Solved

Search Registry from text File data : vb6

Posted on 2004-10-12
Last Modified: 2009-12-16
Hello Experts

I would like to do a search in the registry for strings I have in a text file (SEARCH-REG.TXT).

My text file (SEARCH-REG.TXT) would contain a different number of lines and data like

9E56BE60-C50F-11CF-9A2C-00A0C90A90CE  
43654364-R50F-ete-9-eA2C-00A0C90A90CE
any data string
any data string
etc
etc

What the code below does is enumerate through the registry and display the
result in a listbox.

The code below only allows me to do 1 search at a time, but I would really like to search
from a text file (SEARCH-REG.TXT).

I would like to search like this

1. start searching registry
2. first item in registry is "data1"  
3: is "data1"   in my (SEARCH-REG.TXT)  if yes display in listbox
------------------------------------------------------------------------------
1. second item in registry is "data2"  
2: is "data2"   in my (SEARCH-REG.TXT) if yes display in listbox
------------------------------------------------------------------------------
etc
etc

-------------------------------------------------------------------------------
The code I am using is

Dim WithEvents cReg As cRegSearch

Private Sub Command1_Click()
   
  Set cReg = New cRegSearch
   
  cReg.RootKey = &H0&  ' Search all of registry
 
  cReg.SearchFlags = KEY_NAME * 1 + VALUE_NAME * 1 + VALUE_VALUE * 1 + WHOLE_STRING * 0
 
  cReg.SearchString = "String to find" ' String to find   ' *******  
 
  cReg.DoSearch
 
End Sub
Private Sub cReg_SearchFound(ByVal sRootKey As String, ByVal sKey As String, ByVal sValue As Variant, ByVal lFound As FOUND_WHERE)
   
   Dim lvItm As ListItem
   
   With ListView1
       Set lvItm = .ListItems.Add(, , sTemp)
       lvItm.SubItems(1) = sRootKey
       lvItm.SubItems(2) = sKey
       lvItm.SubItems(3) = sValue
   End With
   
   Set lvItm = Nothing
   
End Sub

Private Sub cReg_SearchKeyChanged(ByVal sFullKeyName As String)
  If Me.WindowState <> vbMinimized Then Label3 = sFullKeyName 'Display, This event cause a lot of printing.
End Sub

Private Sub Form_Unload(Cancel As Integer)
   cReg.StopSearch
   Set cReg = Nothing
End Sub

-------------------------------------------------------------------------------

the line that reads

  cReg.SearchString = "String to find" ' String to find   ' *******  

would need to be replaced by the new search code.

----------------------------------------------------
Remember to search like

1st registry item >>  then look in  (SEARCH-REG.TXT)  
2nd registry item>>  then look in  (SEARCH-REG.TXT)  
3rd registry item >>  then look in (SEARCH-REG.TXT)

and do not search like

(SEARCH-REG.TXT)  >> 1st registry item
(SEARCH-REG.TXT)  >> 2nd registry item
(SEARCH-REG.TXT)  >> 3rd registry item
----------------------------------------------------

Thank you, experts.
0
Comment
Question by:Jimmyx1000
8 Comments
 
LVL 12

Expert Comment

by:BobLamberson
ID: 12294049
Hi Jimmyx1000,

What are the other properties, methods of
> cRegSearch

can you post the function  cReg.DoSearch ?

Bob
0
 

Author Comment

by:Jimmyx1000
ID: 12294384

---------------------------------------------------------------------------------
'Here is the cRegSearch

'Class Module

' Class for searching Windows Registry
'
' Written by Arkadiy Olovyannikov (ark@fesma.ru)
' Copyright 2001 by Arkadiy Olovyannikov
'
' This software is FREEWARE. You may use it as you see fit for
' your own projects but you may not re-sell the original or the
' source code.
'
' No warranty express or implied, is given as to the use of this
' program. Use at your own risk.

Option Explicit

Private Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegEnumKey Lib "advapi32.dll" Alias "RegEnumKeyA" (ByVal hKey As Long, ByVal dwIndex As Long, ByVal lpName As String, ByVal cbName As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegEnumValue Lib "advapi32.dll" Alias "RegEnumValueA" (ByVal hKey As Long, ByVal dwIndex As Long, ByVal lpValueName As String, lpcbValueName As Long, ByVal lpReserved As Long, lpType As Long, lpData As Byte, lpcbData As Long) As Long

Enum ROOT_KEYS
     HKEY_ALL = &H0&
     HKEY_CLASSES_ROOT = &H80000000
     HKEY_CURRENT_USER = &H80000001
     HKEY_LOCAL_MACHINE = &H80000002
     HKEY_USERS = &H80000003
     HKEY_PERFORMANCE_DATA = &H80000004
     HKEY_CURRENT_CONFIG = &H80000005
     HKEY_DYN_DATA = &H80000006
End Enum

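' Bit flags: each must be a distinct non-zero power of two, otherwise a test
' such as (flags And KEY_NAME) = KEY_NAME is always True and cannot be disabled
Enum SEARCH_FLAGS
     KEY_NAME = 1
     VALUE_NAME = 2
     VALUE_VALUE = 4
     WHOLE_STRING = 8
End Enum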

Enum FOUND_WHERE
     FOUND_IN_KEY_NAME
     FOUND_IN_VALUE_NAME
     FOUND_IN_VALUE_VALUE
End Enum

Private Const STANDARD_RIGHTS_ALL = &H1F0000
Private Const KEY_QUERY_VALUE = &H1
Private Const KEY_SET_VALUE = &H2
Private Const KEY_CREATE_SUB_KEY = &H4
Private Const KEY_ENUMERATE_SUB_KEYS = &H8
Private Const KEY_NOTIFY = &H10
Private Const KEY_CREATE_LINK = &H20
Private Const SYNCHRONIZE = &H100000
Private Const KEY_ALL_ACCESS = ((STANDARD_RIGHTS_ALL Or KEY_QUERY_VALUE Or KEY_SET_VALUE Or KEY_CREATE_SUB_KEY Or KEY_ENUMERATE_SUB_KEYS Or KEY_NOTIFY Or KEY_CREATE_LINK) And (Not SYNCHRONIZE))
Const KEY_READ = &H20019  ' ((READ_CONTROL Or KEY_QUERY_VALUE Or
                          ' KEY_ENUMERATE_SUB_KEYS Or KEY_NOTIFY) And (Not
                          ' SYNCHRONIZE))

Private Const ERROR_SUCCESS = 0&
Private Const ERR_MORE_DATA = 234&
Private Const ERROR_NO_MORE_ITEMS = 259&

Private Const REG_NONE = 0
Private Const REG_SZ = 1
Private Const REG_EXPAND_SZ = 2
Private Const REG_BINARY = 3
Private Const REG_DWORD = 4
Private Const REG_DWORD_LITTLE_ENDIAN = 4
Private Const REG_DWORD_BIG_ENDIAN = 5
Private Const REG_LINK = 6
Private Const REG_MULTI_SZ = 7
Private Const REG_RESOURCE_LIST = 8
Private Const REG_FULL_RESOURCE_DESCRIPTOR = 9
Private Const REG_RESOURCE_REQUIREMENTS_LIST = 10

Private Const MAX_KEY_SIZE = 260
Private Const MAX_VALUE_SIZE = 4096

Private Declare Sub CopyMem Lib "kernel32" Alias "RtlMoveMemory" (pDest As Any, pSource As Any, ByVal ByteLen As Long)

Public Event SearchFound(ByVal sRootKey As String, ByVal sKey As String, ByVal sValue As Variant, ByVal lFound As FOUND_WHERE)
Public Event SearchFinished(ByVal lReason As Long)
Public Event SearchKeyChanged(ByVal sFullKeyName As String)

Private mvarRootKey As ROOT_KEYS
Private mvarSearchFlags As SEARCH_FLAGS
Private mvarSearchString As String
Private mvarSubKey As String

Dim lStopSearch As Long

Public Property Let SubKey(ByVal vData As String)
    mvarSubKey = vData
End Property

Public Property Let SearchString(ByVal vData As String)
    mvarSearchString = vData
End Property

Public Property Let SearchFlags(ByVal vData As SEARCH_FLAGS)
    mvarSearchFlags = vData
End Property

Public Property Let RootKey(ByVal vData As ROOT_KEYS)
    mvarRootKey = vData
End Property

Public Sub DoSearch()
    If mvarRootKey <> HKEY_ALL Then
       If (mvarSearchFlags And VALUE_NAME) = VALUE_NAME Or (mvarSearchFlags And VALUE_VALUE) = VALUE_VALUE Then
          Call EnumRegValues(mvarRootKey, mvarSubKey)
       End If
       Call EnumRegKeys(mvarRootKey, mvarSubKey)
    Else
       Call EnumRegKeys(HKEY_CLASSES_ROOT, mvarSubKey)
       If lStopSearch Then GoTo Search_Terminated
       Call EnumRegKeys(HKEY_CURRENT_USER, mvarSubKey)
       If lStopSearch Then GoTo Search_Terminated
       Call EnumRegKeys(HKEY_LOCAL_MACHINE, mvarSubKey)
       If lStopSearch Then GoTo Search_Terminated
       Call EnumRegKeys(HKEY_USERS, mvarSubKey)
       If lStopSearch Then GoTo Search_Terminated
       Call EnumRegKeys(HKEY_PERFORMANCE_DATA, mvarSubKey)
       If lStopSearch Then GoTo Search_Terminated
       Call EnumRegKeys(HKEY_CURRENT_CONFIG, mvarSubKey)
       If lStopSearch Then GoTo Search_Terminated
       Call EnumRegKeys(HKEY_DYN_DATA, mvarSubKey)
    End If
Search_Terminated:
    RaiseEvent SearchFinished(lStopSearch)
    lStopSearch = 0
End Sub

Public Sub StopSearch()
    lStopSearch = 1
End Sub

Private Sub EnumRegKeys(ByVal lKeyRoot As Long, ByVal sSubKey As String)
    Dim curidx As Long
    Dim KeyName As String
    Dim hKey As Long
    Dim sTemp As String
    If lStopSearch Then Exit Sub
    On Error GoTo ErrEnum
    If RegOpenKeyEx(lKeyRoot, sSubKey, 0, KEY_READ, hKey) Then Exit Sub
    Do
      DoEvents
      KeyName = Space$(MAX_KEY_SIZE)
      If RegEnumKey(hKey, curidx, KeyName, MAX_KEY_SIZE) <> ERROR_SUCCESS Then Exit Do
      curidx = curidx + 1
      KeyName = TrimNull(KeyName)
      If sSubKey <> "" Then
         sTemp = sSubKey & "\" & KeyName
      Else
         sTemp = KeyName
      End If
'****************************************************
'This event is used for showing currently viewing key.
'Usually you don't need this.
'To increase performance, remove this event
      If lStopSearch = 0 Then RaiseEvent SearchKeyChanged(RootKeyName(lKeyRoot) & "\" & sTemp)
'****************************************************
      If (mvarSearchFlags And KEY_NAME) = KEY_NAME Then
         If CheckMatching(KeyName) Then
            RaiseEvent SearchFound(RootKeyName(lKeyRoot), sTemp, "*", FOUND_IN_KEY_NAME)
         End If
      End If
      If (mvarSearchFlags And VALUE_NAME) = VALUE_NAME Or (mvarSearchFlags And VALUE_VALUE) = VALUE_VALUE Then
         Call EnumRegValues(lKeyRoot, sTemp)
      End If
      Call EnumRegKeys(lKeyRoot, sTemp)
    Loop
ErrEnum:
    If Err Then lStopSearch = Err
    RegCloseKey hKey
End Sub

Private Sub EnumRegValues(ByVal lKeyRoot As Long, ByVal sSubKey As String)
   Dim curidx As Long, ValueName As String, ValueValue As String
   Dim hKey As Long
   Dim lType As Long
   Dim arrData() As Byte
   Dim cbDataSize As Long
   If lStopSearch Then Exit Sub
   On Error GoTo ErrEnum
   If RegOpenKeyEx(lKeyRoot, sSubKey, 0, KEY_READ, hKey) Then Exit Sub
   Do
     ValueName = String(MAX_KEY_SIZE, 0)
     cbDataSize = MAX_VALUE_SIZE
     ReDim arrData(cbDataSize - 1)
     If RegEnumValue(hKey, curidx, ValueName, MAX_KEY_SIZE, ByVal 0&, lType, arrData(0), cbDataSize) <> ERROR_SUCCESS Then Exit Do
     If cbDataSize < 1 Then cbDataSize = 1
     ReDim Preserve arrData(cbDataSize - 1)
     ValueName = TrimNull(ValueName)
     If (mvarSearchFlags And VALUE_NAME) = VALUE_NAME Then
        If CheckMatching(ValueName) Then RaiseEvent SearchFound(RootKeyName(lKeyRoot), sSubKey & "\" & ValueName, GetRegData(lType, arrData), FOUND_IN_VALUE_NAME)
     End If
     If (mvarSearchFlags And VALUE_VALUE) = VALUE_VALUE Then
        ValueValue = TrimNull(GetRegData(lType, arrData))
        If CheckMatching(ValueValue) Then
           RaiseEvent SearchFound(RootKeyName(lKeyRoot), sSubKey & "\" & ValueName, ValueValue, FOUND_IN_VALUE_VALUE)
        End If
     End If
     curidx = curidx + 1
   Loop
ErrEnum:
   If Err Then lStopSearch = Err
   RegCloseKey hKey
End Sub

Private Function TrimNull(startstr As String) As String
   Dim pos As Integer
   pos = InStr(startstr, Chr$(0))
   If pos Then
      TrimNull = Left$(startstr, pos - 1)
      Exit Function
   End If
   TrimNull = startstr
End Function

Private Function CheckMatching(ByVal sCheck As String) As Boolean
   If (mvarSearchFlags And WHOLE_STRING) = WHOLE_STRING Then
      CheckMatching = (UCase(sCheck) = UCase(mvarSearchString))
   Else
      CheckMatching = InStr(1, sCheck, mvarSearchString, vbTextCompare)
   End If
End Function

Private Function GetRegData(ByVal lType As Long, abData() As Byte) As String
   Dim lData As Long, i As Long
   Dim sTemp As String
   sTemp = ""
   Select Case lType
        Case REG_SZ, REG_MULTI_SZ
             GetRegData = TrimNull(StrConv(abData, vbUnicode))
        Case REG_DWORD
             CopyMem lData, abData(0), 4&
             GetRegData = "0x" & Format(Hex(lData), "00000000") & "(" & lData & ")"
        Case REG_BINARY
             For i = 0 To UBound(abData)
                 sTemp = sTemp & Right("00" & Hex(abData(i)), 2) & " "
             Next i
             GetRegData = Left(sTemp, Len(sTemp) - 1)
        Case Else
             GetRegData = "Temporary unsupported"
   End Select
End Function

Private Function RootKeyName(lKey As Long) As String
   Select Case lKey
       Case HKEY_CLASSES_ROOT: RootKeyName = "HKEY_CLASSES_ROOT"
       Case HKEY_CURRENT_USER: RootKeyName = "HKEY_CURRENT_USER"
       Case HKEY_LOCAL_MACHINE: RootKeyName = "HKEY_LOCAL_MACHINE"
       Case HKEY_USERS: RootKeyName = "HKEY_USERS"
       Case HKEY_PERFORMANCE_DATA: RootKeyName = "HKEY_PERFORMANCE_DATA"
       Case HKEY_CURRENT_CONFIG: RootKeyName = "HKEY_CURRENT_CONFIG"
       Case HKEY_DYN_DATA: RootKeyName = "HKEY_DYN_DATA"
   End Select
End Function
Private Sub Class_Initialize()
   mvarRootKey = HKEY_ALL
   mvarSubKey = ""
   mvarSearchString = ""
End Sub

Private Sub Class_Terminate()
  lStopSearch = 1
End Sub


---------------------------------------------------------------------------------

0
 
LVL 10

Expert Comment

by:anv
ID: 12294732
Private Sub Command1_Click()
   
  Set cReg = New cRegSearch
   
  cReg.RootKey = &H0&  ' Search all of registry
 
  cReg.SearchFlags = KEY_NAME * 1 + VALUE_NAME * 1 + VALUE_VALUE * 1 + WHOLE_STRING * 0
 
  cReg.SearchString = "String to find" ' String to find   ' *******  
 
  cReg.DoSearch
 
End Sub
'try adding a loop in ur above code..

like this..

also b4 that...open ur file as TextStream which would be easier to use ..

like..

' Requires a project reference to Microsoft Scripting Runtime
Dim fso As FileSystemObject
Dim txtF As TextStream
Set fso = New FileSystemObject
Set txtF = fso.OpenTextFile("c:\SEARCH-REG.TXT", ForReading, False)

Dim stringToFind As String

While Not txtF.AtEndOfStream
  stringToFind = txtF.ReadLine
  cReg.SearchString = stringToFind
  cReg.DoSearch   ' one full registry pass for this line of the file
Wend
txtF.Close

its not full code...but u can get the idea of how to do it..from above explanation..
0
 
LVL 14

Expert Comment

by:Shiju Sasidharan
ID: 12310982
Hi
First open the text file and store the entire content in a string variable (use TextStream or normal file open functions).

u know how to extract each data from the registry, now u check each data with this string variable using InStr function.
 simple ;-)

'---------------------------------
sContent = "Content in the Text file"

if InStr(1,sContent, "Your data from registry") <> 0 then
 
   'Code for Adding data to list

end if

'-----------------------------
Shiju

0
 
LVL 27

Accepted Solution

by:
Ark earned 500 total points
ID: 12343835
Hi
Glad to see my code is useful :)
Just change
Private mvarSearchString As String
to
Private mvarSearchString As Collection
fill this collection from your file, having key and text of collection items same as file strings and in

Private Function CheckMatching(ByVal sCheck As String) As Boolean
   Dim mVar As Variant   ' needed because the class uses Option Explicit
   On Error Resume Next
   mVar = mvarSearchString(sCheck)   ' keyed lookup raises an error if sCheck is absent
   If (Err = 0) Then ' string found
      CheckMatching = True
'Optionally if you are sure sCheck occurs only once
'      mvarSearchString.Remove sCheck
   End If
End Function

Above code is for WHOLE_STRING search. For partial search use For Each...Next loop

Regards
Arkadiy Olovyannikov
0
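The accepted answer's change filled out for both the WHOLE_STRING and the partial-match case, as an added example that is not part of the original thread or of Ark's posted class. `LoadSearchFile` is a hypothetical member name; the code assumes it is pasted into the cRegSearch class module in place of the existing `mvarSearchString` declaration and `CheckMatching` function.

```vb
' Added example: replacement members for the cRegSearch class module.
' Also remove Property Let SearchString and the line
' mvarSearchString = "" in Class_Initialize, which assume a String.
Private mvarSearchString As Collection   ' was: As String

' Hypothetical helper: load one search term per line of the text file.
Public Sub LoadSearchFile(ByVal sPath As String)
    Dim hFile As Integer, sLine As String
    Set mvarSearchString = New Collection
    hFile = FreeFile
    Open sPath For Input As #hFile     ' a missing file raises to the caller
    On Error Resume Next               ' a duplicate key raises error 457; skip it
    Do While Not EOF(hFile)
        Line Input #hFile, sLine
        sLine = Trim$(sLine)
        ' Key and item are the same text, as the answer describes
        If Len(sLine) > 0 Then mvarSearchString.Add sLine, sLine
    Loop
    On Error GoTo 0
    Close #hFile
End Sub

' Called once per registry key name, value name or value data, so each
' registry item is checked against the whole list in a single pass.
Private Function CheckMatching(ByVal sCheck As String) As Boolean
    Dim vItem As Variant
    If mvarSearchString Is Nothing Then Exit Function
    If (mvarSearchFlags And WHOLE_STRING) = WHOLE_STRING Then
        ' Keyed lookup; Collection keys compare case-insensitively
        On Error Resume Next
        vItem = mvarSearchString(sCheck)
        CheckMatching = (Err.Number = 0)
        Err.Clear
    Else
        ' Partial match: test every term from the file against this item
        For Each vItem In mvarSearchString
            If InStr(1, sCheck, vItem, vbTextCompare) > 0 Then
                CheckMatching = True
                Exit For
            End If
        Next vItem
    End If
End Function
```

In the form, `cReg.SearchString = "String to find"` is then replaced by `cReg.LoadSearchFile "c:\SEARCH-REG.TXT"` before `cReg.DoSearch`.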
 
LVL 12

Expert Comment

by:BobLamberson
ID: 12529654
Jimmy,

Have you gotten the answer you needed to this question? If not, post what your further question is and see if someone can help. If you have, you need to close the question. See http://www.experts-exchange.com/help.jsp#hs5
0
