Command line question

Shenanigans 2021-09-13 15:25:27 UTC #1

So as a follow-up to the CVE-2021-40444 situation from last week, I tried to use a dos command to delete the default value from the .doc key in HKEY_CLASSES_ROOT. It works locally on my vm, but fails when trying to execute as a BigFix task. I’m sure I am missing something, but here’s the command:

dos reg delete "HKCR\.doc\ShellEx\"{8895b1c6-b41f-4c1c-a562-0d564250836f}" /ve /f

Any help is always appreciated!

brolly33 2021-09-13 15:54:16 UTC #2

That key path does not look correct… missing some slashes?
You seem to have an extra doubleqoute in the middle
You probably need to escape the leading curly bracket {{.

Try
dos reg delete "HKEY_CLASSES_ROOT\.docx\ShellEx\{{8895b1c6-b41f-4c1c-a562-0d564250836f}" /ve /f

JasonWalker 2021-09-13 15:55:01 UTC #3

I just edited the post to use CODE tags. Some of the backslashes were lost due to HTML formatting and should appear correct now.

Shenanigans 2021-09-13 17:12:05 UTC #4

Yep as soon as I read your post, realized the curly bracket issue, thanks for the catch!