Sign in to follow this  
Followers 0
Ghost21

Registrey Keys

23 posts in this topic

I'm trying to find this key on say 50 computers ..

\HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-1190\Software\Microsoft\Internet Explorer\TypedURLs

The " S-1-5-21-3710774075-2757586091-1839342869-1190 " keeps changing on different pcs... can I regread with like an * or something like that ???/

Help please !!!!

Share this post


Link to post
Share on other sites



#2 ·  Posted (edited)

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

EDIT: This will pull from the locally loaded hive

Edited by danwilli

Share this post


Link to post
Share on other sites

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

EDIT: This will pull from the locally loaded hive

Thanks but it has to be --> S-1-5-21-3710774075-2757586091-1839342869-1190 <-- only the last 4 digits change it seems...

Share this post


Link to post
Share on other sites

why does it have to be "S-1-5-21-3710774075-2757586091-1839342869-1190" ???

What are you trying to do. The key I gave you allows read/write...

Share this post


Link to post
Share on other sites

#5 ·  Posted (edited)

the changes in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs will be reflected in

\HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-1190\Software\Microsoft\Internet Explorer\TypedURLs

and the other way around too

EDIT: maybe I am missunderstanding

Edited by danwilli

Share this post


Link to post
Share on other sites

the changes in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs will be reflected in

\HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-1190\Software\Microsoft\Internet Explorer\TypedURLs

and the other way around too

EDIT: maybe I am missunderstanding

OK I'm trying to read the \HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-1190\Software\Microsoft\Internet Explorer\TypedURLs

key because I can't see the local one on a remote machine.. but when I try it on a different machine the path changes.. from \HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-1190\Software\Microsoft\Internet Explorer\TypedURLs

to

\HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-????\Software\Microsoft\Internet Explorer\TypedURLs

how can I get the last 4 digits ... without getting this key either S-1-5-21-3710774075-2757586091-1839342869-1274_Classes

it has the stupid _Classes at the end....

Share this post


Link to post
Share on other sites

hmm, I will look into it, but as of now I am no help... Sorry

Share this post


Link to post
Share on other sites

could you use question marks as the last 4 digits?

Share this post


Link to post
Share on other sites

the user number ID can be found here: HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

but still, if you have no access to HKEY_CURRENT_USER, it does you no good

Share this post


Link to post
Share on other sites

FYI, its not always 4 digits

oh great .... :) This is going to suck... can I stringlen or something like that and remove _classes and go left to the beggining to get the string ???

Share this post


Link to post
Share on other sites

ISn't there a way to read * or search for everything in that line starting with ???

Can't regread do this ???

Share this post


Link to post
Share on other sites

From Help File:

It is possible to access remote registries by using a keyname in the form "\\computername\keyname". To use this feature you must have the correct access rights on NT/2000/XP/2003, or if you are using a 9x based OS the remote PC must have the remote registry service installed first (See Microsoft Knowledge Base Article - 141460).

Share this post


Link to post
Share on other sites

#14 ·  Posted (edited)

I'm trying to find this key on say 50 computers ..

\HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-1190\Software\Microsoft\Internet Explorer\TypedURLs

The " S-1-5-21-3710774075-2757586091-1839342869-1190 " keeps changing on different pcs... can I regread with like an * or something like that ???/

Help please !!!!

I had to do something similar to this a week ago but for Outlook keys. I'm sure this code is pretty drawn out and lengthy for what it does, but I am still learning and I did get it working. I hope this is remotely close to what you are looking for. Long live AutoIT

For $z = 1 to 100
$Ivar = RegEnumKey("HKEY_USERS", $z)
If @error <> 0 then ExitLoop
If StringLeft($Ivar, 41) = "S-1-5-21-484763869-1708537768-1177238915-" Then $tempvar = StringRight($Ivar, 6)
$tempvar = Number($tempvar)
If $tempvar <> 0 then Call ("Continue")
                
Next

Func Continue ()

