Obtaining security settings through batch script

Posted on 2003-11-01
Last Modified: 2013-12-04
I'm in the process of writing a batch script for Windows 2000 and 2003 server and I would like to know if it is possible to:
1.  extract specific keys from a batch script (I don't want to take a copy of the registry.

2. extract specific values from the local security policy (ie: everything under password policy, lockout policy, audit policy, user rights assignment, security options).

Question by:KABOOM

Expert Comment

ID: 9664020
A tool that can assist you with the registry side of things is regfind.exe from the resource kit.
RegFind is a command-line tool that you can use to search the Windows 2000 registry for arbitrary data, key names, or value names. The tool allows you to replace any of these with new values.

RegFind Syntax
regfind [{-m \\ComputerName | -h HiveFile HiveRoot | -w Win95Directory}] [-i n] [-o OutputWidth] [-p RegistryKeyPath] [{-z | -t DataType}] [{-b | -B}] [-y] [-n] [SearchString [-r ReplacementString]]


-m \\ComputerName
specifies a remote Windows 2000 computer (machine) whose registry is to be manipulated.
-h HiveFile HiveRoot
specifies a local hive to manipulate.
-w Win95Directory
specifies the paths to Windows 95 system.dat and user.dat files.
-i n
specifies the display indentation multiple. Default is 4.
-o OutputWidth
specifies how wide the output is to be. By default OutputWidth is set to the width of the console window, if standard output (STDOUT) has not been redirected to a file. In the latter case, an OutputWidth of 240 is used.
-p RegistryKeyPath
specifies where in the registry to start searching. All entries below this point in the registry hierarchy are also searched. If no path is specified, RegFind searches the entire registry, which can be time consuming.
If the path contains spaces, it must be surrounded by quotations marks:
"Registry Key Path With Spaces"
specifies to search for REG_SZ and REG_EXPAND_SZ values that are missing a trailing null character and/or have a length that is not a multiple of the size of a Unicode character. If -r is also specified, any replacement string is ignored and RegFind adds the missing null character and/or adjusts the length up to an even multiple of the size of a Unicode character.
-t DataType
specifies which registry types to search. DataType can be REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ, REG_DWORD, REG_BINARY, or REG_NONE. Default is any of the _SZ types.
only valid with _SZ searches. Specifies that RegFind should look for occurrences of the SearchString inside of REG_BINARY data. May not be specified with a ReplacementString that is not the same length as the SearchString.
same as -b but also looks for ANSI version of string within REG_BINARY values.
only valid with _SZ searches. Specifies that RegFind should ignore case when searching.
specifies to include key and value names in the search; -n may not specified with -t.
is the value to search for. If SearchString is not specified, RegFind searches based on type.
If SearchString contains spaces, it must be surrounded by quotations marks:
"Search String With Spaces"
-r ReplacementString
specifies an optional replacement string to replace any matches with.
SearchString and ReplacementString must be of the same type as specified by the -t switch. For any of the _SZ types, it is just a string. For REG_DWORD, it is a single number (for example: 0x1000 or 4096). For REG_BINARY, it is a number specifing #bytes, optionally followed by the actual bytes, with a separate number for each DWORD (for example, 0x06 0x12345678 0x1234). If just the byte count is specified, RegFind searches for all REG_BINARY values that have that length. May not search for length and specify -r.
When doing replacements, RegFind displays the value after the replacement has been. It is usually best to run RegFind once without the -r switch to see what will be changed before it is actually changed.
Whenever specifying a registry path, either on the command line or in an input file, the following prefix strings can be used:
Each of these strings can stand alone as the key name or be followed a BACKSLASH (\) and a subkey path.

This example searches the HKEY_CURRENT_USER\Control Panel registry key for entries of type REG_DWORD.

C:\>regfind -p "HKEY_CURRENT_USER\Control Panel" -t REG_DWORD

Scanning HKEY_CURRENT_USER\Control Panel registry tree
Searching for any match based on type
Will match values of type: REG_DWORD

        ActiveWndTrkTimeout = REG_DWORD 0x00000000
        ForegroundFlashCount = REG_DWORD 0x00000003
        ForegroundLockTimeout = REG_DWORD 0x00030d40
        CaretWidth = REG_DWORD 0x00000001
        PaintDesktopVersion = REG_DWORD 0x00000001
    Microsoft Input Devices
                    Version = REG_DWORD 0x00050000
        ActiveWindowTracking = REG_DWORD 0x00000000

Adding the regfind to a batch would be easy

Author Comment

ID: 9664119
Hmmm, that's a good suggestion but the problem is, our company uses a script to do a security review on standard stuff and depending on the client - they may or may not have regfind installed.  I find most administrators are hesitant to install stuff on production servers.  Is there a way to write a small batch application?

Expert Comment

ID: 9665458
Distribute the regfind with your batch file? Or perhaps just have it in the same dir as your batch file.


Accepted Solution

integer earned 250 total points
ID: 9701927

I do this a lot, a good way to accomplish a goal with the requirement of no extra software would be to use the /E switch on the regedit command.

regedit /E file.tmp "HKEY_CURRENT_USER\Control Panel" would dump the "HKEY_CURRENT_USER\Control Panel" registry key to a file called file.tmp.  

You could then use a FOR loop to spin through the values and enumerate to environmental variables for post processing.  If I knew what keys you wanted and what you wanted to parse I could give you an answer more specific to your request but this should get you started.

Best Regards,



Author Comment

ID: 9708586
Thank you for the suggestion.  
Is there a way to get the permissions on HKCU\Control Panel?

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question