Registry key relevance with variable path

Hello all,

I’m trying to write a relevance and regset command for a key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_04E7&PID_2003\ that could have a different sub key per machine.

On my test PC the exact key I’m trying to test with is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_04E7&PID_2003\7&2a6c6265&0&3\Device Parameters\SelectiveSuspendOn=0

I can get the part I want with this:

q: name of key of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_04E7&PID_2003" of (native registry)
A: 7&2a6c6265&0&3

But I can’t figure out how to build that into a relevance or action command dynamically.

Help!!

So do you want only the keys where the value “SelectiveSuspendOn” = 0?

If so, try

q: names of keys whose (value "SelectiveSuspendOn" of keys "Device Parameters" of it as integer = 0) of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_04E7&PID_2003" of native registry

To update a value, you could either (a) assume there is only one matching subkey, or (b) build a batch file to loop through all matching keys. I prefer the second option as it’s less likely to encounter errors in case there are multiple results.

You didn’t give a lot of detail on what you’re trying to do, so I’ll make an assumption that you want to change the value of SelectiveSuspendOn from 0 to 1.

Relevance:

exists keys whose (value "SelectiveSuspendOn" of key "Device Parameters" of it as integer = 0) of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_04E7&PID_2003" of native registry

Script:

delete __appendfile
appendfile {concatenation "%0d%0a" of ("reg.exe add %22" & pathname of it & "\Device Parameters%22 /v SelectiveSuspendOn /t REG_DWORD /d 1 /F") of keys whose (value "SelectiveSuspendOn" of key "Device Parameters" of it as integer = 0) of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_04E7&PID_2003" of native registry}
delete updatekeys.cmd
move __appendfile updatekeys.cmd
waithidden cmd.exe /c updatekeys.cmd

Thanks for that info. It gives me what I need to get the job done, but now I have a few further questions just for my own edification!

So in this registry structure:

HKLM\SOFTWARE\TEST\xxx\1\2\

Using your relevance example - I can see down to the level of 1 without knowing the name of “xxx”, but I can’t see down into 2.

Is there a way to recurse down further than 1 while having a variable key like “xxx”?

Also, how would you write relevance to get the value of “myValue” in this structure:

HKLM\SOFTWARE\TEST\xxx\myVal=1
when “xxx” is unknown?

Thanks in advance for the information.

There is nothing built-in to the language to recurse down variable keys (like the “descendants” inspector on the filesystem), but you can get “keys of key” to read one level below the key, “keys of keys of key” to get two levels, and so on.

That could either be
keys "1\2" of keys of keys "HKLM\Software\TEST" of registry
or
keys of keys of keys of keys "HKLM\Software\TEST" of registry
(note on both of these - you may need to use “of registry”, “of x32 registry”, “of x64 registry”, or “of native registry” depending on how you want to handle the 32/64 bit registry redirection.)

That depends somewhat on how you’re going to use it, and whether you need to handle the possibility of multiple keys XXX or no keys XXX.
One way to query, suitable for an Analysis where you can handle multiple / empty results, is

values "myVal" of keys of keys "HKLM\Software\TEST" of registry
(again, account for ‘registry/x32 registry/x64 registry/native registry’ differences)
For Relevance, where you want it to be Relevant if a value exists and is equal to ‘1’, you can use

exists keys whose (value "MyVal" of it as integer = 1) of keys "HKLM\Software\TEST" of registry
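
Added example, not part of any post in this thread: a PowerShell check of what the SelectiveSuspendOn relevance above would match on a single machine before the action is deployed. It enumerates the instance subkeys one level below the device key and copes with no subkeys, several subkeys, or a missing value. The function names and the -From/-To parameters are hypothetical; the key path and value name are the ones from the thread.

```powershell
# Added example (hypothetical helper names); key path and value name come from the thread.
function Get-UsbSelectiveSuspend {
    [CmdletBinding()]
    param(
        # Device ID key; the instance subkeys beneath it differ per machine.
        [string]$DeviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB\VID_04E7&PID_2003'
    )
    # Device never attached on this machine: return nothing instead of erroring.
    if (-not (Test-Path -LiteralPath $DeviceKey)) { return }

    # One level of enumeration, the counterpart of "keys of key ..." in relevance.
    foreach ($instance in Get-ChildItem -LiteralPath $DeviceKey) {
        $paramKey = "$($instance.PSPath)\Device Parameters"
        $value = $null
        if (Test-Path -LiteralPath $paramKey) {
            $prop  = Get-ItemProperty -LiteralPath $paramKey -Name 'SelectiveSuspendOn' -ErrorAction SilentlyContinue
            $value = $prop.SelectiveSuspendOn
        }
        [pscustomobject]@{
            Instance           = $instance.PSChildName
            ParametersPath     = $paramKey
            SelectiveSuspendOn = $value   # $null when the key or the value is absent
        }
    }
}

function Set-UsbSelectiveSuspend {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$From = 0, [int]$To = 1)

    # Touch only instances whose current value equals $From, like the relevance filter.
    # A missing value is $null, and $null -eq 0 is false, so those instances are skipped.
    Get-UsbSelectiveSuspend |
        Where-Object { $_.SelectiveSuspendOn -eq $From } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.ParametersPath, "Set SelectiveSuspendOn to $To")) {
                Set-ItemProperty -LiteralPath $_.ParametersPath -Name 'SelectiveSuspendOn' -Value $To -Type DWord
            }
        }
}

# Report every instance, then preview the change without writing anything.
Get-UsbSelectiveSuspend | Format-Table Instance, SelectiveSuspendOn
Set-UsbSelectiveSuspend -WhatIf
```

Dropping -WhatIf performs the write, which needs the same rights on the Enum key that the reg.exe lines in the action script need.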