No results when reading remote registry

[Jewtus]

I've been looking at @UEZ code for reading remote machine info (I'm trying to test locally right now) but I'm not getting results from the sample code. I've tried messing around with it a bit, but I'm definitely in over my head with registry stuff (I inherited some responsibilities that came with a list of registry entries to check/modify).

This is the code I have, and the domain check works, but I don't get a blank string on the registry value. I checked the registry and the path is correct, but I'm not getting any results

expandcollapse popup

Global Const $oErrorHandler = ObjEvent("AutoIt.Error", "ObjErrorHandler")

Local $sUser,$sPass
$sRegVal=WMI_GetRemoteRegVal(@ComputerName, "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion",$sUser,$sPass)
$sDomain=WMI_GetDomainName(@ComputerName,$sUser,$sPass)
MsgBox(0,"",$sRegVal)
MsgBox(0,"",$sDomain)

Func WMI_GetRemoteRegVal($sHost, $sRegPath, $sUser = "", $sPass = "") ;coded by UEZ build 2014-07-06
    If $sHost = "." Then $sHost = "localhost"
    Local $iPing = Ping($sHost, 250)
    If @error Then Return SetError(1, 0, "")
    Local $objWMILocator = ObjCreate("WbemScripting.SWbemLocator")
    Local $objWMIService = $objWMILocator.ConnectServer($sHost, "\\.\root\default", $sUser, $sPass, "", "", 128)
    If @error Then Return SetError(2, @error, "")
    Local $objReg = $objWMIService.Get("StdRegProv") ;http://msdn.microsoft.com/en-us/library/aa393664(v=vs.85).aspx
    If @error Then Return SetError(3, @error, "")
    Local Const $wbemImpersonationLevelImpersonate = 3, $wbemAuthenticationLevelPktPrivacy = 6
    $objReg.Security_.ImpersonationLevel = $wbemImpersonationLevelImpersonate
    $objReg.Security_.AuthenticationLevel = $wbemAuthenticationLevelPktPrivacy
    Local $nHKEY, $sPrefix = StringRegExpReplace($sRegPath, "(.+?)\\.*", "$1")
    Switch $sPrefix
        Case "HKEY_CLASSES_ROOT" Or "HKCR"
            $nHKEY = 0x80000000
        Case "HKEY_CURRENT_USER" Or "HKCU"
            $nHKEY = 0x80000001
        Case "HKEY_LOCAL_MACHINE" Or "HKLM"
            $nHKEY = 0x80000002
        Case "HKEY_USERS" Or "HKU"
            $nHKEY = 0x80000003
        Case "HKEY_CURRENT_CONFIG" Or "HKCC"
            $nHKEY = 0x80000005
;~      Case "HKEY_DYN_DATA" Or "HKDD" ;Windows 95/98 only
;~          $nHKEY = 0x80000006
        Case Else
            Return SetError(4, 0, "")
    EndSwitch
    Local $sRegKeyPath = StringRegExpReplace($sRegPath, "(?i)" & $sPrefix & "\\(.+)\\.*", "$1")
    If @error Or $sRegKeyPath = "" Then Return SetError(5, 0, "")
    Local $aSubKeys, $aTypes
    $objReg.EnumValues($nHKEY, $sRegKeyPath, $aSubKeys, $aTypes)
    If @error Then Return SetError(6, @error, "")
    Local Enum $iREG_SZ = 1, $iREG_EXPAND_SZ, $iREG_BINARY, $iREG_DWORD, $iREG_DWORD_BIG_ENDIAN, $iREG_LINK, $iREG_MULTI_SZ, $iREG_RESOURCE_LIST, $iREG_FULL_RESOURCE_DESCRIPTOR, $iREG_RESOURCE_REQUIREMENTS_LIST, $iREG_QWORD
    Local $i, $return, $sSearchValue = StringRegExpReplace($sRegPath, "(?i)" & $sPrefix & ".+\\(.+)", "$1")
    For $i = 0 To UBound($aSubKeys) - 1
        If $aSubKeys[$i] = $sSearchValue Then
            Switch $aTypes[$i]
                Case $iREG_SZ
                    $objReg.GetStringValue($nHKEY, $sRegKeyPath, $sSearchValue, $return)
                    Return $return
                Case $iREG_EXPAND_SZ
                    $objReg.GetExpandedStringValue($nHKEY, $sRegKeyPath, $sSearchValue, $return)
                    Return $return
                Case $iREG_BINARY
                    $objReg.GetBinaryValue($nHKEY, $sRegKeyPath, $sSearchValue, $return)
                    Return $return
                Case $iREG_DWORD
                    $objReg.GetDWORDValue($nHKEY, $sRegKeyPath, $sSearchValue, $return)
                    Return $return
                Case $iREG_MULTI_SZ
                    $objReg.GetMultiStringValue($nHKEY, $sRegKeyPath, $sSearchValue, $return)
                    Return $return
                Case $iREG_QWORD
                    $objReg.GetQWORDValue($nHKEY, $sRegKeyPath, $sSearchValue, $return)
                    Return $return
            EndSwitch
        EndIf
    Next
    Return SetError(7, 0, "")
EndFunc

