
Read winreg by RegRead

Posted: 17 Apr 2020, 12:10
by Albireo
I have no idea why this doesn't work for me.

This is from the manual RegRead (and works)

Code:

RegRead, OutputVar, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, ProgramFilesDir
MsgBox, Program files are in: %OutputVar%
But this doesn't (the path is copied from RegEdit)

Code:

; Assign the key once so the same string is used for the lookup and for the error message
vKey := "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Elevate\StoppCommLog-UAC"
RegRead, vExist, %vKey%, Id
If ErrorLevel ; 1 on any failure: the key/value is missing OR the key exists but this token is not allowed to read it
{
	; A_LastError holds the Win32 code from the failed call: 2 = ERROR_FILE_NOT_FOUND, 5 = ERROR_ACCESS_DENIED
	MsgBox, 16, Line %A_LineNumber% -> %A_ScriptName%,
	( LTrim
		KEY is missing or not readable!`n
		ErrorLevel .: %ErrorLevel% `n
		A_LastError .: %A_LastError% `n
		%vKey%
	)
}
else
	MsgBox % "Result .: " vExist

Re: Read winreg by RegRead

Posted: 17 Apr 2020, 13:12
by boiler
How is it failing? Is it showing the MsgBox that says, "KEY is missing!"? Or is it showing the result, but not the result you expect?

Re: Read winreg by RegRead

Posted: 17 Apr 2020, 13:19
by Albireo
No result or error at all.

Re: Read winreg by RegRead  Topic is solved

Posted: 17 Apr 2020, 13:53
by Albireo
I found the problem...
I must run RegRead as administrator... (sigh!)
How can some paths work without running the program as an administrator?

Re: Read winreg by RegRead

Posted: 19 Apr 2020, 15:49
by RickC
You are working within HKEY_LOCAL_MACHINE - the 'system-wide' hive - and there are different levels of restrictions that just aren't present in the HKEY_CURRENT_USER hive, i.e. the logged on user, irrespective of whether the logged on user is using a standard account or an account in the 'Administrators' group.

Even if you are logged on with an account in the 'Administrators' group AND you run your script elevated, there are still some keys within HKEY_LOCAL_MACHINE which you will not have access to. For those you will need to be elevated to 'System' or even 'Trusted Installer', the very highest level of privilege. This is particularly true of Windows 10 with its ever increasing number of services protected by a 'Security' sub-key in the registry to deter 'fiddlers'. (Use something like Nir Sofer's RegScanner - https://www.nirsoft.net/utils/regscanner.html - to search for 'Security' sub-keys then look at the parent key above to see what is being protected.)

Unfortunately MS do not give details (and I don't know a method to iterate through the HKEY_LOCAL_MACHINE hive listing privilege level) so you have to find out through trial and practice.
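An added example, not code from this thread or from RickC: a PowerShell function that probes whether the calling token can open a given HKLM key for reading (the same KEY_READ open that RegRead performs) and, separately, reads the key's owner and DACL, which only needs READ_CONTROL and is often permitted even when reading the key is not. Run it once from a normal PowerShell window and once from an elevated one to see why the manual's example works unelevated while the TaskCache\Tree key does not. The three sample keys at the bottom are assumptions chosen for illustration; substitute your own.

```powershell
# Added example (not from the thread). Reports, for each HKLM subkey:
#   CanRead  - could this token open the key with read access (what RegRead needs)?
#   Reason   - 'ok', 'not found' (key absent) or 'access denied' (key present, ACL says no)
#   Owner/Allowed - who owns the key and which principals the DACL grants rights to
Set-StrictMode -Version Latest

function Test-HklmKeyAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SubKey)

    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elev = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Open the 64-bit view explicitly so a 32-bit host is not redirected to WOW6432Node.
    $root = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine,
                [Microsoft.Win32.RegistryView]::Registry64)

    $canRead = $false
    $reason  = 'ok'
    try {
        $k = $root.OpenSubKey($SubKey, $false)      # read-only open; $null means the key does not exist
        if ($null -eq $k) {
            $reason = 'not found'
        } else {
            $canRead = $true
            $k.Close()
        }
    } catch {
        # .NET wraps the real exception in MethodInvocationException; unwrap before classifying
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }
        $reason = if ($e -is [System.Security.SecurityException]) { 'access denied' } else { $e.GetType().Name }
    }

    # READ_CONTROL is granted more widely than KEY_READ, so the DACL is often visible
    # even for a key you cannot read (HKLM\SAM\SAM is the classic case for Administrators).
    $owner   = '(DACL not readable)'
    $allowed = ''
    try {
        $acl     = Get-Acl -Path ('Registry::HKEY_LOCAL_MACHINE\' + $SubKey) -ErrorAction Stop
        $owner   = $acl.Owner
        $allowed = @($acl.Access |
                     Where-Object { $_.AccessControlType -eq 'Allow' } |
                     ForEach-Object { '{0}={1}' -f $_.IdentityReference, $_.RegistryRights }) -join '; '
    } catch { }

    [pscustomobject]@{
        Key      = 'HKLM\' + $SubKey
        RunAs    = $id.Name
        Elevated = $elev
        CanRead  = $canRead
        Reason   = $reason
        Owner    = $owner
        Allowed  = $allowed
    }
}

# Constructed sample set (assumption): a key everybody can read, the branch from the first
# post, and a hive that only SYSTEM may read. Adjust to the keys you care about.
$samples = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree',
    'SAM\SAM'
)
$samples | ForEach-Object { Test-HklmKeyAccess -SubKey $_ } | Format-List
```

A result of CanRead = False with Reason = 'access denied' is exactly the situation in which AHK's RegRead sets ErrorLevel to 1 with A_LastError = 5, and the Allowed column tells you which group you would need to be in (or whether only SYSTEM / TrustedInstaller is listed) before reaching for PsExec or a similar tool.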

Re: Read winreg by RegRead

Posted: 20 Apr 2020, 05:19
by Albireo
RickC wrote:
19 Apr 2020, 15:49
… Use something like Nir Sofer's RegScanner - https://www.nirsoft.net/utils/regscanner.html - to search for 'Security' sub-keys ...
Thanks!
Have you used RegScanner?
(First I thought that this program could check if a key exists or not (check the program triggered by a command), but that's wrong)
Actually, it solves another of my questions: Read and handle - WinReg (the Scheduler)
(maybe the trigger time for the scheduler is not in the winreg)

Re: Read winreg by RegRead

Posted: 20 Apr 2020, 05:38
by RickC
Albireo wrote:
20 Apr 2020, 05:19
Have you used RegScanner?
I've used RegScanner many, many times. However, I may have given you the wrong impression. I meant... use RegScanner to search for instances of 'Security' to see how many registry keys are now protected using this method.

For example, to see how many services are now protected from 'fiddling', search for 'Security' then, in the results, scroll to HKLM\SYSTEM\CurrentControlSet\Services to see which services are protected. I've just checked on my test Win 10 Pro 1809 and 184 services now use this method of protection.

This means that if I want to make a change to a service from, say, 'Automatic' to 'Disabled' then I need to delete the 'Security' sub-key first so I can amend the service's Start value from 2 to 4. The default behaviour is that the 'Security' sub-key is re-created automatically. (Alternatively I suspect I could use something like WinAero's ExecTI to run Reg.exe as TrustedInstaller but I haven't yet had to do this.)

Hope this helps...

Re: Read winreg by RegRead

Posted: 20 Apr 2020, 05:57
by Albireo
Thank you @RickC ! (You had a good explanation of the permissions and security in WinReg.)
When I saw that RegScanner could be used with commands - I was wondering if WinReg could be analyzed / changed with RegScanner

Re: Read winreg by RegRead

Posted: 20 Apr 2020, 06:02
by RickC
@Albireo - RegScanner is just a (very useful) search tool. It cannot be used to make changes.

Re: Read winreg by RegRead

Posted: 20 Apr 2020, 06:34
by RickC
@Albireo - Two thoughts... a) have you tried using Sysinternals' PsExec (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) to elevate your AHK query to run as 'System' and b) have you tried wrapping a PowerShell query in AHK to iterate through the scheduler entries?

I've just started trying to get my head around PowerShell as it sometimes lets me do things which I can't get AHK to do. However, PowerShell's GUI commands are unbelievably complex just to produce a very plain front-end so I use a combination of both, i.e. wrapping the PowerShell in AHK.

As an example of a wrapped PowerShell query, here's what I use to pull today's errors (i.e. level 2) from 'Application' and 'System' event logs:

Code:

; https://4sysops.com/archives/search-the-event-log-with-the-get-winevent-powershell-cmdlet/
SetWorkingDir %A_ScriptDir%  ; Ensures a consistent starting directory
#SingleInstance force
OutFile := A_Temp "\results.txt" ; File that receives the PowerShell output (redirected with > inside the query)
IfExist %OutFile% ; If there's an existing file
	FileDelete % OutFile ; Delete the existing file

; Today's level-2 (Error) events from the Application and System logs, written to OutFile.
; The path is single-quoted so a %TEMP% containing spaces does not break the redirect.
psScript =
(
Get-WinEvent @{logname='application','system';starttime=[datetime]::today;level=2 } | select logname, timecreated, id, message > '%OutFile%'
)

; -NoProfile keeps the user's profile scripts out of the run; "hide" suppresses the console window
RunWait PowerShell.exe -NoProfile -Command &{%psScript%} ,, hide
Run, %A_WinDir%\Notepad.exe "%OutFile%" ; Show the file in Notepad

; Use this call if you want to see PowerShell output
;Run powershell.exe -NoExit -Command %psScript%
I have absolutely no idea how I could duplicate this using plain AHK.

Hope this helps...
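An added example, not code from this thread or from RickC: the scheduler check from the first post, done through the Task Scheduler API instead of RegRead, which is suggestion b) above. Get-ScheduledTask and Get-ScheduledTaskInfo (ScheduledTasks module, Windows 8 / Server 2012 and later) answer "does this task exist", "who does it run as" and "when does it run next" for any task the caller is allowed to see, without needing read access to TaskCache. The folder '\Elevate\' and task name 'StoppCommLog-UAC' are taken from the registry path in the first post (the Tree key mirrors the task folder layout); the function names and everything else are assumptions.

```powershell
# Added example (not from the thread): query the scheduler for a task instead of reading
# HKLM\...\Schedule\TaskCache\Tree\<folder>\<task>\Id with RegRead.
Set-StrictMode -Version Latest

function Get-TaskStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TaskPath,   # task folder, e.g. '\Elevate\' (leading and trailing backslash)
        [Parameter(Mandatory)][string]$TaskName
    )
    # A missing task is a non-terminating error; SilentlyContinue turns it into "nothing returned"
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $task) {
        return [pscustomobject]@{ Path = $TaskPath; Name = $TaskName; Exists = $false }
    }
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Path       = $TaskPath
        Name       = $TaskName
        Exists     = $true
        State      = $task.State
        RunAs      = $task.Principal.UserId
        RunLevel   = $task.Principal.RunLevel        # 'Highest' means the task runs elevated
        # Trigger type plus its start boundary; this is the "trigger time" that is not
        # stored as plain text anywhere under TaskCache.
        Triggers   = @($task.Triggers | ForEach-Object {
                         '{0} from {1}' -f ($_.CimClass.CimClassName -replace '^MSFT_Task', ''), $_.StartBoundary
                     }) -join '; '
        NextRun    = $info.NextRunTime
        LastRun    = $info.LastRunTime
        LastResult = $info.LastTaskResult            # 0 = last run succeeded
    }
}

# Only useful when you *can* read TaskCache (normally elevated): the Id value under
# Tree\<folder>\<task> is the GUID that names the matching TaskCache\Tasks\{GUID} key.
function Get-TaskCacheId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TaskPath,
        [Parameter(Mandatory)][string]$TaskName
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree' + $TaskPath + $TaskName
    try   { (Get-ItemProperty -Path $key -Name Id -ErrorAction Stop).Id }
    catch { "(no access or no such key: $($_.Exception.GetType().Name))" }
}

# Usage with the folder/task from the first post
Get-TaskStatus  -TaskPath '\Elevate\' -TaskName 'StoppCommLog-UAC' | Format-List
Get-TaskCacheId -TaskPath '\Elevate\' -TaskName 'StoppCommLog-UAC'
```

Saved as a .ps1, this drops straight into the RunWait pattern RickC shows above (with `-File` instead of `-Command`), so the AHK side only has to read the output file; the existence check itself no longer depends on whether the script was started as administrator, only on the task's own security descriptor.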

Re: Read winreg by RegRead

Posted: 20 Apr 2020, 07:46
by Albireo
I have no idea what your "wrapped PowerShell Query" is supposed to perform?
RickC wrote:
20 Apr 2020, 06:34
a) have you tried using Sysinternal's PsExec (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) to elevate your AHK query to run as 'System'

No! (but what I want to do works with the privileges AHK-administrator gives me - right now)
RickC wrote:
20 Apr 2020, 06:34
b) have you tried wrapping a PowerShell query in AHK to iterate through the scheduler entries?
No! I have also looked at PowerShell - a very powerful language in many respects. I enjoyed it, but the interaction with the programmer / user I thought was difficult. (and it is not easy to merge several programming languages)
But, maybe PowerShell is the only way for me? (Right now I don't think so)