 


Running on x64?

go with "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion"


56 minutes ago, careca said:

Running on x64?

go with "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion"

Thank you @careca for replying. Your suggestion solves the riddle of the Help file example not working properly, but not the problem with my script failing to return the correct value.

I have checked the registry value of:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

After enabling and later disabling Auto-Logon using "Control userpasswords2",  AutoAdminLogon has the expected value in it in both instances. So I believe I'm looking at the correct registry key and string in my script.


@error returns a 2, which means "unable to open requested main key", which led me to realize that "Computer" should not be there.

So I changed the script to: 

#include <MsgBoxConstants.au3>

Local $isEnabled = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon")

If @error Then
    MsgBox($MB_SYSTEMMODAL, "Error", "Failed to work." & @CRLF & "@error = " & @error)
EndIf

...and now @error returns -1, unable to open requested value. 


I don't have that key, so no errors here.


1 minute ago, careca said:

I don't have that key, so no errors here.

Thank you for checking @careca. I don't think the key exists until Auto-Logon is enabled for the first time, at which point it's set to 1. Subsequently disabling Auto-Logon using Control Userpasswords2 (or NetPlWiz) will change the value of that key to 0.


When your script is compiled as 32-bit on a 64-bit machine, use HKLM64 to access the 64-bit registry and HKLM for the 32-bit registry, for example:

;~ Script is compiled as 32-Bit
Global $sHKLM = @OSArch = "x64" ? "HKLM64" : "HKLM"
Global $vResult = RegRead($sHKLM & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon")
If @error Then MsgBox(4096, "Error", "Error reading registry key: " & @error)
Switch $vResult
    Case 1
        MsgBox(4096, "Result", "Autologon Enabled")
    Case Else
        MsgBox(4096, "Result", "Autologon Disabled")
EndSwitch

 


4 minutes ago, Subz said:

When your script is compiled as 32-bit on a 64-bit machine, use HKLM64 to access the 64-bit registry and HKLM for the 32-bit registry, for example:

;~ Script is compiled as 32-Bit
Global $sHKLM = @OSArch = "x64" ? "HKLM64" : "HKLM"
Global $vResult = RegRead($sHKLM & "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon")
If @error Then MsgBox(4096, "Error", "Error reading registry key: " & @error)
Switch $vResult
    Case 1
        MsgBox(4096, "Result", "Autologon Enabled")
    Case Else
        MsgBox(4096, "Result", "Autologon Disabled")
EndSwitch

Woo Hoo!  Thank You very, very much, @Subz.  This puddle had become a tar pit. Glad to move on.  Do you happen to know where this is described in the Help file? I would like to read up on it, to know if it applies only to the registry or to other situations.


Not much information, but it can be found under RegRead, RegWrite, RegDelete, or just search for HKLM64 in the help file.  In most of my scripts just to make it clear to others I use the following to know which hive I'm reading or writing.  You should also note that Microsoft Reg also accepts HKLM and/or HKLM64.

Global $sHKLM32 = "HKLM"
Global $sHKLM64 = "HKLM64"

 


2 minutes ago, Subz said:

Not much information, but it can be found under RegRead, RegWrite, RegDelete, or just search for HKLM64 in the help file.  In most of my scripts just to make it clear to others I use the following to know which hive I'm reading or writing.  You should also note that Microsoft Reg also accepts HKLM and/or HKLM64.

Global $sHKLM32 = "HKLM"
Global $sHKLM64 = "HKLM64"

 

Thank you for the clarification. 


8 hours ago, Subz said:

When your script is compiled as 32 bit on a 64-bit machine use HKLM64 to access 64-bit registry and HKLM for 32-bit registry

Is this the same as having the HKLM with the Wow6432Node bit in there?


The following code would return the 32-bit values on a Windows x64 system when compiled as 32-bit; the only way I know of to access the 64-bit node is to use HKLM64.

Local $sWinlogon1 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon")
Local $sWinlogon2 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon")
ConsoleWrite($sWinlogon1 & @CRLF & $sWinlogon2 & @CRLF)

If you compiled the same script as 64-bit, it would return both the 32-bit and 64-bit values as you would expect. However, in this scenario you would always need to define Wow6432Node when trying to access the 32-bit node, as HKLM and HKLM64 would both point to the 64-bit node.

Hope that made sense.

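The two fixes from this thread combined (checking @error after RegRead, and reading through HKLM64), as an added example that is not code from any poster. The helper names _ReadWinlogonValue and _IsAutoLogonEnabled are hypothetical, and treating a missing value as "disabled" is an assumption based on timmy2's observation above.

```autoit
#include <MsgBoxConstants.au3>

; Added example. _ReadWinlogonValue and _IsAutoLogonEnabled are hypothetical names.
Global Const $sWinlogonKey = "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

; Read one Winlogon value from the given hive prefix ("HKLM" or "HKLM64").
; Returns the data as a string; on failure returns "" with @error = RegRead's code.
Func _ReadWinlogonValue($sHive, $sValue)
    Local $vData = RegRead($sHive & $sWinlogonKey, $sValue)
    If @error Then Return SetError(@error, 0, "")
    Return String($vData)
EndFunc   ;==>_ReadWinlogonValue

; Returns True/False. @error is non-zero for every RegRead failure other than
; "value not found" (-1), so a read failure is never reported as "disabled".
Func _IsAutoLogonEnabled()
    ; HKLM64 selects the 64-bit view on 64-bit Windows even from a 32-bit script.
    Local $sHive = (@OSArch = "X64") ? "HKLM64" : "HKLM"
    Local $sData = _ReadWinlogonValue($sHive, "AutoAdminLogon")
    Local $iErr = @error ; capture before anything else can reset it
    Switch $iErr
        Case 0
            Return SetError(0, 0, $sData = "1")
        Case -1
            ; Value missing: assumed to mean autologon was never enabled.
            Return SetError(0, 0, False)
        Case Else
            Return SetError($iErr, 0, False)
    EndSwitch
EndFunc   ;==>_IsAutoLogonEnabled

Local $bEnabled = _IsAutoLogonEnabled()
If @error Then
    MsgBox($MB_SYSTEMMODAL, "Error", "Could not read the Winlogon key, @error = " & @error)
Else
    MsgBox($MB_SYSTEMMODAL, "Result", "Autologon " & ($bEnabled ? "enabled" : "disabled"))
EndIf

; For comparison: what the plain HKLM path yields in this process.
Local $sPlain = _ReadWinlogonValue("HKLM", "AutoAdminLogon")
ConsoleWrite("HKLM view: data='" & $sPlain & "', @error=" & @error & @CRLF)
```

Run as a 32-bit script on 64-bit Windows, the last line shows the redirected view that produced the -1 earlier in the thread, while the function above still reads the 64-bit value.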

  • 2 weeks later...
On 11/18/2018 at 8:34 AM, Subz said:

The following code would return the 32-bit values on a Windows x64 system when compiled as 32-bit; the only way I know of to access the 64-bit node is to use HKLM64.

Local $sWinlogon1 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon")
Local $sWinlogon2 = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon")
ConsoleWrite($sWinlogon1 & @CRLF & $sWinlogon2 & @CRLF)

If you compiled the same script as 64-bit, it would return both the 32-bit and 64-bit values as you would expect. However, in this scenario you would always need to define Wow6432Node when trying to access the 32-bit node, as HKLM and HKLM64 would both point to the 64-bit node.

Hope that made sense.

Yes, it did. Thank you @Subz.
