Reading a Remote Registry Key Through Scripting

I’ve been working a lot lately with SCCM DCM (System Center Configuration Manager Desired Configuration Manager).

If you’ve worked with ConfigMgr you know how powerful the tool is. The DCM portion of ConfigMgr is particularly powerful when scanning collections for compliance against a set of baselines (comprised of configuration items).

The one thing that you quickly realize with either ConfigMgr or DCM is that you need to script a lot of stuff to get what you want. DCM will allow you to use three different scripting frameworks: PowerShell, JScript, or VBScript. For my situation, PowerShell is not an option because the target servers must have PowerShell installed, which is not a guarantee. So, I chose VBScript.

One of the scans we are performing is to check for the existence of a registry key and key value. The registry entry is the following:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
Value: (Default)=@SYS:DoesNotExist

The above registry key and value is one of those Windows Secrets that prevents AutoRun attacks.

Note: Details of the AutoRun attack and how to prevent it is listed at the end of this article.

Reading the local registry via scripting is relatively straightforward. Using the WshShell object’s RegRead() method you can display the value located in the above registry hive by running the following VBScript.

Set ObjWshObject = WScript.CreateObject(“WScript.Shell”)
strResults = objWshObject.RegRead(“HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf”)
WScript.echo strResults

If you’re wondering how to run the above script you can take the above green text and paste it into Notepad (or my favorite Notepad++) and save as RegRead.vbs and then execute it by double-clicking the vbs file.

Note: If this registry hive does not exist when you run the script you will receive an error.

The question now becomes how do you run this script against a remote system to see if this registry value exists? It’s too bad we can’t just wave our magic remote wand and make VBScript magically do this. If only it were that easy…

To get VBScript to work remotely you have to invoke WMI (Windows Management Interface). WMI is a massive topic and way beyond the scope of this article. Suffice it to say it is the magic you will invoke to gain access to remote stuff.

The first problem in trying to execute the above script against a remote system is that we are interrogating the registry for subkeys when we actually want the default value of the key.  The second problem is that WMI’s StdRegProv (WMI interface for remote registry access) is really hard to use.  It is full of all kinds of pitfalls because the results depend upon the type of data found in the registry.  For example, if the default value is not set it only returns a scalar value (single value) as opposed to returning an array (multiple values). Also, you need to determine the value’s data type before you can read that value.  That is to say every value type requires a different method to extract its value. Wow that just turned difficult fast. Microsoft should examine this portion of StdRegProv because it is unreasonably complicated. However, my belief is that Microsoft’s focus is more on PowerShell as a solution as opposed to using VBScript so it is what it is…

In our example, life is a bit easier because we already know that the default value is going to be a string value.

Cobbling all of this extraneous information into a script to gain what we need looks like this:

const HKEY_LOCAL_MACHINE = &H80000002

ExistOrNot = “Key does not exists”

strComputer = “.”

Set objReg=GetObject(“winmgmts:{impersonationLevel=impersonate}!\\” & strComputer & “\root\default:StdRegProv”)

strKeyPath= “SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf”

objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, “”, strValue
if instr(strValue, “@SYS:DoesNotExist”) <> 0 then
ExistOrNot = “Key exists”
else
ExistOrNot = “Key does not exist”
end if
WScript.echo ExistOrNot

Without going into the gory details of the script the magic really happens in the last section when we issue the following function : if instr(strValue,”@SYS:DoesNotExist”) <> 0.

The Function will return the position of the first occurence of @SYS:DoesNotExist within the variable strValue. The Function will return a value of zero if @SYS:DoesNotExist is not found. Therefore, if the value returned is not zero then our key exists as our script shows above.

Scripting is akin to playing an instrument. Just like in anything the more you do it the better you become at it.

One quick trick prevents AutoRun attacks
http://windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-Autorun-attacks

Notepad++
http://notepad-plus-plus.org/

Microsoft Script Center
http://technet.microsoft.com/en-us/scriptcenter/bb410849.aspx

Advertisement