For $a = 1 to 100
$var = RegEnumKey("HKEY_USERS\S-1-5-21-484763869-1708537768-1177238915-" & $tempvar & "\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES", $a)
    If @error <> 0 then ExitLoop
                    
    For $b = 1 to 100
                $var2 = RegEnumKey("HKEY_USERS\S-1-5-21-484763869-1708537768-1177238915-" & $tempvar & "\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES" & "\" & $var, $b)
    If @error <> 0 then ExitLoop
                                        
    For $c = 1 to 100
    $var3 = RegEnumVal("HKEY_USERS\S-1-5-21-484763869-1708537768-1177238915-" & $tempvar & "\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\" & $var & "\" & $var2, $c)
    If @error <> 0 then ExitLoop
                        
    $var4 = RegRead("HKEY_USERS\S-1-5-21-484763869-1708537768-1177238915-" & $tempvar & "\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\" & $var & "\" & $var2 & "\", $var3)
    If StringInStr($var4,"oldserver") Then $tempvar2 = StringReplace($var4,"oldserver","newserver")

RegWrite("HKEY_USERS\S-1-5-21-484763869-1708537768-1177238915-" & $tempvar & "\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\" & $var & "\" & $var2, $var3, "REG_SZ", $tempvar2)
EndIf
Next
Next
Next
EndFunc
Edited by WhiteSpace

Share this post


Link to post
Share on other sites

I'm not the brightest bulb in the pack by far, but couldn't you use a RegEnum function that I've seen around here on the HKEY_USERS key, and just go through them all, and then use string compares to find the exact one you need if there's more? But yeah, RegEnumKey or something similar should be able scan all Keys into an array that can be searched for the one you need, or just use them all in a loop to scan every key that may be right.

Share this post


Link to post
Share on other sites

#16 ·  Posted (edited)

Here is a program that I made to grab the SID of a local user on the computer. You could just as easily replace @Computername with the name of the computer you want to grab the information. Hope you find it helpful.

#NoTrayIcon

;Create a Com error handler
$oMyError = ObjEvent("AutoIt.Error", "ErrorHandler")
$UsernameFound = False

If $CmdLine[0] = 0 Or $CmdLine[0] >= 3 Then 
    MsgBox(16, "Usage", "Usage: " & @ScriptName & " /USER=Username" & @CRLF & _
    "Place the username on commandline which you want to get their SID")
ElseIf $CmdLine[0] = 1 Then
    If StringInStr(StringUpper($CmdLine[1]), "/USER=") Then
        FindSid()
    Else
        MsgBox(16, "Usage", "Usage: " & @ScriptName & " /USER=Username" & @CRLF & _
        "Place the username on commandline which you want to get their SID")
        Exit
    EndIf
ElseIf $CmdLine[0] = 2 Then
    If StringUpper($CmdLine[1]) = "/S" Or StringUpper($CmdLine[2]) = "/S" Or StringInStr(StringUpper($CmdLine[1]), "/USER=") Or StringInStr(StringUpper($CmdLine[2]), "/USER=") Then
        FindSid()
    EndIf
EndIf

Func FindSid()
    $Username = StringSplit($CmdLine[1], "=")
    If @error Then
        $Username = StringSplit($CmdLine[2], "=")
    EndIf
    
    $objWMIService = ObjGet("winmgmts:\\" & @ComputerName & "\root\cimv2")
    $colAccount = $objWMIService.ExecQuery ("Select * FROM Win32_Group where LocalAccount = 'True'")
    For $objGroup In $colAccount
        $oGroup = ObjGet("WinNT://" & @ComputerName & "/" & $objGroup.Name) 
        For $oUserGroup In $oGroup.Members 
            If StringLower($oUserGroup.Name) = StringLower($Username[2]) Then
                $UsernameFound = True
            EndIf
        Next
    Next
        
