
Reading policies from registry



Hi there!

I've been away for quite a while - and now I'm back.

... And I'm sick and tired of script kiddies making spyware that changes Windows policies.

So I wanted to make a simple AutoIt program that would list (à la HijackThis) any active policies on a PC. This would help a lot of people. (I've got a truckload of 129 registry keys where policies can be set.) I have no intention of deleting or modifying these values. I just want to read them.

My problem is that AutoIt refuses to touch any registry key that contains the word "policies".

Is this by design or is this a bug?

Here, try this in your AutoIt rig ...

$test1 = RegEnumKey("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", 1)
$err = @error
ConsoleWrite($test1 & @TAB & $err & @CR)

If anyone can get this to work I will share this program with everyone and hopefully save a life or something!

I am endeavoring, ma'am, to construct a mnemonic circuit using stone knives and bearskins.SpockMy UDFs:Deleted - they were old and I'm lazy ... :)My utilities:Comment stripperPolicy lister 1.07AutoIT Speed Tester (new!)


Some more info.

Just checked out the console window.

When I run the above RegEnumKey, the error message I get is "Le fichier spécifié est introuvable." (my Windows is French)

Translation --> "The specified file cannot be found"

Is that weird or what?

I've reset, I've done all that I could and now I'm stuck :whistle:

Thanks to anyone smart enough to show me the error of my ways!


You are using the wrong function. Look at the example:

For $i = 1 To 10
    $var = RegEnumKey("HKEY_LOCAL_MACHINE\SOFTWARE", $i)
    If @error <> 0 Then ExitLoop
    MsgBox(4096, "SubKey #" & $i & " under HKLM\Software: ", $var)
Next

You have to use RegRead in conjunction with this to get the data from each $var above.


Loop through all subkeys and display name & value.

$REGPATH = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"

For $i = 1 To 100
    $var = RegEnumVal($REGPATH, $i)
    If @error <> 0 Then ExitLoop
    $value = RegRead($REGPATH, $var)
    MsgBox(0, "", "Element: " & $i & @CRLF & "Name: " & $var & @CRLF & "Value: " & $value)
Next
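The post above shows the distinction the original question tripped over: RegEnumKey walks subkey names, RegEnumVal walks value names, and a key such as ...\Policies\System normally holds values but no subkeys, so RegEnumKey(key, 1) has nothing to return. The following AutoIt script is an added example, not code from this thread or from any of its posters; it walks a constructed list of policy roots, lists every value with its REG_* type, and recurses into subkeys. It assumes a current AutoIt 3.3.x, where RegRead sets @extended to the value type; the key list, the function names and the output format are all my own choices.

```autoit
; Added example (not code from the thread): audit a list of policy keys.
; RegEnumVal enumerates VALUE names, RegEnumKey enumerates SUBKEY names.
; Assumes AutoIt 3.3.x, where RegRead leaves the REG_* type of the value in @extended.

; Constructed starting list; extend it with the other policy locations you track.
Global Const $g_aPolicyRoots[3] = [ _
        "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", _
        "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", _
        "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"]

Global $g_iFound = 0
For $sRoot In $g_aPolicyRoots
    _ListPolicyKey($sRoot, 0)
Next
ConsoleWrite($g_iFound & " policy value(s) listed" & @CRLF)

; Print every value under $sKey, then recurse into each subkey.
Func _ListPolicyKey($sKey, $iDepth)
    Local $sIndent = "", $i, $sName, $vData, $iErr, $iType, $sSub
    For $i = 1 To $iDepth
        $sIndent &= "    "
    Next

    ; Pass 1: values. @error = -1 means "no more values"; any other non-zero
    ; code means the key itself could not be opened (missing or access denied).
    $i = 1
    While 1
        $sName = RegEnumVal($sKey, $i)
        $iErr = @error
        If $iErr <> 0 Then
            If $iErr <> -1 And $i = 1 Then ConsoleWrite($sIndent & "[cannot open] " & $sKey & " (@error=" & $iErr & ")" & @CRLF)
            ExitLoop
        EndIf
        $vData = RegRead($sKey, $sName)
        $iType = @extended
        If $sName = "" Then $sName = "(Default)"   ; an empty name is the Default value, listed only if it was ever written
        ConsoleWrite($sIndent & $sKey & @TAB & $sName & @TAB & _RegTypeName($iType) & @TAB & $vData & @CRLF)
        $g_iFound += 1
        $i += 1
    WEnd

    ; Pass 2: subkeys, this time with RegEnumKey.
    $i = 1
    While 1
        $sSub = RegEnumKey($sKey, $i)
        If @error <> 0 Then ExitLoop
        _ListPolicyKey($sKey & "\" & $sSub, $iDepth + 1)
        $i += 1
    WEnd
EndFunc

; Map the REG_* type number that RegRead leaves in @extended to a name.
Func _RegTypeName($iType)
    Switch $iType
        Case 1
            Return "REG_SZ"
        Case 2
            Return "REG_EXPAND_SZ"
        Case 3
            Return "REG_BINARY"
        Case 4
            Return "REG_DWORD"
        Case 7
            Return "REG_MULTI_SZ"
        Case 11
            Return "REG_QWORD"
        Case Else
            Return "type " & $iType
    EndSwitch
EndFunc
```

Two caveats for anyone turning this into a policy lister: a 32-bit AutoIt build running on 64-bit Windows sees the redirected WOW6432Node view of HKLM\SOFTWARE, so use the "HKLM64\..." form of the path to read the native view where the policy keys actually live; and HKCU only covers the user running the script, so policies planted in other users' hives under HKU need those hives loaded before they show up.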

WOW thanks. Still it's a bit twisted; reading the key name with RegEnumVal and reading its value with RegRead ...

In any case check this spot out, if I'm not too rusty by tomorrow there's going to be a new policy buster on the block ... hey good name eheheh

Thanks again!


OK, well, after a lot of fiddling around, WarriorX's technique works, but it's still very clear something's amiss in the registry reading routines of AutoIt3. I've also checked on another PC and a virtual PC (which should be the same) and I still get some weird error messages.

Don't get me wrong. If you know EXACTLY where to search for registry values it works. As long as you do it EXACTLY like WarriorX.

As soon as you go poking in the dark it's back to square one.

I'll post my policy buster as soon as I get something working. That'll show you a few examples of what works and what does not.

Never a dull day programming AutoIT3!


All right, an update.

What is giving me a problem is my routine to check if a particular registry branch exists...

$Reg_KEY = RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "")
If @error <> 0 Then ContinueLoop

This should in fact (at least that's what I assume) signify me that there is a valid default value (hence the branch exists).

In fact it just throws me an error message -1 ==> "-1 if unable to open requested value"

However the documentation is formal about this: "To access the (Default) value use "" (a blank string) for the valuename."

So anyways I'll program around this "feature" :whistle:

Maybe this has something to do with the fact that I work in a French OS? Just guessing.


I believe you have a permissions issue. That last command worked for me.

$Reg_KEY = RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "")
If @error <> 0 Then MsgBox(0, "", $Reg_KEY)

I kinda figured it out - the problem resides in asking for the "" value.

It doesn't work properly here, it keeps on giving me an error message when it shouldn't (hey why mention you could do it in the documentation if it won't work).

In any case I'll check the permissions, but I'm not the one who changed them. And changing the permissions on a blank value seems a bit wacky to me :whistle:

Thanks!



What is it you claim doesn't work? Although it is presented in the RegEdit GUI, if the default value has not been set to anything, it doesn't actually exist. So doing a RegRead($RegKey, "") returns @error = -1 if the 'data' was '(value not set)'. If the data of Default has been set to anything, then you get a regular read with @error = 0. You also get the correct type in @extended, because when you write to Default, you can set it to any valid type. Once set, it can be successfully deleted, but it still shows up in the GUI only as an artifact or place holder.

Test this against Microsoft's command line REG.exe. Query a key for all values while Default is unset and it is not listed. Do it when data has been assigned to default and you get the value name "<NO NAME>". To query the default value you would use:

REG.EXE QUERY "HKLM\SOFTWARE\AutoIT v3" /v ""

If you do that when Default has a data value, you get <NO NAME> = "The data". If you do that when it has no value, you get "invalid parameter".

Just because it shows up in the RegEdit GUI does not mean Default exists, and AutoIt's RegWrite/RegRead functions behave with respect to it exactly as Microsoft's own REG.EXE does.

:whistle:

Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law
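The point made above, that an unwritten Default value does not exist even though RegEdit draws a "(value not set)" row for it, means RegRead($key, "") is the wrong way to test whether a key is present. The script below is an added example, not code from this thread or from its posters: it decides existence from RegEnumKey's error code instead, and reports separately what state the Default value is in. It assumes the AutoIt 3.3.x error codes for RegEnumKey and RegRead (0 = success, -1 = no more subkeys / value not found, 1 = key cannot be opened, 2 = bad main key, 3 = remote connection failed); the key list is constructed, and the last entry is chosen so that it should not exist.

```autoit
; Added example (not code from the thread): test key existence without going
; through the (Default) value, then show what RegRead($key, "") really reports.
; Assumes AutoIt 3.3.x error codes: 0 = OK, -1 = no more items / value not found,
; 1 = key cannot be opened, 2 = bad main key, 3 = remote connection failed.

; A key exists if it can be opened at all; "no subkeys" (-1) still proves it is there.
Func _RegKeyExists($sKey)
    RegEnumKey($sKey, 1)
    Local $iErr = @error
    Return ($iErr = 0 Or $iErr = -1)
EndFunc

; Describe the Default value of an existing key.
Func _RegDefaultState($sKey)
    Local $vData = RegRead($sKey, "")
    Local $iErr = @error, $iType = @extended
    Switch $iErr
        Case 0
            Return "Default is set (REG type " & $iType & "): " & $vData
        Case -1
            Return "Default was never written; RegEdit shows it only as a placeholder"
        Case Else
            Return "key unreadable, @error=" & $iErr
    EndSwitch
EndFunc

; Constructed list: the first two keys are present on a normal Windows install,
; the third is a made-up path that should not exist.
Local $aKeys[3] = [ _
        "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", _
        "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion", _
        "HKLM\SOFTWARE\NoSuchVendor\NoSuchKey"]

For $sKey In $aKeys
    If _RegKeyExists($sKey) Then
        ConsoleWrite("EXISTS  " & $sKey & @CRLF & "        " & _RegDefaultState($sKey) & @CRLF)
    Else
        ConsoleWrite("MISSING " & $sKey & @CRLF)
    EndIf
Next
```

One limitation worth knowing before trusting the result: a key that exists but that the running account is not allowed to read also yields @error = 1 from RegEnumKey, so "missing" and "access denied" collapse into the same answer. If a policy lister runs as a standard user and reports a key as absent, re-run it elevated before concluding that no policy is set there.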


Thanks!

Anyways I went around the problem; can't remember why but anyways I was reading the "empty" cell and now I'm reading the first value. Makes more sense. And I've stopped pulling my hair :lmao:
