Recursive search of the HKU registry hive for a DWORD value

I need help with a VBScript that will recursively search the Windows HKU registry hive for a DWORD value. It would be useful if the script could ignore system accounts and look only in S-1-5-21* keys. I MUST accomplish this using the HKU hive rather than the HKCU hive, because the program that I plan to use to run the script runs in the context of the system. Nothing like this.

Thanks.

    Const HKCU = &H80000001
    Const HKLM = &H80000002
    Const HKU = &H80000003

    strComputer = "."

    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
        strComputer & "\root\default:StdRegProv")

    'Read the HKEY_CURRENT_USER hive, registry path, and valuename to retrieve settings
    strKeyPath = "Software\Policies\Microsoft\Windows\System\Power"
    strValueName = "PromptPasswordOnResume"
    oReg.GetDWORDValue HKCU, strKeyPath, strValueName, dwValue

    'Return a failure exit code if entry does not exist
    If IsNull(dwValue) Then
        Wscript.Echo "The value is either Null or could not be found in the registry."
        WScript.Quit 1
    'Return a failure exit code if value does not equal STIG setting
    ElseIf dwValue <> 1 Then
        Wscript.Echo "This is a finding. ", strValueName, "=", dwValue
        WScript.Quit 1
    'Return a passing exit code if value matches STIG setting
    ElseIf dwValue = 1 Then
        Wscript.Echo "This is not a finding. "
        WScript.Quit 0
    End If

This is what I eventually came up with to solve my problem.

    Const HKEY_CURRENT_USER = &H80000001
    Const HKEY_LOCAL_MACHINE = &H80000002
    Const HKEY_USERS = &H80000003

    'Set the local computer as the target
    strComputer = "."

    'set the objRegistry Object
    Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

    'Enumerate All subkeys in HKEY_USERS
    objRegistry.EnumKey HKEY_USERS, "", arrSubkeys

    'Define variables
    strKeyPath = "\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
    strValueName = "HideZoneInfoOnProperties"
    strSID = "S-1-5-21-\d*-\d*-\d*-\d{4,5}\\"
    strValue = 1
    f = True

    For Each i in arrSubKeys
        Set objRegExp = New RegExp
        objRegExp.IgnoreCase = True
        objRegExp.Global = True
        objRegExp.Pattern = strSID
        Set colMatches = objRegExp.Execute(i + strKeyPath)
        For Each objMatch In colMatches
            objRegistry.GetDWORDValue HKEY_USERS, i + strKeyPath, strValueName, dwValue
            If IsNull(dwValue) Then
                WScript.Echo "This is a finding, the key " & i + strKeyPath & "\" & strValueName & " does not exist."
                f = False
            ElseIf dwValue <> strValue Then
                WScript.Echo "This is a finding, the " & i + strKeyPath & "\" & strValueName & ": " & dwValue & " does not equal REG_DWORD = " & strValue & "."
                f = False
            ElseIf dwValue = strValue Then
                WScript.Echo "This is not a finding " & i + strKeyPath & "\" & strValueName & " = " & dwValue
            End If
        Next
    Next

    If f Then
        WScript.Quit 0
    Else
        WScript.Quit 1
    End If
+4
2 answers

You do not need recursion here. Just iterate over the HKEY_USERS subkeys and (try to) read the value. The return code of GetDWORDValue() will indicate whether the value could be read.

    Const HKEY_USERS = &h80000003

    subkey = "Software\Policies\Microsoft\Windows\System\Power"
    name = "PromptPasswordOnResume"
    computer = "."

    Set reg = GetObject("winmgmts://" & computer & "/root/default:StdRegProv")

    reg.EnumKey HKEY_USERS, "", sidList
    For Each sid In sidList
        key = sid & "\" & subkey
        rc = reg.GetDWORDValue(HKEY_USERS, key, name, val)
        If rc = 0 Then
            If val = 1 Then
                WScript.Echo "OK"
                WScript.Quit 0
            Else
                WScript.Echo "Not OK"
                WScript.Quit 1
            End If
        End If
    Next
+2
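
An added example, not part of the original posts: it applies the same HKEY_USERS iteration to every S-1-5-21 account instead of stopping at the first hit, and compares the result with the profiles registered under HKLM's ProfileList, because HKEY_USERS only contains hives that are currently loaded. The key path and expected value are taken from the answer above; treating a missing value or an unloaded hive as a failure is an assumption of this sketch.

```vbscript
' Added example: audit one DWORD in every loaded user hive and flag profiles
' that could not be checked because their hive is not loaded under HKEY_USERS.
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS = &H80000003
Const PROFILE_LIST = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
Const SUBKEY = "Software\Policies\Microsoft\Windows\System\Power"
Const VALUE_NAME = "PromptPasswordOnResume"
Const EXPECTED = 1

Dim reg, sidRe, loaded, userSids, profileSids, sid, rc, dw, failed
Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' Anchored pattern: only full account SIDs match, so S-1-5-18/19/20,
' .DEFAULT and the <SID>_Classes keys are skipped.
Set sidRe = New RegExp
sidRe.Pattern = "^S-1-5-21-\d+-\d+-\d+-\d+$"
Set loaded = CreateObject("Scripting.Dictionary")
failed = False

reg.EnumKey HKEY_USERS, "", userSids
If IsArray(userSids) Then
    For Each sid In userSids
        If sidRe.Test(sid) Then
            loaded(UCase(sid)) = True
            rc = reg.GetDWORDValue(HKEY_USERS, sid & "\" & SUBKEY, VALUE_NAME, dw)
            If rc <> 0 Then
                WScript.Echo "FINDING   " & sid & ": " & VALUE_NAME & " not set (rc=" & rc & ")"
                failed = True
            ElseIf dw <> EXPECTED Then
                WScript.Echo "FINDING   " & sid & ": " & VALUE_NAME & " = " & dw
                failed = True
            Else
                WScript.Echo "OK        " & sid & ": " & VALUE_NAME & " = " & dw
            End If
        End If
    Next
End If

' Profiles known to the machine whose hive is not loaded were never inspected.
reg.EnumKey HKEY_LOCAL_MACHINE, PROFILE_LIST, profileSids
If IsArray(profileSids) Then
    For Each sid In profileSids
        If sidRe.Test(sid) And Not loaded.Exists(UCase(sid)) Then
            WScript.Echo "UNCHECKED " & sid & ": hive not loaded under HKEY_USERS"
            failed = True
        End If
    Next
End If
If failed Then WScript.Quit 1 Else WScript.Quit 0
```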

I'm not sure if I'm right. If you want to search in HKU and not in HKCU, then the point is that the account in HKU is displayed in HKCU. As in your case, S-1-5-21* will be displayed in HKCU. You can verify this by changing an entry in HKCU, and this will be reflected in HKU (S-1-5-21*) and vice versa.

0

Source: https://habr.com/ru/post/1443752/

