'====================================================================
'= Enumerate Registry Run Key VBScript sample - Copyright © 2007, Dave Moats
'=
'= This sample is provided 'as-is', without any express or implied warranty.
'= In no event will the authors be held liable for any damages arising from
'= the use of this sample code.
'=
'= Permission is granted to anyone to use this sample code for any purpose,
'= including commercial applications, subject to the following restrictions:
'=
'= The origin of this code must not be misrepresented;
'= you must not claim that you wrote the original code.
'= If you use this code, an acknowledgment in the
'= documentation is requested - shown below:
'=
'= Portions Copyright © 2007, Dave Moats (http://www.davemoats.com/).
'=
'====================================================================
'====================================================================
'== enum_reg_values.vbs - script to enumerate all the values
'== located under the registry run key
'====================================================================
' Hive handles understood by the WMI StdRegProv registry provider.
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002

' Registry value type codes, matched against the types EnumValues reports.
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7

' Script-wide settings read by enumRegValues and getFileInfo.
keyPath = "Software\Microsoft\Windows\CurrentVersion\Run"
indentStr = " "

' Helper objects shared by the procedures below: the file system object
' for file metadata and the local machine's registry provider, which is
' called with the credentials of the account running the script.
Set fso = CreateObject("Scripting.FileSystemObject")
Set regObj = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' Coverage note: only the machine-wide Run key and the Run key of the
' account running the script are listed. Other autostart locations
' (RunOnce, the Wow6432Node Run key on 64-bit Windows, other users'
' hives, Startup folders, services, scheduled tasks) are not examined,
' so a clean listing here is not a complete persistence check.
WScript.Echo vbCrLf & "Enumeration of HKEY_LOCAL_MACHINE Run Key:" & vbCrLf
enumRegValues HKEY_LOCAL_MACHINE, keyPath

WScript.Echo vbCrLf
WScript.Echo "Enumeration of HKEY_CURRENT_USER Run Key:" & vbCrLf
enumRegValues HKEY_CURRENT_USER, keyPath

' Release the COM objects and stop before the procedure definitions.
Set regObj = Nothing
Set fso = Nothing
WScript.Quit
'====================================================================
'== sub enumRegValues - enumerates all the registry values under
'== the run key in the registry
'====================================================================
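sub enumRegValues ( regKey, keyPath )
    ' Lists every named value under regKey\keyPath and echoes its name,
    ' its data and, for string values, details of the file it points to.
    '   regKey  - hive handle (HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER)
    '   keyPath - key path below the hive
    ' Locals are declared so they no longer leak into the script scope.
    dim arNames, arTypes, arrValues, regVal, hexStr, i, j

    regObj.EnumValues regKey, keyPath, arNames, arTypes

    ' When there is nothing to enumerate (no values, missing or unreadable
    ' key) arNames is not an array and ubound() would raise a type mismatch.
    if not isArray ( arNames) then
        wscript.echo indentStr & "(no values found)"
        exit sub
    end if

    for i = 0 to ubound ( arNames)
        ' the unnamed (default) value of the key is skipped
        if arNames ( i) <> "" then
            wscript.echo indentStr & "Registry Value Name: " & arNames ( i)
            select case arTypes ( i)
                case REG_SZ
                    regObj.GetStringValue regKey, keyPath, arNames ( i), regVal
                    wscript.echo indentStr & "Registry Value Data: " & regVal
                    wscript.echo indentStr & "File Information: " & vbcrlf & getFileInfo ( getExePath ( regVal)) & vbcrlf
                case REG_EXPAND_SZ
                    regObj.GetExpandedStringValue regKey, keyPath, arNames ( i), regVal
                    wscript.echo indentStr & "Registry Value Data: " & regVal
                    wscript.echo indentStr & "File Information: " & vbcrlf & getFileInfo ( getExePath ( regVal)) & vbcrlf
                case REG_BINARY
                    ' Binary data cannot name a program, so it is shown once as
                    ' hex bytes and no file lookup is attempted. The bytes are
                    ' indexed with j, the byte loop's own counter.
                    regObj.GetBinaryValue regKey, keyPath, arNames ( i), regVal
                    hexStr = ""
                    if isArray ( regVal) then
                        for j = lbound ( regVal) to ubound ( regVal)
                            hexStr = hexStr & right ( "0" & hex ( regVal ( j)), 2) & " "
                        next
                    end if
                    wscript.echo indentStr & "Registry Value Data: " & rtrim ( hexStr)
                    wscript.echo vbcrlf
                case REG_DWORD
                    ' A number is not a path either: data only, no file lookup.
                    regObj.GetDWORDValue regKey, keyPath, arNames ( i), regVal
                    wscript.echo indentStr & "Registry Value Data: " & regVal
                    wscript.echo vbcrlf
                case REG_MULTI_SZ
                    regObj.GetMultiStringValue regKey, keyPath, arNames ( i), arrValues
                    ' guard against a failed read leaving arrValues without an array
                    if isArray ( arrValues) then
                        for each regVal in arrValues
                            wscript.echo indentStr & "Registry Value Data: " & regVal
                            wscript.echo indentStr & "File Information: " & vbcrlf & getFileInfo ( getExePath ( regVal)) & vbcrlf
                        next
                    end if
                    wscript.echo vbcrlf
            end select
        end if
    next
end sub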
'====================================================================
'==
'====================================================================
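function getExePath ( regVal )
    ' Reduces a Run-key command line to the text up to and including the
    ' first ".exe", dropping double quotes and any command line options.
    ' Returns "" when the value contains no ".exe" or could not be read.
    '
    ' This is a heuristic. An entry that starts its payload through a host
    ' program (for example rundll32.exe or wscript.exe) yields the host's
    ' path, and targets with other extensions (.bat, .cmd, .vbs, .com, ...)
    ' yield "". Always review the raw value data as well.
    dim cmdLine, iLoc

    getExePath = ""

    ' a failed registry read can leave the value Null or Empty
    if isNull ( regVal) or isEmpty ( regVal) then exit function

    ' Work on a copy: VBScript passes arguments ByRef by default, so
    ' editing regVal directly would overwrite the caller's variable.
    cmdLine = replace ( cstr ( regVal), """", "" )

    ' now get rid of any command line options leaving just the
    ' path to the exe
    iLoc = instr ( 1, lcase ( cmdLine), ".exe" )
    if iLoc > 0 then getExePath = mid ( cmdLine, 1, iLoc + 3 )
end function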
'====================================================================
'== function getFileInfo - get information about the file in
'== question
'==
'== Normal 0 Normal file. No attributes are set.
'== ReadOnly 1 Read-only file. Attribute is read/write.
'== Hidden 2 Hidden file. Attribute is read/write.
'== System 4 System file. Attribute is read/write.
'== Volume 8 Disk drive volume label. Attribute is read-only.
'== Directory 16 Folder or directory. Attribute is read-only.
'== Archive 32 File has changed since last backup. Attribute is read/write.
'== Alias 1024 Link or shortcut. Attribute is read-only.
'== Compressed 2048 Compressed file. Attribute is read-only.
'==
'====================================================================
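function getFileInfo ( filePath)
    ' Builds a multi-line description (timestamps, type, attribute flags)
    ' of the file at filePath, using the script-wide fso object and
    ' indentStr prefix. Returns "" for an empty path and a one-line
    ' notice when the file cannot be opened.
    dim fileObj, outMsg, attrs

    if filePath = "" then
        getFileInfo = ""
        exit function
    end if

    on error resume next
    set fileObj = fso.getfile ( filePath)
    if err.number <> 0 then
        ' Report the failure instead of printing a block of blank fields.
        ' A Run entry whose target cannot be opened deserves a closer look:
        ' it may be stale, a bare file name resolved through the search
        ' path, or a REG_SZ value holding unexpanded environment variables.
        err.clear
        getFileInfo = indentStr & " File not found or not accessible: " & filePath
        exit function
    end if

    ' property reads stay best-effort under "on error resume next"
    outMsg = ""
    outMsg = outMsg & indentStr & " Created: " & fileObj.DateCreated & vbcrlf
    outMsg = outMsg & indentStr & " Last Accessed: " & fileObj.DateLastAccessed & vbcrlf
    outMsg = outMsg & indentStr & " Last Modified: " & fileObj.DateLastModified & vbcrlf
    outMsg = outMsg & indentStr & " File Type: " & fileObj.Type & vbcrlf

    attrs = fileObj.attributes
    ' "attrs and 0" is always 0, so the normal-file case has to be
    ' tested with an equality check
    if attrs = 0 then
        outMsg = outMsg & indentStr & " File Attributes: Normal file. No attributes are set"
    else
        outMsg = outMsg & indentStr & " File Attributes: "
        if attrs and 1 then
            outMsg = outMsg & "Read Only "
        end if
        if attrs and 2 then
            outMsg = outMsg & "Hidden "
        end if
        if attrs and 4 then
            outMsg = outMsg & "System "
        end if
        if attrs and 8 then
            outMsg = outMsg & "Volume "
        end if
        if attrs and 16 then
            outMsg = outMsg & "Directory "
        end if
        if attrs and 32 then
            outMsg = outMsg & "Archive - File has changed since last backup "
        end if
        if attrs and 1024 then
            outMsg = outMsg & "Link or Shortcut "
        end if
        if attrs and 2048 then
            outMsg = outMsg & "Compressed "
        end if
    end if

    set fileObj = nothing
    getFileInfo = outMsg
end function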
'= Enumerate Registry Run Key VBScript sample - Copyright © 2007, Dave Moats
'=
'= This sample is provided 'as-is', without any express or implied warranty.
'= In no event will the authors be held liable for any damages arising from
'= the use of this sample code.
'=
'= Permission is granted to anyone to use this sample code for any purpose,
'= including commercial applications, subject to the following restrictions:
'=
'= The origin of this code must not be misrepresented;
'= you must not claim that you wrote the original code.
'= If you use this code, an acknowledgment in the
'= documentation is requested - shown below:
'=
'= Portions Copyright © 2007, Dave Moats (http://www.davemoats.com/).
'=
'====================================================================
'====================================================================
'== enum_reg_values.vbs - script to enumerate all the values
'== located under the registry run key
'====================================================================
' Hive handles understood by the WMI StdRegProv registry provider.
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002

' Registry value type codes, matched against the types EnumValues reports.
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7

' Script-wide settings read by enumRegValues and getFileInfo.
keyPath = "Software\Microsoft\Windows\CurrentVersion\Run"
indentStr = " "

' Helper objects shared by the procedures below: the file system object
' for file metadata and the local machine's registry provider, which is
' called with the credentials of the account running the script.
Set fso = CreateObject("Scripting.FileSystemObject")
Set regObj = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' Coverage note: only the machine-wide Run key and the Run key of the
' account running the script are listed. Other autostart locations
' (RunOnce, the Wow6432Node Run key on 64-bit Windows, other users'
' hives, Startup folders, services, scheduled tasks) are not examined,
' so a clean listing here is not a complete persistence check.
WScript.Echo vbCrLf & "Enumeration of HKEY_LOCAL_MACHINE Run Key:" & vbCrLf
enumRegValues HKEY_LOCAL_MACHINE, keyPath

WScript.Echo vbCrLf
WScript.Echo "Enumeration of HKEY_CURRENT_USER Run Key:" & vbCrLf
enumRegValues HKEY_CURRENT_USER, keyPath

' Release the COM objects and stop before the procedure definitions.
Set regObj = Nothing
Set fso = Nothing
WScript.Quit
'====================================================================
'== sub enumRegValues - enumerates all the registry values under
'== the run key in the registry
'====================================================================
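sub enumRegValues ( regKey, keyPath )
    ' Lists every named value under regKey\keyPath and echoes its name,
    ' its data and, for string values, details of the file it points to.
    '   regKey  - hive handle (HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER)
    '   keyPath - key path below the hive
    ' Locals are declared so they no longer leak into the script scope.
    dim arNames, arTypes, arrValues, regVal, hexStr, i, j

    regObj.EnumValues regKey, keyPath, arNames, arTypes

    ' When there is nothing to enumerate (no values, missing or unreadable
    ' key) arNames is not an array and ubound() would raise a type mismatch.
    if not isArray ( arNames) then
        wscript.echo indentStr & "(no values found)"
        exit sub
    end if

    for i = 0 to ubound ( arNames)
        ' the unnamed (default) value of the key is skipped
        if arNames ( i) <> "" then
            wscript.echo indentStr & "Registry Value Name: " & arNames ( i)
            select case arTypes ( i)
                case REG_SZ
                    regObj.GetStringValue regKey, keyPath, arNames ( i), regVal
                    wscript.echo indentStr & "Registry Value Data: " & regVal
                    wscript.echo indentStr & "File Information: " & vbcrlf & getFileInfo ( getExePath ( regVal)) & vbcrlf
                case REG_EXPAND_SZ
                    regObj.GetExpandedStringValue regKey, keyPath, arNames ( i), regVal
                    wscript.echo indentStr & "Registry Value Data: " & regVal
                    wscript.echo indentStr & "File Information: " & vbcrlf & getFileInfo ( getExePath ( regVal)) & vbcrlf
                case REG_BINARY
                    ' Binary data cannot name a program, so it is shown once as
                    ' hex bytes and no file lookup is attempted. The bytes are
                    ' indexed with j, the byte loop's own counter.
                    regObj.GetBinaryValue regKey, keyPath, arNames ( i), regVal
                    hexStr = ""
                    if isArray ( regVal) then
                        for j = lbound ( regVal) to ubound ( regVal)
                            hexStr = hexStr & right ( "0" & hex ( regVal ( j)), 2) & " "
                        next
                    end if
                    wscript.echo indentStr & "Registry Value Data: " & rtrim ( hexStr)
                    wscript.echo vbcrlf
                case REG_DWORD
                    ' A number is not a path either: data only, no file lookup.
                    regObj.GetDWORDValue regKey, keyPath, arNames ( i), regVal
                    wscript.echo indentStr & "Registry Value Data: " & regVal
                    wscript.echo vbcrlf
                case REG_MULTI_SZ
                    regObj.GetMultiStringValue regKey, keyPath, arNames ( i), arrValues
                    ' guard against a failed read leaving arrValues without an array
                    if isArray ( arrValues) then
                        for each regVal in arrValues
                            wscript.echo indentStr & "Registry Value Data: " & regVal
                            wscript.echo indentStr & "File Information: " & vbcrlf & getFileInfo ( getExePath ( regVal)) & vbcrlf
                        next
                    end if
                    wscript.echo vbcrlf
            end select
        end if
    next
end sub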
'====================================================================
'==
'====================================================================
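function getExePath ( regVal )
    ' Reduces a Run-key command line to the text up to and including the
    ' first ".exe", dropping double quotes and any command line options.
    ' Returns "" when the value contains no ".exe" or could not be read.
    '
    ' This is a heuristic. An entry that starts its payload through a host
    ' program (for example rundll32.exe or wscript.exe) yields the host's
    ' path, and targets with other extensions (.bat, .cmd, .vbs, .com, ...)
    ' yield "". Always review the raw value data as well.
    dim cmdLine, iLoc

    getExePath = ""

    ' a failed registry read can leave the value Null or Empty
    if isNull ( regVal) or isEmpty ( regVal) then exit function

    ' Work on a copy: VBScript passes arguments ByRef by default, so
    ' editing regVal directly would overwrite the caller's variable.
    cmdLine = replace ( cstr ( regVal), """", "" )

    ' now get rid of any command line options leaving just the
    ' path to the exe
    iLoc = instr ( 1, lcase ( cmdLine), ".exe" )
    if iLoc > 0 then getExePath = mid ( cmdLine, 1, iLoc + 3 )
end function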
'====================================================================
'== function getFileInfo - get information about the file in
'== question
'==
'== Normal 0 Normal file. No attributes are set.
'== ReadOnly 1 Read-only file. Attribute is read/write.
'== Hidden 2 Hidden file. Attribute is read/write.
'== System 4 System file. Attribute is read/write.
'== Volume 8 Disk drive volume label. Attribute is read-only.
'== Directory 16 Folder or directory. Attribute is read-only.
'== Archive 32 File has changed since last backup. Attribute is read/write.
'== Alias 1024 Link or shortcut. Attribute is read-only.
'== Compressed 2048 Compressed file. Attribute is read-only.
'==
'====================================================================
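function getFileInfo ( filePath)
    ' Builds a multi-line description (timestamps, type, attribute flags)
    ' of the file at filePath, using the script-wide fso object and
    ' indentStr prefix. Returns "" for an empty path and a one-line
    ' notice when the file cannot be opened.
    dim fileObj, outMsg, attrs

    if filePath = "" then
        getFileInfo = ""
        exit function
    end if

    on error resume next
    set fileObj = fso.getfile ( filePath)
    if err.number <> 0 then
        ' Report the failure instead of printing a block of blank fields.
        ' A Run entry whose target cannot be opened deserves a closer look:
        ' it may be stale, a bare file name resolved through the search
        ' path, or a REG_SZ value holding unexpanded environment variables.
        err.clear
        getFileInfo = indentStr & " File not found or not accessible: " & filePath
        exit function
    end if

    ' property reads stay best-effort under "on error resume next"
    outMsg = ""
    outMsg = outMsg & indentStr & " Created: " & fileObj.DateCreated & vbcrlf
    outMsg = outMsg & indentStr & " Last Accessed: " & fileObj.DateLastAccessed & vbcrlf
    outMsg = outMsg & indentStr & " Last Modified: " & fileObj.DateLastModified & vbcrlf
    outMsg = outMsg & indentStr & " File Type: " & fileObj.Type & vbcrlf

    attrs = fileObj.attributes
    ' "attrs and 0" is always 0, so the normal-file case has to be
    ' tested with an equality check
    if attrs = 0 then
        outMsg = outMsg & indentStr & " File Attributes: Normal file. No attributes are set"
    else
        outMsg = outMsg & indentStr & " File Attributes: "
        if attrs and 1 then
            outMsg = outMsg & "Read Only "
        end if
        if attrs and 2 then
            outMsg = outMsg & "Hidden "
        end if
        if attrs and 4 then
            outMsg = outMsg & "System "
        end if
        if attrs and 8 then
            outMsg = outMsg & "Volume "
        end if
        if attrs and 16 then
            outMsg = outMsg & "Directory "
        end if
        if attrs and 32 then
            outMsg = outMsg & "Archive - File has changed since last backup "
        end if
        if attrs and 1024 then
            outMsg = outMsg & "Link or Shortcut "
        end if
        if attrs and 2048 then
            outMsg = outMsg & "Compressed "
        end if
    end if

    set fileObj = nothing
    getFileInfo = outMsg
end function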