• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2241

VBScript - How to Write To an inuse Registry Hive

So, I am trying to write a VBScript to disable JavaScript within Adobe Reader, and I'm running into a small snag.  My plan is to run this over the network as an account with Admin rights on all of the computers.  I can write to the default user profile, I can write to any user profile who hasn't logged in since the last restart, and I can even write to the registry of the user running the script, but how do you write to a different user's registry hive when that user is currently logged in but is not the current user?  My only guess right now was to maybe add a script to the startup routine of that user to add the key as that user.  Any thoughts?  Below is my script thus far.

On Error Resume next
Const HKEY_USERS = &H80000003
Const HKEY_LOCAL_MACHINE = &H80000002
Set oFSO = CreateObject("Scripting.FileSystemObject")
set oShell = WScript.CreateObject("WScript.Shell")
strUserProfile = oShell.ExpandEnvironmentStrings("%UserProfile%")
 
Dim bReader9,bReader8,bAcrobat9,bAcrobat8
 
bReader9 = False
bReader8 = False
bAcrobat9 = False
bAcrobat8 = False
 
If oFSO.FolderExists("C:\Program Files\Adobe\Reader 9.0") Then bReader9 = True
If oFSO.FolderExists("C:\Program Files\Adobe\Reader 8.0") Then bReader8 = True
If oFSO.FolderExists("C:\Program Files\Adobe\Acrobat 9.0") Then bAcrobat9 = True
If oFSO.FolderExists("C:\Program Files\Adobe\Acrobat 8.0") Then bAcrobat8 = True
 
strComputer = "."
 
Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
 
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
 
For Each subkey In arrSubKeys
	objReg.GetExpandedStringValue HKEY_LOCAL_MACHINE, strKeyPath & "\" & subkey, "ProfileImagePath", strProfileDir
	if oFSO.FolderExists(strProfileDir & "\Desktop") Then
		if left(strProfileDir, 26) = "C:\Documents and Settings\" then
			if right(strProfileDir, 12) <> "LocalService" then
				if strProfileDir = strUserProfile Then
					'Current User Profile
					If bReader9 = True Then oShell.RegWrite "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
					If bReader8 = True Then oShell.RegWrite "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
					If bAcrobat9 = True Then oShell.RegWrite "HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\JSPrefs\bEnableJS","0","REG_DWORD"
					If bAcrobat8 = True Then oShell.RegWrite "HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\JSPrefs\bEnableJS","0","REG_DWORD"
				Else
					'Non-Logged in user profiles
					oShell.Run ("reg.exe load HKEY_USERS\CUSTOM """ & strProfileDir & "\NTuser.dat"""), 0, True
					wscript.sleep 1000
					If bReader9 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
					If bReader8 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
					If bAcrobat9 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Adobe Acrobat\9.0\JSPrefs\bEnableJS","0","REG_DWORD"
					If bAcrobat8 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Adobe Acrobat\8.0\JSPrefs\bEnableJS","0","REG_DWORD"
					wscript.sleep 1000
					oShell.Run ("REG.EXE unload HKEY_USERS\CUSTOM"), 0, True
				end if
			end If
		end If
	end if
Next
 
 
 
 
'Default User Profile
oShell.Run ("REG.EXE LOAD HKEY_USERS\CUSTOM ""%ALLUSERSPROFILE%\..\Default User\NTUSER.DAT"""), 0, True
wscript.sleep 1000
If bReader9 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
If bReader8 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
If bAcrobat9 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Adobe Acrobat\9.0\JSPrefs\bEnableJS","0","REG_DWORD"
If bAcrobat8 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Adobe Acrobat\8.0\JSPrefs\bEnableJS","0","REG_DWORD"
wscript.sleep 1000
oShell.Run ("REG.EXE UNLOAD HKEY_USERS\CUSTOM"), 0, True
 
 
 
Function ReadRegKey(byval pstrRegKey) 
	on Error Resume Next 
	Dim Result 
	Dim WSHShell 
	Set WSHShell = CreateObject("WScript.Shell") 
	Result = WSHShell.RegRead (pstrRegKey) 
 
	If Hex(Err) = "80070002" Then 
	Result = "[None]" 
	End If 
 
	ReadRegKey = Result 
 
	Set WSHShell = Nothing 
 
	on Error Goto 0 
end Function

Asked by: martel73

1 Solution
 
Donald Stewart (Network Administrator) commented:
These ADMs worked for me:

CLASS USER
CATEGORY "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
 POLICY "bConsoleOpen"
  PART "bConsoleOpen"
  NUMERIC
  VALUENAME "bConsoleOpen"
  END PART
 END POLICY
 POLICY "bEnableJS"
  PART "bEnableJS"
  NUMERIC
  VALUENAME "bEnableJS"
  END PART
 END POLICY
 POLICY "bEnableMenuItems"
  PART "bEnableMenuItems"
  NUMERIC
  VALUENAME "bEnableMenuItems"
  END PART
 END POLICY
END CATEGORY
 
 
 
 
CLASS USER
CATEGORY "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
 POLICY "bConsoleOpen"
  PART "bConsoleOpen"
  NUMERIC
  VALUENAME "bConsoleOpen"
  END PART
 END POLICY
 POLICY "bEnableJS"
  PART "bEnableJS"
  NUMERIC
  VALUENAME "bEnableJS"
  END PART
 END POLICY
 POLICY "bEnableMenuItems"
  PART "bEnableMenuItems"
  NUMERIC
  VALUENAME "bEnableMenuItems"
  END PART
 END POLICY
END CATEGORY
 
martel73 (Author) commented:
Unfortunately I can't use group policy, because our network admins have their heads up their rears.  The conversation went something like this...

Me: We need to push out a registry key via group policy because there is a security hole in Adobe that won't be patched for 2-3 weeks.

Admin: Doesn't sound like a network problem to me.

Me: Um, well it is easily fixable via group policy.

Admin: Nah, I think you should just take care of it yourself.

Me: So instead of adding a group policy template, you are going to try and make me deploy a script to over two thousand computers?

Admin: Yep.

Me: AHHHHHH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!  Why!!!?!?!??!?!

Admin: I'm not going to risk breaking the network by making a group policy when you can just take care of this yourself.

Me: WTF!?!?!?!?!?

Admin's Boss:  Job well done Admin, you've managed to not only stop a tech from dropping work on your lap, but you managed to piss them off in the process.  You have made me proud.


In all fairness, the Network Admin Manager is out of the office, but that's what he would have said had he been there.
 
martel73 (Author) commented:
Also, don't forget to patch Adobe Acrobat if you have it installed on any computers (or set to be the default reader on any computers).  Your two templates will only cover Reader.

 
Donald Stewart (Network Administrator) commented:
LOL...nice conversation above
"Admin: Doesn't sound like a network problem to me."
 
Let him explain to his boss how 2000 computers got infected on the network instead of pushing out a registry change that takes all of 2 minutes to implement.
 
Donald Stewart (Network Administrator) commented:
Use psexec with the "-i" switch to get the users that are logged on.
 
Donald Stewart (Network Administrator) commented:
Export your registry setting as adobejavascript.reg and put this line in a .bat:
regedit /s \\server\share\adobejavascript.reg
 
Run psexec.exe \\* -c -i \\path\to\.bat file (the "*" will run it on every computer in the domain). I think you can add the "-d" switch so that it won't wait for the command to complete before starting the next.
 
Donald Stewart (Network Administrator) commented:
give this a try :-)



;----------------------------------------
; Administrative Template
; Adding and enabling this template will allow you to disable
; javascript in Adobe Reader/professional versions 6-9
;
;Remember in GPMC to go View->Filtering
;and uncheck "Only show policy settings that can be fully managed"
 
 
CLASS USER
 
CATEGORY !!custompolicy
CATEGORY !!adobe
 
POLICY "JavaScript Reader 9.x"
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
 
POLICY "JavaScript Acrobat 9.x"
KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
 
POLICY "JavaScript Reader 8.x"
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
 
POLICY "JavaScript Acrobat 8.x"
KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
 
POLICY "JavaScript Reader 7.x"
KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
 
POLICY "JavaScript Acrobat 7.x"
KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
 
POLICY "JavaScript Reader 6.x"
KEYNAME "Software\Adobe\Acrobat Reader\6.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 6.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
 
POLICY "JavaScript Acrobat 6.x"
KEYNAME "Software\Adobe\Adobe Acrobat\6.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 6.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
 
END CATEGORY ; adobe
END CATEGORY ; custompolicy
 
[strings]
custompolicy="Custom Policy Settings"
adobe="Adobe Acrobat/Reader 6.x - 9.x"

 
martel73 (Author) commented:
Okay, I figured it out.  I don't know what I was thinking.  When a user's registry hive is in use, it is mounted in the HK_Users\<SID OF USER> folder.  So I just tweaked my code to write to that folder if the hive is in use (i.e. it errors when you try to write to it).  Below is the working code.  I pushed it out to 75% of our computers in about an hour.  Not too shabby.  Luckily it doesn't matter if the user is logged in or not, or even if Adobe is open or closed.

On Error Resume Next
Const HKEY_USERS = &H80000003
Const HKEY_LOCAL_MACHINE = &H80000002
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oShell = WScript.CreateObject("WScript.Shell")
strUserProfile = oShell.ExpandEnvironmentStrings("%UserProfile%")
eProgramFiles = oShell.ExpandEnvironmentStrings("%ProgramFiles%")
 
Dim bReader9, bReader8, bAcrobat9, bAcrobat8
 
bReader9 = False
bReader8 = False
bAcrobat9 = False
bAcrobat8 = False
 
'Detect which Adobe products are installed by their install folders
If oFSO.FolderExists(eProgramFiles & "\Adobe\Reader 9.0") Then bReader9 = True
If oFSO.FolderExists(eProgramFiles & "\Adobe\Reader 8.0") Then bReader8 = True
If oFSO.FolderExists(eProgramFiles & "\Adobe\Acrobat 9.0") Then bAcrobat9 = True
If oFSO.FolderExists(eProgramFiles & "\Adobe\Acrobat 8.0") Then bAcrobat8 = True
 
strComputer = "."
 
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
 
'Every profile on the machine is listed here; each subkey name is the account's SID
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
 
For Each subkey In arrSubKeys
	objReg.GetExpandedStringValue HKEY_LOCAL_MACHINE, strKeyPath & "\" & subkey, "ProfileImagePath", strProfileDir
	'Only real user profiles (Desktop, or Escritorio on Spanish installs), excluding LocalService
	If oFSO.FolderExists(strProfileDir & "\Desktop") Or oFSO.FolderExists(strProfileDir & "\Escritorio") Then
		If Left(strProfileDir, 26) = "C:\Documents and Settings\" Then
			If Right(strProfileDir, 12) <> "LocalService" Then
				If strProfileDir = strUserProfile Then
					'Current User Profile: its hive is HKEY_CURRENT_USER
					If bReader9 = True Then oShell.RegWrite "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
					If bReader8 = True Then oShell.RegWrite "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
					If bAcrobat9 = True Then oShell.RegWrite "HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
					If bAcrobat8 = True Then oShell.RegWrite "HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
				Else
					'Other profiles: try to mount NTUSER.DAT as a temporary HKEY_USERS\CUSTOM hive
					oShell.Run ("reg.exe load HKEY_USERS\CUSTOM """ & strProfileDir & "\NTuser.dat"""), 0, True
					WScript.Sleep 1000
					'Clear any stale error so the Err check below reflects only these writes
					Err.Clear
					If bReader9 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
					If bReader8 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
					If bAcrobat9 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Adobe Acrobat\9.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
					If bAcrobat8 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Adobe Acrobat\8.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
					If Err.Number <> 0 Then
						'The write failed because the hive could not be loaded: the user is logged on,
						'so the hive is already mounted as HKEY_USERS\<SID>, and subkey is that SID
						If bReader9 = True Then oShell.RegWrite "HKEY_USERS\" & subkey & "\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
						If bReader8 = True Then oShell.RegWrite "HKEY_USERS\" & subkey & "\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
						If bAcrobat9 = True Then oShell.RegWrite "HKEY_USERS\" & subkey & "\Software\Adobe\Adobe Acrobat\9.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
						If bAcrobat8 = True Then oShell.RegWrite "HKEY_USERS\" & subkey & "\Software\Adobe\Adobe Acrobat\8.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
						Err.Clear
					End If
					WScript.Sleep 1000
					oShell.Run ("REG.EXE unload HKEY_USERS\CUSTOM"), 0, True
				End If
			End If
		End If
	End If
Next
 
'Default User Profile (template copied for accounts that have never logged on)
oShell.Run ("REG.EXE LOAD HKEY_USERS\CUSTOM ""%ALLUSERSPROFILE%\..\Default User\NTUSER.DAT"""), 0, True
WScript.Sleep 1000
If bReader9 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
If bReader8 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
If bAcrobat9 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Adobe Acrobat\9.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
If bAcrobat8 = True Then oShell.RegWrite "HKEY_USERS\CUSTOM\Software\Adobe\Adobe Acrobat\8.0\JSPrefs\bEnableJS", "0", "REG_DWORD"
WScript.Sleep 1000
oShell.Run ("REG.EXE UNLOAD HKEY_USERS\CUSTOM"), 0, True
 
'Helper (not called above): read a value, returning "[None]" when the key or value does not exist
Function ReadRegKey(ByVal pstrRegKey)
	On Error Resume Next
	Dim Result
	Dim WSHShell
	Set WSHShell = CreateObject("WScript.Shell")
	Result = WSHShell.RegRead(pstrRegKey)
 
	'&H80070002 is ERROR_FILE_NOT_FOUND wrapped as an HRESULT
	If Hex(Err.Number) = "80070002" Then
		Result = "[None]"
	End If
 
	ReadRegKey = Result
 
	Set WSHShell = Nothing
 
	On Error GoTo 0
End Function

 
Donald Stewart (Network Administrator) commented:
I am using the adm above and it works perfect, in case you wanted to try it
 
Donald Stewart (Network Administrator) commented:
Thought you might want to know this also. The user can re-enable it upon being prompted by a PDF requiring JS. So, by default, if you are using group policy you'll have a +-90 minute window of exposure before GP applies over the user's change.
 
So you would be better off using group policy, and modifying your gp refresh rate to like 15 minutes
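The technique martel73 settles on above (a hive that is in use is already mounted as HKEY_USERS\<SID>, so write there; mount NTUSER.DAT for everyone else) and Donald Stewart's caveat that a user can switch bEnableJS back on, written up as one added PowerShell example. This is not code from the thread. It swaps the error-probing test for a direct check of whether HKEY_USERS\<SID> exists, filters on the SID instead of the profile path (which also drops the LocalService/NetworkService/SYSTEM profiles), and adds an -Audit switch that reports the current bEnableJS value per profile so a user-side change can be spotted. Assumptions: Windows PowerShell 4 or later, an elevated session, reg.exe available, the four key paths from the thread; TempHive_EE is a made-up mount name, and the thread's separate Default User step is omitted.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Enforce or audit Adobe Reader/Acrobat bEnableJS
# for every local user profile, whether or not that user's hive is currently loaded.
# Assumptions: Windows PowerShell 4+, elevated session, reg.exe on PATH.
param(
    [switch]$Audit   # report current values instead of writing 0
)

# Per-user key paths used in the thread, relative to the hive root
$JsKeys = @(
    'Software\Adobe\Acrobat Reader\9.0\JSPrefs',
    'Software\Adobe\Acrobat Reader\8.0\JSPrefs',
    'Software\Adobe\Adobe Acrobat\9.0\JSPrefs',
    'Software\Adobe\Adobe Acrobat\8.0\JSPrefs'
)
$TempHiveName = 'TempHive_EE'   # hypothetical mount point for offline NTUSER.DAT files

function Get-LocalProfiles {
    # ProfileList subkey names are SIDs; ProfileImagePath is the profile folder
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $list | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        [pscustomobject]@{
            Sid    = $sid
            Path   = [Environment]::ExpandEnvironmentVariables($path)
            # Deterministic in-use test: a loaded hive appears directly under HKEY_USERS
            Loaded = Test-Path -Path "Registry::HKEY_USERS\$sid"
        }
    } | Where-Object { $_.Sid -like 'S-1-5-21-*' }   # real accounts only; skips S-1-5-18/19/20
}

function Set-JsPrefs {
    param([string]$HiveRoot, [string]$Sid, [switch]$Audit)
    foreach ($rel in $JsKeys) {
        $key = "Registry::$HiveRoot\$rel"
        if ($Audit) {
            # $null when the key or value is absent (product never run under this profile)
            $cur = (Get-ItemProperty -Path $key -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
            [pscustomobject]@{ Sid = $Sid; Key = $rel; bEnableJS = $cur }
        } else {
            if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name bEnableJS -Value 0 -Type DWord
        }
    }
}

foreach ($prof in Get-LocalProfiles) {
    if ($prof.Loaded) {
        # Logged-on user (including the account running this script): write to HKEY_USERS\<SID>
        Set-JsPrefs -HiveRoot "HKEY_USERS\$($prof.Sid)" -Sid $prof.Sid -Audit:$Audit
        continue
    }
    $dat = Join-Path -Path $prof.Path -ChildPath 'NTUSER.DAT'
    if (-not (Test-Path -Path $dat)) { continue }
    # Offline profile: mount the hive, edit it, then release handles so reg unload succeeds
    & reg.exe load "HKU\$TempHiveName" $dat | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $($prof.Sid)"; continue }
    try {
        Set-JsPrefs -HiveRoot "HKEY_USERS\$TempHiveName" -Sid $prof.Sid -Audit:$Audit
    } finally {
        # The registry provider keeps handles open; collect them or reg unload reports access denied
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$TempHiveName" | Out-Null
    }
}
```

Run it with no arguments to enforce the setting, or with -Audit to get one object per profile and key; a bEnableJS of 1 on a profile you already pushed to is the user-side re-enable Donald describes, and an empty value means that product has never been run under that profile. The GC calls before reg unload matter: the PowerShell registry provider holds open handles to the mounted hive, and without releasing them the unload fails and the next run cannot reuse the mount name.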
 
martel73 (Author) commented:
LOL, we don't refresh GP on a schedule, because someone complained that their screen flickered every 90 minutes.  So, no GP updates for us.  We only force a GP update when a change is made.  Yes, I know how dumb that is.  Yes, I've done a considerable amount of yelling at people to try and get that changed.  No, they haven't listened.  Yes, I've seen group policy go well over two months at a time without a single forced refresh.
 
Donald Stewart (Network Administrator) commented:
Well, my main point was "The user can re-enable it upon being prompted by a pdf requiring JS"
 
Donald Stewart (Network Administrator) commented:
LOL....so much for your registry edit or the ADM
 
http://isc.sans.org/diary.html?storyid=5926 
 
martel73 (Author) commented:
Yeah, I saw that yesterday.  It's really not a big deal.  Malware authors typically go for the low hanging fruit on the tree.  I'm sure they'll be happy enough to exploit this in all of the slackers who choose to do nothing.  I'll be surprised to see any in-the-wild non-javascript exploits of this before 9.1 comes out.
