Jump to content

Remote Registry - Cannot read HKCU? (limitation?)

tAKTelapis
 Share

Recommended Posts

tAKTelapis Universalist

tAKTelapis

Posted
Posted

Hey Guys,

I am working on a project to explore the different ways a computer can have its internet remotely "disabled", its on a large network environment in a school, the idea is a lab control program capable of disabling the internet on the fly, as fast as possible.

I do already have something which does this, however it is extremely slow as it is remotely importing an IPsec policy file which has access to port 8080 and port 80 blocked.

I am now looking at alternative methods, the current method is to blank out the proxy settings on the remote system (or set the proxy to disabled), whilst trying to check the concept, i have noted that i cannot remotely read the proxy part of the registry, here is my code:

Dim $CurrentProxy
Dim $ProxyOverride

$strPcName = "computername"

If 1 Then
    $CurrentProxy = RegRead("\\"&$strPcName&"\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\", "ProxyServer")
    $ProxyOverride = RegRead("\\"&$strPcName&"\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\", "ProxyOverride")
EndIf

MsgBox(0, "Details are", "Proxy: " & $CurrentProxy & @CRLF & _
        "Proxy Exceptions: "&$ProxyOverride)

I have checked, and the Remote Registry service is indeed turned on, and i do have admin rights over the machine in question. I do note that when i connect to a remote registry from within regedit i do not see the HKCU and the HKCR.

Is this a limitation in the Remote Access abilities of RegRead? (and as such, all other remote registry activity?)

I was looking to do this without having to have a service running on the remote computer.

Also, all other suggestions towards disabling the internet access is welcome (i have a few other thoughts, this did however appear to be the easiest and cleanest approach)

Regards

/tAK

Link to comment
Share on other sites
wkain1 Seeker

wkain1

Posted
Posted

You can read HKCU but it is under the HKEY_USERS\(SID). You would either need to know the SID of the user or could probably do a RegEnumKey. There are some you can ignore like S-1-5-18,19,20 which are network users and system users.

Link to comment
Share on other sites
tAKTelapis Universalist

tAKTelapis

Posted
  • Author
Posted

Cheers wkain1.. awesome first post :whistle:

It appears to me that S-1-5-21-(lot of other numbers) is the SID in most cases that i have looked, upto the 21 is always the same.

I have found some VBS based examples that can enumerate the currently logged in user and the SID of that user, then pass it back into my script.

So far, so good. Cheers for the help.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...