Deleting 64bit registry key not just 32bit

(imported topic written by SystemAdmin)

Trying to remove some 64-bit and 32-bit keys. I have tried the two methods below; however, only the 32-bit keys under Wow6432Node are removed, it doesn't make a difference which one I use. Even running just

[-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec]

for example removes the key under Wow6432Node.

Any clues??

Thanks a lot.

delete __appendfile
delete regdel.reg
appendfile Windows Registry Editor Version 5.00
appendfile [-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec]
appendfile [-HKEY_CURRENT_USER\SOFTWARE\Symantec]
appendfile [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec]
appendfile [-HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Symantec]
move __appendfile regdel.reg
wait regedit /s regdel.reg

OR

delete __createfile
delete regdel.reg
createfile until @end_create_reg_file
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec]
[-HKEY_CURRENT_USER\SOFTWARE\Symantec]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec]
[-HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Symantec]
@end_create_reg_file
move __createfile regdel.reg
wait regedit /s regdel.reg

(imported comment written by SystemAdmin)

This is complex. The client runs as a 32 bit process so it is automatically redirected to the 32 bit portion of the registry and I think you will also have the same problem with the wait command spawn as it will inherit the environment of the client.

There is an actionscript command that turns off this redirection, but you will have to move the file you constructed out of the directory you are using to a known safe directory (such as C:\Windows\Temp) as before executing this “C:\Program Files…” references “C:\Program Files (x86)…” and after it does not.

If you constructed the file you have and moved it to another directory then run the actionscript command:

move __appendfile C:\Windows\Temp\regdel.reg
action uses wow64 redirection false
wait regedit /s C:\Windows\Temp\regdel.reg
action uses wow64 redirection true

Then I believe your registry deletion will work as intended. Be cautious when using the redirection when file or registry locations are involved! Note that saying “false” turns “off” the redirection (enabling a 64 bit app view of everything) and “true” turns it back on. It will also revert to normal at the end of the action.

See Link:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx

for information on File Redirection and Link:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa384232(v=vs.85).aspx

for information on Registry redirection.
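The same idea without relying on the WOW64 redirection switch, as an added example that is not from this thread or from the BigFix product: .NET lets a process of either bitness open the 64-bit and the 32-bit (Wow6432Node) registry views explicitly, so both copies of a key can be removed from one script and the result reported per view. The key name SOFTWARE\ExampleVendor is a constructed placeholder.

```powershell
# Remove one key tree from BOTH registry views, regardless of whether the
# calling process is 32-bit or 64-bit. RegistryView.Registry32 maps to the
# Wow6432Node copy; RegistryView.Registry64 to the native 64-bit copy.
function Remove-RegistryKeyAllViews {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [Microsoft.Win32.RegistryHive] $Hive,   # e.g. LocalMachine, CurrentUser, Users
        [Parameter(Mandatory)]
        [string] $SubKey                        # e.g. 'SOFTWARE\ExampleVendor'
    )
    $results = @{}
    foreach ($view in [Microsoft.Win32.RegistryView]::Registry64,
                      [Microsoft.Win32.RegistryView]::Registry32) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $view)
        try {
            $existing = $base.OpenSubKey($SubKey, $false)
            if ($null -eq $existing) {
                $results[$view] = 'absent'      # nothing to do in this view
                continue
            }
            $existing.Close()
            if ($PSCmdlet.ShouldProcess("$Hive\$SubKey ($view view)", 'Delete key tree')) {
                # second argument $false: do not throw if the key vanished meanwhile
                $base.DeleteSubKeyTree($SubKey, $false)
                $results[$view] = 'deleted'
            } else {
                $results[$view] = 'skipped'     # -WhatIf / declined confirmation
            }
        } finally {
            $base.Close()
        }
    }
    return $results
}

# Constructed placeholder key; -WhatIf only reports what would be removed per view.
Remove-RegistryKeyAllViews -Hive LocalMachine -SubKey 'SOFTWARE\ExampleVendor' -WhatIf
```

When the script runs as SYSTEM there is no useful HKCU, so target a specific user's hive through the Users hive instead (for example -Hive Users with 'S-1-5-21-...\SOFTWARE\ExampleVendor', the SID being a placeholder).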

(imported comment written by SystemAdmin)

Thanks AlanM, this works for redirection.

Strange issue is that only the keys under Local Machine are removed, not under Current User. This is for both 32 and 64 nodes.

However if I run the action in Fixlet debugger, it is perfect.

Any clues?

// Enter your action script here
delete __appendfile
delete C:\Temp\regdel.reg
appendfile Windows Registry Editor Version 5.00
appendfile [-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec]
appendfile [-HKEY_CURRENT_USER\SOFTWARE\Symantec]
appendfile [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec]
appendfile [-HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Symantec]
move __appendfile C:\Temp\regdel.reg
action uses wow64 redirection false
wait regedit /s C:\Temp\regdel.reg
action uses wow64 redirection true
delete C:\Temp\regdel.reg

(imported comment written by SystemAdmin)

Editing HKCU is a different beast. The debugger was launched under your user and therefore sees your HKCU. The TEM agent runs as SYSTEM and therefore doesn’t have an HKCU. Take a look here for how to access HKCU using relevance substitution:

http://forum.bigfix.com/viewtopic.php?pid=8413#p8413