Run key data

  • Question

  • All,

    I am having problems retrieving the correct information from the HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ key.  I am using the following command to query it:

    $objRunKey = Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

    The data is stored in the variable as:

    PS H:\> $objRunKey


    PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    PSChildName  : Run
    PSDrive      : HKLM
    PSProvider   : Microsoft.PowerShell.Core\Registry
    DagentUI     : C:\Program Files\Altiris\Dagent\dagentui.exe
    SynTPEnh     : C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    SysTrayApp   : C:\Program Files\IDT\WDM\sttray64.exe
    IgfxTray     : C:\Windows\system32\igfxtray.exe
    HotKeysCmds  : C:\Windows\system32\hkcmd.exe
    Persistence  : C:\Windows\system32\igfxpers.exe

    What I need to do is extract the actual applications, registry values and path for all applications that start under this key.  Since this script will be used on many different systems I can't do something easy like:

    $objRunKey.Persistence

    &

    $objRunKey.Name

    $objRunKey.Type

    $objRunKey.Data

    do not work.

    Ideally I would like output like the following reg command displays:

    PS H:\> reg query hklm\software\microsoft\windows\currentversion\run

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
        DagentUI    REG_SZ    C:\Program Files\Altiris\Dagent\dagentui.exe
        SynTPEnh    REG_EXPAND_SZ    %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
        SysTrayApp    REG_EXPAND_SZ    C:\Program Files\IDT\WDM\sttray64.exe
        IgfxTray    REG_SZ    C:\Windows\system32\igfxtray.exe
        HotKeysCmds    REG_SZ    C:\Windows\system32\hkcmd.exe
            REG_SZ    C:\Windows\system32\igfxpers.exe

    This way I can send it to a log in the following format:

    Name          Type          Data

    Persistence   REG_SZ      C:\Windows\system32\igfxpers.exe

    If this is possible any help would be greatly appreciated.

    Thursday, July 21, 2011 5:02 PM

Answers

  • See if this works for you...

     

    $reg3 = @("name,type,data")
    $reg = reg query hklm\software\microsoft\windows\currentversion\run
    $reg = $reg | select-string -pattern "REG_"
    foreach ($reg1 in $reg) { $reg2 = ($reg1 | foreach {$_ -replace "  ", ","});$reg3 = $reg3 + $reg2.substring(1,$reg2.length-1)}
    $reg3 | out-file temp.csv
    $reg3 = Import-Csv .\temp.csv
    del .\temp.csv
    $reg3 | ft -autosize

    Thursday, July 21, 2011 10:11 PM
    Moderator

All replies

  • Thank you for your help, it is greatly appreciated.  The snippet above appears to do everything I need, however the output does not contain the Type and Data values.  So I remarked the del .\temp.csv line and analyzed the output csv file and found it had a ,, between the values.  Then I went and changed line 4 from:

    foreach ($reg1 in $reg) { $reg2 = ($reg1 | foreach {$_ -replace "  ", ","});$reg3 = $reg3 + $reg2.substring(1,$reg2.length-1)}

    to

    foreach ($reg1 in $reg) { $reg2 = ($reg1 | foreach {$_ -replace "  ", " "});$reg3 = $reg3 + $reg2.substring(1,$reg2.length-1)}

    and it worked quite well.  Now the output is exactly what I need:

    PS G:\scripts\powershell\ps snippets> ./RetrieveComplexRegKeyData.ps1

    name                                                                 type data
    ----                                                                 ---- ----
    DagentUI  REG_SZ  C:\Program Files\Altiris\Dagent\dagentui.exe
    SynTPEnh  REG_EXPAND_SZ  %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    SysTrayApp  REG_EXPAND_SZ  C:\Program Files\IDT\WDM\sttray64.exe
    IgfxTray  REG_SZ  C:\Windows\system32\igfxtray.exe
    HotKeysCmds  REG_SZ  C:\Windows\system32\hkcmd.exe
    Persistence  REG_SZ  C:\Windows\system32\igfxpers.exe

    Thank you once again for your help.

    Friday, July 22, 2011 1:29 PM
  • Ok this is rather strange.  When I place the code in its own PS script it runs fine.  When I copy it into the script I am working on and make it a function I get the following error:

    The values contained in this systems HKLM\SOFTWAREMicrosoft\Windows\CurrentVersion\Run key are:
    Exception calling "Substring" with "2" argument(s): "startIndex cannot be larger than length of string.
    Parameter name: startIndex"
    At G:\scripts\powershell\dev\forensicscript\RetrieveSystemInfo.ps1:125 char:108
    + foreach ($reg1 in $reg) { $reg2 = ($reg1 | foreach {$_ -replace "  ", ","});$reg3 = $reg3 + $reg2.substring <<<< (1,$
    reg2.length-1)}
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException

    Here is how I modified the code:

    Function GetRunKey {

    $reg3 = @("name,type,data")
    $reg = reg query hklm\software\microsoft\windows\currentversion\run
    $reg = $reg | select-string -pattern "REG_"
    foreach ($reg1 in $reg) { $reg2 = ($reg1 | foreach {$_ -replace "  ", ","});$reg3 = $reg3 + $reg2.substring(1,$reg2.length-1)}
    $reg3 | out-file temp.csv
    $reg3 = Import-Csv .\temp.csv
    #del .\temp.csv
    $reg3 | ft -autosize

    }

    Any suggestions?

    Friday, July 22, 2011 5:39 PM
  • Replace

    foreach ($reg1 in $reg) { $reg2 = ($reg1 | foreach {$_ -replace "    ", ","});$reg3 = $reg3 + $reg2.substring(1,$reg2.length-1)}

    to

    foreach ($reg1 in $reg) { $reg2 = ($reg1 | foreach {$_ -replace "    ", ","});write-host "REG2 VALUE = " $reg2 "Reg2 SIZE = " $reg2.LENGTH "`n"; $reg3 = $reg3 + $reg2.substring(1,$reg2.length-1)}

    So you can see $reg2 information before substring takes place and take the appropriate action depending on $REG2 value.


    Thanks, Wilson Souza - MSFT This posting is provided "AS IS" with no warranties, and confers no rights
    Friday, July 22, 2011 6:27 PM
    Moderator
  • Getting close, I added it to the script and get the following output when it executes:

    There are a number of Registry values that will now be analyzed:
    REG2 VALUE =   Reg2 SIZE =  0

    Exception calling "Substring" with "2" argument(s): "startIndex cannot be larger than length of string.
    Parameter name: startIndex"
    At G:\scripts\powershell\dev\forensicscript\RetrieveSystemInfo.ps1:130 char:177
    + foreach ($reg1 in $reg) { $reg2 = ($reg1 | foreach {$_ -replace "    ", " "});write-host "REG2 VALUE = " $reg2 "Reg2
    SIZE = " $reg2.LENGTH "`n"; $reg3 = $reg3 + $reg2.substring <<<< (1,$reg2.length-1)}
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException

    Friday, July 22, 2011 6:40 PM
  • It looks like there are rows/lines returned by command $reg = reg query hklm\software\microsoft\windows\currentversion\run which are blank...

    You can bypass these rows/lines by replacing

    foreach ($reg1 in $reg) { $reg2 = ($reg1 | foreach {$_ -replace "    ", ","});$reg3 = $reg3 + $reg2.substring(1,$reg2.length-1)}

    to

    foreach ($reg1 in $reg) { $reg2 = ($reg1 | foreach {$_ -replace "    ", ","});if ($reg2.length -ne 0) { $reg3 = $reg3 + $reg2.substring(1,$reg2.length-1)}}

     


    Thanks, Wilson Souza - MSFT This posting is provided "AS IS" with no warranties, and confers no rights
    Friday, July 22, 2011 6:47 PM
    Moderator
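A provider-based alternative to the accepted answer and to the blank-line fix above, added here as an example and not code from the thread: it asks the registry for each value's kind directly, so the four-space parsing, the empty-line guard and the temporary CSV file are not needed. The function name Get-RunKeyEntry and the inclusion of the HKCU and Wow6432Node keys are assumptions; the HKLM key is the one from the question.

```powershell
# Added example (not from the thread): enumerate Run-key autostart entries with
# their registry value kind via the registry provider instead of parsing the
# text output of "reg query". Function name and extra keys are assumptions.
function Get-RunKeyEntry {
    [CmdletBinding()]
    param(
        # Keys to inspect; the Wow6432Node path exists only on 64-bit Windows.
        [string[]]$KeyPath = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        )
    )

    # Map .NET RegistryValueKind names to the REG_* names "reg query" prints.
    $kindNames = @{
        'String'       = 'REG_SZ'
        'ExpandString' = 'REG_EXPAND_SZ'
        'Binary'       = 'REG_BINARY'
        'DWord'        = 'REG_DWORD'
        'MultiString'  = 'REG_MULTI_SZ'
        'QWord'        = 'REG_QWORD'
    }

    foreach ($path in $KeyPath) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }   # key absent on this system, skip it

        foreach ($name in $key.GetValueNames()) {
            $kind = "$($key.GetValueKind($name))"
            $typeName = if ($kindNames.ContainsKey($kind)) { $kindNames[$kind] } else { $kind }
            # DoNotExpandEnvironmentNames keeps "%ProgramFiles%\..." as stored,
            # matching "reg query"; the expanded form is emitted alongside it.
            $raw = $key.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            [pscustomobject]@{
                Key      = $path
                Name     = $name          # "" denotes the key's default value
                Type     = $typeName
                Data     = "$raw"
                Expanded = [Environment]::ExpandEnvironmentVariables("$raw")
            }
        }
    }
}

# Usage: table on screen, or CSV for the Name/Type/Data log the question describes.
Get-RunKeyEntry | Format-Table -AutoSize
Get-RunKeyEntry | Export-Csv -Path .\runkeys.csv -NoTypeInformation
```

Because objects rather than text are returned, the output can be filtered or compared against a known-good baseline with Where-Object or Compare-Object without any further parsing.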
  • Wilson,

    My apologies for not posting sooner, things have been pretty busy.  The last line of code you suggested worked perfectly in the script.  Thank you once again for your help.

    Wednesday, August 3, 2011 4:27 PM