Some progress on parsing Registry.pol. As a reminder, this is UNICODE text (2-byte characters) with embedded binary values.
Explanation:

1) Gets the lines out of Registry.pol and concatenates them together.

1a) The file should “really” be one line. But BigFix splits it up into lines at 2,048 characters each, so those have to be concatenated back together. BigFix also splits if one of those binary values happens to be decimal 10, i.e. 0x0a, which is also the Newline character. So if the line length is 2048 and was arbitrarily split by the “lines of file” inspector, just put it back together; but if the length is less than 2048, the inspector found a “%0a” which was removed and needs to be put back. Note - I don’t have a good way to handle cases where %0d%0a were both present and both were stripped out, but I haven’t encountered that in practice and I will ignore it for now.

2) Split into substrings bounded by %00[ and %00], the two-byte characters for “[” and “]”. These are each Registry setting found in reg.pol, equivalent to each “line”.

3) Split each “line” into items, splitting at semicolons ( “%00;” ) - where item 0 is the Key Name, item 1 is the Value Name, item 2 is the Type, and item 3 is the Data. Note that I skip the third field - which corresponds to “size of data field”, because I can’t find an interesting use for that.

4) Items 0 and 1 are String, so take out the UNICODE Nulls with “concatenation of substrings separated by "%00"”.

5) Item 3 may be a string, depending on the Data Type. So if the Data type corresponds to “REG_SZ” or “REG_EXPAND_SZ”, then also remove the NULLs from item 3. If the Data type corresponds to “REG_MULTI_SZ”, then split the data on double-nulls (which are the delimiter between the multiple String values), remove the NULLs from the individual strings, then put them back together again with a NULL separator.

5a) Otherwise, Item 3 is some kind of a binary value, so just keep it as-is.

q: (concatenation of substrings separated by "%00" of item 0 of it & ";" & concatenation of substrings separated by "%00" of item 1 of it & ";" & item 2 of it & ";" & (if (it = "%00%01%00%00" or it="%00%02%00%00") of item 2 of it then concatenation of substrings separated by "%00" of item 3 of it else item 3 of it)) of (preceding text of first "%00%00%00;" of it, preceding text of first "%00%00%00;" of following text of first "%00%00%00;" of it, preceding text of first "%00;" of following text of first "%00%00%00;" of following text of first "%00%00%00;" of it , following text of first "%00;" of following text of first "%00;" of following text of first "%00%00%00;" of following text of first "%00%00%00;" of it) of ( substrings separated by "%00[" of substrings separated by "%00]" of concatenation of (if length of it = 2048 then it else it & "%0a") of lines of files "Registry.pol" of folders "GroupPolicy\Machine" of native system folder) whose (it as trimmed string contains ";")
A: Software\Microsoft\Windows\CurrentVersion\Policies\CredUI;EnumerateAdministrators;%00%04%00%00;%00%00%00%00
A: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;NoPublishingWizard;%00%04%00%00;%00%01%00%00
A: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;NoDriveTypeAutoRun;%00%04%00%00;%00%ff%00%00
A: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;NoWebServices;%00%04%00%00;%00%01%00%00
A: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;UseDefaultTile;%00%04%00%00;%00%01%00%00
A: Software\Microsoft\Windows\CurrentVersion\Policies\Ext;**del.NoFirsttimeprompt;%00%01%00%00;
A: Software\Microsoft\Windows\CurrentVersion\Policies\System;DisableStartupSound;%00%04%00%00;%00%01%00%00
A: Software\Policies\Google\Chrome;AuthServerWhitelist;%00%01%00%00;*.mycompany.com
…
T: 41.384 ms
I: plural string
This lends itself to checking multiple Registry.pol entries in Fixlet Relevance; here, check that Local Group Policy is configured to turn on Windows Firewall and set the DefaultInboundAction to Drop:
q: (size of (set of ("Software\Policies\Microsoft\WindowsFirewall\PublicProfile;EnableFirewall;%00%04%00%00;%00%01%00%00";"Software\Policies\Microsoft\WindowsFirewall\PublicProfile;DefaultInboundAction;%00%04%00%00;%00%01%00%00") - it) = 0) of set of (concatenation of substrings separated by "%00" of item 0 of it & ";" & concatenation of substrings separated by "%00" of item 1 of it & ";" & item 2 of it & ";" & (if (it = "%00%01%00%00" or it="%00%02%00%00") of item 2 of it then concatenation of substrings separated by "%00" of item 3 of it else item 3 of it)) of (preceding text of first "%00%00%00;" of it, preceding text of first "%00%00%00;" of following text of first "%00%00%00;" of it, preceding text of first "%00;" of following text of first "%00%00%00;" of following text of first "%00%00%00;" of it , following text of first "%00;" of following text of first "%00;" of following text of first "%00%00%00;" of following text of first "%00%00%00;" of it) of ( substrings separated by "%00[" of substrings separated by "%00]" of concatenation of (if length of it = 2048 then it else it & "%0a") of lines of files "Registry.pol" of folders "GroupPolicy\Machine" of native system folder) whose (it as trimmed string contains ";")
A: True
T: 24.532 ms
I: singular boolean
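For readers who want the same parsing and the same firewall check outside BigFix relevance, here is an added Python example (not code from the post or from BigFix). It reads the Registry.pol record layout the post describes, `[key;value;type;size;data]` in UTF-16LE after the `PReg` header and version 1, decoding the 4-byte type and size fields directly instead of matching their byte patterns and skipping the size. The sample .pol bytes are constructed inline (they mirror entries shown in the post's output, plus a constructed REG_MULTI_SZ value), so the script runs offline; the `build_pol`, `parse_pol`, `settings_present` and `firewall_policy_ok` names are this example's own.

```python
"""Parse a Group Policy Registry.pol (PReg) file and check policy settings.

Added example, not code from the forum post: it does in Python what the post's
BigFix relevance does with string splitting, but reads the 4-byte type and
size fields properly instead of skipping the size. The sample file bytes are
constructed inline, so the script runs offline.
"""
import struct

# Standard registry value types (the post matches 1, 2, 4 and 7 by their byte patterns)
REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_MULTI_SZ = 1, 2, 4, 7


def utf16(s):
    return s.encode("utf-16-le")


def build_pol(entries):
    """Serialize (key, value_name, type, raw_data) tuples into PReg v1 bytes.
    Used only to construct test input; the record layout is [key;value;type;size;data]."""
    out = b"PReg" + struct.pack("<I", 1)
    for key, name, vtype, data in entries:
        out += utf16("[") + utf16(key + "\x00") + utf16(";") + utf16(name + "\x00") + utf16(";")
        out += struct.pack("<I", vtype) + utf16(";") + struct.pack("<I", len(data)) + utf16(";")
        out += data + utf16("]")
    return out


def decode_data(vtype, data):
    """Decode the data field by type; anything else stays raw bytes, as in the post's step 5a."""
    if vtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]              # little-endian: ff 00 00 00 -> 255
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if vtype == REG_MULTI_SZ:
        text = data.decode("utf-16-le").rstrip("\x00")   # NUL-separated strings, double-NUL terminated
        return tuple(text.split("\x00")) if text else ()
    return data


def parse_pol(blob):
    """Return a list of (key, value_name, type, decoded_data) records."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a PReg version 1 file")

    def expect(pos, ch):
        if blob[pos:pos + 2] != utf16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        return pos + 2

    def read_wstr(pos):
        # Step 2 bytes at a time so the 00 high byte of an ASCII character is
        # never mistaken for the 00 00 terminator (the post's "%00" problem).
        end = pos
        while blob[end:end + 2] != b"\x00\x00":
            end += 2
        return blob[pos:end].decode("utf-16-le"), end + 2

    records, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_wstr(pos)
        pos = expect(pos, ";")
        name, pos = read_wstr(pos)
        pos = expect(pos, ";")
        vtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]   # the field the post skips
        pos = expect(pos + 4, ";")
        data, pos = blob[pos:pos + size], pos + size
        pos = expect(pos, "]")
        records.append((key, name, vtype, decode_data(vtype, data)))
    return records


def is_delete_directive(value_name):
    """A '**del.' prefix (seen in the post's output) tells Group Policy to delete that value."""
    return value_name.startswith("**del.")


def settings_present(records, required):
    """True if every required (key, value_name, type, data) is in the .pol.
    Key and value names compare case-insensitively, as the registry does
    (the post's string-set comparison is case-sensitive)."""
    have = {(k.lower(), n.lower(), t, d) for k, n, t, d in records}
    return all((k.lower(), n.lower(), t, d) in have for k, n, t, d in required)


FW = "Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile"
SAMPLE_POL = build_pol([  # constructed sample; mirrors entries shown in the post's output
    (FW, "EnableFirewall", REG_DWORD, struct.pack("<I", 1)),
    (FW, "DefaultInboundAction", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoDriveTypeAutoRun",
     REG_DWORD, struct.pack("<I", 0xFF)),
    ("Software\\Policies\\Google\\Chrome", "AuthServerWhitelist", REG_SZ, utf16("*.mycompany.com\x00")),
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Ext", "**del.NoFirsttimeprompt", REG_SZ, b""),
    ("Software\\Policies\\Example", "Servers", REG_MULTI_SZ, utf16("one\x00two\x00\x00")),  # constructed
])
REQUIRED_FIREWALL = [(FW, "EnableFirewall", REG_DWORD, 1), (FW, "DefaultInboundAction", REG_DWORD, 1)]


def firewall_policy_ok(blob=SAMPLE_POL):
    """Same check as the post's relevance: firewall on and inbound default set to 1 (Drop)."""
    return settings_present(parse_pol(blob), REQUIRED_FIREWALL)


if __name__ == "__main__":
    for rec in parse_pol(SAMPLE_POL):
        print(rec)
    print("firewall policy ok:", firewall_policy_ok())
```

To run it against a real file, pass `open(path, "rb").read()` for the `Machine\Registry.pol` under the GroupPolicy folder to `firewall_policy_ok`; unknown types fall through as raw bytes rather than failing, and a malformed record raises with its byte offset so a truncated or hand-edited .pol is reported instead of silently matching.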