    If $UsernameFound Then
        $objWMIService = ObjGet("winmgmts:\\" & @ComputerName & "\root\cimv2")
        $colAccount = $objWMIService.ExecQuery ("Select Name,SID from Win32_UserAccount where name = '" & $Username[2] & "'")
        For $objAccount in $colAccount
            If $objAccount.Name = $Username[2] Then
                RegWrite("HKEY_LOCAL_MACHINE\Software\GFS\SID", $Username[2], "REG_SZ", $objAccount.SID)
                ExitLoop
            EndIf
        Next
    
        ;if registry key exists then export reg exists to registry
        $var = RegEnumKey("HKEY_USERS\" & $objAccount.SID, 1)
        If @error <> 0 Then
            RegWrite("HKEY_LOCAL_MACHINE\Software\GFS\SID", "RegExists", "REG_SZ", False)
            Exit
        Else
            RegWrite("HKEY_LOCAL_MACHINE\Software\GFS\SID", "RegExists", "REG_SZ", True)
        EndIf
    Else
        If Not StringInStr($CmdLineRaw, "/s") Then
            MsgBox(16, "Username not found", "The username " & $Username[2] & " was not found on the computer.")
        EndIf
    EndIf
EndFunc

Func ErrorHandler()
    If Not StringInStr($CmdLineRaw, "/s") Then
        $HexNumber = Hex($oMyError.number, 8)
        Msgbox(16, "Error", "There was an error." & @CRLF & @CRLF & _
        "Error description is: " & @TAB & $oMyError.description & @CRLF & _
        "Error number is: " & @TAB & $HexNumber & @CRLF & _
        "Error scriptline is: " & @TAB & $oMyError.scriptline & @CRLF)
        Exit
    EndIf
Endfunc
Edited by wkain1

Share this post


Link to post
Share on other sites

When I've had to change certain settings for multiple profiles on a machine, I had to put together a script that loaded each userhive, made the changes, unloaded the hive. I could prolly find the script if you want to have a look and if it's relevant to what you want...?

Share this post


Link to post
Share on other sites

When I've had to change certain settings for multiple profiles on a machine, I had to put together a script that loaded each userhive, made the changes, unloaded the hive. I could prolly find the script if you want to have a look and if it's relevant to what you want...?

This frekin crazy... Why can't there be something in reg read that you can put in ?/?

Share this post


Link to post
Share on other sites

Alas, Windows doesn't work that way. If a user is not logged on, their particular Hive is not loaded (saves memory and is more secure I guess).

So if you want to make changes to their Hive, you need to load it first.

Share this post


Link to post
Share on other sites

Its rather simple really, as a security feature against remotely changing settings for the currently logged on user M$ obviously found it pertinent to disable access to the HKEY_CURRENT_USER branch of the registry remotely.

HOWEVER, if you access the HKEY_USERS branch of the registry remotely, followed by the key that is named after the SID of the currently logged on user, you can see and manipulate any items you wish. the answer lies in using a modified version of the code that wkain1 posted (have no time to modify it atm, but i can see how easy it would be) and the pseudo code goes something like this:

feed your script the PCname to get registry of

pass name onto the GetSID function, along with the name of the currently logged on user (there is a way to get this via WMI aswell, will post VBS later if wanted)

Once the SID is returned, go ahead and access the following registry key:

HK_USERS\$UserSID\Whatever\Key\You\Want\to\read

That should pretty much cover it, i was looking at this as a way of disabling the proxy of a user on the fly to disable internet access, seeing as the users do not have access to enable / disable it via the tools menu in IE, however the noted flaw in the plan was that a user could simply logon and then back off, thus resetting the proxy via logon scripts.. still, an effective means of manipulating data, such as visited URLs in the way the OP wanted, i have been investigating many ways to develop the idea of having access to the users remote registry and this is worth looking into.

My major issue so far, has been my lacking of understanding in the way that Au3 operates with WMI calls, as i did not have a VBS and an Au3 script to compare, now with the example that Wkain1 has provided, i might make some headway in that department.

That about does it for my long winded rant, hope there was some useful info in that.

/tAK

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0