Deleting MultiString value from Registry

Hi All,

I have tried to create a Fixlet by using the Wizard to delete the Multistring value from the following path:

“Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002”

Value is : TLS_RSA_WITH_3DES_EDE_CBC_SHA
Multistring Value Name is : Functions

But the fixlet is completing with Exit code :1

The following action script was created when I used the Wizard (image steps attached):

========================================

action uses wow64 redirection false

delete __createfile
delete wizardedit.reg

createfile until @end_create_reg_file
Windows Registry Editor Version 5.00

["Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002\Functions"]
""TLS_RSA_WITH_3DES_EDE_CBC_SHA""
@end_create_reg_file

move __createfile wizardedit.reg

if {(exists value "CurrentVersion" of it AND ((relative significance place ((number of characters of (it as floating point as integer as string)) as integer ) of ( it as floating point)) of ((value "CurrentVersion" of it) as string )as floating point > 6)) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry}

parameter "keyname"=""Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002\Functions""
parameter "valuename"=""TLS_RSA_WITH_3DES_EDE_CBC_SHA""

override wait
hidden=true
wait reg.exe delete {parameter "keyname"} /v {parameter "valuename"} /f 

else
waithidden regedit /s "wizardedit.reg"
endif

=========================================================

Note: When I select the Deletion option, all the appropriate buttons get disabled, hence I added the value data in the value name.

Kindly suggest

The format of your registry path is wrong, remove the leading “COMPUTER\”.

Possibly the easier method is to use the regdelete actionscript command, passing the key name and the value name to the command to delete the value.

regdelete "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]" "Functions"

1 Like

I would like to delete the value data “TLS_RSA_WITH_3DES_EDE_CBC_SHA” inside the Functions value name. Can you help me?

You should be able to use regset to create/replace the existing value with a new value. You will need to convert your desired value into its hex equivalent, e.g. (you may want to use a different value name to test this :wink: )

regset "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]" "Functions"=hex(7):4c,00,69,00,6e,00,65,00,31,00,00,00,4c,00,69,00,6e,00,65,00,32,00,00,00,00,00

If you don’t want to add anything at all, you can use the same technique as @SLB described and just set that to blank feed.

regset "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]" "Functions"=""

Though that may recreate it as a REG_SZ value. Use a test value first, but to empty it and keep it as REG_MULTI_SZ, maybe use

regset "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]" "Functions"=hex(7):

1 Like

I learned something new today too. Using =hex(n) allows you to produce any of the respective registry value types. https://www.chemtable.com/blog/en/types-of-registry-data.htm

REG_NONE						= hex(0)
REG_SZ							= hex(1)
REG_EXPAND_SZ					= hex(2)
REG_BINARY						= hex(3)
REG_DWORD						= hex(4)
REG_DWORD_BIG_ENDIAN 			= hex(5)
REG_LINK						= hex(6)
REG_MULTI_SZ					= hex(7)
REG_RESOURCE_LIST				= hex(8)
REG_FULL_RESOURCE_DESCRIPTOR	= hex(9)
REG_RESOURCE_REQUIREMENTS_LIST	= hex(a)
REG_QWORD						= hex(b)
3 Likes

Using
regdelete "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]" "Functions" = value name option, it does NOT delete the value under the multi-string path

regdelete deletes a value, not the data of the value. Could you be a bit more specific on your use case here? It sounds more like you want to modify the data of a value, not delete the value. That being so, you would need to first parse the current data from the value, search/replace the substring you want to remove, then use regset to modify the data with the modified data.

2 Likes

@SLB sir,

I would like to delete the data value "TLS_RSA_WITH_3DES_EDE_CBC_SHA" from the following path

“Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002”

Multi string name is : Functions
Data value is : TLS_RSA_WITH_3DES_EDE_CBC_SHA

Note: there are multiple data values under Functions, but I would like to delete only the above data value

I would recommend first testing this in your environment by writing to an alternative registry value so you can validate the format is correct. This basically parses the existing registry value data, removes the string “TLS_RSA_WITH_3DES_EDE_CBC_SHA%00”, converts the modified string back to hex and will write it as value “FunctionsTest” using regset. Just change FunctionsTest to Functions once you have thoroughly tested.

parameter "newdata" = "{concatenation ",00,00,00," of ((concatenation ",00," of (it as hexadecimal) of characters of it) of (substrings separated by "%00" of concatenation "" of substrings separated by "TLS_RSA_WITH_3DES_EDE_CBC_SHA%00" of (preceding text of last "%00%00" of (value "Functions" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" of native registry as string | "")))) & ",00,00,00,00,00"}"
regset "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]" "FunctionsTest"=hex(7):{(parameter "newdata")}

A breakdown of the logic

Parse the current value data
Q: (preceding text of last "%00%00" of (value "Functions" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" of native registry as string | ""))

Search and replace your unwanted value
Q: (substrings separated by "%00" of concatenation "" of substrings separated by "TLS_RSA_WITH_3DES_EDE_CBC_SHA%00" of (preceding text of last "%00%00" of (value "Functions" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" of native registry as string | "")))

Convert each substring into the hex formats necessary to write using regset
Q: (concatenation ",00," of (it as hexadecimal) of characters of it) of (substrings separated by "%00" of concatenation "" of substrings separated by "TLS_RSA_WITH_3DES_EDE_CBC_SHA%00" of (preceding text of last "%00%00" of (value "Functions" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" of native registry as string | "")))

Join the substrings back into a single hex string that can be written using regset.
Q: concatenation ",00,00,00," of ((concatenation ",00," of (it as hexadecimal) of characters of it) of (substrings separated by "%00" of concatenation "" of substrings separated by "TLS_RSA_WITH_3DES_EDE_CBC_SHA%00" of (preceding text of last "%00%00" of (value "Functions" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" of native registry as string | "")))) & ",00,00,00,00,00"

3 Likes
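As an added example (not code from any post in this thread), the following Python sketch reproduces the hex(7) layout discussed above offline: UTF-16LE strings, each NUL-terminated, with one extra NUL closing the list. It can be used to check the data a regset line would write before pointing the action at the real Functions value. The function names and the sample list are constructed for illustration, and entries are compared whole, so removal works wherever the entry sits in the list.

```python
# Added example: build and verify regset hex(7) (REG_MULTI_SZ) data offline.
# Function names and SAMPLE_ENTRIES are constructed, not taken from BigFix.

def decode_hex7(hex_data):
    """Decode 'xx,xx,...' REG_MULTI_SZ data into a list of strings."""
    raw = bytes(int(b, 16) for b in hex_data.split(",") if b.strip())
    if len(raw) % 2:
        raise ValueError("data must consist of whole UTF-16LE code units")
    text = raw.decode("utf-16-le")
    if text and not text.endswith("\x00"):
        raise ValueError("missing terminating NUL")
    # Each entry is NUL-terminated; an extra NUL ends the list.
    return [entry for entry in text.split("\x00") if entry]


def encode_hex7(entries):
    """Encode strings as comma-separated hex bytes for regset ...=hex(7):"""
    for entry in entries:
        if not entry or "\x00" in entry:
            raise ValueError("entries must be non-empty and contain no NUL")
    body = "".join(entry + "\x00" for entry in entries)
    raw = body.encode("utf-16-le") + b"\x00\x00"  # final list terminator
    return ",".join(f"{byte:02x}" for byte in raw)


def remove_entry(hex_data, unwanted):
    """Return hex(7) data with every exact match of `unwanted` removed."""
    kept = [e for e in decode_hex7(hex_data) if e != unwanted]
    return encode_hex7(kept)


# Constructed sample list; the unwanted suite is deliberately the last entry.
SAMPLE_ENTRIES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    before = encode_hex7(SAMPLE_ENTRIES)
    after = remove_entry(before, "TLS_RSA_WITH_3DES_EDE_CBC_SHA")
    print("remaining entries:", decode_hex7(after))
    print("regset data: hex(7):" + after)
```

Decoding the string produced by the relevance expression with `decode_hex7` is a quick way to confirm the unwanted suite is gone and the remaining entries are intact before switching FunctionsTest to Functions.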