Binary registry values

(imported topic written by SystemAdmin)

I am retrieving values from the registry and with one version of the related application, I retrieve a nice, clean string value (stored as REG_SZ). With a later version of the application, the value is now a REG_BINARY which comes back as hexadecimal. Any ideas on how to retrieve that as a string?

I’ve been able to convert any two characters using the “hexadecimal string” method, but to convert a variable-length value would be extremely long and kludgy given the need to check for existence, etc.

Has anyone done this before?

Jim

(imported comment written by SystemAdmin)

Hi Jim,

I think this converts a binary registry value into an integer. Works in my tests at least.

(bit set (value "test" of key "HKLM" of registry as string)) as integer

You mention that it is storing a hexadecimal though? Could you provide an example of what you are seeing to help if the above doesn’t work?

(imported comment written by SystemAdmin)

The largest integer allowed is 2^63 - 1, so if the binary value involves more than 64 bits you’d get a ‘Singular expression refers to non-existant object’ error using that convert to integer trick.

Could you provide a little bit more information on how you want to convert the binary values?

(imported comment written by BenKus)

Actually… I think this will work better:

hexadecimal string (value "test" of key "HKLM" of registry as string)

(imported comment written by SystemAdmin)

Sorry for the late reply… here’s what I’ve got.

I am reading the registry values that determine which PST files a user has registered within Outlook. Outlook 2k and XP use string values as mentioned above, and 2003 uses REG_BINARY.

For example, using Outlook, I have created a PST file for Outlook and it resides here:

D:\My Documents\Desktop\Personal Folders(1).pst

In the registry, this shows up as:

44003a005c004d007900200044006f00630075006d0065006e00740073005c004400650073006b0074006f0070005c0050006500720073006f006e0061006c00200046006f006c0064006500720073002800310029002e007000730074000000

using this relevance:

( values "001f6700" of keys of keys of key "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry )

Using my trusty Excel, you can translate this string into this (only the first 7 characters shown for your sanity):

0044   003a   005c   004d   0079   0020   0044
68     58     92     77     121    32     68
D      :      \      M      y             D

To make matters worse, the string is in Unicode, which is byte-swapped.

Using hexadecimal string, I get just the first hex byte “D”.

I could look for the PST files by name, but I was hoping not to force the users’ desktops to churn too much and we have too many of them turn off their machines at night, so the only time to do this is when they are there. :slight_smile:

Ok, the more I describe this, the more futile it seems to be. Maybe just drop a quick vbs on the machine and let it do the work would be best.

Thanks

Jim

(imported comment written by SystemAdmin)

Well… you can do this in relevance for sure if you sort of ignore the unicode part. You could use:

Q: hexadecimal string ( concatenation of firsts 2 of following texts of positions whose ( it mod 4 = 0 ) of "44003a005c004d007900200044" )

A: D:\My D

This will take the first 2 characters of every group of 4 characters in the string and convert it into a character. If you have characters that use both bytes then this will not convert them properly, so maybe relevance is not ideal for this.

(imported comment written by SystemAdmin)

Thanks Brian, that’s great. I had a feeling that there was a way to do it, but hadn’t figured it out yet.

I created a version that byte-swaps correctly and corrects by converting to integer and back. It will probably fail on non-English language, but I had to do it. I guess I’ll have to load up a non-English system and see what happens. :slight_smile:

Q: hexadecimal string (concatenation of ((hexadecimal integer (last 2 of it & first 2 of it) as hexadecimal) as string) of firsts 4 of following texts of positions whose ( it mod 4 = 0 ) of "44003a005c004d007900200044006f00630075006d0065006e00740073005c004400650073006b0074006f0070005c0050006500720073006f006e0061006c00200046006f006c0064006500720073002800310029002e00700073007400000")

A: D:\My Documents\Desktop\Personal Folders(1).pst

Thanks again!

Jim
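The decoding discussed in the posts above, as an added example that is not part of the original thread: it decodes the hex text of the REG_BINARY value as NUL-terminated UTF-16LE and compares that with the "first 2 of every 4 digits" shortcut on a path whose characters need both bytes. The function names and the second sample value are constructed for illustration.

```python
# Added example (not from the thread): decode the hex text of a REG_BINARY
# value that holds a NUL-terminated UTF-16LE string.

# The value quoted in the thread for Outlook 2003 (value name "001f6700").
PAGE_HEX = (
    "44003a005c004d0079002000"
    "44006f00630075006d0065006e0074007300"
    "5c00"
    "4400650073006b0074006f007000"
    "5c00"
    "50006500720073006f006e0061006c00"
    "2000"
    "46006f006c006400650072007300"
    "2800310029002e00"
    "700073007400"
    "0000"
)
# Constructed sample: a path with characters above U+00FF, NUL-terminated.
CONSTRUCTED_HEX = "D:\\\u0141\u00f3d\u017a.pst\x00".encode("utf-16-le").hex()


def _units(hex_text):
    """Split into whole 4-digit code units, dropping a truncated tail."""
    cleaned = "".join(hex_text.split()).lower()
    usable = len(cleaned) - len(cleaned) % 4
    return [cleaned[i:i + 4] for i in range(0, usable, 4)]


def decode_reg_utf16le(hex_text):
    """Full decode: every code unit, both bytes, up to the first NUL."""
    raw = bytes.fromhex("".join(_units(hex_text)))
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def low_byte_only(hex_text):
    """The 'first 2 of every 4 digits' shortcut, one character per low byte.
    Assumption: each byte is shown as Latin-1; a real client uses its code page."""
    text = "".join(chr(int(u[:2], 16)) for u in _units(hex_text))
    return text.split("\x00", 1)[0]


def lossy_units(hex_text):
    """Code units with a non-zero high byte, which the shortcut corrupts."""
    return [u for u in _units(hex_text) if u[2:] != "00"]


if __name__ == "__main__":
    for sample in (PAGE_HEX, CONSTRUCTED_HEX):
        print(decode_reg_utf16le(sample), low_byte_only(sample), lossy_units(sample))
```

An empty result from `lossy_units` means the shortcut and the full decode agree for that value; any entry marks a character the shortcut would report wrongly in a PST inventory.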

(imported comment written by SystemAdmin)

Continuing off of jnharry I needed the pathnames of archives for both Outlook 2003 and prior versions. The following relevance checks the version of outlook.exe first to determine how to retrieve the archive information.

if version of regapp "outlook.exe" <= "10" then (if (exists values whose (it as string as lowercase contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) then ((values whose (it as string contains ".pst") of keys of keys of key "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry) as string) else ("No archive")) else if version of regapp "outlook.exe" = "11" then (if (exists (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string)) then ((hexadecimal strings (concatenation of ((hexadecimal integer (last 2 of it & first 2 of it) as hexadecimal) as string) of firsts 4 of following texts of positions whose ( it mod 4 = 0 )of it)) of (preceding texts of lasts "0" of (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string))as string) else ("No Archive")) else "Outlook <= 2003 !Installed"

This version also returns the archives’ sizes but will not work if the archives are stored on a network drive:

if version of regapp "outlook.exe" <= "10" then (if (exists values whose (it as string contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) then ((pathname of it & " - " & (size of it /(1024*1024)) as string & "Mb") of files ((values whose (it as string contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) as string)) else ("No archive")) else if version of regapp "outlook.exe" = "11" then (if (exists (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string)) then (((pathname of it & " - " & (size of it /(1024*1024)) as string & "MB") of files ((hexadecimal strings (concatenation of ((hexadecimal integer (last 2 of it & first 2 of it) as hexadecimal) as string) of firsts 4 of following texts of positions whose ( it mod 4 = 0 )of it)) of (preceding texts of lasts "0" of (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string))as string))) else ("No Archive")) else "Outlook <= 2003 !Installed"

(imported comment written by BenKus)

Cool!

As a quick note, it doesn’t work on my new Office 2007 computer… Who wants to figure that piece out?

Ben

(imported comment written by SystemAdmin)

I wanted to revisit this so I took the latest version from Hexadecimal1256 and tweaked just by using the same code for v11 and v12 (changed the 'version of regapp "outlook.exe" = "11"' to >= "11") and it is working on my Outlook 2007 system. I created both a 2007 and a 2002 personal folder and both come back:

C:\Users\jnharry\AppData\Local\Microsoft\Outlook\Test Outlook 07 Personal Folder File.pst - 0MB
C:\Users\jnharry\AppData\Local\Microsoft\Outlook\Test Outlook XP Personal Folder File.pst - 0MB

Evaluation time: 11.338 ms
Evaluates to plural object of type string

Updated relevance:

if exists regapp "outlook.exe" then if version of regapp "outlook.exe" = "10" then (if (exists values whose (it as string contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) then ((pathname of it & " - " & (size of it / (1024*1024)) as string & "Mb") of files ((values whose (it as string contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) as string)) else ("No archive")) else if version of regapp "outlook.exe" >= "11" then (if (exists (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string)) then (((pathname of it & " - " & (size of it / (1024*1024)) as string & "MB") of files ((hexadecimal strings (concatenation of ((hexadecimal integer (last 2 of it & first 2 of it) as hexadecimal) as string) of firsts 4 of following texts of positions whose (it mod 4 = 0) of it)) of (preceding texts of lasts "0" of (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string)) as string))) else ("No Archive")) else "Outlook < XP installed" else "Outlook not installed"

Anyone have any ideas why this is working now? I would appreciate anyone with Outlook 2007 testing it and posting their results…

Thanks!

Jim

(imported comment written by BenKus)

Actually, your relevance seems to be working for me too… I think probably when I tested it last time, I didn’t have a local .pst file.

Ben

(imported comment written by SystemAdmin)

This script was a huge help! Thanks jnharry.

I’m hoping though to take this one step further. Now that the PST files registered in Outlook have been identified I would like to remove them from Outlook. Any chance you had to do this as well?