J@BCBSSC
3 Posts

How to find a value within multiple registry keys

‏2014-05-13T20:09:31Z |

First, let me say that I am extremely new to writing Fixlets and this is my first real shot at writing relevance.

I'm trying to find the following:

((it mod 2048) - (it mod 1024)) of (value "State" of key "HKU\*\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of registry as integer) != 0

Please take careful note of "HKU\*".  Obviously, the * doesn't work, but that's effectively what I need.  I can put a static string in there such as ".DEFAULT" or "S-1-5-19" and it works just fine.  However, I can't possibly know *all* the people who have logged into the machine, so I can't just manually list all the possible SIDs.

I started going this direction:

(names of keys of key "HKU" of registry) whose (it does not end with "Classes")

Which gives me an object of type "plural string" with the SID part of the key (basically the wildcard filler), but then I would need to prepend "HKU\" and append "\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" to the results.  I have no idea how to do that to every element in a plural string.  Even then, were I able to do that, I would have to find a way to actually look at all the key values, and.. well... you can see how complicated it gets very quickly.

If someone could either point me in a better direction or push me further down the path I've chosen, I would be grateful.

 - J

  • J@BCBSSC
    3 Posts
    ACCEPTED ANSWER

    Re: How to find a value within multiple registry keys

    ‏2014-05-14T19:51:57Z  

    I found the answer elsewhere.  Apparently it's a lot more complicated than anyone thought.  The worst part is that almost all of the key operations used here do not exist in any documentation that IBM provides for this product.

    not exists 1 whose ((conjunction of (item 0 of it = item 1 of it) of (number of current user keys (logged on users) of it, number of values "State" whose ((it as integer) of ((it as bit set) of (it as integer) of concatenation of (if it ends with "%00%00" then preceding text of last "%00%00" of it else if it ends with "%00" then preceding text of last "%00" of it else it) of (it as string) of it * (it as bit set) of (("1024") as integer)) = (("1024") as integer)) of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of current user keys (logged on users) of it) of (if x64 of operating system then (x32 registry; x64 registry) else x32 registry)) and (conjunction of (item 0 of it = item 1 of it) of (number of current user keys (logged on users) of it, number of values "State" whose ((it as integer) of ((it as bit set) of (it as integer) of concatenation of (if it ends with "%00%00" then preceding text of last "%00%00" of it else if it ends with "%00" then preceding text of last "%00" of it else it) of (it as string) of it * (it as bit set) of (("2048") as integer)) = (("2048") as integer)) of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of current user keys (logged on users) of it) of (if x64 of operating system then (x32 registry; x64 registry) else x32 registry))

  • jgstew
    410 Posts

    Re: How to find a value within multiple registry keys

    ‏2014-05-14T19:42:48Z  

     

    values "State" of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of keys of key "HKEY_USERS" of registry

     

    values "State" whose((it mod 2048 - it mod 1024) != 0) of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of keys of key "HKEY_USERS" of registry

  • J@BCBSSC
    3 Posts

    Re: How to find a value within multiple registry keys

    ‏2014-05-14T19:50:46Z  
    • jgstew
    • ‏2014-05-14T19:42:48Z

     

    values "State" of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of keys of key "HKEY_USERS" of registry

     

    values "State" whose((it mod 2048 - it mod 1024) != 0) of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of keys of key "HKEY_USERS" of registry

    This will not work because you are ignoring the wildcard (*) instead of dealing with it.  Pretending it doesn't exist does not solve the problem.

  • jgstew
    410 Posts

    Re: How to find a value within multiple registry keys

    ‏2014-05-14T20:06:19Z  
    • J@BCBSSC
    • ‏2014-05-14T19:50:46Z

    This will not work because you are ignoring the wildcard (*) instead of dealing with it.  Pretending it doesn't exist does not solve the problem.

     

    My solution should work. I am not ignoring the wild card. 

     

    This will return all User hives:

    keys of key "HKEY_USERS" of registry

     

  • jgstew
    410 Posts

    Re: How to find a value within multiple registry keys

    ‏2014-05-14T20:12:02Z  
    • J@BCBSSC
    • ‏2014-05-14T19:51:57Z

    I found the answer elsewhere.  Apparently it's a lot more complicated than anyone thought.  The worst part is that almost all of the key operations used here do not exist in any documentation that IBM provides for this product.

    not exists 1 whose ((conjunction of (item 0 of it = item 1 of it) of (number of current user keys (logged on users) of it, number of values "State" whose ((it as integer) of ((it as bit set) of (it as integer) of concatenation of (if it ends with "%00%00" then preceding text of last "%00%00" of it else if it ends with "%00" then preceding text of last "%00" of it else it) of (it as string) of it * (it as bit set) of (("1024") as integer)) = (("1024") as integer)) of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of current user keys (logged on users) of it) of (if x64 of operating system then (x32 registry; x64 registry) else x32 registry)) and (conjunction of (item 0 of it = item 1 of it) of (number of current user keys (logged on users) of it, number of values "State" whose ((it as integer) of ((it as bit set) of (it as integer) of concatenation of (if it ends with "%00%00" then preceding text of last "%00%00" of it else if it ends with "%00" then preceding text of last "%00" of it else it) of (it as string) of it * (it as bit set) of (("2048") as integer)) = (("2048") as integer)) of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of current user keys (logged on users) of it) of (if x64 of operating system then (x32 registry; x64 registry) else x32 registry))

     

    That is too complicated, you need to try this:

     

    values "State" of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of keys of key "HKEY_USERS" of registry

     

  • jgstew
    410 Posts

    Re: How to find a value within multiple registry keys

    ‏2014-05-14T20:14:09Z  

     

    Can you explain this part:

    ((it mod 2048) - (it mod 1024))

     

    Assuming you can get the "State" value, what is it that you are doing to this value?
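
Added example, not written by any poster in this thread: the expression `(it mod 2048) - (it mod 1024)` isolates the single bit worth 1024 in "State", and the `HKU\*` wildcard amounts to running that test once per subkey of HKEY_USERS. The Python sketch below does both over a constructed model of the hives; the function names, the SIDs and the State values are assumptions made for illustration, and the trailing-NUL handling is modelled on the "%00" stripping in the accepted answer.

```python
# Added example: works on constructed data, it does not read a live registry.
SUBKEY = (r"Software\Microsoft\Windows\CurrentVersion\WinTrust"
          r"\Trust Providers\Software Publishing")

def bit_by_mod(state: int, weight: int = 1024) -> int:
    """The thread's arithmetic: (it mod 2*weight) - (it mod weight)."""
    return (state % (2 * weight)) - (state % weight)

def normalize(raw) -> int:
    """Accept an int (DWORD) or a decimal string that may end in NULs."""
    if isinstance(raw, int):
        return raw
    return int(raw.rstrip("\x00"))

def hives_with_bit(hku: dict, weight: int = 1024) -> list:
    """Return the HKEY_USERS subkeys whose "State" has the given bit set.

    hku maps each subkey name of HKEY_USERS to {key path: {value name: data}}.
    "_Classes" hives and hives lacking the key or the value are skipped.
    """
    hits = []
    for name, keys in hku.items():
        if name.endswith("_Classes"):
            continue
        raw = keys.get(SUBKEY, {}).get("State")
        if raw is None:
            continue
        if bit_by_mod(normalize(raw), weight) != 0:
            hits.append(name)
    return hits

# Constructed sample: SIDs and State values are made up for illustration.
SAMPLE_HKU = {
    ".DEFAULT": {SUBKEY: {"State": 0x23C00}},   # bits 1024 and 2048 set
    "S-1-5-19": {SUBKEY: {"State": 0x23800}},   # bit 2048 set, 1024 clear
    "S-1-5-21-1111-2222-3333-1001":
        {SUBKEY: {"State": "146432\x00"}},      # string form of 0x23C00
    "S-1-5-21-1111-2222-3333-1001_Classes": {},
    "S-1-5-20": {},                             # key absent in this hive
}

if __name__ == "__main__":
    # The mod arithmetic gives the same result as masking with 0x400.
    for v in (0x23C00, 0x23800, 1023, 1024):
        assert bit_by_mod(v) == (v & 0x400)
    print(hives_with_bit(SAMPLE_HKU))
```

Passing `weight=2048` tests the next bit up, which is the second constant the accepted answer checks.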