|
Mekinery
Junior user
Points 83
Posts 32
Registered 2006-12-26
Status: offline
|
『Original poster』:
[Solved] Question: how to check whether a registry value exists?
Determine whether, under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\" in the registry, there is a key named "Sysin" with a value named "Wins" (a string) of type "REG_SZ" whose data is "mondy".
1. If it exists, continue (go on to the next instruction); if not, create it --- (exact match, including case)
For example, the key must be "Sysin" and not "sysin" or anything else, the value name must be "Wins" and not "wins" or anything else, and the data must be "mondy" and not "Mondy" or anything else.
2. If it exists, continue (go on to the next instruction); if not, create it --- (case-insensitive)
This is urgent, thank you!
[Last edited by Mekinery on 2007-12-24 at 09:36 PM]
|
|
2007-12-24 14:17 |
|
|
fastslz
Platinum member
DOS一根葱
Points 5493
Posts 2315
Registered 2006-5-1, from Shanghai
Status: offline
|
『Post #2』:
```batch
@echo off
rem Each check pipes the reg query output through find; the || branch runs when find matches nothing
reg query HKLM\SOFTWARE\Microsoft\Windows\Sysin|find "Sysin" ||call :No
reg query HKLM\SOFTWARE\Microsoft\Windows\Sysin|find "Wins" ||call :StillNo
reg query HKLM\SOFTWARE\Microsoft\Windows\Sysin|find "mondy" ||goto :NoMore
echo Continue here
pause
rem Stop here so the script does not fall through into the subroutines below
goto :eof
:No
rem Key not found: create it together with the value
reg add "HKLM\SOFTWARE\Microsoft\Windows\Sysin" /f /v "Wins" /t REG_SZ /d "mondy"
goto:eof
:StillNo
rem Value name not found: delete the key and recreate it
reg delete "HKLM\SOFTWARE\Microsoft\Windows\Sysin" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\Sysin" /f /v "Wins" /t REG_SZ /d "mondy"
goto:eof
:NoMore
echo Go find Gates ◎_◎
pause
```
|

|
2007-12-24 15:54 |
|
|
Mekinery
|
『Post #3』:
fastslz is quite funny. First of all, thanks again to fastslz, but it didn't achieve the result I wanted.
Maybe I didn't explain it clearly enough, so let me narrow it down a bit:
Check whether, under the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Sysin", there is a value named Wins (a string) of type "REG_SZ" with the data "mondy".
To confirm once more: there is a string value, its name is exactly "Wins", not "wins, WIns, ..."; the type is strictly "REG_SZ", not "REG_DWORD, REG_MULTI_SZ, REG_BINARY, REG_EXPAND_SZ, ..."; and the data of the value "Wins" is "mondy", not "Mondy, moNdy, ..."
String: type REG_SZ
Binary value: type REG_BINARY
DWORD: type REG_DWORD
...
It should take a search plus a comparison, right?
If any one item doesn't match, it should exit. If everything matches, it should jump to the command section to be executed.
This should be easier to understand...
[Last edited by Mekinery on 2007-12-24 at 07:08 PM]
|
|
2007-12-24 19:04 |
|
|
baomaboy
Silver member
Points 1513
Posts 554
Registered 2005-12-30
Status: offline
|
『Post #4』:
Complete registry operation methods
This is a demonstration of operating on the registry through WMI. After each dialog box pops up, check the corresponding location in the registry and you will see what WMI has done to it. Once everything has run, the script automatically undoes all of the changes it made to the registry.
① Create keys, and create values of each type.
② Read values and determine their types.
③ Enumerate keys and values.
④ Determine whether a key or value exists.
⑤ Query the access permissions on a registry key.
⑥ Monitor a registry root key, key, or value, and prompt when a change is detected.
```vbscript
''' Registry query/operation
On Error Resume Next
Const HKEY_CLASSES_ROOT = &H80000000 ''' The 5 registry root keys: HKCR -----------①
Const HKEY_CURRENT_USER = &H80000001 ''' HKCU
Const HKEY_LOCAL_MACHINE = &H80000002 ''' HKLM
Const HKEY_Users = &H80000003 ''' HKU
Const HKEY_Current_Config = &H80000005 ''' HKCC
Const REG_SZ = 1 ''' Registry value types: string ---------------------------②
Const REG_EXPAND_SZ = 2 ''' Expandable string
Const REG_BINARY = 3 ''' Binary
Const REG_DWORD = 4 ''' DWORD
Const REG_MULTI_SZ = 7 ''' Multi-string
Const KEY_QUERY_VALUE = &H0001 ''' Registry access rights: query value -----------------③
Const KEY_SET_VALUE = &H0002 ''' Set value
Const KEY_CREATE_SUB_KEY = &H0004 ''' Create subkey
Const DELETE = &H00010000 ''' Delete
''' ----------------- Configure environment (path) ----------------------------------------00
strComputer = "."
Set WshShell = WScript.CreateObject("WScript.Shell")
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyRoot = HKEY_LOCAL_MACHINE
Regpath = "HKEY_LOCAL_MACHINE"
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"
WshSHell.popup "Setting path successfully"&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Create key ----------------------------------01
strKeyPathNew = "Software\Microsoft\Windows\CurrentVersion\Run\User_baomaboy\" ''' Note: because this is a new key, an extra "\" is appended
oReg.CreateKey strKeyRoot, strKeyPathNew
WshSHell.popup "Creating primary key successfully"&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Create string value "REG_SZ" ----------------------------------02
strValueName="1 String name"
strValue="String value"
oReg.SetStringValue strKeyRoot, strKeyPath, strValueName, strValue
WshSHell.popup "Creating string successfully"&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Create DWORD value "REG_DWORD" --------------------------------
strValueName="2 Double-byte name"
strValue=1
oReg.SetDWORDValue strKeyRoot, strKeyPath, strValueName, strValue
WshSHell.popup "Creating double-byte value successfully"&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Create multi-string value "REG_MULTI_SZ" -----------------------------
strValueName="3 Multi-string name"
arrStringValues = Array("QQ25926183", "userbaomaboy","LLKJ", "Linglong Technology")
oReg.SetMultiStringValue strKeyRoot, strKeyPath, strValueName, arrStringValues
WshSHell.popup "Creating multi-string successfully"&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Create expandable string value "REG_EXPAND_SZ" --------------------------
strValueName = "4 Expanded string name"
strValue = "%PATHEXT%"
oReg.SetExpandedStringValue strKeyRoot, strKeyPath, strValueName, strValue
WshSHell.popup "Creating expanded string successfully"&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Create binary value "REG_BINARY" ----------------------------
RegPathEr=Regpath&"\Software\Microsoft\Windows\CurrentVersion\Run\5 Binary value"
WshSHell.RegWrite RegPathEr,1,"REG_BINARY"
WshSHell.popup "Creating binary value successfully"&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Read string value "REG_SZ" -------------------------------
oReg.GetStringValue strKeyRoot, strKeyPath, "1 String name", strRunCommand
WshSHell.popup "Reading string value:"&vbcrlf&vbcrlf&strRunCommand&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Read DWORD value "REG_DWORD" -------------------------------
oReg.GetDWORDValue strKeyRoot, strKeyPath, "2 Double-byte name", strRunCommand
WshSHell.popup "Reading double-byte value:"&vbcrlf&vbcrlf&strRunCommand&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Read multi-string value "REG_MULTI_SZ" --------------------------
oReg.GetMultiStringValue strKeyRoot, strKeyPath, "3 Multi-string name", arrValues
For Each strValue In arrValues
    DuoString=DuoString&vbcrlf&strValue
Next
WshSHell.popup "Reading multi-string value:"&vbcrlf&vbcrlf&DuoString&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Read expandable string value "REG_EXPAND_SZ" -------------------------
oReg.GetExpandedStringValue strKeyRoot, strKeyPath, "4 Expanded string name", strValue
WshSHell.popup "Reading expanded string value:"&vbcrlf&vbcrlf&strValue&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Read binary value "REG_BINARY" ----------------------------
oReg.GetBinaryValue strKeyRoot, strKeyPath, "5 Binary value", strValue
For i = lBound(strValue) to uBound(strValue)
    ErString=ErString&strValue(i)
Next
WshSHell.popup "Reading binary value:"&vbcrlf&vbcrlf&ErString&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Enumerate subkeys "SUB_KEY" --------------------------------------
oReg.EnumKey strKeyRoot, strKeyPath, arrSubKeys
For Each subkey In arrSubKeys
    ArrSubKeyStr=ArrSubKeyStr&vbcrlf&subkey
Next
WshSHell.popup "Enumerating primary key:"&vbcrlf&vbcrlf&ArrSubKeyStr&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Enumerate values and their types "KEY_Value_Types" --------------------
oReg.EnumValues strKeyRoot, strKeyPath, arrValueNames, arrValueTypes
For i=0 To UBound(arrValueNames)
    If Len(arrValueNames(i)) > 0 Then
        Select Case arrValueTypes(i)
            Case REG_SZ
                ValueType=" >>>Is: String value"
            Case REG_EXPAND_SZ
                ValueType=" >>>Is: Expanded string value"
            Case REG_BINARY
                ValueType=" >>>Is: Binary value"
            Case REG_DWORD
                ValueType=" >>>Is: Double-byte value"
            Case REG_MULTI_SZ
                ValueType=" >>>Is: Multi-string value"
        End Select
        arrValueStr=arrValueStr&vbcrlf&arrValueNames(i)&ValueType
    End If
Next
WshSHell.popup "Enumerating key values and types:"&vbcrlf&vbcrlf&arrValueStr&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Enumerate values and their data, method one "KEY_Value_Content" ----------------
oReg.EnumValues strKeyRoot, strKeyPath, arrValueNames, arrValueTypes
For i=0 To UBound(arrValueNames)
    If Len(arrValueNames(i)) > 0 Then
        oReg.GetStringValue strKeyRoot,strKeyPath,arrValueNames(i),strValue ''' Suitable for string types
        ValueStr=ValueStr&vbcrlf&arrValueNames(i)&vbcrlf&strValue
    end if
Next
WshSHell.popup "Enumerating key values and content one:"&vbcrlf&vbcrlf&ValueStr&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Enumerate values and their data, method two "KEY_Value_Content" ----------------
oReg.EnumValues strKeyRoot, strKeyPath, arrValueNames, arrValueTypes
i=0
For Each strValue in arrValueNames
    If Len(strValue) > 0 Then
        i=i+1
        oReg.GetStringValue strKeyRoot,strKeyPath,strValue,strRunCommand ''' Suitable for string types
        intLength = Len(strRunCommand)
        if intLength > 35 then ''' Tidy up the display (more code could be added to check whether the path contains a split Chinese character)
            strRunCommand = Left(strRunCommand, 20)&"……"&Right(strRunCommand, 13)
        end if
        StrRoot= i&".【"&strValue&"】"&vbCRLF&" "&strRunCommand
        ARoot=ARoot&vbCRLF&StrRoot
    End If
Next
WshSHell.popup "Enumerating key values and content two:"&vbcrlf&vbcrlf&ARoot&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Delete value "REG_VALUE" -------------------------------------
oReg.DeleteValue strKeyRoot, strKeyPath, "5 Binary value"
WshSHell.popup "Deleting key value:"&vbcrlf&vbcrlf&Regpath&"\"&strKeyPath&"\5 Binary value"&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Delete key "SUB_KEY" ---------------------------------------
oReg.DeleteKey strKeyRoot, strKeyPathNew
WshSHell.popup "Deleting primary key:"&vbcrlf&vbcrlf&Regpath&"\"&strKeyPathNew&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----------------- Determine whether a value exists -----------------------------------------
strValue="""Virus"""
oReg.GetStringValue strKeyRoot,strKeyPath,strValue,strRunCommand
If IsNull(strRunCommand) Then
    WshSHell.popup strValue&"This registry key value does not exist."&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
Else
    WshSHell.popup strValue&"This key value exists in the registry."&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
End If
''' ----------------- Check registry access permissions "Check Up Extent Of Power" ------------
oReg.CheckAccess strKeyRoot, strKeyPath, KEY_QUERY_VALUE, bHasAccessRight
If bHasAccessRight = True Then
    aaa="Can query value"
Else
    aaa="Cannot query value"
End If
oReg.CheckAccess strKeyRoot, strKeyPath, KEY_SET_VALUE, bHasAccessRight
If bHasAccessRight = True Then
    bbb="Can set value"
Else
    bbb="Cannot set value"
End If
oReg.CheckAccess strKeyRoot, strKeyPath, KEY_CREATE_SUB_KEY, bHasAccessRight
If bHasAccessRight = True Then
    ccc="Can create primary key"
Else
    ccc="Cannot create primary key"
End If
oReg.CheckAccess strKeyRoot, strKeyPath, DELETE, bHasAccessRight
If bHasAccessRight = True Then
    ddd="Can delete key value"
Else
    ddd="Cannot delete key value"
End If
WshSHell.popup "Registry access permission:"&vbcrlf&vbcrlf&Regpath&"\"&strKeyPath&vbcrlf&vbcrlf&aaa&vbcrlf&bbb&vbcrlf&ccc&vbcrlf&ddd&vbcrlf&vbcrlf&vbcrlf&vbcrlf&vbcrlf&"The window will close automatically after 5 seconds!", 5, "QQ:25926183", 0 + 64
''' ----- Restore the registry to its original state --------
oReg.DeleteValue strKeyRoot, strKeyPath, "4 Expanded string name"
oReg.DeleteValue strKeyRoot, strKeyPath, "3 Multi-string name"
oReg.DeleteValue strKeyRoot, strKeyPath, "2 Double-byte name"
oReg.DeleteValue strKeyRoot, strKeyPath, "1 String name"
''' ----------------- Monitor a registry value "REG_KEY_SZ" -------------------------------
''' Monitors all changes to the value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 String name" in the registry.
'Set wmiServices = GetObject("winmgmts:root/default")
'Set wmiSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")
'wmiServices.ExecNotificationQueryAsync wmiSink, _
'"SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND " & _
'"KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' AND ValueName='1 String name'"
'WScript.Echo "Start monitoring changes in the value of the HKLM_Run primary key value in the registry......" & vbCrLf
'While(1)
'WScript.Sleep 1000
'Wend
'Sub SINK_OnObjectReady(wmiObject, wmiAsyncContext)
'WScript.Echo ".........Registry changed......" & vbCrLf & _
'"----------Monitor changes in the value of the registry key value-----------" & vbCrLf & _
'wmiObject.GetObjectText_()
'WScript.Quit(0)''' Exit after reporting a detected change
'End Sub
''' ----------------- Monitor a registry key "REG_SubKey_SZ" -----------------------------
''' Monitors the registry for any change to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
'Set wmiServices = GetObject("winmgmts:root/default")
'Set wmiSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")
'wmiServices.ExecNotificationQueryAsync wmiSink, _
'"SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND " & _
'"KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"
'WScript.Echo "Start monitoring changes in the key value of the HKLM_Run primary key in the registry......" & vbCrLf
'While(1)
'WScript.Sleep 1000
'Wend
'Sub SINK_OnObjectReady(wmiObject, wmiAsyncContext)
'WScript.Echo ".........Registry changed......" & vbCrLf & _
'"----------Monitor changes in the primary key value of the registry-----------" & vbCrLf & _
'wmiObject.GetObjectText_()
'WScript.Quit(0)''' Exit after reporting a detected change
'End Sub
''' ----------------- Monitor a registry root key "REG_RootKey_SZ" ----------------------------
''' Monitors the registry for any change to HKLM.
Set wmiServices = GetObject("winmgmts:root/default")
Set wmiSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")
wmiServices.ExecNotificationQueryAsync wmiSink, _
    "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath=''"
WScript.Echo "Start monitoring all changes in the HKLM root key in the registry......" & vbCrLf
While(1)
    WScript.Sleep 1000
Wend
Sub SINK_OnObjectReady(wmiObject, wmiAsyncContext)
    WScript.Echo ".........Registry changed......" & vbCrLf & _
        "----------Monitor all changes in the registry root key-----------" & vbCrLf & _
        wmiObject.GetObjectText_()
    WScript.Quit(0) ''' Exit after reporting a detected change
End Sub
```
|

|
2007-12-24 19:40 |
|
|
Mekinery
|
『Post #5』:
I don't understand VBS. If VBS is disabled on the system, wouldn't that make it useless?
Batch would still be better, right?
It would be great if this could be done in batch. Still waiting~~~
|
|
2007-12-24 19:55 |
|
|
balinger
Intermediate user
Points 356
Posts 115
Registered 2004-7-27
Status: offline
|
『Post #6』:
```batch
@echo off
rem Step 1: look for the Sysin subkey by comparing each output line as a whole (case-sensitive)
for /f "delims=" %%i in ('reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows') do (if "%%i"=="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Sysin" goto 1)
goto no
:1
rem Step 2: split each value line into name, type and data, then compare all three at once
for /f "tokens=1,2,*" %%i in ('reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Sysin') do (if "%%i%%j%%k"=="WinsREG_SZmondy" goto yes)
:no
echo no
goto end
:yes
echo yes
:end
pause
```
|
|
2007-12-24 20:48 |
|
|
fastslz
|
『Post #7』:
Indeed, the code in post #2 was just a demonstration for you. It's actually very simple: as soon as one thing doesn't match, it exits.
```batch
@echo off
rem Each find filters the reg query output; echo runs when the pipeline finds no match
reg query HKLM\SOFTWARE\Microsoft\Windows|find "Sysin"||echo No
reg query HKLM\SOFTWARE\Microsoft\Windows\Sysin|find "Wins"|find "REG_SZ"|find "mondy"||echo No
pause
```
Or
```batch
@echo off
reg query HKLM\SOFTWARE\Microsoft\Windows|find "Sysin"&&reg query HKLM\SOFTWARE\Microsoft\Windows\Sysin|find "Wins"|find "REG_SZ"|find "mondy"||echo No
pause
```
|

|
2007-12-24 21:27 |
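Added example, not code from any poster in this thread: a batch check covering both of the original poster's requirements, comparing key name, value name, type and data as whole tokens instead of `find` substring matches, and creating the value when the check fails. The `CASE` switch, the variable names and the labels are assumptions of this example, and it assumes the value name contains no spaces.

```batch
@echo off
setlocal EnableExtensions DisableDelayedExpansion
rem Added example (not from the thread).
rem find "Sysin" also matches longer names that merely contain "Sysin"
rem (for instance a constructed key name such as SysinOld), so every
rem field is compared as a whole string here.
set "PARENT=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
set "KEY=Sysin"
set "NAME=Wins"
set "TYPE=REG_SZ"
set "DATA=mondy"
rem Requirement 1 (exact case):  leave CASE empty.
rem Requirement 2 (ignore case): use  set "CASE=/i"
set "CASE="

rem Step 1: enumerate the parent key and compare each subkey line as a whole.
rem Querying %PARENT%\%KEY% directly says nothing about case, because the
rem registry resolves key names case-insensitively; only the enumerated
rem listing shows the spelling that is actually stored.
set "KEYOK="
for /f "delims=" %%L in ('reg query "%PARENT%" 2^>nul') do (
    if %CASE% "%%L"=="%PARENT%\%KEY%" set "KEYOK=1"
)
if not defined KEYOK goto :create

rem Step 2: enumerate the values of the key. Token 1 is the value name,
rem token 2 the type, and the rest of the line is the data (spaces allowed).
rem The type is compared exactly; name and data follow the CASE switch.
set "VALOK="
for /f "tokens=1,2,*" %%A in ('reg query "%PARENT%\%KEY%" 2^>nul') do (
    if %CASE% "%%A"=="%NAME%" if "%%B"=="%TYPE%" if %CASE% "%%C"=="%DATA%" set "VALOK=1"
)
if defined VALOK goto :continue

:create
rem Writing under HKLM needs an elevated prompt. An existing key that differs
rem only in case is opened, not recreated; if the exact spelling matters,
rem delete it first, as post #2 does with reg delete.
reg add "%PARENT%\%KEY%" /v "%NAME%" /t %TYPE% /d "%DATA%" /f >nul || (
    echo Could not create %PARENT%\%KEY%\%NAME% 1>&2
    exit /b 1
)

:continue
echo Check passed, continuing
endlocal
```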
|
|
Mekinery
|
『Post #8』:
Thanks, everyone. I've learned something new again, hehe~~
|
|
2007-12-24 21:36 |
|
|