Solved

Windows Registry Key/Value Date Created/Date Modified Time Stamp and other Registry Questions

Posted on 2009-05-04
Last Modified: 2013-12-03
Question 1 (the toughest I believe)
I thought that I saw somewhere the information when a Registry Key or Value was added to the Registry Database or when it was Modified. I know that you cannot see that in the Windows Registry Editor. Is there a way to find that out?

Or is this information not even stored in the Registry Database Files themselves and also not in any other DB of Windows that could be accessed. WMI comes into my mind.
 
Question 2
How can I determine using VBScript what the Data Type of a Registry Value is? Important to me are subtle differences like REG_SZ, REG_EXPAND_SZ or REG_MULTI_SZ. The functions of the Windows Script Host do not provide that information. For them String is String, but it makes a big difference for the Registry. Following this question, how can I create a value with VBScript with the data type REG_MULTI_SZ? The WshShellObject (WScript.Shell) reference for RegWrite method explicitly states that writing Multi String values is not supported by WSH.

Question 3.
How can I open and then read, write or delete keys and values from a registry file that is not a registry database file from my own operating system, for example the registry of a system that crashed and where I booted from a boot disk with file access to that system and would like to use some scripts for extracting or inserting data for data recovery purposes and/or to maybe fix what causes the system to crash?

I know that you can somehow load registry files into your own system registry (although I don't know how that actually works) with different Key and Hive names. I saw some tools doing it, but I would like to do it myself and be able to write my own scripts to have the flexibility that I need.

VBScript Code samples or links to them would be appreciated. Thanks

I will reward 200 points for full answers of the first question and 150 points each for the 2nd and 3rd question. If you are able to answer all three, you will get the full 500 points.


'WSH RegWrite Method

Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKCU\Software\ACME\FortuneTeller\", 1, "REG_BINARY"
WshShell.RegWrite "HKCU\Software\ACME\FortuneTeller\MindReader", "Goocher!", "REG_SZ"

'Supported Data Types: REG_SZ, REG_DWORD, REG_BINARY, REG_EXPAND_SZ
'Not Supported Data Type: REG_MULTI_SZ

Question by:Cumbrowski
9 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 24296793
Q1:

'RegQueryInfoKey()' (http://msdn.microsoft.com/en-us/library/ms724902(VS.85).aspx) can do that for keys, but there is no equivalent API to retrieve the creation/modification time of values.

Q2:

'RegEnumValue()' (http://msdn.microsoft.com/en-us/library/ms724865(VS.85).aspx) allows you to iterate through a key's values and also obtain the data type as well as the contents.

Q3:

That can be done using 'RegLoadKey()' (http://msdn.microsoft.com/en-us/library/ms724889(VS.85).aspx) for a registry file on your machine or 'RegConnectRegistry()' (http://msdn.microsoft.com/en-us/library/ms724840(VS.85).aspx) if you want to read the registry of a remote computer.
0
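An added example, not part of the thread: for Q1 and Q3 together, the last-write time that RegQueryInfoKey() reports is stored in each key node ("nk" cell) of the hive file, so it can be read from an offline copy without loading it. The sketch below reads only the root key; the offsets are the regf layout as assumed here, and the sample hive is constructed in memory rather than taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
HBIN_BASE = 0x1000      # hive bins start after the 4096-byte base block
KEY_COMP_NAME = 0x0020  # nk flag: name stored as ASCII instead of UTF-16LE

def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def root_key_info(hive):
    """Return (name, last_write_utc, value_count) of the hive's root key."""
    if hive[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    (root_off,) = struct.unpack_from("<I", hive, 0x24)
    cell = HBIN_BASE + root_off
    (size,) = struct.unpack_from("<i", hive, cell)
    nk = cell + 4
    if size >= 0 or hive[nk:nk + 2] != b"nk":
        raise ValueError("root cell is not an allocated key node")
    flags, ft = struct.unpack_from("<HQ", hive, nk + 2)  # timestamp at nk+4
    (n_values,) = struct.unpack_from("<I", hive, nk + 0x24)
    (name_len,) = struct.unpack_from("<H", hive, nk + 0x48)
    raw = hive[nk + 0x4C:nk + 0x4C + name_len]
    name = raw.decode("ascii" if flags & KEY_COMP_NAME else "utf-16-le")
    return name, filetime_to_utc(ft), n_values

def build_sample_hive(when, name=b"TempHive"):
    """Constructed input: base block plus one bin holding only a root key."""
    base = bytearray(0x1000)
    base[:4] = b"regf"
    struct.pack_into("<I", base, 0x24, 0x20)  # first cell follows 32-byte bin header
    nk = bytearray(0x4C) + name
    nk[:2] = b"nk"
    ft = (when - EPOCH) // timedelta(microseconds=1) * 10
    struct.pack_into("<HQ", nk, 2, KEY_COMP_NAME, ft)
    struct.pack_into("<H", nk, 0x48, len(name))
    hbin = bytearray(0x1000)
    hbin[:4] = b"hbin"
    total = (4 + len(nk) + 7) & ~7            # cells are 8-byte aligned
    hbin[0x20:0x24 + len(nk)] = struct.pack("<i", -total) + nk
    return bytes(base + hbin)

if __name__ == "__main__":
    sample = build_sample_hive(datetime(2009, 5, 4, tzinfo=timezone.utc))
    print(root_key_info(sample))
```

Value records in the hive carry a name, a type and data but no timestamp field, so the closest available evidence for a value change is the last-write time of its parent key.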
 
LVL 5

Author Comment

by:Cumbrowski
ID: 24299207
Thanks JKR,

Half way from how it seems.
I am not a C++ programmer, but all the MSDN articles are for C++.
How can I make use of those in VBScript?

Thanks
0
 
LVL 86

Expert Comment

by:jkr
ID: 24299610
Well, these APIs should be accessible from VBS also - at least they are from any 'managed' languages (or 'regular' VB), so there must be some way...
0
 
LVL 5

Author Comment

by:Cumbrowski
ID: 24300730
Not always, but pretty much always differently than with C++ or even VB.NET

I would like to give you half the points (250) (for half the overall answer). How do I do that?
0
 
LVL 5

Author Comment

by:Cumbrowski
ID: 24369806
I was able to figure out the answers for Question 2 and 3 myself. See code samples below.

I have not found an answer for Question 1 yet though. If somebody could translate the C++ stuff to VBScript that would be great. I am referring to this:

'RegQueryInfoKey()' (http://msdn.microsoft.com/en-us/library/ms724902(VS.85).aspx)


Question 2)

========================================================
Creating Expanded String Values
-----------------------------------------
Uses WMI to create an expanded string value under HKLM\SOFTWARE\System Admin Scripting Guide.

Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\System Admin Scripting Guide"
strValueName = "Expanded String Value Name"
strValue = "%PATHEXT%"

oReg.SetExpandedStringValue _
    HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
 
 
 

------------------------------------------------------------------------
Uses WMI to list all the registry values and their types under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

' Run with cscript.exe: WScript.StdOut is not available under wscript.exe
Const HKEY_LOCAL_MACHINE = &H80000002
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7

strComputer = "."
Set StdOut = WScript.StdOut

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

strKeyPath = "SYSTEM\CurrentControlSet\Control\Lsa"

' EnumValues fills two parallel arrays: value names and numeric type codes
oReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, _
    arrValueNames, arrValueTypes

' arrValueNames is Null (not an array) when the key has no values
If IsArray(arrValueNames) Then
    For i = 0 To UBound(arrValueNames)
        StdOut.WriteLine "Value Name: " & arrValueNames(i)

        Select Case arrValueTypes(i)
            Case REG_SZ
                StdOut.WriteLine "Data Type: String"
            Case REG_EXPAND_SZ
                StdOut.WriteLine "Data Type: Expanded String"
            Case REG_BINARY
                StdOut.WriteLine "Data Type: Binary"
            Case REG_DWORD
                StdOut.WriteLine "Data Type: DWORD"
            Case REG_MULTI_SZ
                StdOut.WriteLine "Data Type: Multi String"
            Case Else
                ' Any type code not listed in the constants above
                StdOut.WriteLine "Data Type: Other (" & arrValueTypes(i) & ")"
        End Select
        StdOut.WriteBlankLines(1)
    Next
End If
 

Question 3)

==================================================================

You can attach registry databases from other systems to your own registry (and detach them) with the REG command line command.
 

Load Registry
----------------------------------------
REG LOAD KeyName FileName

  KeyName    ROOTKEY\SubKey (local machine only)
             ROOTKEY  [ HKLM | HKU ]
  SubKey     The key name to load the hive file into. Creating a new key
  FileName   The name of the hive file to load
             You must use REG SAVE to create this file

Examples:

  REG LOAD HKLM\TempHive TempHive.hiv
      Loads the file TempHive.hiv to the Key HKLM\TempHive

Unloading
-------------------------------
REG UNLOAD KeyName

  KeyName    ROOTKEY\SubKey (local machine only)
             ROOTKEY  [ HKLM | HKU ]
  SubKey     The key name of the hive to unload

Examples:

  REG UNLOAD HKLM\TempHive
      Unloads the hive TempHive in HKLM

The REG LOAD and REG UNLOAD commands can easily be executed using the RUN method of the WScript.Shell object like:

Dim strCmdLine
strCmdLine = "REG LOAD HKLM\TempHive TempHive.hiv"
CreateObject("WScript.Shell").Run strCmdLine, 0, True


0
 
LVL 86

Accepted Solution

by:
jkr earned 500 total points
ID: 24370119
0
 
LVL 5

Author Comment

by:Cumbrowski
ID: 24370953
Thanks jkr. The article is interesting in itself, but did not answer question 1.... however.. it refers to an article by the same author that does address that question. See

Reading and Writing Registry Keys with Visual Basic
http://www.windowsdevcenter.com/lpt/a/4923

especially the paragraph "Getting Information about Keys"
0
 
LVL 5

Author Closing Comment

by:Cumbrowski
ID: 31577617
Not directly answered the remaining question, but pointed (by accident or on purpose) to the right direction, which led to the actual answer :)
0
 
LVL 86

Expert Comment

by:jkr
ID: 24370984
Glad to be of some help - make sure your next Q is more C/C++ related, please ;o)
0
