Using VBScript to Manage the Windows Registry
At the heart of Microsoft Windows is the registry. It's not always pretty, but it is powerful, and if you are serious about taking control of Windows, you need to know how to hack the registry. In this article I'll show you a few techniques for reading and modifying the registry via VBScript.
The most common registry data types are REG_DWORD and REG_SZ. The first is typically used to store numeric data, whilst the second is used for storing single-valued text strings. It is easy to read and write these data types using the RegRead and RegWrite methods of the WshShell object, as demonstrated via the following code snippet. The script creates a new REG_SZ value named NewSzValue and assigns it the data "A String". It also creates a new REG_DWORD value named NewDwordValue and assigns it the number 20 (decimal). It then reads the two newly created values and outputs the data to the console window. Finally, the script cleans up and deletes the two values. Note: If the registry entries already exist their values will be overwritten.
Set oShell = CreateObject("WScript.Shell")
sSzValuePath = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NewSzValue"
sDwordValuePath = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NewDwordValue"
oShell.RegWrite sSzValuePath, "A String", "REG_SZ"
oShell.RegWrite sDwordValuePath, 20, "REG_DWORD"
WScript.Echo "String: " & oShell.RegRead(sSzValuePath)
WScript.Echo "Dword: " & oShell.RegRead(sDwordValuePath)
oShell.RegDelete sSzValuePath
oShell.RegDelete sDwordValuePath
You can also use RegWrite to modify REG_EXPAND_SZ and REG_BINARY data types. However, I recommend using the WMI class StdRegProv if you need to work with binary values, as RegWrite is limited to writing one DWORD, or four bytes of binary data. And if you need to modify REG_MULTI_SZ (multi-valued strings) you have no choice but to use WMI. The following example uses WMI to first create a REG_MULTI_SZ value with two data items under HKEY_CURRENT_USER. It then creates a REG_BINARY value under HKEY_LOCAL_MACHINE using the ASCII codes of the letters A, B and C. The script then reads the two newly created values and outputs the data to the console window. Finally, the script cleans up and deletes the two values.
Const HKCU = &H80000001
Const HKLM = &H80000002
Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
sKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
oRegistry.SetMultiStringValue HKCU, sKeyPath, "NewMultiSzValue", Array("First Value", "Second Value")
oRegistry.SetBinaryValue HKLM, sKeyPath, "NewBinaryValue", Array(65,66,67)
oRegistry.GetMultiStringValue HKCU, sKeyPath, "NewMultiSzValue", cMultiSzData
oRegistry.GetBinaryValue HKLM, sKeyPath, "NewBinaryValue", cBinaryData
For Each sSzData In cMultiSzData
    i = i + 1
    WScript.Echo "String " & i & ": " & sSzData
Next
For Each sBinaryData In cBinaryData
    j = j + 1
    WScript.Echo "Binary " & j & ": " & Chr(sBinaryData)
Next
oRegistry.DeleteValue HKCU, sKeyPath, "NewMultiSzValue"
oRegistry.DeleteValue HKLM, sKeyPath, "NewBinaryValue"
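The script above knows the type of each value in advance. As an added example (not part of the original article), the following read-only script uses the StdRegProv EnumValues method to discover each value's type and then calls the matching getter, which is how you would audit a key whose contents you did not write yourself. The numeric type constants are the standard registry type codes; the function name ReadValue is made up for this example.

```vbscript
Option Explicit
' Added example: list every value under a key and read it with the getter
' that matches its registry type. Read-only; nothing is written or deleted.
Const HKLM = &H80000002
Const REG_SZ = 1, REG_EXPAND_SZ = 2, REG_BINARY = 3, REG_DWORD = 4, REG_MULTI_SZ = 7

Dim oRegistry, sKeyPath, aNames, aTypes, i
Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
sKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion"

If oRegistry.EnumValues(HKLM, sKeyPath, aNames, aTypes) <> 0 Then
    WScript.Echo "Cannot enumerate " & sKeyPath
    WScript.Quit 1
End If
If IsArray(aNames) Then   ' a key with no values yields Null, not an empty array
    For i = 0 To UBound(aNames)
        WScript.Echo aNames(i) & " = " & ReadValue(HKLM, sKeyPath, aNames(i), aTypes(i))
    Next
End If

' ReadValue (hypothetical helper): returns the data as a printable string
Function ReadValue(hRoot, sKey, sName, iType)
    Dim vData, b, sHex
    Select Case iType
        Case REG_SZ
            oRegistry.GetStringValue hRoot, sKey, sName, vData
            ReadValue = "[REG_SZ] " & vData
        Case REG_EXPAND_SZ
            oRegistry.GetExpandedStringValue hRoot, sKey, sName, vData
            ReadValue = "[REG_EXPAND_SZ] " & vData
        Case REG_DWORD
            oRegistry.GetDWORDValue hRoot, sKey, sName, vData
            ReadValue = "[REG_DWORD] " & vData
        Case REG_MULTI_SZ
            oRegistry.GetMultiStringValue hRoot, sKey, sName, vData
            If IsArray(vData) Then vData = Join(vData, " | ")
            ReadValue = "[REG_MULTI_SZ] " & vData
        Case REG_BINARY
            oRegistry.GetBinaryValue hRoot, sKey, sName, vData
            If IsArray(vData) Then
                For Each b In vData
                    sHex = sHex & Right("0" & Hex(b), 2) & " "
                Next
            End If
            ReadValue = "[REG_BINARY] " & Trim(sHex)
        Case Else
            ReadValue = "[type " & iType & "] (not handled)"
    End Select
End Function
```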
You may occasionally need to create a new registry entry that is named after a fully qualified file path. The Application Compatibility entries serve as a good example. Under Windows 7, the following key includes an entry for each executable that has been configured with an Application Compatibility flag: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted. Each entry is named after the path to the relevant executable. For example: C:\Temp\vlc-1.0.0-win32.exe. It is not possible to create this entry using RegWrite, as it will treat the backslash-separated components of the file path as registry keys, and actually create a value named vlc-1.0.0-win32.exe under a key named Temp, which in turn is under a key named C:\. Once again, this issue can be overcome with WMI.
A word of warning: it's important you check for the existence of the key under which a value will be written when using StdRegProv, as unlike RegWrite, it will not create any keys that are missing from the key path. The simplest way to check for the existence of a key is to use the EnumKey method. If the method returns a non-zero value, the key does not exist, and can be safely created prior to adding the new registry value.
Const HKCU = &H80000001
Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
sKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted"
sValue = "C:\Temp\vlc-1.0.0-win32.exe"
If oRegistry.EnumKey(HKCU, sKeyPath, cKeys) <> 0 Then
    oRegistry.CreateKey HKCU, sKeyPath
End If
oRegistry.SetDWORDValue HKCU, sKeyPath, sValue, 1
oRegistry.GetDWORDValue HKCU, sKeyPath, sValue, sData
WScript.Echo "Data: " & sData
oRegistry.DeleteValue HKCU, sKeyPath, sValue
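StdRegProv methods report failure through their return value rather than by raising a script error, so a write that is denied or aimed at a missing key passes silently unless the code checks. The following added example (not part of the original article) wraps the key check, an access check, the write and a read-back into one function that returns the first non-zero code. The scratch key SOFTWARE\RegTestExample, the value name and the function name WriteDword are assumptions made for this example.

```vbscript
Option Explicit
' Added example: write a path-named DWORD value through StdRegProv, checking
' access rights and every return code instead of assuming success.
Const HKCU = &H80000001
Const KEY_SET_VALUE = &H2

Dim oRegistry, sKeyPath, sValueName, iRc
Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
sKeyPath = "SOFTWARE\RegTestExample"      ' hypothetical scratch key, assumed otherwise unused
sValueName = "C:\Temp\example.exe"        ' constructed value name containing backslashes

iRc = WriteDword(HKCU, sKeyPath, sValueName, 1)
If iRc = 0 Then
    WScript.Echo "Written and verified"
    oRegistry.DeleteValue HKCU, sKeyPath, sValueName
    oRegistry.DeleteKey HKCU, sKeyPath    ' remove the scratch key again
Else
    WScript.Echo "Failed, return code " & iRc
End If

' WriteDword (hypothetical helper): returns 0 on success, the first non-zero
' StdRegProv return code on failure, or -1 if access is denied or read-back differs.
Function WriteDword(hRoot, sKey, sName, iData)
    Dim aSubKeys, bGranted, iReadBack
    ' EnumKey returns non-zero when the key is missing; StdRegProv will not create it implicitly
    If oRegistry.EnumKey(hRoot, sKey, aSubKeys) <> 0 Then
        WriteDword = oRegistry.CreateKey(hRoot, sKey)
        If WriteDword <> 0 Then Exit Function
    End If
    ' Ask whether the caller may set values here before attempting the write
    WriteDword = oRegistry.CheckAccess(hRoot, sKey, KEY_SET_VALUE, bGranted)
    If WriteDword <> 0 Then Exit Function
    If Not bGranted Then
        WriteDword = -1
        Exit Function
    End If
    WriteDword = oRegistry.SetDWORDValue(hRoot, sKey, sName, iData)
    If WriteDword <> 0 Then Exit Function
    ' Read back under the same name: the backslashes must not have been treated as key separators
    WriteDword = oRegistry.GetDWORDValue(hRoot, sKey, sName, iReadBack)
    If WriteDword = 0 And iReadBack <> iData Then WriteDword = -1
End Function
```

The access check matters most under HKEY_LOCAL_MACHINE, where a non-elevated session typically lacks KEY_SET_VALUE rights.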
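To use any of the scripts, save the code snippets, one at a time, into a file named C:\Temp\regtest.vbs. Open a command prompt, navigate to C:\Temp, and enter the following command. The first two scripts write under HKEY_LOCAL_MACHINE, which requires administrative rights, so use an elevated command prompt for those.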
cscript.exe regtest.vbs