Sandboxie - Get Register Data


dmoniac

Hi.

This is a script to dump the whole Sandboxie registry hive.

Handy after an install, to look at the data that was registered.

CODE
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Res_Language=1036
; reg.exe LOAD/UNLOAD needs the backup/restore privileges, so run elevated
#AutoIt3Wrapper_Res_requestedExecutionLevel=highestAvailable
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

#cs ----------------------------------------------------------------------------
AutoIt Version: 3.2.10.0
Author: dmoniac
Script Function:
Dump the Sandboxie registry hive (RegHive) of a sandbox to a normal Windows .reg file.
#ce ----------------------------------------------------------------------------

; Default sandbox folder on the author's system. If the hive is not found there,
; the InputBox below lets you point at another sandbox folder.
Dim $DefBox = EnvGet("APPDATA") & "\Sandbox\DefaultBox"
Dim $RegFile = $DefBox & "\RegHive"
Dim $ExportFile

If Not FileExists($RegFile) Then
    MsgBox(4096, "Information", "Registry Hive does not exist in " & @CRLF & $DefBox)
    $newpath = InputBox("Manual search", "Enter the folder of your Sandbox", $DefBox, "", 500, 130)
    If @error = 0 Then
        $DefBox = $newpath
        $RegFile = $DefBox & "\RegHive"
        If Not FileExists($RegFile) Then
            MsgBox(4096, "Information", "Registry Hive does not exist in " & @CRLF & $DefBox)
            Exit 5
        EndIf
    Else
        MsgBox(0, "ERROR", "Could not find the Sandbox registry hive")
        Exit 5
    EndIf
EndIf

$ExportFile = $RegFile & ".export"

; Mount the sandbox hive under HKLM\Sandbox.
; This fails while the sandbox is in use (Sandboxie keeps RegHive open), so
; terminate the sandboxed programs first. Note that the RegDelete calls below
; are written back into RegHive when the hive is unloaded: work on a copy of
; the file if the sandbox itself must stay untouched.
$CMD = 'reg.exe LOAD HKLM\Sandbox "' & $RegFile & '"'
$retval = RunWait($CMD, @ScriptDir, @SW_HIDE)
If $retval = 0 Then
    ; Values removed before the export (carried over from the original
    ; JavaScript version; delete these lines to keep the raw hive content)
    RegDelete("HKLM\Sandbox\machine\software\microsoft\com3", "Com+Enabled")
    RegDelete("HKLM\Sandbox\machine\software\microsoft\ole", "EnableDCOM")
    RegDelete("HKLM\Sandbox\machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket", "NukeOnDelete")
    RegDelete("HKLM\Sandbox\machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket", "UseGlobalSettings")
    RegDelete("HKLM\Sandbox\user\current\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess", "BrowseNewProcess")
Else
    MsgBox(0, "LOAD HKLM\Sandbox error", $retval)
    Exit 1
EndIf

; Remove a stale export left by a previous run
FileDelete($ExportFile)

; Export the mounted hive
$CMD = 'reg.exe EXPORT HKLM\Sandbox "' & $ExportFile & '"'
$retval = RunWait($CMD, @ScriptDir, @SW_HIDE)
If $retval <> 0 Then
    MsgBox(0, "EXPORT HKLM\Sandbox error", $retval)
    ; Do not leave the sandbox hive mounted on the host
    RunWait('reg.exe UNLOAD HKLM\Sandbox', @ScriptDir, @SW_HIDE)
    Exit 3
EndIf

reformatRegfile($ExportFile, $ExportFile & '.reg')
FileDelete($ExportFile)

; Unmount the hive
$CMD = 'reg.exe UNLOAD HKLM\Sandbox'
$retval = RunWait($CMD, @ScriptDir, @SW_HIDE)
If $retval <> 0 Then
    MsgBox(0, "UNLOAD HKLM\Sandbox error", $retval)
    Exit 2
EndIf

MsgBox(0, "Information", "Registry entries exported to " & @CRLF & $ExportFile & '.reg')
Exit 0

; Rewrites the HKLM\Sandbox export so the keys point at their real host roots.
; The order of the replacements matters: the longer prefixes (user\current_CLASSES,
; user\current) must be handled before the shorter ones (user).
; On Vista and later reg.exe writes the export as UTF-16LE with a BOM; make sure
; the AutoIt version in use decodes the BOM when reading (recent versions do),
; otherwise the replacements below will not match.
Func reformatRegfile($exportfile, $regfile)
    $file = FileRead($exportfile)
    If @error Then
        MsgBox(0, "Error", "Unable to open file " & $exportfile)
        Return 0
    EndIf

    $file = StringReplace($file, '[HKEY_LOCAL_MACHINE\Sandbox]', '', 0, 0)
    $file = StringReplace($file, '[HKEY_LOCAL_MACHINE\Sandbox\user\current_CLASSES', '[HKEY_CLASSES_ROOT', 0, 0)
    $file = StringReplace($file, '[HKEY_LOCAL_MACHINE\Sandbox\user\current', '[HKEY_CURRENT_USER', 0, 0)
    ; the host root for other user hives is HKEY_USERS, not HKEY_USER
    $file = StringReplace($file, '[HKEY_LOCAL_MACHINE\Sandbox\user', '[HKEY_USERS', 0, 0)
    $file = StringReplace($file, '[HKEY_LOCAL_MACHINE\Sandbox\machine', '[HKEY_LOCAL_MACHINE', 0, 0)

    FileDelete($regfile)
    $ret = FileWrite($regfile, $file)
    If $ret <> 1 Then
        MsgBox(0, "Error", "Unable to write file " & $regfile)
        Return 0
    EndIf
    Return 1
EndFunc
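As an added example (Python, not part of dmoniac's AutoIt script), the same HKLM\Sandbox to host-root rewrite as a stand-alone offline tool: it decodes the UTF-16 export that reg.exe writes on newer Windows, applies the prefixes longest first (the order the script's StringReplace calls rely on), drops the mount-point key together with any values under it, and counts how many keys ended up under each host root, so you can see at a glance where the sandboxed installer wrote. The sandbox layout (machine, user\current, user\current_CLASSES under HKLM\Sandbox) is the one the script maps; the sample export is constructed.

```python
"""Rewrite a `reg.exe EXPORT HKLM\\Sandbox` dump into host key paths and
summarise which roots the sandboxed install touched.

Added example, not part of dmoniac's AutoIt script. The sandbox layout is
taken from the script's StringReplace calls; SAMPLE_EXPORT is constructed.
"""
import re
from collections import Counter

MOUNT = r"HKEY_LOCAL_MACHINE\Sandbox"

# Longest prefix first: "user\current" is itself a prefix of
# "user\current_CLASSES", and "user" of both, so the order is significant.
PREFIX_MAP = [
    (MOUNT + r"\user\current_CLASSES", "HKEY_CLASSES_ROOT"),
    (MOUNT + r"\user\current", "HKEY_CURRENT_USER"),
    (MOUNT + r"\user", "HKEY_USERS"),
    (MOUNT + r"\machine", "HKEY_LOCAL_MACHINE"),
]


def map_key(key: str):
    """Host path for a sandboxed key, None for the mount point itself,
    or the key unchanged if it is not under the mount point.
    Registry paths are case-insensitive, so compare lowercased."""
    low = key.lower()
    if low == MOUNT.lower():
        return None
    for sandboxed, host in PREFIX_MAP:
        prefix = sandboxed.lower()
        if low == prefix or low.startswith(prefix + "\\"):
            return host + key[len(sandboxed):]
    return key


def decode_export(raw: bytes) -> str:
    """reg.exe writes UTF-16LE with a BOM on Vista and later, ANSI on XP."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252")


KEY_LINE = re.compile(r"^\[(-?)(.*)\]$")


def rewrite_export(text: str):
    """Rewrite key headers; drop the mount-point key and the values under it.
    Returns (rewritten .reg text, Counter of host roots touched)."""
    out, roots = [], Counter()
    skipping = False
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            mapped = map_key(m.group(2))
            skipping = mapped is None
            if skipping:
                continue
            roots[mapped.split("\\", 1)[0]] += 1
            line = "[" + m.group(1) + mapped + "]"
        elif skipping:
            # value lines belonging to the dropped mount-point key
            continue
        out.append(line)
    return "\n".join(out) + "\n", roots


# Constructed sample of what `reg.exe EXPORT HKLM\Sandbox` produces (UTF-16LE + BOM)
SAMPLE_EXPORT = b"\xff\xfe" + r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Sandbox]
"SandboxieMarker"=dword:00000001

[HKEY_LOCAL_MACHINE\Sandbox\machine\software\Example]
"InstallDir"="C:\\Program Files\\Example"

[HKEY_LOCAL_MACHINE\Sandbox\user\current\Software\Example]
"FirstRun"=dword:00000001

[HKEY_LOCAL_MACHINE\Sandbox\user\current_CLASSES\.exm]
@="Example.Document"

[HKEY_LOCAL_MACHINE\Sandbox\user\S-1-5-21-1-2-3-1001\Software\Example]
""".encode("utf-16-le")


if __name__ == "__main__":
    reg_text, touched = rewrite_export(decode_export(SAMPLE_EXPORT))
    print(reg_text)
    for root, count in sorted(touched.items()):
        print(f"{root}: {count} key(s)")
```

Run it against a real export by replacing SAMPLE_EXPORT with the bytes of the `.export` file; the rewritten text can be saved as a `.reg` file and diffed against a clean baseline export.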


This looks very helpful. Can you explain why the code must delete these registry keys?

Thanks!

CODE
If ( $retval = 0 ) Then
    RegDelete("HKLM\Sandbox\machine\software\microsoft\com3","Com+Enabled")
    RegDelete("HKLM\Sandbox\machine\software\microsoft\ole","EnableDCOM")
    RegDelete("HKLM\Sandbox\machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket","NukeOnDelete")
    RegDelete("HKLM\Sandbox\machine\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket","UseGlobalSettings")
    RegDelete("HKLM\Sandbox\user\current\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess","BrowseNewProcess")
Else


I don't know, I just translated the original JavaScript code to AutoIt code.

You can delete this part of code if you like.