Func WMI_GetDomainName($sHost, $sUsr = "", $sPass = "")
    If $sHost = "." Then $sHost = @ComputerName
    Local $ping = Ping($sHost, 250)
    If @error Then Return SetError(1, 0, -1)
    Local $objWMILocator = ObjCreate("WbemScripting.SWbemLocator")
    Local $objWMIService = $objWMILocator.ConnectServer($sHost, "\root\cimv2", $sUsr, $sPass, "", "", 128)
    If @error Then Return SetError(2, 0, -1)
    Local $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem", "WQL", 0x30)
    If IsObj($colItems) Then
        For $objItem In $colItems
            Return $objItem.Domain
        Next
    Else
        Return SetError(3, 0, -1)
    EndIf
    Return 0
EndFunc

Func ObjErrorHandler()
    ConsoleWrite(   "A COM Error has occured!" & @CRLF  & @CRLF & _
                                "err.description is: "    & @TAB & $oErrorHandler.description    & @CRLF & _
                                "err.windescription:"     & @TAB & $oErrorHandler & @CRLF & _
                                "err.number is: "         & @TAB & Hex($oErrorHandler.number, 8)  & @CRLF & _
                                "err.lastdllerror is: "   & @TAB & $oErrorHandler.lastdllerror   & @CRLF & _
                                "err.scriptline is: "     & @TAB & $oErrorHandler.scriptline     & @CRLF & _
                                "err.source is: "         & @TAB & $oErrorHandler.source         & @CRLF & _
                                "err.helpfile is: "       & @TAB & $oErrorHandler.helpfile       & @CRLF & _
                                "err.helpcontext is: "    & @TAB & $oErrorHandler.helpcontext & @CRLF _
                            )
EndFunc

 

 

This is the previous thread:

 

[UEZ]

Well, it doesn't work for me either anymore using Win10. Which OS do you use? 

$objReg.EnumValues($nHKEY, $sRegKeyPath, $aSubKeys, $aTypes)

Doesn't return an array -> $aSubKeys

Edited October 21, 2016 by UEZ

[Jewtus]

1 minute ago, UEZ said:

Well, it doesn't work for me either anymore using Win10. Which OS do you use? 

Win 10... Most of my remote hosts are windows server though... Maybe I'll take a shot with one of those machines.

 

(win server 2012 R2 might be an issue.. its a lot like win 10)

Edited October 21, 2016 by Jewtus

[Jewtus]

UPDATE:

I tried it on a Windows Server 2012 R2 Datacenter machine and had no results.

I then tried it on a Windows Server 2008 R2 Standard and still had no results.

Could this be related to the version of Autoit? I'm running v3.3.15.0.

[Jewtus]

This seems to work:

Func WMI_GetRemoteRegVal($sHost, $sRegPath, $sUser = "", $sPass = "")
    Local $strKeyPath='',$arrValueNames, $arrValueTypes, $strValue, $aReturn[0][2]
    $aString=StringSplit($sRegPath,"\")
    $sStringBase=$aString[1]
    For $x=2 to UBound($aString)-1
        If $strKeyPath='' then
            $strKeyPath=$aString[$x]
        Else
            $strKeyPath=$strKeyPath&'\'&$aString[$x]
        EndIf
    Next
    MsgBox(0,$sStringBase,$strKeyPath)
    If $sStringBase ="HKEY_CLASSES_ROOT" Or $sStringBase ="HKCR" Then $nHKEY = 0x80000000
    If $sStringBase ="HKEY_CURRENT_USER" Or $sStringBase ="HKCU" Then $nHKEY = 0x80000001
    If $sStringBase ="HKEY_LOCAL_MACHINE" Or $sStringBase ="HKLM" Then $nHKEY = 0x80000002
    If $sStringBase ="HKEY_USERS" Or $sStringBase ="HKU" Then $nHKEY = 0x80000003
    If $sStringBase ="HKEY_CURRENT_CONFIG" Or $sStringBase ="HKCC" Then $nHKEY = 0x80000005
    $objRegistry = ObjGet("winmgmts:\\" & $sHost & "\root\default:StdRegProv")
    $objRegistry.EnumValues($nHKEY, $strKeyPath, $arrValueNames, $arrValueTypes)
    For $i = 0 To UBound($arrValueNames) - 1
        $strValueName = $arrValueNames[$i]
        $objRegistry.GetStringValue($nHKEY, $strKeyPath, $strValueName, $strValue)
        _ArrayAdd($aReturn, $arrValueNames[$i] & "|" & $strValue)
    Next
    If UBound($aReturn) > 0 Then
        Return $aReturn
    Else
        Return -1
    EndIf
EndFunc

 

[MattHiggs]

By the way, for client devices, the "remote registry" service is disabled by default.  I would assume that to get this to work, you would need enable the service and ensure that it is running.

