Archive for the ‘Windows’ tag
Using registry values in scripts
I’m often writing scripts to do stuff. It makes my job easier. I’ve often wanted to be able to script the discovery of registry values in the Windows Registry.
Thus here is a short example on using the vanilla Windows command line to find the value of a Windows registry key. From my testing these commands are all present by default in Windows XP, Vista, 7, Server 2003 and Server 2008.
Assume we want to find the Microsoft Windows Common Files directory. Using Regedit we can find that here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
So the first thing we want to do is query the registry. We do that with the command line tool reg as follows (more about reg):
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion /v CommonFilesDir >1.tmp
This will spit out the following into the text file 1.tmp:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
CommonFilesDir REG_SZ C:\Program Files\Common Files
However, this isn’t of much use in a script. Really, we just want the value of the folder itself, not all the extra info.
So what we do is use the command line tool ‘findstr’, which is essentially a Windows regex tool (more about findstr). We use it to do this:
findstr /r REG_SZ 1.tmp >2.tmp
This spits out just the line that contains REG_SZ and puts it into the text file 2.tmp. Now that we’ve got just the one line, we want to strip the first 32 characters off it. We do this by first setting it as an environment variable and then trimming it down using the following two commands (more on set):
set /p CommFiles=<2.tmp
And then we shorten that (more on trimming):
set CommFiles=%CommFiles:~32%
Then we can echo the result to the screen using:
Echo The Common Files directory is: %CommFiles%
And here it is all in one easy to copy set:
Set CommFiles=C:\Temp
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion /v CommonFilesDir >1.tmp
findstr /r REG_SZ 1.tmp >2.tmp
set /p CommFiles=<2.tmp
set CommFiles=%CommFiles:~32%
Echo The Common Files directory is: %CommFiles%
With a little editing I’m sure that you can turn this to your own uses, pulling out the value of registry keys and using them in script files. You’re not limited to this registry key; you can use it to access all sorts of registry keys.
Please do tell me what uses you put this to.
Enjoy.
Finding user SID
Occasionally you may want to know the SID of a Windows user. If that made no sense to you, read no further, this snippet is not for you.
Open up REGEDIT and browse to this key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Here you will find a list of SIDs, under each is a subkey containing the name of the user it is associated with. Run through them until you find the username you’re looking for and bingo, its parent key is that user’s SID.
Found via petri.co.il
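The manual walk through ProfileList, scripted as an added example that is not part of the original post. It assumes each SID key carries a ProfileImagePath value whose last path component is the user name; the variable names are illustrative.

```batch
@echo off
setlocal
rem Added example: print every profile SID next to its profile path.
set "PL=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

rem Each subkey of ProfileList is named after a SID; reg prints one full key path per line.
for /f "delims=" %%K in ('reg query "%PL%" 2^>nul ^| findstr /i /c:"S-1-"') do call :show "%%K"
exit /b 0

:show
set "ProfilePath="
rem ProfileImagePath is REG_EXPAND_SZ: %%A receives the type, %%B the path (spaces kept).
for /f "tokens=2,*" %%A in ('reg query "%~1" /v ProfileImagePath 2^>nul ^| findstr /i /c:"ProfileImagePath"') do set "ProfilePath=%%B"
rem Skip keys that have no profile path recorded.
if not defined ProfilePath exit /b 0
rem %~nx1 is the last component of the key path, which is the SID itself.
echo %~nx1  %ProfilePath%
exit /b 0
```

Pipe the output through findstr /i with the user name to pick out a single account.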
Turn off Enhanced Security
Just had need of this article; method #2 describes how to turn off Microsoft Internet Explorer Enhanced Security Configuration.
Open Source administrator tools
Spotted this great list of open source tools for system administrators: 24 Great Open Source Apps for Admins & Technicians.
I can personally vouch for a number of these:
- Angry IP Scanner
- PuTTY
- DBAN
- DeltaCopy
For some tools that are not open source but free, you can’t go past live.sysinternals.com (details here) – now owned by Microsoft themselves, these tools make a Windows sysadmin’s job much easier.
Resurrecting Terminal Server
A Terminal Server I was attempting to work on today gave quite a lot of grief. The first hint was that users were unable to log in to it. When I then tried to log in, it gave an error message of:
Login Failed
You are connected to the remote computer. However, an error occurred while an initial user program was starting, so you are being logged off. Contact the system administrator for assistance.
So I rebooted it remotely using the command shutdown /r /f /m \\TSERVER1 while having a continuous ping running; from the ping results I could see it go down and come back up. However, on trying to log in now, after entering a username/password I could see the logon script run, but no taskbar or Start button appeared. Right-clicking the desktop didn’t give any menu.
I could however navigate to the hard drive on that machine by pointing My Computer to \\tserver1\c$\.
Copying some of the tools at live.sysinternals.com, I was able to view the event logs (no issues apparent) and check the status of various services (all OK).
So I connected via RDP once more (mstsc /v:tserver1 /console) and viewed the background (still no Start button or taskbar) and pressed CTRL-ALT-END, which allowed me to start the Task Manager. This allowed me to run a new task (File | New Task (Run...)), so now I was able to copy the sysinternals autoruns program to the root of the C: partition, and run it from the affected terminal server. Running c:\windows\explorer.exe didn’t work tho.
Delving into its depths I found an entry for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer – renaming this entry then allowed Explorer to run. So I’ve exported the key (in case I do want it sometime) and then deleted it.
Rebooted the server once more and bingo, it lets everyone log in. Very satisfying after a couple of hours of mad hair tearing.
Registry utility I would love to have
I don’t have this, but I certainly would use it. A simple utility to do search and replace in the Microsoft Windows registry.
Ideally it would do the following:
- Specify a list of values to delete – it would then remove ALL those values
- Specify a value and what to replace it with
- Specify a key and what key to replace it with
- Specify a key and what value to make it
My immediate use is removing entries that a virus (WORM actually) has entered. Using regedit is a pain pain pain!
Ubuntu VPN goodness
I’m now running Ubuntu 7.10 on my personal laptop (it dual boots with MS Vista Ultimate, but defaults to Ubuntu). Of course I want to do it all, including connecting to MS Windows VPNs.
The short set of instructions over at tipotheday were spot-on.
My only addition would be to have the Ubuntu 7.10 install CD (or ISO) handy. Personally I used the command line (CLI) version, worked a treat.

