
Working With Registry Keys in a Batch File

VERSION 3
Created on: Jan 28, 2008 9:27 AM by Jared Barneck - Last Modified:  Oct 1, 2008 1:07 PM by Jared Barneck

Description

There are many options for deploying a Registry key:

 

  • Batch Files (The topic of this article.)

  • Package Builder Executable

  • Custom Vulnerability

  • VBScript

 

Before modifying or querying a registry key, it is important to understand the options available to you for doing so.

 

This document focuses on working with Registry keys in a batch file.

 

Accessing Registry Keys

 

All registry keys are accessible at all times through the following hives:

 

HKEY_LOCAL_MACHINE

HKEY_USERS

 

While there appear to be other hives, these are actually just reference locations that already exist under the above two hives.

 

What does it mean to reference another hive?  It means that if hive X references hive Y, both names point to the same hive.  Making a change through either hive X or hive Y modifies the same data, since both are just different names for the same place.

 

Accessing the User's hive (HKEY_CURRENT_USER)

There is a misconception that the only way to modify a user's registry key is to modify HKEY_CURRENT_USER, which is not the case.  Each user's registry hive is available under HKEY_USERS.  HKEY_CURRENT_USER is simply a reference to that user's hive under HKEY_USERS.

 

If the process is run by Local System, the HKEY_CURRENT_USER hive references the HKEY_USERS\.DEFAULT user hive, which is a reference to the HKEY_USERS\S-1-5-18 hive.

 

If the process is run by a logged-in local or domain user, then the HKEY_CURRENT_USER hive references the hive of the currently logged-in user.  The HKEY_USERS equivalent would be something like the following:

HKEY_USERS\S-1-5-21-1937564237-1933792563-196172844-1031

 

The long string is a Security ID or SID. 

 

Matching Security IDs (SIDs) with Usernames

Microsoft explains that the easiest way to determine which SID belongs to which username is to do the following:

 

  1. Open Regedit.

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

  3. Under the ProfileList key, you will see the SIDs. By selecting each one individually, you can look at the value of the ProfileImagePath string and see which user name is associated with that SID by looking at the folder used under Documents and Settings.

 

Sometimes you will see different folders for a user as follows:

Administrator 
Administrator.ComputerName
Administrator.Domain

 

A .ComputerName or .DomainName suffix on the folder is not part of the username; it is used to differentiate a local user and a domain user that have the same name.  The first user to log in gets the folder name without a .Domain or .ComputerName suffix.  If a domain user with the same name then logs in second, a .Domain suffix is added; if a local user with the same name logs in second, a .ComputerName suffix is added.  This is important to note when parsing user names from these folder names with a batch file, VBScript, or other coding tool.

 

The _Classes keys can be ignored.  Next to each user hive there is a similar-looking registry key such as the following:

HKEY_USERS\S-1-5-21-1937564237-1933792563-196172844-1031_Classes

 

Notice that it ends in _Classes.  This registry key is not a user hive; it is just another reference to a key inside the same user hive:

HKEY_USERS\S-1-5-21-1937564237-1933792563-196172844-1031\Software\Classes

 

Modifying the Registry within a Batch File

Now that you know how all registry keys can be accessed from HKEY_LOCAL_MACHINE and HKEY_USERS, and how to find out which user key is which, the next step is to determine the best method for updating a registry key.

 

Accessing the Registry with a Batch File

The way a batch file is written to deploy as a Distribution Package is different from the way it would be written to be run by a user who double-clicks on it.  In fact, a batch file that works when double-clicked is probably not going to work in a Distribution Package.  Before writing a batch file to deploy as a Distribution Package in LANDesk, it is beneficial to read the following document to avoid common errors.

Understanding Batch File Distribution Packages

 

Batch files deployed with LANDesk run as Local System when using a Push Delivery Method.  When using a Policy Delivery Method and the user is not a local administrator of their workstation, the batch file also runs as Local System.  When using a Policy Delivery Method and the user is a local administrator of their workstation, the batch file runs as that user.  A tool called StartAsUser.exe can be called in the script to run commands as the user even when using a Push Delivery Method, or a Policy Delivery Method to a user who is not a local administrator.  However, the user must be logged in and must have permission to perform the command for it to succeed.  In LDMS 8.8 and later, the distribution package has an option to run as the logged-in user, which automatically launches the batch file using StartAsUser.exe.

 

Using Regedit to Add, Change, or Remove a Registry Key

Regedit.exe can add, change, or remove registry keys; however, it cannot be used to query them, and it cannot alter registry key permissions.

 

This example uses Regedit.exe to add a simple registry key.  It requires one additional file, the .reg file.  When creating the LANDesk Batch File Distribution Package, make the batch file the primary package and make sure to add the .reg file as an additional file.

 

REM Add a registry key and values with Regedit.exe 
REM and a .reg file
REM 
REM /s is used to avoid an "Are you sure" prompt

regedit.exe /s somefile.reg

 

The somefile.reg would look something like this.  For more information on the syntax of a .reg file, including the syntax for deleting a registry key or registry value, see this Microsoft Knowledge Base article:

http://support.microsoft.com/kb/310516

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\SomeRegKey]
"SomeDWORD"=dword:00000001
"SomeString"="Hello, World!"

 

The additional file can be avoided by having the batch file create the .reg file itself when it runs, like this:

 

REM Add a registry key and values with Regedit.exe
REM and a .reg file that the batch file writes itself

REM Create the .reg file. Putting the redirection before ECHO keeps a
REM trailing space from being written at the end of each line and stops
REM a line ending in a digit from being read as a handle redirection.
 > "%temp%\somefile.reg" ECHO Windows Registry Editor Version 5.00
>> "%temp%\somefile.reg" ECHO.
>> "%temp%\somefile.reg" ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\SomeRegKey]
>> "%temp%\somefile.reg" ECHO "SomeDWORD"=dword:00000001
>> "%temp%\somefile.reg" ECHO "SomeString"="Hello, World!"

REM /s is used to avoid an "Are you sure" prompt

regedit.exe /s "%temp%\somefile.reg"

REM Remove the temporary .reg file again
DEL "%temp%\somefile.reg"

 

Using Reg.exe

Reg.exe is another tool that can access the registry.  As well as adding, modifying, or deleting registry values, it can query, copy, compare, import, export, and more.  Like Regedit.exe, it cannot alter registry key permissions.  Reg.exe is included by default in Windows XP and later operating systems, but it is not included by default in Windows 2000 or earlier and had to be added from the Windows 2000 Resource Kit.

 

More information on Reg.exe can be found by searching for the REG command on Microsoft's web site or going to this TechNet page: http://technet.microsoft.com/en-us/library/bb490984.aspx

 

The options to Reg.exe can be seen by running Reg.exe /? at a command prompt.

 

C:\>reg /?

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001.  All rights reserved


REG Operation [Parameter List]

  Operation  [ QUERY | ADD | DELETE | COPY | SAVE | LOAD | UNLOAD | RESTORE | COMPARE | EXPORT | IMPORT ]

Return Code: (Except of REG COMPARE)

  0 - Successful
  1 - Failed

For help on a specific operation type:

  REG Operation /?

Examples:

  REG QUERY /?
  REG ADD /?
  REG DELETE /?
  REG COPY /?
  REG SAVE /?
  REG RESTORE /?
  REG LOAD /?
  REG UNLOAD /?
  REG COMPARE /?
  REG EXPORT /?
  REG IMPORT /?

C:\>

 

Using Reg.exe to Add Registry Keys and Values

To add the same registry key and values as in the Regedit example, the following batch file could be used.

 

REM Add a registry key and values with Reg.exe
REM /f overwrites an existing value without the "overwrite?" prompt,
REM which would otherwise stall a batch file that runs unattended.

REG ADD HKLM\Software\SomeRegKey /f
REG ADD HKLM\Software\SomeRegKey /v SomeDWORD /t REG_DWORD /d 1 /f
REG ADD HKLM\Software\SomeRegKey /v SomeString /t REG_SZ /d "Hello, World!" /f

 

Create a Batch File Distribution Package and deploy the batch file with any Delivery Method.

 

Using Reg.exe to Query Registry Keys

Registry keys can also be queried and the values can be accessed and used in a batch file.

 

Example 1

The LDClient directory may be in different places on different agent workstations.  Some XP Embedded workstations don't even have a C drive, so calling c:\program files\LANDesk\LDClient with a hard-coded path may not work for all your devices.  Here is a simple example of how to query the registry to get the LDClient directory.

 

@ECHO OFF
REM
REM Copyright Jared Barneck
REM

GOTO main

:f_ldmain
  REM This :f_ldmain label works as a function and can be run from :main using this syntax:
  REM call :f_ldmain
  REM It has an "f_" prefix to mark it as a function.

  REM Get the correct path to the LDClient directory from the registry.
  REM REG QUERY prints the value as "Path  REG_SZ  C:\...", so "tokens=2*"
  REM makes token 2 the value type and token 3 all remaining text on the
  REM line, including any spaces in the path.
  FOR /F "tokens=2*" %%a IN ('REG QUERY HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient /v Path ^|FINDSTR Path') DO SET ldclientdir=%%b
GOTO end


:main
  CALL :f_ldmain
  ECHO The LDClient directory is here:
  ECHO %ldclientdir%
  ECHO.
GOTO end

:end

 

 

Example 2

Here is another example.  To get a list of SIDs from HKEY_USERS, the REG QUERY command can be used as shown.

 

C:\>REG QUERY HKU

! REG.EXE VERSION 3.0

HKEY_USERS

HKEY_USERS\.DEFAULT

HKEY_USERS\S-1-5-19

HKEY_USERS\S-1-5-19_Classes

HKEY_USERS\S-1-5-20

HKEY_USERS\S-1-5-20_Classes

HKEY_USERS\S-1-5-21-1715567821-879983540-682003330-36408

HKEY_USERS\S-1-5-21-1715567821-879983540-682003330-36408_Classes

HKEY_USERS\S-1-5-21-1937564237-1933792563-196172844-1031

HKEY_USERS\S-1-5-21-1937564237-1933792563-196172844-1031_Classes

HKEY_USERS\S-1-5-18

 

While this command only lists the subkeys in HKEY_USERS and is not useful by itself in a batch file deployed by LANDesk, it can be combined with other commands in a batch file to become more useful.  For example, if a registry key must be added to every user's registry hive, this output can be parsed to list the valid users that can log in (some of the SIDs belong to the Network Service or other accounts that are not login accounts).

 

Parsing the output above is not easy.  The output has a lot of unneeded spaces and blank lines and is not very clean.  The first addition we can make to the REG QUERY command is to pipe it to Findstr to get only HKEY_USERS\.DEFAULT and any valid SIDs for users.  The Findstr syntax can be seen by running Findstr /? at a command prompt.  If you do not understand the regular expression used in the Findstr command, don't worry, just copy the syntax used in the example.

 

The following is an example output of this command on a workstation with only two valid login users.

 

C:\>REG QUERY HKU |Findstr /R "DEFAULT S-1-5-[0-9]*-[0-9-]*$"
HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-21-1715567821-879983540-682003330-36408
HKEY_USERS\S-1-5-21-1937564237-1933792563-196172844-1031

 

Now we have a simple output that can be parsed with advanced batch file commands to make a Registry modification to the .DEFAULT hive, and each login user's hive.  By changing the .DEFAULT, all future new users will get the change, but the current users will not, so they have to be modified explicitly.

 

The following batch file will find all login users and add a Registry key to their hives as well as add the same Registry key to the .DEFAULT hive.

 

REM Modify a registry key for all logged in users
REM Also modify it in the .DEFAULT hive so future users get it.
REM
REM Copyright Jared Barneck
REM

GOTO main

:modkey
  REM %1 is the value of %%a that is passed from the FOR loop in :main.
  REM /f overwrites existing values without an "overwrite?" prompt, which
  REM would otherwise stall a batch file that runs unattended.
  REG ADD HKU\%1\SomeRegKey /f
  REG ADD HKU\%1\SomeRegKey /v SomeDWORD /t REG_DWORD /d 1 /f
  REG ADD HKU\%1\SomeRegKey /v SomeString /t REG_SZ /d "Hello, World!" /f
  REM Going to :end here only ends this instance of the call to the
  REM :modkey label. It does not end the whole batch file.
GOTO end

:main
  REM "delims=\" splits each line at the backslashes, so token 2 is the
  REM part after HKEY_USERS\ (.DEFAULT or the user's SID).
  FOR /F "tokens=2* delims=\" %%a IN ('REG QUERY HKU ^|Findstr /R "DEFAULT S-1-5-[0-9]*-[0-9-]*$"') DO CALL :modkey %%a
  REM Going to :end here ends the whole batch file.
GOTO end

:end
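REG QUERY HKU only lists hives that are loaded at that moment, so the loop above reaches the users who are logged on when the package runs; a user who is not logged on has an NTUSER.DAT file in the profile folder named by ProfileImagePath instead.  The following is an added example, not from the original article or from LANDesk: it combines the ProfileList lookup from the SID section with the REG LOAD and REG UNLOAD operations from the REG /? list to reach those profiles as well.  The key name SomeRegKey comes from the examples above; the Tmp_ hive prefix and the :peruser and :modkey labels are assumptions of this example.

```batch
@ECHO OFF
REM Added example, not part of the original article. Writes SomeRegKey into
REM every user profile listed under ProfileList, not only the hives that are
REM loaded under HKEY_USERS because the user happens to be logged on. Hives
REM that are not loaded are attached with REG LOAD and released with REG UNLOAD.
REM Run as an administrator or as Local System; REG LOAD needs that privilege.
SETLOCAL
SET "PL=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

REM ProfileList subkeys are named after SIDs; the S-1-5-21- ones are the real
REM user accounts (S-1-5-18, 19 and 20 are service accounts). The ~nx modifier
REM keeps only the last component of the key path, i.e. the SID. ProfileImagePath
REM is REG_EXPAND_SZ and on XP still contains the SystemDrive variable; passing
REM it through CALL expands that variable before the subroutine sees it.
FOR /F "delims=" %%s IN ('REG QUERY "%PL%" ^| FINDSTR "S-1-5-21-"') DO FOR /F "tokens=2*" %%a IN ('REG QUERY "%PL%\%%~nxs" /v ProfileImagePath ^| FINDSTR ProfileImagePath') DO CALL :peruser %%~nxs "%%b"
GOTO :EOF

:peruser
REM First argument: SID. Second argument: profile folder. A .ComputerName or
REM .Domain suffix on the folder is not part of the user name (see SID section).
ECHO Profile %1 at "%~2"
REM Hive already loaded (user is logged on): modify it in place.
REG QUERY "HKU\%1" >NUL 2>&1 && (CALL :modkey "HKU\%1" & GOTO :EOF)
IF NOT EXIST "%~2\NTUSER.DAT" (ECHO   no NTUSER.DAT found, skipped & GOTO :EOF)
REM Not loaded: mount NTUSER.DAT under a temporary key, modify it, unmount it.
REG LOAD "HKU\Tmp_%1" "%~2\NTUSER.DAT" >NUL 2>&1 || (ECHO   REG LOAD failed & GOTO :EOF)
CALL :modkey "HKU\Tmp_%1"
REG UNLOAD "HKU\Tmp_%1" >NUL 2>&1
GOTO :EOF

:modkey
REM Argument: root of the hive to modify. Adding a value creates the key, and
REM /f suppresses the overwrite prompt that would hang an unattended batch file.
REG ADD "%~1\SomeRegKey" /v SomeDWORD /t REG_DWORD /d 1 /f >NUL && REG ADD "%~1\SomeRegKey" /v SomeString /t REG_SZ /d "Hello, World!" /f >NUL || ECHO   REG ADD failed for %~1
GOTO :EOF
```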

 

 
