Powershell Query

Question

HKU

\\<host>\HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run /s

Example:

for /f  "delims=\ tokens=2,*" %t in ('reg query HKU') do reg query HKU\%t         \Software\Microsoft\Windows\CurrentVersion\Run /s

HKLM

reg query \\<host>\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /s

Example:

FOR /F %i in (hosts.txt) DO @echo [+] %i && 
@reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /s 2>NUL > output.txt && 
FOR /F %n in (strings.txt) DO @type output.txt | findstr %n > NUL && 
echo [!] %n was found on %i!

Here are some examples that we have came up with at the office. But trying to figure out how to add in a psexec command to allow for us to query remote computers on the network.

So it would read the hosts from the hosts.txt file along with the strings from the strings.txt and possible add in a variable to change out the different registry keys. Then output it all into one text file.

Do you think this is too much to try in a batch file? What about a powershell script? Thanks

Edit your post and add 4 spaces to the start of every line of code. The editor has an option for code too. — foxidrive, May 26 '13 at 04:45
Thanks! Sorry I was using a XP machine and slow Internet at the time. — badbiddy, May 26 '13 at 05:32

score 1 · Answer 1 · answered May 26 '13 at 05:53

To query remote registry keys with PowerShell use OpenRemoteBaseKey:

[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'computer-name')

The first parameter is the hive name, a list of which can be found here. The second is the name of the computer to connect to.

This will return a Microsoft.Win32.RegistryKey object which you can use to list sub keys and read their values.

Here is an example of reading the run key values:

$path = "Software\Microsoft\Windows\CurrentVersion\Run"
$key = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'computer-name')
$subkey = $key.OpenSubKey($path)
$subkey.GetValueNames() | ForEach-Object {
    '{0} : {1}' -f $_, $subkey.GetValue($_)
}

+1 I think it's worth mentioning that the `RemoteRegistry` service must be running on the remote host, and IIRC admin privileges are required for accessing it. — Ansgar Wiechers, May 26 '13 at 08:35

score 0 · Answer 2 · answered May 26 '13 at 10:59

0

You can also try the PSRemoteRegistry module:

 Get-RegValue -Hive LocalMachine -Key Software\Microsoft\Windows\CurrentVersion\Run -ComputerName server1

answered May 26 '13 at 10:59

Shay Levy

121,444
32
184
206

Now I haven't wrote power shell ever. Would it be a better choice to do over a batch file? – badbiddy May 26 '13 at 15:21
In my option yes but I'm biased :) – Shay Levy May 26 '13 at 19:15
Good looking module Shay :) – Andy Arismendi May 26 '13 at 19:58
I'll try it tonight. Posting from my mobile phone – badbiddy May 26 '13 at 20:58
Thanks @AndyArismendi. The v3 version is available here http://psrr.codeplex.com (Connecting to the 32/64-bit section of the remote server registry) – Shay Levy May 27 '13 at 06:48
I would of thought `Get-RegValue` would return whatever the registry data is e.g. Multi-String=string array, DWORD=Int32, Binary=byte array. Like how Get-ItemProperty does it so you don't have to tell it what the type is before hand. – Andy Arismendi May 27 '13 at 07:56
Oh sry, I was reading through it and saw `if($v -like $Value -AND $vk -like $t)`. Now I see `$t` defaults to `*` and it's not mandatory. So it does do what I was thinking :). – Andy Arismendi May 27 '13 at 16:58

Powershell Query

2 Answers2