'====================================================================
'= Enumerate Registry Run Key VBScript sample - Copyright © 2007, Dave Moats
'=
'= This sample is provided 'as-is', without any express or implied warranty.
'= In no event will the authors be held liable for any damages arising from
'= the use of this sample code.
'=
'= Permission is granted to anyone to use this sample code for any purpose,
'= including commercial applications, subject to the following restrictions:
'=
'= The origin of this code must not be misrepresented;
'=       you must not claim that you wrote the original code.
'=       If you use this code, an acknowledgment in the
'=       documentation is requested - shown below:
'=
'= Portions Copyright © 2007, Dave Moats (http://www.davemoats.com/).
'=
'====================================================================
'====================================================================
'== enum_reg_values.vbs       -    script to enumerate all the values
'==                                        located under the registry run key
'====================================================================
' Registry hive handles passed to the WMI StdRegProv methods.
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002

' Registry value type codes, compared against the types returned by
' StdRegProv.EnumValues in enumRegValues.
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7

' Script-wide objects: fso is used by getFileInfo, regObj by enumRegValues.
Set fso = CreateObject("Scripting.FileSystemObject")
Set regObj = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' The Run key lists programs started at logon, which makes it a common
' persistence location worth auditing. Only this one key is inspected, in
' HKLM and HKCU; other autostart locations (for example RunOnce, or the
' Wow6432Node view on 64-bit Windows) are not covered by this script.
keyPath = "Software\Microsoft\Windows\CurrentVersion\Run"

' Prefix placed in front of every output line.
indentStr = "          "

' Machine-wide entries first ...
WScript.Echo vbCrLf & "Enumeration of HKEY_LOCAL_MACHINE Run Key:" & vbCrLf
Call enumRegValues(HKEY_LOCAL_MACHINE, keyPath)

WScript.Echo vbCrLf

' ... then the entries of the user running the script.
WScript.Echo "Enumeration of HKEY_CURRENT_USER Run Key:" & vbCrLf
Call enumRegValues(HKEY_CURRENT_USER, keyPath)

' Release the COM objects before exiting.
Set regObj = Nothing
Set fso = Nothing

WScript.Quit

'====================================================================
'== sub enumRegValues    -    enumerates all the registry values under
'==                                     the run key in the registry
'====================================================================
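sub enumRegValues ( regKey, keyPath )

   ' Lists every named value under regKey\keyPath. String values are
   ' treated as command lines and followed by file information for the
   ' executable they reference; binary and DWORD values are printed as
   ' data only, since they do not contain a path.
   '
   '   regKey  - hive handle (HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER)
   '   keyPath - key path below the hive
   '
   ' Uses the script-level regObj (StdRegProv) and indentStr.

   ' declared locally so the loop variables do not leak into script scope
   dim arNames, arTypes, arrValues, regVal, hexData, rc, i, j

   rc = regObj.EnumValues ( regKey, keyPath, arNames, arTypes )

   if rc <> 0 then
         wscript.echo indentStr & "Unable to enumerate values (StdRegProv return code " & rc & ")"
         exit sub
   end if

   ' EnumValues leaves arNames as Null when the key holds no values;
   ' ubound on Null would abort the script
   if not isarray ( arNames) then
         wscript.echo indentStr & "No values found"
         exit sub
   end if

   for i = 0 to ubound ( arNames)

         ' entries with an empty name are skipped
         if arNames ( i) <> "" then

            wscript.echo indentStr & "Registry Value Name: " & arNames ( i)

            select case arTypes ( i)
                  case REG_SZ
                        regObj.GetStringValue regKey, keyPath, arNames ( i), regVal
                        reportRunEntry regVal
                  case REG_EXPAND_SZ
                        regObj.GetExpandedStringValue regKey, keyPath, arNames ( i), regVal
                        reportRunEntry regVal
                  case REG_BINARY
                        regObj.GetBinaryValue regKey, keyPath, arNames ( i), regVal
                        ' print the bytes once, as hex; the byte index is j,
                        ' not the value index i
                        hexData = ""
                        if isarray ( regVal) then
                           for j = lbound ( regVal) to ubound ( regVal)
                              hexData = hexData & right ( "0" & hex ( regVal ( j)), 2) & " "
                           next
                        end if
                        wscript.echo indentStr & "Registry Value Data: " & hexData
                        wscript.echo vbcrlf
                  case REG_DWORD
                        regObj.GetDWORDValue regKey, keyPath, arNames ( i), regVal
                        wscript.echo indentStr & "Registry Value Data: " & regVal & vbcrlf
                  case REG_MULTI_SZ
                        regObj.GetMultiStringValue regKey, keyPath, arNames ( i), arrValues
                        if isarray ( arrValues) then
                           for each regVal in arrValues
                              reportRunEntry regVal
                           next
                        end if
                        wscript.echo vbcrlf
                  case else
                        ' a type this script does not decode is still worth
                        ' showing to whoever reviews the output
                        wscript.echo indentStr & "Registry Value Type: " & arTypes ( i) & " (not decoded)" & vbcrlf
            end select
      end if
   next

end sub

' Prints one string value and the file information for the executable it names.
sub reportRunEntry ( regVal )

   dim cmdLine

   ' Work on a copy: VBScript passes arguments by reference, so a callee
   ' that assigns to its parameter would alter the caller's value. A Null
   ' (value could not be read) is reported as empty data.
   if isnull ( regVal) then
         cmdLine = ""
   else
         cmdLine = regVal
   end if

   wscript.echo indentStr & "Registry Value Data: " & cmdLine
   wscript.echo indentStr & "File Information: " & vbcrlf & getFileInfo ( getExePath ( cmdLine)) & vbcrlf

end sub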

'====================================================================
'==    function getExePath    -    extract the path to the executable
'==                                       from a run key value
'====================================================================
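function getExePath ( regVal )

   ' Returns the executable path contained in a run key command line:
   ' double quotes are removed and everything after the first ".exe"
   ' (case-insensitive) is dropped. Returns "" when the value is Null or
   ' contains no ".exe".
   '
   ' Limits a reviewer should keep in mind:
   '   - only ".exe" is recognised; for an entry started through a host
   '     program the result is the host, not the DLL or script it loads
   '   - the cut is made at the first ".exe", so a directory name that
   '     contains ".exe" truncates the path early
   '   - a name without a full path is returned as written

   dim cmdLine, iLoc

   ' a value that could not be read arrives as Null; replace would raise on it
   if isnull ( regVal) then
         getExePath = ""
         exit function
   end if

   ' remove any double quotes, working on a local copy: arguments are
   ' passed by reference and the caller's value must stay intact
   cmdLine = trim ( replace ( regVal, """", "" ))

   ' now get rid of any command line options leaving just the
   ' path to the exe
   iLoc = instr ( 1, lcase ( cmdLine), ".exe" )

   if iLoc = 0 then
         getExePath = ""
   else
         ' keep everything up to and including the four characters of ".exe"
         getExePath = mid ( cmdLine, 1, iLoc + 3 )
   end if

end function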

'====================================================================
'==    function getFileInfo    -    get information about the file in
'==                                        question
'==
'==    Normal          0       Normal file. No attributes are set.
'==    ReadOnly       1       Read-only file. Attribute is read/write.
'==    Hidden          2       Hidden file. Attribute is read/write.
'==    System          4       System file. Attribute is read/write.
'==    Volume          8       Disk drive volume label. Attribute is read-only.
'==    Directory    16       Folder or directory. Attribute is read-only.
'==    Archive       32       File has changed since last backup. Attribute is read/write.
'==    Alias          1024    Link or shortcut. Attribute is read-only.
'==    Compressed    2048    Compressed file. Attribute is read-only.
'==
'====================================================================
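function getFileInfo ( filePath)

   ' Returns a multi-line description of filePath: creation, last access
   ' and last modification times, the file type and its attribute flags.
   ' Returns "" for an empty path and a one-line notice when the file is
   ' missing or cannot be opened.
   '
   ' Uses the script-level fso (FileSystemObject) and indentStr.
   '
   ' The timestamps and attributes are whatever the file system reports
   ' and can be changed by anyone able to write the file, so they are a
   ' starting point for review, not proof that a file is legitimate.

   dim fileObj, outMsg, attrs, flagBits, flagNames, k

   if filePath = "" then
         getFileInfo = ""
         exit function
   end if

   ' A run entry whose target is missing is worth surfacing explicitly.
   ' Without this check the errors below are swallowed and a failing
   ' condition can fall into its Then branch, reporting "Normal file".
   if not fso.fileexists ( filePath) then
         getFileInfo = indentStr & "    File not found: " & filePath
         exit function
   end if

   on error resume next

   set fileObj = fso.getfile ( filePath)

   if err.number <> 0 then
         getFileInfo = indentStr & "    Unable to read file information: " & err.description
         err.clear
         exit function
   end if

   outMsg = ""

   outMsg = outMsg & indentStr & "    Created: " & fileObj.DateCreated    & vbcrlf

   outMsg = outMsg & indentStr & "    Last Accessed: " & fileObj.DateLastAccessed & vbcrlf

   outMsg = outMsg & indentStr & "    Last Modified: " & fileObj.DateLastModified & vbcrlf

   outMsg = outMsg & indentStr & "    File Type: " & fileObj.Type & vbcrlf

   attrs = fileObj.attributes

   on error goto 0

   ' "Normal" means no attribute bits are set; this has to be an equality
   ' test, because (attrs and 0) is always zero
   if attrs = 0 then

         outMsg = outMsg & indentStr & "    File Attributes:    Normal file. No attributes are set"

   else

         outMsg = outMsg & indentStr & "    File Attributes:    "

         ' attribute bit values and their labels, in the order they are reported
         flagBits = array ( 1, 2, 4, 8, 16, 32, 1024, 2048 )
         flagNames = array ( "Read Only ", "Hidden ", "System ", "Volume ", "Directory ", _
                             "Archive - File has changed since last backup ", _
                             "Link or Shortcut ", "Compressed " )

         for k = 0 to ubound ( flagBits)
            if attrs and flagBits ( k) then
               outMsg = outMsg & flagNames ( k)
            end if
         next

   end if

   set fileObj = nothing

   getFileInfo = outMsg

end function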


