dmoniac

Sandboxie - Get Register Data

3 posts in this topic

#1 ·  Posted (edited)

Hi.

This is a script to dump all of Sandboxie's registry.

Great after an install to look at the data that was registered.

CODE
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Res_Language=1036
#AutoIt3Wrapper_Res_requestedExecutionLevel=highestAvailable
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.10.0
 Author:         dmoniac

 Script Function:
    Template AutoIt script.

#ce ----------------------------------------------------------------------------

; Locate the sandbox's registry hive (Sandboxie keeps it in <sandbox folder>\RegHive)
Dim $DefBox = EnvGet("APPDATA") & "\Sandbox\DefaultBox"
Dim $RegFile = $DefBox & "\RegHive"
Dim $ExportFile

If Not FileExists($RegFile) Then
    MsgBox(4096, "Information", "Registry Hive does not exist in " & @CRLF & $DefBox)
    ; Ask the user for the sandbox folder instead
    $newpath = InputBox("Recherche Manuelle", "Indiquez le dossier de votre Sandbox", $DefBox, "", 500, 130)
    If @error = 0 Then
        $DefBox = $newpath
        $RegFile = $DefBox & "\RegHive"
        If Not FileExists($RegFile) Then
            MsgBox(4096, "Information", "Registry Hive does not exist in " & @CRLF & $DefBox)
            Exit 5
        EndIf
    Else
        MsgBox(0, "ERREUR", "Impossible de trouver la base de registre Sandbox")
        Exit 5
    EndIf
EndIf

$ExportFile = $RegFile & ".export"

; Mount the hive file under HKLM\Sandbox (requires elevation, hence requestedExecutionLevel above)
$CMD = 'reg.exe LOAD HKLM\Sandbox "' & $RegFile & '"'
$retval = RunWait($CMD, @ScriptDir, @SW_HIDE)
If $retval = 0 Then
    RegDelete("HKLM\Sandbox\machine\software\microsoft\com3", "Com+Enabled")
    RegDelete("HKLM\Sandbox\machine\software\microsoft\ole", "EnableDCOM")
    RegDelete("HKLM\Sandbox\machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket", "NukeOnDelete")
    RegDelete("HKLM\Sandbox\machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket", "UseGlobalSettings")
    RegDelete("HKLM\Sandbox\user\current\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess", "BrowseNewProcess")
Else
    MsgBox(0, "Erreur LOAD HKLM\Sandbox", $retval)
    Exit 1
EndIf

; Remove any previous export
FileDelete($ExportFile)

; Export the mounted hive to a .reg file
$CMD = 'reg.exe EXPORT HKLM\Sandbox "' & $ExportFile & '"'
$retval = RunWait($CMD, @ScriptDir, @SW_HIDE)
If $retval <> 0 Then
    MsgBox(0, "Erreur EXPORT HKLM\Sandbox", $retval)
EndIf

reformatRegfile($ExportFile, $ExportFile & '.reg')
FileDelete($ExportFile)

; Unmount the hive
$CMD = 'reg.exe UNLOAD HKLM\Sandbox'
$retval = RunWait($CMD, @ScriptDir, @SW_HIDE)
If $retval <> 0 Then
    MsgBox(0, "Erreur UNLOAD HKLM\Sandbox", $retval)
    Exit 2
EndIf

MsgBox(0, "Information", "Export des éléments du registre dans " & @CRLF & $ExportFile & '.reg')
Exit 0

; Rewrite the exported Sandbox key paths into their real Windows hive names
Func reformatRegfile($exportfile, $regfile)
    $file = FileRead($exportfile)
    If @error = 1 Then ; 1 = file could not be opened
        MsgBox(0, "Error", "Unable to open file " & $exportfile)
        Return 0
    EndIf
    ; Most specific prefix first, otherwise the shorter prefixes would match too early
    $file = StringReplace($file, '[HKEY_LOCAL_MACHINE\Sandbox]', '', 0, 0)
    $file = StringReplace($file, '[HKEY_LOCAL_MACHINE\Sandbox\user\current_CLASSES', '[HKEY_CLASSES_ROOT', 0, 0)
    $file = StringReplace($file, '[HKEY_LOCAL_MACHINE\Sandbox\user\current', '[HKEY_CURRENT_USER', 0, 0)
    $file = StringReplace($file, '[HKEY_LOCAL_MACHINE\Sandbox\user', '[HKEY_USERS', 0, 0)
    $file = StringReplace($file, '[HKEY_LOCAL_MACHINE\Sandbox\machine', '[HKEY_LOCAL_MACHINE', 0, 0)
    FileDelete($regfile)
    $ret = FileWrite($regfile, $file)
    If $ret <> 1 Then
        MsgBox(0, "Error", "Unable to write file " & $regfile)
        Return 0
    EndIf
    Return 1
EndFunc

Edited by dmoniac
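The key-path rewrite that reformatRegfile() performs is the part of the script worth understanding before importing the result anywhere, so here it is as an added example in Python (not the poster's AutoIt code). It assumes the hive was mounted at HKLM\Sandbox as in the script, uses the real hive name HKEY_USERS for keys under user\, and works on a constructed reg.exe export (the SID and the "current_other" and "unexpected" keys are made up). It goes slightly beyond the script: prefixes only match at a path-component boundary, values listed directly under the mount-point root are dropped with the root header, and keys that still sit under the mount point after rewriting are reported instead of being written out silently.

```python
r"""Rewrite a `reg.exe EXPORT` of a mounted Sandboxie RegHive so that each key
header names the real hive, the step reformatRegfile() performs in the AutoIt
script above.

Added example, not the script from the post. Assumptions: the hive was mounted
at HKLM\Sandbox, and SAMPLE_EXPORT below is constructed by hand (the SID and
key names are made up), not captured from a real sandbox.
"""

MOUNT_POINT = r"HKEY_LOCAL_MACHINE\Sandbox"

# Most specific prefix first, the same order as the StringReplace calls in the
# post: a shorter prefix tried first would swallow the longer ones.
PREFIX_MAP = [
    (MOUNT_POINT + r"\user\current_CLASSES", "HKEY_CLASSES_ROOT"),
    (MOUNT_POINT + r"\user\current", "HKEY_CURRENT_USER"),
    (MOUNT_POINT + r"\user", "HKEY_USERS"),
    (MOUNT_POINT + r"\machine", "HKEY_LOCAL_MACHINE"),
]


def _under(path, prefix):
    # Case-insensitive prefix test at a path-component boundary, so that
    # "...\user\current" does not also match "...\user\current_other".
    p, q = path.lower(), prefix.lower()
    return p == q or p.startswith(q + "\\")


def rewrite_key(path):
    # Map one key path from the mounted hive to its real hive name; a path that
    # matches no prefix is returned unchanged.
    for old, new in PREFIX_MAP:
        if _under(path, old):
            return new + path[len(old):]
    return path


def rewrite_export(export_text):
    # Returns (rewritten .reg text, list of key paths still under the mount point).
    # Key headers are lines of the form [path] or [-path] (a delete on import).
    # The mount-point root and any values listed directly under it are dropped,
    # since they have no real counterpart; every other header is rewritten, and
    # headers still under the mount point are reported rather than imported blindly.
    out, unmapped, skipping = [], [], False
    for line in export_text.splitlines():
        if not (line.startswith("[") and line.endswith("]")):
            if not skipping:
                out.append(line)  # value lines and blank separators pass through
            continue
        path = line[1:-1]
        delete = path.startswith("-")
        if delete:
            path = path[1:]
        if path.lower() == MOUNT_POINT.lower():
            skipping = True  # drop the root header together with its values
            continue
        skipping = False
        path = rewrite_key(path)
        if _under(path, MOUNT_POINT):
            unmapped.append(path)
        out.append("[" + ("-" if delete else "") + path + "]")
    return "\n".join(out) + "\n", unmapped


# Constructed sample of what `reg.exe EXPORT HKLM\Sandbox` could produce; the SID,
# "current_other" and "unexpected" keys are invented to exercise the edge cases.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\Sandbox]",
    "",
    r"[HKEY_LOCAL_MACHINE\Sandbox\machine\software\Example]",
    r'"InstallDir"="C:\\Program Files\\Example"',
    "",
    r"[HKEY_LOCAL_MACHINE\Sandbox\user\current\Software\Example]",
    '"FirstRun"=dword:00000001',
    "",
    r"[HKEY_LOCAL_MACHINE\Sandbox\user\current_CLASSES\.exm]",
    '@="Example.File"',
    "",
    r"[HKEY_LOCAL_MACHINE\Sandbox\user\S-1-5-21-1111-2222-3333-1001\Environment]",
    r'"EXAMPLE_HOME"="C:\\Example"',
    "",
    r"[HKEY_LOCAL_MACHINE\Sandbox\user\current_other\Key]",
    '"Value"=dword:00000000',
    "",
    r"[HKEY_LOCAL_MACHINE\Sandbox\unexpected\Key]",
    '"Value"=dword:00000001',
])

if __name__ == "__main__":
    text, unmapped = rewrite_export(SAMPLE_EXPORT)
    print(text)
    for key in unmapped:
        print("not mapped, review before import:", key)
```

Running it prints the rewritten .reg text followed by the one key that no prefix claimed. The point of the unmapped list is that a .reg file produced this way is meant to be read, not imported: anything that still names HKLM\Sandbox after the rewrite would land in a hive that no longer exists once the script runs reg.exe UNLOAD.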


#2 ·  Posted

> Hi.
>
> This is a script to dump all of Sandboxie's registry.
>
> Great after an install to look at the data that was registered.

This looks very helpful. Can you explain why the code must delete these registry keys?

Thanks!

> CODE
> If ( $retval = 0 ) Then
>     RegDelete("HKLM\Sandbox\machine\software\microsoft\com3","Com+Enabled")
>     RegDelete("HKLM\Sandbox\machine\software\microsoft\ole","EnableDCOM")
>     RegDelete("HKLM\Sandbox\machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket","NukeOnDelete")
>     RegDelete("HKLM\Sandbox\machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket","UseGlobalSettings")
>     RegDelete("HKLM\Sandbox\user\current\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess","BrowseNewProcess")
> Else


#3 ·  Posted

> This looks very helpful. Can you explain why the code must delete these registry keys?
>
> Thanks!

I don't know, I have just translated the original JavaScript code to AutoIt code.

You can delete this part of the code if you like.
