Andrew Salm


How to delete reg key on multiple systems

Hi all...

I've tried finding what I need but most solutions offer various entries and switches on a vbs script or batch file.

I need to delete one single registry key if it is present. The key is as an example:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\DATALOSS1000

How can I accomplish this, and run it remotely on approximately 300 systems?

Batch file preferred...

Thanks in advance...
David Favor

Been years since I used Windoze. As I recall, the way I used to do this was to ssh into each machine + run reg on the command line.

You'd have to devise an approach that will work for your specific network layout.

Also, if you're using a Windoze machine to initiate all these commands, then you'd use Putty, rather than ssh.
You can use the REG DELETE command (and with a batch file)

http://www.edugeek.net/forums/windows-7/95213-deleting-registry-entries-batch-file.html

Be careful that the location is the same on all 300 machines!
Use  REG.exe or GPO Preferences
REG DELETE "\\COMPUTERNAME\HKLM\SOFTWARE\WOW6432Node\Network Associates\ePolicy Orchestrator\Application Plugins" /f /v DATALOSS1000


You can multithread it with CommandThreader
https://www.experts-exchange.com/articles/30139/How-to-thread-single-threaded-applications.html
Andrew Salm

ASKER

Shaun Vermaak....

Your answer is closest to what I am looking for, although I am running in to an issue.

I get the error as follows:
1. Network path not found

when I change the script to:
REG DELETE "%computername%\Computer\HKLM\SOFTWARE\WOW6432Node\Network Associates\ePolicy Orchestrator\Application Plugins" /f /v DATALOSS1000

I get the error:
Invalid Key Name
Andrew, the problem is Shaun already included "Computer" in the answer.

REG DELETE "\\%computername%\HKLM\SOFTWARE\WOW6432Node\Network Associates\ePolicy Orchestrator\Application Plugins" /f /v DATALOSS1000


Is DATALOSS1000 a key or a value?
Also, you can easily run this in a regular sequential manner with a simple for-loop without using the linked 3rd party code.

If you want to grab all the computer names from Active Directory to loop through you can use dsquery:

REM DeleteKeyAD.cmd
@(
   SETLOCAL
   ECHO OFF
   SET "_eLvl=0"
)

CALL :Main

(
   ENDLOCAL
   Exit /b %_eLvl%
)

:Main
   FOR /F "Tokens=2 Delims==," %%A IN ('dsquery computer -limit 0') DO (
      REG DELETE "\\%%~A\HKLM\SOFTWARE\WOW6432Node\Network Associates\ePolicy Orchestrator\Application Plugins" /f /v DATALOSS1000
   )
GOTO :EOF


Hello Ben,

First of all I realized the addition of "computer" in the syntax that Shaun provided. I ended up making it work with the following syntax:

REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\DATALOSS1000" /f

The DATALOSS1000 is the "Key" that I need to remove entirely.

Ben, how does this batch script work and do I need to provide admin credentials, or can I run it with admin credentials.
How long would this take on a network with approximately 2500 systems?
That (Reg Delete) is one good and correct way to do this.
Hello Andrew,

  Yeah that first part was a bit obvious, but since it was in the example it looked like you might need to have it cleared up.

   Since Data loss is the key you already hit upon how to delete the entire key, you can marry the two parts together to accomplish this.

  Running sequentially on 2500 Systems will probably get you in the order of 3-4 hours (rounding up to 3600 systems, and assuming 3 seconds per system on average -- this is a rough estimate based on the timeout value for the query being 4 seconds)

  This batch script works by querying the Active Directory for all the computer objects.

  Note: If I recall, DSQuery computer will not need admin privileges to run, but it would only be installed on a server OS by default.  (However, if needed you could run this as a domain admin beforehand and save the output to a text file, if that is an issue, at the CLI as such:)

FOR /F "Tokens=2 Delims==," %A IN ('DSQuery computer -limit 0') DO @(ECHO.%~A>>C:\Some\Folder\ADComputerList.txt)



And then we would read that text file for the FOR loop in the batch file.

 The script uses the list, whichever way you do it, to loop and connect to each computer's registry to run the command (THIS DOES require that the user you are running as has administrative level rights to each end-point, or that the credentials are pre-loaded into the Windows credential manager.)
If you run it sequentially it will take very long, that is why I recommended CommandThreader
https://www.experts-exchange.com/articles/30139/How-to-thread-single-threaded-applications.html
SOLUTION
McKnife

This solution is only available to members.
Echo McKnife, look at GPO to potentially deny access to this key for reading by users or to whom..
Not sure whether you can use GPO to remove a key.
GPO/GPP will apply following a reboot.
Reg delete in a startup/shutdowns computer based GPO...

Using wmic/powershell/vbscript to check for the presence of the key and then its removal with logging/recording info computer/system key removed, date of removal.....
Sorry, but who with a clear mind would suggest to run this from remote when there are 2500 machines involved?
I would. I have used CommandThreader against 68000 Computers to get the system information, took a few hours with 20 threads. Easy to configure firewall and access. Offline computers can be retargeted.
Yeah, but why, there is no reason for this effort in this case. A reg deletion is child's play and no mammoth action.
Agree, that is why I also mention GPO Preferences in my first comment #a42205896
@Arnold,

  Well he did ask us for a script, it crossed my mind to suggest the GPO method as well, but he seemed keen on a script.

  Also, keep in mind that to do this via GPO, you will be making changes via the Computer settings (requires a restart, or GPOUpdate /force run on the machine to get it to occur), or you need to make it part of the user's policy (requires 15 minutes to 2 hours for the policy to be refreshed unless a user logs on or you run GPOUpdate).

 I have several GPOs that change registry items through the User options, but they do not apply unless a user logs in, or you run GPOUpdate /force. In these cases you can still see the registry key present in the hive until either a user logs on after the GPO was updated, or you run GPO Update /force, but I haven't looked into the exact mechanisms and caveats for this since it hasn't ever mattered for the types of registry changes we've made this way.


 In any case, it's the sort of thing you can easily kick off and let run over a few hours, and with some minor modifications you can keep track of all systems, their successes and their failures, including checking if they are pingable first and with it as a log and also write the fails into a new start file to re-run later.

  I actually did a similar thing earlier this year on around 300 machines and it only took 15 minutes to query several keys per machine, while half of them were local and the other half were through a WAN link (VPN) with about 100 ms latency.

  This averaged to 2 seconds per machine, and most of that slowness was due to the WAN link, but your mileage may vary.  This is why I just assumed 3600 machines instead of 2500 and assumed 3 seconds per machine to account for local machines taking 1 second or less, while local machines might take 2-3 and unavailable machines might take 10.

  I was able to reduce that run time to about 10 minutes, as the domain had a lot of bad objects, and I found that by using ping to check their availability, I found that doing a couple pings with a 100 ms timeout and then testing availability with a 1000 ms timeout was very solid at reducing false unreachable reporting even across the WAN, and this reduced the number of timeouts due to RPC being unavailable.

  On the reliability side, I also was able to reduce RPC errors further by trying to map a drive first using supplied credentials, but this also meant that servers which timed out took even longer to do so, which was a trade off.

  I thought about threading it because I could have done so, considering I did it all as a single-line command instead of a batch script, so I was thinking about creating a batch to do the query and change and then using CMD to start it with its own little looper and then just read the results since it's not really that hard to write some quick and dirty CMDs to do that (I do this for pings across many sites I want to start and leave running all the time), but it wasn't worth the effort considering the run-time for 300 systems.

 For 2500 systems you could get really lucky and be done in about an hour, or maybe it takes 4 hours, but unless there is urgent need to make sure the changes happen in unison, I probably wouldn't bother threading it whether doing it in the CLI natively or some other means.

 
But that's my two cents.

 In the end, I think this is mostly just a case of running with the author's actual request because it's a fairly simply executed Idea as a script, and what the author requested.
@Ben's "keep in mind that to do this via GPO, you will be making changes via the Computer settings (requires a restart, or GPOUpdate /force run on the machine to get it to occur" - um, no. The GPO background refresh (occurs by default every 90 minutes) will do.
The refresh, will kick in if one makes changes to an existing GPO, not sure about a new one.......
At times when one asks a question one has their own background as the basis for formulating the question.
There are potentially many ways to skin this, possible vbscript, powershell, wmic, but as was pointed out, if windows Firewall is active on the clients, remote access to that client will not be possible.
The GPO is a do and wait. NEW GPO will deal with future issues where the install package that created this reference .. will be handling this event ..........

If this is a key that causes issues, a policy that makes sure that this key does not reappear....... in the future...

Have not tested the implication of changes potentially, some changes might kick-in the removal startup/shutdown process will not trigger until the event....
have added registry records, have not tried to remove .....
@mcknife there is a 30 minute stagger on GPO refresh + a 15 minutes replication time for the GPO to be available in a moderately sized environment.

So, perhaps I should have said it can take up to 120 minutes total before a GPO is refreshed by a particular client plus about 15 minutes to ensure the GPO has replicated (assuming fast links and tcp/ip replication) and can be applied by a domain controller in the site the client machine is in in the first place.

 So technically between 1 and 135 minutes.

But that is a bare bones minimum.  Maybe you have slow links with smtp (defaults to 90 minutes) or non-default replication times and/or complex replication patterns for multi geographical locations.
I appreciate all the feedback here so far. Thank you all for your contributions.

Unfortunately I don't have the ability in this case to use GPO for this. I literally need a script that I can push and run to selected systems. I don't care if it takes 2 or 3 hours... I just need that key gone. I believe there may only be about 550 systems with this key present.

Again, if anyone has a script for deleting this key, I would greatly appreciate it.

Thanks again for all of your feedback and suggestions.
Hey Andrew,

  This will do what you need, it will get all the names of all the computers from Active directory, loop through them and delete the registry key.

  It will keep track of where the registry key was deleted in a log file for you.

REM DeleteKeyAD.cmd
@(
	SETLOCAL EnableDelayedExpansion
	ECHO OFF
	SET "_eLvl=0"
	CALL :GetDateTime
	SET "_LogFile=%~dp0\Log\%~n0_Log_!IsoDate!_!IsoTime!.log"
	IF NOT EXIST "%~dp0\Log" (
		MD "%~dp0\Log"
	)
	SET "Write-Output=CALL :OutEcho "
)

CALL :Main

(
	ENDLOCAL
	Exit /b %_eLvl%
)

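:Main
	FOR /F "Tokens=2 Delims==," %%A IN ('dsquery computer -limit 0') DO (
		REM First ping only primes the host, its result is ignored.
		PING -n 1 -w 200 %%~A >NUL
		REM Second ping decides whether the host is treated as reachable.
		PING -n 1 -w 200 %%~A >NUL
		REM IF ERRORLEVEL is used so a failed ping cannot fall through to the delete-failed message.
		REM The messages carry no exclamation marks because delayed expansion would strip them and the text between them.
		IF ERRORLEVEL 1 (
			%Write-Output% %%~A - PING FAILED - Check by hand
		) ELSE (
			REG DELETE "\\%%~A\HKLM\SOFTWARE\WOW6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\DATALOSS1000" /f
			IF ERRORLEVEL 1 (
				%Write-Output% %%~A - PING SUCCESS - DATALOSS1000 Delete FAILED
			) ELSE (
				%Write-Output% %%~A - PING SUCCESS - DATALOSS1000 Delete SUCCESS
			)
		)
	)
GOTO :EOF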


:OutEcho
	ECHO.%*
	ECHO.%*>>"%_LogFile%"
GOTO :EOF

:GetDateTime
	FOR /F "Tokens=1-7 delims=MTWFSmtwfsouehrandit:-\/. " %%A IN ("%DATE% %TIME: =0%") DO (
		FOR /F "Tokens=2-4 Skip=1 Delims=(-)" %%a IN ('ECHO.^| DATE') DO (
			SET "%%~a=%%~A"
			SET "%%~b=%%~B"
			SET "%%~c=%%~C"
			SET "HH=%%~D"
			SET "Mn=%%~E"
			SET "SS=%%~F"
			SET "Ms=%%~G"
		)
	)
	SET "TTime=%HH%.%Mn%.%SS%"
	SET "IsoTime=%HH%.%Mn%.%SS%.%Ms%"
	SET "TDate=%yy%-%mm%-%dd%"
	SET "IsoDate=%yy%-%mm%-%dd%"
GOTO :EOF


Hey Ben,

Thank you for this. What I am trying to find though, is where the Domain variable is here...or do I need to run this on the DC?

I'm not overly comfortable with scripts etc... so I just want to make sure this does not break anything. Additionally, it appears that DSQuery is not available on my 2012 DC.

Thoughts?
Andrew, could you just put that script on hold for a second and explain why you "don't have the ability in this case to use GPO for this"? To use a script, you would need an account that has global administrative rights AND a PC that can reach the needed ports. He who has access to such an account and such a privileged system cannot take a minute and create that GPO? (...or ask a fellow admin to do that...?)?
Hello Andrew,

  So I didn't include the Domain, because that defaults to the current domain. If you're like me and have multiple domains to search through, that can be changed to specify the domain instead.  (I'll amend that and post it below.)

DS Query is included in All Windows Systems as of Windows Vista/2008 and onwards.  By default it is available on the Domain controllers because they have the "Active Directory Services Role" installed which also activates the "Remote Server Administration Tools" (RSAT) for this role by default.

 Any member server, desktop, laptop with RSAT tools installed will also have DSQuery and DS Mod etc  available to them, I usually run this from my Windows 7 PC or my Windows 2012R2 Management system when I need to run them.

To use dsquery, you must run the dsquery command from an elevated command prompt.

I went through the script and commented out the majority of it  to give you a run down of how it is working.

Let me know if you need me to explain the logic in any place you have questions about the actions being performed by the code, I know what it's like when you aren't familiar with scripts, we were all there once :)

REM Script Name: DeleteKeyAD.cmd
REM @ acts as if "ECHO OFF was already applied"
@(
	REM SET LOCAL keeps changes to the CMD prompt in the local session
	REM ENABLEDELAYEDEXPANSION enables some command extensions so you can process variables inside loops.
	SETLOCAL ENABLEDELAYEDEXPANSION
	REM ECHO OFF Turns off the echo of every command -- you won't see REM items print to screen from here on out, nor will other commands, only their output.
	ECHO OFF
	REM Set a default error level of False (No error)
	SET "_eLvl=0"
	REM Get the date and time variables setup.
	CALL :GetDateTime
	REM Set the path and filename of the logfile %~dp0\Log\ = path of the script + the subfolder "Log" -- %~n0_Log_!IsoDate!_!IsoTime!.log = name of the script + Log + the date + the time + .log
	SET "_LogFile=%~dp0\Log\%~n0_Log_!IsoDate!_!IsoTime!.log"
	REM Set the domain DN for the domain to look through:
	SET "_Domain_DN=DC=Your_Domain,DC=com"
	REM Creates the log directory if it didn't exist.
	IF NOT EXIST "%~dp0\Log" (
		MD "%~dp0\Log"
	)
	REM This variable just makes a shortcut for writing output to the screen and logfile.
	SET "Write-Output=CALL :OutEcho "
)

REM Calls the "Main" function, CALL returns to the place the function was called from after the function completed.
CALL :Main

(
	REM ENDLOCAL - ends the local variable session and means that changes made within it such as creating variables should not persist.
	ENDLOCAL
	REM Exit /b closes the script but leaves the calling CMD window open, it also returns an error level in case you are using the "%ERRORLEVEL%" variable or similar.
	Exit /b %_eLvl%
)

:Main
	
	REM Loop through all of the Computer systems in Active directory and attempt to connect to them to remove the registry key.
	FOR /F "Tokens=2 Delims==," %%A IN ('dsquery computer -limit 0 "%_Domain_DN%"') DO (
		REM Ping the machine once with a 200 millisecond timeout to prime it to be more likely to respond to the next request.
		PING -n 1 -w 200 %%~A >NUL
		REM Ping the machine once more with a 200 millisecond timeout to see if it responds before attempting to delete the registry key.
		PING -n 1 -w 200 %%~A >NUL
		REM IF ERRORLEVEL is used so a failed ping cannot fall through to the delete-failed message.
		REM The messages carry no exclamation marks because delayed expansion would strip them and the text between them.
		IF ERRORLEVEL 1 (
			REM When Ping of a system fails, we will take no further action on that host, so write to the log and screen to record that info for an administrator to handle.
			%Write-Output% %%~A - PING FAILED - Check by hand
		) ELSE (
			REM When Ping of a system works, attempt to delete the registry key on that machine.
			REG DELETE "\\%%~A\HKLM\SOFTWARE\WOW6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\DATALOSS1000" /f
			IF ERRORLEVEL 1 (
				REM When Ping of a system works, but the attempt to delete the registry key fails, write to the log and screen to record that info for an administrator to handle.
				%Write-Output% %%~A - PING SUCCESS - DATALOSS1000 Delete FAILED
			) ELSE (
				REM When Ping of a system works, and the command to delete the registry key succeeds, write to the log and screen to record that info.
				%Write-Output% %%~A - PING SUCCESS - DATALOSS1000 Delete SUCCESS
			)
		)
	)
GOTO :EOF

REM This function writes to the screen and a log file.
:OutEcho
	REM ECHO to the screen
	ECHO.%*
	REM ECHO to the Logfile.
	ECHO.%*>>"%_LogFile%"
GOTO :EOF

REM This function gets the date and formats it.
:GetDateTime
	FOR /F "Tokens=1-7 delims=MTWFSmtwfsouehrandit:-\/. " %%A IN ("%DATE% %TIME: =0%") DO (
		FOR /F "Tokens=2-4 Skip=1 Delims=(-)" %%a IN ('ECHO.^| DATE') DO (
			SET "%%~a=%%~A"
			SET "%%~b=%%~B"
			SET "%%~c=%%~C"
			SET "HH=%%~D"
			SET "Mn=%%~E"
			SET "SS=%%~F"
			SET "Ms=%%~G"
		)
	)
	SET "TTime=%HH%.%Mn%.%SS%"
	SET "IsoTime=%HH%.%Mn%.%SS%.%Ms%"
	SET "TDate=%yy%-%mm%-%dd%"
	SET "IsoDate=%yy%-%mm%-%dd%"
GOTO :EOF
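
The same loop as an added PowerShell example (not code from the thread or its posters): it checks that the key is present before deleting it, records one result per machine, and writes the machines that need another pass to a retry file. The host names, the function name Remove-RemoteKey and the file names results.csv and retry.txt are assumptions.

```powershell
# Added example. Constructed placeholder host names; in practice use the
# computer list saved from Active Directory.
$computers  = 'PC-EXAMPLE-01', 'PC-EXAMPLE-02'
$parentPath = 'SOFTWARE\WOW6432Node\Network Associates\ePolicy Orchestrator\Application Plugins'
$keyName    = 'DATALOSS1000'

function Remove-RemoteKey {
    param([string]$Computer, [string]$ParentPath, [string]$KeyName)

    # Skip hosts that do not answer, so they end up in the retry list.
    if (-not (Test-Connection -ComputerName $Computer -Count 2 -Quiet)) {
        return 'Unreachable'
    }
    $hklm = $null
    $parent = $null
    try {
        # Needs the Remote Registry service on the target and admin rights there.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $parent = $hklm.OpenSubKey($ParentPath, $true)   # $true = open writable
        # Distinguish "nothing to do" from a real deletion in the audit trail.
        if ($null -eq $parent -or $parent.GetSubKeyNames() -notcontains $KeyName) {
            return 'KeyNotPresent'
        }
        $parent.DeleteSubKeyTree($KeyName, $false)
        return 'Deleted'
    }
    catch {
        # Access denied, RPC unavailable, etc.: keep the exception type for triage.
        return "Error: $($_.Exception.GetBaseException().GetType().Name)"
    }
    finally {
        if ($parent) { $parent.Close() }
        if ($hklm)   { $hklm.Close() }
    }
}

$results = foreach ($computer in $computers) {
    [pscustomobject]@{
        Computer  = $computer
        Timestamp = (Get-Date).ToString('s')
        Result    = Remove-RemoteKey -Computer $computer -ParentPath $parentPath -KeyName $keyName
    }
}

# One row per machine, plus a list of hosts to run again later.
$results | Export-Csv -Path '.\results.csv' -NoTypeInformation
$results | Where-Object { $_.Result -notin 'Deleted', 'KeyNotPresent' } |
    Select-Object -ExpandProperty Computer | Set-Content -Path '.\retry.txt'
```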


Hi McKnife, Ben,

Thank you both...

McKnife - Just to clarify, it is not my domain to be worked on. Attempting to help out a customer with a particular predicament. I will have them look at their GPO abilities also. Thank you.

Ben, I will read through  this. Thank you so much for taking the time to do this. Much appreciated.


I will post back later with an update.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Glad to help, you can message me directly if you have any questions too.  Looking forward to them :)