(imported comment written by David_Chewning91)
Ben,
Thanks! That solved the issue. It is hard to explain what I am chasing. Let’s just call them “nasties”. However, when I chase them I need to be able to look at files and registries fairly quickly in parallel over a large number of systems. The Perl registry key was just an arbitrary key I picked to play with.
Again, thanks. Here is my complete (and long) script, to give you more insight into why I was asking:
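// Purpose: sweep every local fixed drive for the file names listed in "search",
// optionally run REG QUERY lookups, SHA-1 the files that were found, and upload
// both result files through the Archive Manager.
//
// Repairs made to the text as it was pasted:
//  - typographic quotes are restored to plain ASCII double quotes; relevance and
//    cmd.exe only accept the ASCII form.
//  - NOTE(review): the pasted paths had no separator between "\historical" and
//    the hostname, so the files would have landed beside the folder created
//    below instead of inside it. The "\" is restored here - confirm against the
//    original action.
//  - the REG QUERY syntax lines inside the batch had lost their "rem" prefix and
//    would have been executed as commands.
action uses wow64 redirection false

// Work area under the client folder. The batch file written here is executed by
// the client (typically as LocalSystem), so this folder should stay writable by
// administrators only - verify the ACL on the endpoints.
parameter "workdir"="{pathname of parent folder of regapp "besclient.exe" & "\historical"}"
parameter "prefix"="{(parameter "workdir") & "\" & hostname}"

if {not exists folder (parameter "workdir")}
folder create "{parameter "workdir"}"
endif

// Clear leftovers from a previous run so stale results are never uploaded.
delete "{parameter "prefix"}_find.bat"
delete "{parameter "prefix"}_find.txt"
delete "{parameter "prefix"}_find_sha1.txt"
delete "{parameter "prefix"}_reg.txt"
delete __createfile

// Everything up to the DAVID marker becomes the batch file; expressions in curly
// braces are substituted by the client before the file is written.
createfile until DAVID
@echo off
rem NOTE(review): the action starts this file with cmd.exe from the "system x32
rem folder". On 64-bit Windows that is presumably the 32-bit cmd.exe, whose dir
rem and reg query are subject to WOW64 redirection (System32 and the 64-bit
rem HKLM\Software view are not what gets searched) - confirm this is intended.
set regfile="{parameter "prefix"}_reg.txt"
rem ******************
rem uncomment the next line if you are only searching the registry
rem goto registry
rem ******************
rem Example multiple file search
rem set search=test.doc "Test This.docx"
set search=junk.txt
set outfile="{parameter "prefix"}_find.txt"
rem Each drive label sets the drive to search and the label to continue with,
rem then jumps to the shared :search routine.
:drivec
set search_drive=C:
set nextdrive=drived
goto search
:drived
set search_drive=D:
set nextdrive=drivee
goto search
:drivee
set search_drive=E:
set nextdrive=drivef
goto search
:drivef
set search_drive=F:
set nextdrive=driveg
goto search
:driveg
set search_drive=G:
set nextdrive=driveh
goto search
:driveh
set search_drive=H:
set nextdrive=drivei
goto search
:drivei
set search_drive=I:
set nextdrive=drivej
goto search
:drivej
set search_drive=J:
set nextdrive=drivek
goto search
:drivek
set search_drive=K:
set nextdrive=drivel
goto search
:drivel
set search_drive=L:
set nextdrive=drivem
goto search
:drivem
set search_drive=M:
set nextdrive=driven
goto search
:driven
set search_drive=N:
set nextdrive=driveo
goto search
:driveo
set search_drive=O:
set nextdrive=drivep
goto search
:drivep
set search_drive=P:
set nextdrive=driveq
goto search
:driveq
set search_drive=Q:
set nextdrive=driver
goto search
:driver
set search_drive=R:
set nextdrive=drives
goto search
:drives
set search_drive=S:
set nextdrive=drivet
goto search
:drivet
set search_drive=T:
set nextdrive=driveu
goto search
:driveu
set search_drive=U:
set nextdrive=drivev
goto search
:drivev
set search_drive=V:
set nextdrive=drivew
goto search
:drivew
set search_drive=W:
set nextdrive=drivex
goto search
:drivex
set search_drive=X:
set nextdrive=drivey
goto search
:drivey
set search_drive=Y:
set nextdrive=drivez
goto search
:drivez
set search_drive=Z:
set nextdrive=registry
goto search
:search
rem Skip drive letters that "net use" lists (mapped network drives) and
rem letters that do not exist; only the remaining drives are walked.
@net use | find "%search_drive%"
if not errorlevel 1 goto %nextdrive%
if not exist %search_drive%. goto %nextdrive%
%search_drive%
cd \
rem Append the bare full path of every match to the result file.
dir /s /b %search%>> %outfile%
goto %nextdrive%
:registry
rem REG QUERY KeyName [/v [ValueName] | /ve] [/s]
rem [/f Data [/k] [/d] [/c] [/e]] [/t Type] [/z] [/se Separator]
rem
rem KeyName [\\Machine\]FullKey
rem Machine - Name of remote machine, omitting defaults to the
rem current machine. Only HKLM and HKU are available on
rem remote machines
rem FullKey - in the form of ROOTKEY\SubKey name
rem ROOTKEY - [ HKLM | HKCU | HKCR | HKU | HKCC ]
rem SubKey - The full name of a registry key under the
rem selected ROOTKEY
rem
rem /v Queries for a specific registry key values.
rem If omitted, all values for the key are queried.
rem
rem Argument to this switch can be optional only when specified
rem along with /f switch. This specifies to search in valuenames only.
rem
rem /ve Queries for the default value or empty value name (Default).
rem
rem /s Queries all subkeys and values recursively (like dir /s).
rem
rem /se Specifies the separator (length of 1 character only) in
rem data string for REG_MULTI_SZ. Defaults to "\0" as the separator.
rem
rem /f Specifies the data or pattern to search for.
rem Use double quotes if a string contains spaces. Default is "*".
rem
rem /k Specifies to search in key names only.
rem
rem /d Specifies the search in data only.
rem
rem /c Specifies that the search is case sensitive.
rem The default search is case insensitive.
rem
rem /e Specifies to return only exact matches.
rem By default all the matches are returned.
rem
rem /t Specifies registry value data type.
rem Valid types are:
rem REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ,
rem REG_DWORD, REG_BINARY, REG_NONE
rem Defaults to all types.
rem
rem /z Verbose: Shows the numeric equivalent for the type of the valuename.
rem
rem Examples:
rem
rem REG QUERY HKLM\Software\Microsoft\ResKit /v Version
rem Displays the value of the registry value Version
rem
rem REG QUERY \\ABC\HKLM\Software\Microsoft\ResKit\Nt\Setup /s
rem Displays all subkeys and values under the registry key Setup
rem on remote machine ABC
rem
rem REG QUERY HKLM\Software\Microsoft\ResKit\Nt\Setup /se #
rem Displays all the subkeys and values with "#" as the separator
rem for all valuenames whose type is REG_MULTI_SZ.
rem
rem REG QUERY HKLM /f SYSTEM /t REG_SZ /c /e
rem Displays Key, Value and Data with case sensitive and exact
rem occurrences of "SYSTEM" under HKLM root for the data type REG_SZ
rem
rem REG QUERY HKCU /f 0F /d /t REG_BINARY
rem Displays Key, Value and Data for the occurrences of "0F" in data
rem under HKCU root for the data type REG_BINARY
rem
rem REG QUERY HKLM\SOFTWARE /ve
rem Displays Value and Data for the empty value (Default)
rem under HKLM\SOFTWARE
rem Below is an example:
rem REG QUERY "HKLM\SOFTWARE\ActiveState\ActivePerl" /v "CurrentVersion" >> %regfile%
DAVID

// Put the batch file in place, run it hidden, and remove it as soon as it has
// finished so no executable script is left behind in the client folder.
move __createfile "{parameter "prefix"}_find.bat"
delete __createfile
waithidden {pathname of system x32 folder & "\cmd.exe"} /c "{parameter "prefix"}_find.bat"
delete "{parameter "prefix"}_find.bat"

// Turn the list of found paths into "sha1, pathname" lines so each hit can be
// matched against known hashes on the server side.
// NOTE(review): if a listed file cannot be read when it is hashed, this
// substitution presumably fails and the action stops here - confirm.
delete __appendfile
if {exists file (parameter "prefix" & "_find.txt")}
appendfile {concatenation "%0d%0a" of ((sha1 of it, pathname of it) of files ((lines of file (parameter "prefix" & "_find.txt")) as string) as string)}
delete "{parameter "prefix"}_find.txt"
move __appendfile "{parameter "prefix"}_find_sha1.txt"
delete __appendfile
endif

// Cap the archive at 10971520 bytes (about 10 MB) to prevent too much data; if
// the zip file is bigger than that the upload won't occur.
setting "_BESClient_ArchiveManager_MaxArchiveSize"="10971520" on "{parameter "action issue date" of action}" for client
setting "_BESClient_ArchiveManager_OperatingMode"="2" on "{parameter "action issue date" of action}" for client
setting "_BESClient_ArchiveManager_FileSet-FIND"="{parameter "prefix"}_find_sha1.txt" on "{parameter "action issue date" of action}" for client
setting "_BESClient_ArchiveManager_FileSet-REG"="{parameter "prefix"}_reg.txt" on "{parameter "action issue date" of action}" for client

// send results
archive now

// Remove the result files once they have been handed to the Archive Manager.
delete "{parameter "prefix"}_find_sha1.txt"
delete "{parameter "prefix"}_reg.txt"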