Obtaining security settings through batch script

Posted on 2003-11-01
Last Modified: 2013-12-04
I'm in the process of writing a batch script for Windows 2000 and 2003 server and I would like to know if it is possible to:
1.  extract specific keys from a batch script (I don't want to take a copy of the registry.

2. extract specific values from the local security policy (ie: everything under password policy, lockout policy, audit policy, user rights assignment, security options).

Question by:KABOOM

Expert Comment

ID: 9664020
A tool that can assist you with the registry side of things is regfind.exe from the resource kit.
RegFind is a command-line tool that you can use to search the Windows 2000 registry for arbitrary data, key names, or value names. The tool allows you to replace any of these with new values.

RegFind Syntax
regfind [{-m \\ComputerName | -h HiveFile HiveRoot | -w Win95Directory}] [-i n] [-o OutputWidth] [-p RegistryKeyPath] [{-z | -t DataType}] [{-b | -B}] [-y] [-n] [SearchString [-r ReplacementString]]


-m \\ComputerName
specifies a remote Windows 2000 computer (machine) whose registry is to be manipulated.
-h HiveFile HiveRoot
specifies a local hive to manipulate.
-w Win95Directory
specifies the paths to Windows 95 system.dat and user.dat files.
-i n
specifies the display indentation multiple. Default is 4.
-o OutputWidth
specifies how wide the output is to be. By default OutputWidth is set to the width of the console window, if standard output (STDOUT) has not been redirected to a file. In the latter case, an OutputWidth of 240 is used.
-p RegistryKeyPath
specifies where in the registry to start searching. All entries below this point in the registry hierarchy are also searched. If no path is specified, RegFind searches the entire registry, which can be time consuming.
If the path contains spaces, it must be surrounded by quotations marks:
"Registry Key Path With Spaces"
specifies to search for REG_SZ and REG_EXPAND_SZ values that are missing a trailing null character and/or have a length that is not a multiple of the size of a Unicode character. If -r is also specified, any replacement string is ignored and RegFind adds the missing null character and/or adjusts the length up to an even multiple of the size of a Unicode character.
-t DataType
specifies which registry types to search. DataType can be REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ, REG_DWORD, REG_BINARY, or REG_NONE. Default is any of the _SZ types.
only valid with _SZ searches. Specifies that RegFind should look for occurrences of the SearchString inside of REG_BINARY data. May not be specified with a ReplacementString that is not the same length as the SearchString.
same as -b but also looks for ANSI version of string within REG_BINARY values.
only valid with _SZ searches. Specifies that RegFind should ignore case when searching.
specifies to include key and value names in the search; -n may not specified with -t.
is the value to search for. If SearchString is not specified, RegFind searches based on type.
If SearchString contains spaces, it must be surrounded by quotations marks:
"Search String With Spaces"
-r ReplacementString
specifies an optional replacement string to replace any matches with.
SearchString and ReplacementString must be of the same type as specified by the -t switch. For any of the _SZ types, it is just a string. For REG_DWORD, it is a single number (for example: 0x1000 or 4096). For REG_BINARY, it is a number specifing #bytes, optionally followed by the actual bytes, with a separate number for each DWORD (for example, 0x06 0x12345678 0x1234). If just the byte count is specified, RegFind searches for all REG_BINARY values that have that length. May not search for length and specify -r.
When doing replacements, RegFind displays the value after the replacement has been. It is usually best to run RegFind once without the -r switch to see what will be changed before it is actually changed.
Whenever specifying a registry path, either on the command line or in an input file, the following prefix strings can be used:
Each of these strings can stand alone as the key name or be followed a BACKSLASH (\) and a subkey path.

This example searches the HKEY_CURRENT_USER\Control Panel registry key for entries of type REG_DWORD.

C:\>regfind -p "HKEY_CURRENT_USER\Control Panel" -t REG_DWORD

Scanning HKEY_CURRENT_USER\Control Panel registry tree
Searching for any match based on type
Will match values of type: REG_DWORD

        ActiveWndTrkTimeout = REG_DWORD 0x00000000
        ForegroundFlashCount = REG_DWORD 0x00000003
        ForegroundLockTimeout = REG_DWORD 0x00030d40
        CaretWidth = REG_DWORD 0x00000001
        PaintDesktopVersion = REG_DWORD 0x00000001
    Microsoft Input Devices
                    Version = REG_DWORD 0x00050000
        ActiveWindowTracking = REG_DWORD 0x00000000

Adding the regfind to a batch would be easy

Author Comment

ID: 9664119
Hmmm, that's a good suggestion but the problem is, our company uses a script to do a security review on standard stuff and depending on the client - they may or may not have regfind installed.  I find most administrators are hesitant to install stuff on production servers.  Is there a way to write a small batch application?

Expert Comment

ID: 9665458
Distribute the regfind with your batch file? Or perhaps just have it in the same dir as your batch file.


Accepted Solution

integer earned 250 total points
ID: 9701927

I do this a lot, a good way to accomplish a goal with the requirement of no extra software would be to use the /E switch on the regedit command.

regedit /E file.tmp "HKEY_CURRENT_USER\Control Panel" would dump the "HKEY_CURRENT_USER\Control Panel" registry key to a file called file.tmp.  

You could then use a FOR loop to spin through the values and enumerate to environmental variables for post processing.  If I knew what keys you wanted and what you wanted to parse I could give you an answer more specific to your request but this should get you started.

Best Regards,



Author Comment

ID: 9708586
Thank you for the suggestion.  
Is there a way to get the permissions on HKCU\Control Panel?

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
OfficeMate Freezes on login or does not load after login credentials are input.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now