[Jewtus]

2 hours ago, MattHiggs said:

By the way, for client devices, the "remote registry" service is disabled by default.  I would assume that to get this to work, you would need enable the service and ensure that it is running.

Anyway to push the command to do that to a remote machine

 

Otherwise I will probably make a script.

[MattHiggs]

run following two commands in command prompt:

sc \\computername config remoteregistry start= auto

sc \\computername start remoteregistry

Edited October 21, 2016 by MattHiggs

[UEZ]

Is it working now with enabled and started remote registry service (code from post#1)?

Edited October 21, 2016 by UEZ

[Jewtus]

EDIT:

Ok this seems to work with the service off..

Func WMI_GetRemoteRegVal($sHost, $sRegPath, $sUser = "", $sPass = "")
    Local $strKeyPath = '', $arrValueNames, $arrValueTypes, $strValue, $aReturn[0][2]
    $aString = StringSplit($sRegPath, "\")
    $sStringBase = $aString[1]
    For $x = 2 To UBound($aString) - 1
        If $strKeyPath = '' Then
            $strKeyPath = $aString[$x]
        Else
            $strKeyPath = $strKeyPath & '\' & $aString[$x]
        EndIf
    Next
    If $sStringBase = "HKEY_CLASSES_ROOT" Or $sStringBase = "HKCR" Then $nHKEY = 0x80000000
    If $sStringBase = "HKEY_CURRENT_USER" Or $sStringBase = "HKCU" Then $nHKEY = 0x80000001
    If $sStringBase = "HKEY_LOCAL_MACHINE" Or $sStringBase = "HKLM" Then $nHKEY = 0x80000002
    If $sStringBase = "HKEY_USERS" Or $sStringBase = "HKU" Then $nHKEY = 0x80000003
    If $sStringBase = "HKEY_CURRENT_CONFIG" Or $sStringBase = "HKCC" Then $nHKEY = 0x80000005
    $objSWbemLocator = ObjCreate("WbemScripting.SWbemLocator")
    If $sHost='locahost' Then
        $objSWbemServices = $objSWbemLocator.ConnectServer($sHost, "root\CIMV2")
    Else
        $objSWbemServices = $objSWbemLocator.ConnectServer($sHost, "root\CIMV2", $sUser, $sPass)
    EndIf
    $objRegistry = $objSWbemServices.Get("StdRegProv")
    $objRegistry.EnumValues($nHKEY, $strKeyPath, $arrValueNames, $arrValueTypes)
    For $i = 0 To UBound($arrValueNames) - 1
        $strValueName = $arrValueNames[$i]
        $objRegistry.GetStringValue($nHKEY, $strKeyPath, $strValueName, $strValue)
        _ArrayAdd($aReturn, $arrValueNames[$i] & "|" & $strValue)
    Next
    If UBound($aReturn) > 0 Then
        Return $aReturn
    Else
        Return -1
    EndIf
EndFunc   ;==>WMI_GetRemoteRegVal

 

Edited October 24, 2016 by Jewtus

[UEZ]

I found the bug in the function! The issue was within the switch/case statements ->

Switch $sPrefix
        Case "HKEY_CLASSES_ROOT" Or "HKCR"
            $nHKEY = 0x80000000
        Case "HKEY_CURRENT_USER" Or "HKCU"
            $nHKEY = 0x80000001
        Case "HKEY_LOCAL_MACHINE" Or "HKLM"
            $nHKEY = 0x80000002
        Case "HKEY_USERS" Or "HKU"
            $nHKEY = 0x80000003
        Case "HKEY_CURRENT_CONFIG" Or "HKCC"
            $nHKEY = 0x80000005
;~      Case "HKEY_DYN_DATA" Or "HKDD" ;Windows 95/98 only
;~          $nHKEY = 0x80000006
        Case Else
            Return SetError(4, 0, "")
    EndSwitch

It must be

Switch $sPrefix
        Case "HKEY_CLASSES_ROOT", "HKCR"
            $nHKEY = 0x80000000
        Case "HKEY_CURRENT_USER", "HKCU"
            $nHKEY = 0x80000001
        Case "HKEY_LOCAL_MACHINE", "HKLM"
            $nHKEY = 0x80000002
        Case "HKEY_USERS", "HKU"
            $nHKEY = 0x80000003
        Case "HKEY_CURRENT_CONFIG", "HKCC"
            $nHKEY = 0x80000005
;~      Case "HKEY_DYN_DATA", "HKDD" ;Windows 95/98 only
;~          $nHKEY = 0x80000006
        Case Else
            Return SetError(4, 0, "")
    EndSwitch

 

Case "HKEY_CLASSES_ROOT" Or "HKCR" is always true and thus wrong $nHKEY was set.