So as a follow-up to the CVE-2021-40444 situation from last week, I tried to use a dos command to delete the default value from the .doc key in HKEY_CLASSES_ROOT. It works locally on my vm, but fails when trying to execute as a BigFix task. I’m sure I am missing something, but here’s the command:
dos reg delete "HKCR\.doc\ShellEx\"{8895b1c6-b41f-4c1c-a562-0d564250836f}" /ve /f
Any help is always appreciated!
That key path does not look correct… missing some slashes?
You seem to have an extra double quote in the middle.
You probably need to escape the leading curly bracket {{.
Try
dos reg delete "HKEY_CLASSES_ROOT\.docx\ShellEx\{{8895b1c6-b41f-4c1c-a562-0d564250836f}" /ve /f
I just edited the post to use CODE tags. Some of the backslashes were lost due to HTML formatting and should appear correct now.
Yep as soon as I read your post, realized the curly bracket issue, thanks for the catch!
action uses wow64 redirection false
dos reg delete "\\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /v {{####} /f
It completes, but the registry key is still there.
I tried adding
>> C:\Windows\Temp\delete_reg_key.log 2>&1
but after it says it completed, the log file is not there either.
{{####} is a key, not a value, and the first line contains two incorrect slashes.
You can try and test the two methods I used below to remove the key.
dos reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{{0209823450DC-07BF-40CB-BA73-C443F0Cer2w1DE5F}" /f /reg:64
//Wait reg delete
if {x64 of operating system}
wait reg Delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{{0209823450DC-07BF-40CB-BA73-C443F0Cer2w1DE5F}" /f /reg:64
else
wait reg Delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{{0209823450DC-07BF-40CB-BA73-C443F0Cer2w1DE5F}" /f
Endif
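As an added example (not code from anyone in this thread or from BigFix), a small Python helper that generates the action-script `reg delete` lines discussed above with the `{{` escaping applied, flags the malformed-path mistakes raised in the replies (stray double quote, leading backslashes before the hive), and reproduces the x64 if/else pattern from the last reply. It generalizes the single `.docx` line to a list of extensions; the extension list and the GUID are taken from this thread and used here as constructed inputs.

```python
"""Generate BigFix action-script 'reg delete' lines with the brace
escaping this thread is about: action script treats {...} as relevance
substitution, so a literal '{' in a registry path is written '{{'."""

KNOWN_HIVES = {"HKEY_CLASSES_ROOT", "HKCR", "HKEY_LOCAL_MACHINE", "HKLM",
               "HKEY_CURRENT_USER", "HKCU", "HKEY_USERS", "HKU"}


def escape_braces(text: str) -> str:
    """Double every opening brace; closing braces stay single."""
    return text.replace("{", "{{")


def key_problems(key: str) -> list:
    """Return the malformed-path mistakes seen in this thread (empty if none)."""
    problems = []
    if key.startswith("\\"):
        problems.append("leading backslashes before the hive")
    if '"' in key:
        problems.append("double quote inside the key path")
    if key.split("\\", 1)[0] not in KNOWN_HIVES:
        problems.append("unknown hive name")
    return problems


def reg_delete_line(key, default=False, value=None, prefix="dos", reg64=False):
    """Build one action-script line. default=True -> /ve (delete the key's
    default value); value -> /v <name>; neither -> delete the whole key."""
    problems = key_problems(key)
    if problems:
        raise ValueError("; ".join(problems))
    parts = [prefix, "reg", "delete", f'"{escape_braces(key)}"']
    if default:
        parts.append("/ve")
    elif value is not None:
        parts.append(f'/v "{escape_braces(value)}"')
    parts += ["/f"] + (["/reg:64"] if reg64 else [])
    return " ".join(parts)


def preview_handler_lines(extensions, handler_guid):
    """Default-value deletion for each extension's ShellEx handler subkey."""
    return [reg_delete_line(f"HKEY_CLASSES_ROOT\\{ext}\\ShellEx\\{handler_guid}",
                            default=True) for ext in extensions]


def arch_aware_block(key):
    """Mirror the if/else from the last reply: add /reg:64 on x64 hosts."""
    return ["if {x64 of operating system}",
            reg_delete_line(key, prefix="wait", reg64=True),
            "else", reg_delete_line(key, prefix="wait"), "endif"]


if __name__ == "__main__":
    # Constructed inputs: the extensions and handler GUID named in this thread.
    for line in preview_handler_lines([".doc", ".docx"],
                                      "{8895b1c6-b41f-4c1c-a562-0d564250836f}"):
        print(line)
```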