Help combining registry searches

(imported topic written by NelsonEW91)

Hello all,

I’m at a bit of a loss. I’m trying to search for multiple versions of WebSphere installed in multiple ways. One of the ways is looking in the registry. What I’m playing with currently is getting the version of the software, but there are several different values with the word version in them with different numbers. I want to return all of them, but to organize it I also want the name of the value. In my ignorance, I can only seem to get one or the other, but not both in the same relevance statement. Here is what I’m looking at. Any help would be appreciated. Thanks.

q: values whose (name of it as lowercase contains "version") of keys of keys whose (name of it as lowercase contains "websphere") of keys of key "hklm\software" of registry

A: 6

A: 6

A: 0

A: 0

A: 0

A: 6

q: (name of it) of values whose (name of it as lowercase contains "version") of keys of keys whose (name of it as lowercase contains "websphere") of keys of key "hklm\software" of registry

A: MajorVersion

A: MajorVersion

A: MinorVersion

A: MaintenanceVersion

A: UpdateVersion

A: MajorVersion

(imported comment written by NoahSalzman)

Here is a simplified query that might point you in the right direction:

(names of it, it) of (values of key "" of registry) whose (name of it is "Version")

(imported comment written by NelsonEW91)

Thank you. That is so obvious I feel dumb.

(imported comment written by SystemAdmin)

If I could expand on the question a little bit?

I’m trying to do a registry search of the CURRENT_USER to locate a registry key that may or may not exist in “Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems”. I need to return the values of any keys that exist under “\DisabledItems”, search their values for a keyword, then return the name of that key and delete it. At the moment I’m doing this as an Analysis but will change it to a task for the deletion. My relevance is to check if the “\DisabledItems” key exists:

exists key "Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems" of current user keys (logged on users) of registry OR exists key "Software\Microsoft\Office\12.0\Outlook\Resiliency\DisabledItems" of current user keys (logged on users) of registry

I’m having difficulty with the name return and deletion. I’ve been able to convert the value of the key somewhat to a string but missing the next step to delete the key.

hexadecimal string ( concatenation of firsts 2 of following texts of positions whose ( it mod 4 = 0 ) of (Values of key "Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems" of current user keys (logged on users) of registry as string))

Any ideas on how to handle the search and delete? The logic would be

If value contains “keyword” then delete key

Thanks

(imported comment written by SystemAdmin)

Quick follow-up. The key type I’m looking for is a REG_BINARY and the key name is a unique generated number that is different on every computer.

(imported comment written by SystemAdmin)

Using the Registry Wizard I’ve been able to get this far:

delete __createfile
delete wizardedit.reg
createfile until @end_create_reg_file
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems]
"1A71871"=-
@end_create_reg_file
move __createfile wizardedit.reg
prefetch RunAsCurrentUser.exe sha1:ee47505ebfb2790b9da8a20ed70e67158e9753d0 size:342528 http://software.bigfix.com/download/bes/util/RunAsCurrentUser-2.0.3.1.exe
utility __Download\RunAsCurrentUser.exe
waithidden "__Download\RunAsCurrentUser.exe" --w regedit /s "wizardedit.reg"

But my issue is that the key I need to delete (shown here as “1A71871”) is a randomly generated key name by Microsoft Outlook. The key’s data is the same (a long binary value) however. How would I change the hard coded key name to a relevance expression that would return the value of the key name based on a matching binary code? I tried plugging in the code below but the action failed to remove the key.

(name of it) of values whose (it as string as lowercase contains "010000005a0000005a00000063003a005c00700072006f006700720061006d002000660069006c00650073005c007a0061006e00740061007a005c00650061007300200063006c00690065006e0074005c007a006f006c00650078002e0064006c006c00000063003a005c00700072006f006700720061006d002000660069006c00650073005c007a0061006e00740061007a005c00650061007300200063006c00690065006e0074005c007a006f006c00650078002e0064006c006c000000") of it of key "Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems" of current user keys (logged on users) of registry

Also, if the user is running Outlook 2007 the path becomes Office\12.0\Outlook. Is it possible to do an if then else if statement in the action script?

(imported comment written by NoahSalzman)

Does this come back as true?

value of key "Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems" of current user keys (logged on users) of registry as string = "blah"

(Change “blah” to be your long binary value.)

(imported comment written by SystemAdmin)

When running it in QnA, it returns “Singular expression refers to nonexistent object”. But I’d imagine that’s because it’s running as a user. Should the “of current user keys” work in QnA?

I’ve got the code working to remove a key and I’ve got the code working to return the necessary key name (as posted previously). I’m just having trouble plugging the key name code into the delete regkey code.

(imported comment written by SystemAdmin)

Here is what I have for the deletion of the registry key:

action uses wow64 redirection false
delete __createfile
delete wizardedit.reg
createfile until @end_create_reg_file
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems]
"1A71871"=-
@end_create_reg_file
move __createfile wizardedit.reg
prefetch RunAsCurrentUser.exe sha1:ee47505ebfb2790b9da8a20ed70e67158e9753d0 size:342528 http://software.bigfix.com/download/bes/util/RunAsCurrentUser-2.0.3.1.exe
utility __Download\RunAsCurrentUser.exe
waithidden "__Download\RunAsCurrentUser.exe" --w regedit /s "wizardedit.reg"

My issue is that I need to replace “1A71871” with a search that returns the name of the key that contains a given binary value, as the value is the same for each user but the key name is different (randomly created by Outlook).

I’m using the search for the key value as my relevance. Code is below:

(exists it of values whose (it as string as lowercase contains "010000005a0000005a00000...........") of it of key "Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems" of current user keys (logged on users) of registry

I’m unable to figure out how to include the search that will return the key name into my action. Is there a way I could do the search, return the key name to a variable and then use the variable in the reg key delete?

(imported comment written by NoahSalzman)

Please install QnA on a target machine (where the relevance will be applicable) and run:

value of key "Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems" of current user keys (logged on users) of registry as string = ""

and also

value of key "hkey_current_user\Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems" of registry as string = ""

Then let us know if the result is true.

(imported comment written by SystemAdmin)

For the first one:

If I put in the entire long value it errors out saying “This expression has a very long string”. If I remove half of the string and only use half of the long value, the result is “Singular expression refers to nonexistent object”.

For the second one:

Using the entire string returns the same error “This expression has a very long string”. Removing half of it returns the answer “False”.

(imported comment written by SystemAdmin)

Any updates? I really need to get this working… thanks

(imported comment written by SystemAdmin)

Is it possible to assign the output of the code that finds the name of key of the disabled item and assign it to a ‘variable’ to be used in the script to remove it from the registry?

E.g.

'Var1'=(name of it) of values whose (it as string as lowercase contains "010000005a0000005a00000063003a005c00700072006f006700720061006d002000660069006c00650073005c007a0061006e00740061007a005c00650061007300200063006c00690065006e0074005c007a006f006c00650078002e0064006c006c00000063003a005c00700072006f006700720061006d002000660069006c00650073005c007a0061006e00740061007a005c00650061007300200063006c00690065006e0074005c007a006f006c00650078002e0064006c006c000000") of it of key "Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems" of current user keys (logged on users) of registry

createfile until @end_create_reg_file
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems]
"Var1"=-
@end_create_reg_file

(imported comment written by SystemAdmin)

Or could I include the whole search in front of the =- using {}??

(imported comment written by NoahSalzman)

I’m looking at a random string in my Registry, trying to figure out a way to deal with the “long string” issue. One ugly way to deal with long strings is this:

q: (value "ModemProfile" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000" of registry as string) = concatenation of (
"00b500000001000000010000000000000000000000000000000000000000000000000000803e0000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" & 



"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" & 

"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000072cc0000924f0000") A: True

(imported comment written by NoahSalzman)

BTW… j2johnson’s issue was resolved off list… It was just a matter of getting the relevance substitution syntax correct.

(imported comment written by SystemAdmin)

Here is the key part of the action script:

createfile until @end_create_reg_file
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems]
"{(name of it) of values whose (it as string as lowercase contains "010000005a0000005a00000063003a005c00700072006f006700720061006d002000660069006c00650073005c007a0061006e00740061007a005c00650061007300200063006c00690065006e0074005c007a006f006c00650078002e0064006c006c00000063003a005c00700072006f006700720061006d002000660069006c00650073005c007a0061006e00740061007a005c00650061007300200063006c00690065006e0074005c007a006f006c00650078002e0064006c006c000000") of it of key "Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems" of current user keys (logged on users) of registry}"=-
@end_create_reg_file
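
Added example, not written by any poster in this thread and not BigFix code: the REG_BINARY value quoted above reads as three little-endian DWORDs followed by two NUL-terminated UTF-16LE strings, so the "if value contains keyword" test can run on the decoded DLL path instead of the full hex string. The layout is inferred from that one posted value only; `build_disabled_item`, `parse_disabled_item`, `names_to_delete` and every sample entry other than the `1A71871` name and the zolex.dll path are hypothetical or constructed.

```python
import struct

def build_disabled_item(path, name=None, flag=1):
    """Construct a sample blob in the layout inferred from the thread's value."""
    strings = [(s + "\0").encode("utf-16-le") for s in (path, name or path)]
    header = struct.pack("<III", flag, len(strings[0]), len(strings[1]))
    return header + b"".join(strings)

def parse_disabled_item(blob):
    """Return (flag, [str1, str2]); raise ValueError if the blob does not fit."""
    if len(blob) < 12:
        raise ValueError("blob shorter than the 12-byte header")
    flag, len1, len2 = struct.unpack_from("<III", blob, 0)
    if len1 % 2 or len2 % 2 or 12 + len1 + len2 > len(blob):
        raise ValueError("declared string lengths do not fit the blob")
    strings, offset = [], 12
    for size in (len1, len2):
        text = blob[offset:offset + size].decode("utf-16-le")
        strings.append(text.rstrip("\0"))
        offset += size
    return flag, strings

def names_to_delete(values, keyword):
    """values maps value name -> REG_BINARY bytes; return names matching keyword."""
    keyword = keyword.lower()
    hits = []
    for name, blob in values.items():
        try:
            _, strings = parse_disabled_item(blob)
        except ValueError:  # also covers UnicodeDecodeError
            continue        # unknown layout: never select it for deletion
        if any(keyword in s.lower() for s in strings):
            hits.append(name)
    return sorted(hits)

# Constructed sample data standing in for the values under DisabledItems.
SAMPLE_PATH = r"c:\program files\zantaz\eas client\zolex.dll"
SAMPLE_VALUES = {
    "1A71871": build_disabled_item(SAMPLE_PATH),
    "2C00F13": build_disabled_item(r"c:\program files\example\other.dll"),
    "BADBLOB": b"\x01\x00",  # truncated on purpose
}

if __name__ == "__main__":
    print(names_to_delete(SAMPLE_VALUES, "zolex.dll"))
```

On a Windows endpoint the `values` mapping can be filled from `winreg.EnumValue` on the user's `DisabledItems` key; matching on the decoded path also avoids the "very long string" limit hit in QnA.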