Obtaining security settings through batch script

I'm in the process of writing a batch script for Windows 2000 and 2003 server and I would like to know if it is possible to:
1.  extract specific keys from a batch script (I don't want to take a copy of the registry.

2. extract specific values from the local security policy (ie: everything under password policy, lockout policy, audit policy, user rights assignment, security options).

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

A tool that can assist you with the registry side of things is regfind.exe from the resource kit.
RegFind is a command-line tool that you can use to search the Windows 2000 registry for arbitrary data, key names, or value names. The tool allows you to replace any of these with new values.

RegFind Syntax
regfind [{-m \\ComputerName | -h HiveFile HiveRoot | -w Win95Directory}] [-i n] [-o OutputWidth] [-p RegistryKeyPath] [{-z | -t DataType}] [{-b | -B}] [-y] [-n] [SearchString [-r ReplacementString]]


-m \\ComputerName
specifies a remote Windows 2000 computer (machine) whose registry is to be manipulated.
-h HiveFile HiveRoot
specifies a local hive to manipulate.
-w Win95Directory
specifies the paths to Windows 95 system.dat and user.dat files.
-i n
specifies the display indentation multiple. Default is 4.
-o OutputWidth
specifies how wide the output is to be. By default OutputWidth is set to the width of the console window, if standard output (STDOUT) has not been redirected to a file. In the latter case, an OutputWidth of 240 is used.
-p RegistryKeyPath
specifies where in the registry to start searching. All entries below this point in the registry hierarchy are also searched. If no path is specified, RegFind searches the entire registry, which can be time consuming.
If the path contains spaces, it must be surrounded by quotations marks:
"Registry Key Path With Spaces"
specifies to search for REG_SZ and REG_EXPAND_SZ values that are missing a trailing null character and/or have a length that is not a multiple of the size of a Unicode character. If -r is also specified, any replacement string is ignored and RegFind adds the missing null character and/or adjusts the length up to an even multiple of the size of a Unicode character.
-t DataType
specifies which registry types to search. DataType can be REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ, REG_DWORD, REG_BINARY, or REG_NONE. Default is any of the _SZ types.
only valid with _SZ searches. Specifies that RegFind should look for occurrences of the SearchString inside of REG_BINARY data. May not be specified with a ReplacementString that is not the same length as the SearchString.
same as -b but also looks for ANSI version of string within REG_BINARY values.
only valid with _SZ searches. Specifies that RegFind should ignore case when searching.
specifies to include key and value names in the search; -n may not specified with -t.
is the value to search for. If SearchString is not specified, RegFind searches based on type.
If SearchString contains spaces, it must be surrounded by quotations marks:
"Search String With Spaces"
-r ReplacementString
specifies an optional replacement string to replace any matches with.
SearchString and ReplacementString must be of the same type as specified by the -t switch. For any of the _SZ types, it is just a string. For REG_DWORD, it is a single number (for example: 0x1000 or 4096). For REG_BINARY, it is a number specifing #bytes, optionally followed by the actual bytes, with a separate number for each DWORD (for example, 0x06 0x12345678 0x1234). If just the byte count is specified, RegFind searches for all REG_BINARY values that have that length. May not search for length and specify -r.
When doing replacements, RegFind displays the value after the replacement has been. It is usually best to run RegFind once without the -r switch to see what will be changed before it is actually changed.
Whenever specifying a registry path, either on the command line or in an input file, the following prefix strings can be used:
Each of these strings can stand alone as the key name or be followed a BACKSLASH (\) and a subkey path.

This example searches the HKEY_CURRENT_USER\Control Panel registry key for entries of type REG_DWORD.

C:\>regfind -p "HKEY_CURRENT_USER\Control Panel" -t REG_DWORD

Scanning HKEY_CURRENT_USER\Control Panel registry tree
Searching for any match based on type
Will match values of type: REG_DWORD

        ActiveWndTrkTimeout = REG_DWORD 0x00000000
        ForegroundFlashCount = REG_DWORD 0x00000003
        ForegroundLockTimeout = REG_DWORD 0x00030d40
        CaretWidth = REG_DWORD 0x00000001
        PaintDesktopVersion = REG_DWORD 0x00000001
    Microsoft Input Devices
                    Version = REG_DWORD 0x00050000
        ActiveWindowTracking = REG_DWORD 0x00000000

Adding the regfind to a batch would be easy
KABOOMAuthor Commented:
Hmmm, that's a good suggestion but the problem is, our company uses a script to do a security review on standard stuff and depending on the client - they may or may not have regfind installed.  I find most administrators are hesitant to install stuff on production servers.  Is there a way to write a small batch application?
Distribute the regfind with your batch file? Or perhaps just have it in the same dir as your batch file.


I do this a lot, a good way to accomplish a goal with the requirement of no extra software would be to use the /E switch on the regedit command.

regedit /E file.tmp "HKEY_CURRENT_USER\Control Panel" would dump the "HKEY_CURRENT_USER\Control Panel" registry key to a file called file.tmp.  

You could then use a FOR loop to spin through the values and enumerate to environmental variables for post processing.  If I knew what keys you wanted and what you wanted to parse I could give you an answer more specific to your request but this should get you started.

Best Regards,


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
KABOOMAuthor Commented:
Thank you for the suggestion.  
Is there a way to get the permissions on HKCU\Control Panel?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.