Search and replace registry

system · September 7, 2010, 7:33pm

(imported topic written by cstoneba)

I’m trying to find a string value of “abc” with a value of “1” and replace the value with a “2”. The actual keys are:

HKLM\SOFTWARE\1234\1\abc = 1

HKLM\SOFTWARE\1234\2\abc = 1

HKLM\SOFTWARE\1234\3\abc = 1

My action below isn’t quite right. Any suggestions?

regset “” “abc”=“1”

Noah · September 7, 2010, 7:53pm

(imported comment written by NoahSalzman)

The ActionScript command

regset

can only work on one registry key at a time.

system · September 7, 2010, 7:56pm

(imported comment written by cstoneba)

thanks Noah. How can I search and replace a registry key?

system · September 7, 2010, 10:01pm

(imported comment written by SystemAdmin)

cstoneba,

You’d need to have your action create a .reg file and launch regedit to import the new settings. You can create a .reg file from 1 single relevance, but you can’t use regset with multiple values.

I’ll assume that “abc” is a string value and you want to change any subkey that has abc=1 to abc=2.

%0d%0a is a CRLF

%22 is a double quote

You could write the action as…

delete __appendfile

appendfile Windows Registry Editor Version 5.00

appendfile

appendfile {("%0d%0a" & “%22abc%22=%222%22%0d%0a”) of keys whose (value “abc” of it = “1”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\1234” of native registry}

move __appendfile cstoneba_fix.reg

wait regedit -s cstoneba_fix.reg

system · September 7, 2010, 10:25pm

(imported comment written by cstoneba)

excellent, works great Paul. thanks

system · December 3, 2010, 5:45pm

(imported comment written by tscott91)

Can I get some help with a fine / replace in the registry as well please?

We use environment variables (

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

) to map our network drives… Below is a sample reg export. The above sample from Paul looks at the key name but I don’t care about the key names… I just care about the values… I want to be able to change the values of the “SERVERNAME” to something else.

Thanks in advance!

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"CBSDRIVE"="\\\\SERVERNAME\\CBSAPPS"
"HOME-FS"="\\\\SERVERNAME\\CBSApps"
"PRT2"="\\\\SERVERNAME\\HP2300"

system · December 3, 2010, 10:39pm

(imported comment written by SystemAdmin)

Simple enough… Let’s say you’re changing SERVERNAME to SOMETHINGELSE. You want to find all of the values that start with \SERVERNAME\ in the relevance.

In the action, we create a .reg file to specify the beginning of the .reg (heading and the key), then all of the values the way you want them. If the server’s name was actually SERVERNAME, each value would begin with the same 13 characters. We simply hard-code the new \SOMETHINGELSE\ and then take all of the characters following position 13 (length of \SERVERNAME)

We use “escape of” because the .reg needs to be in unicode format with the doubled up backslashes.

Note that I lowercase the values when checking, but not when re-writing the values back out. So I’m ok if the data started with \SERVERNAME\ or \SErverName\

-Paul

Relevance:

exists value
whose
(
it as string as lowercase starts with “\servername”
)
of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment” of registry

Action:

delete __appendfile
delete servername_fix.reg

appendfile Windows Registry Editor Version 5.00
appendfile
appendfile HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
appendfile {("%22" & name of it & “%22=%22” & escape of ("\SOMETHINGELSE" & following text of position 13 of it & “%22%0d%0a”) of (it as string)) of values whose (it as string as lowercase starts with “\servername”) of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment” of registry}

move __appendfile servername_fix.reg
wait regedit -s servername_fix.reg

system · December 6, 2010, 6:24pm

(imported comment written by tscott91)

Thanks so much for the reply… The relevance is returning false, however… Screnshot attached.

http://img834.imageshack.us/img834/1127/110116103632snagitcaptu.jpg

system · December 6, 2010, 6:27pm

(imported comment written by cstoneba)

your need to have your FPB-PDC in lowercase if your querey asks"it as string as lowercase"

system · December 6, 2010, 6:30pm

(imported comment written by SystemAdmin)

Ah… you beat me to it. I was just about to say that.

If you leave it as uppercase, you could also change the relevance from “it as string as lowercase” to “it as string as uppercase”. Just be consistant either way. Also, don’t forget to correct your action.

-Paul

system · December 6, 2010, 6:30pm

(imported comment written by tscott91)

Awesome, thanks fellas…

*Bonus- Is it possible to create a popup input box asking for the find / replace values?

system · December 6, 2010, 6:33pm

(imported comment written by cstoneba)

yes, it’s called an Action Parameter Query. When you take the action, you can enter your text into a popup box.

pg 41, http://support.bigfix.com/fixlet/documents/WinActions-2007-09-08.pdf

system · December 6, 2010, 6:45pm

(imported comment written by SystemAdmin)

I always thought the 3rd example on the top of pg 42 wasn’t documented well. Also when to use “and with default” vs. “with default”.

system · December 6, 2010, 6:49pm

(imported comment written by cstoneba)

good point Paul. tscott, this looks to be a good example: In your console, look up task “BES Relay / BES Server Setting: Download Cache Size”

system · December 6, 2010, 10:23pm

(imported comment written by tscott91)

The only issue I forsee is the “position” factor… When I use an action parameter query then that value will change all the time…

Wondering… Can you use the action parameter query more than one time in a fixlet? I can have an input for the “Find” value, one for the “Replace” value, and one for the “amount of characters” (to fulfill the position value).

system · December 6, 2010, 10:25pm

(imported comment written by cstoneba)

yes, you can. As long as they have different action parameter query names.

system · December 6, 2010, 10:30pm

(imported comment written by tscott91)

Unless I’m doing something wrong you can’t test this with the debugger?

system · December 6, 2010, 10:33pm

(imported comment written by cstoneba)

no, i don’t think the action debugger will show action parameter queries.

system · December 6, 2010, 10:35pm

(imported comment written by tscott91)

Bummer!!!

system · December 6, 2010, 11:14pm

(imported comment written by tscott91)

I’m trying to figure this out but the issue I believe I am having is inserting relevance using the brackets { }…

Working line with static value:

appendfile {("%22" & name of it & “%22=%22” & escape of ("\SOMETHINGELSE" & following text of position 13 of it & “%22%0d%0a”) of (it as string)) of values whose (it as string as lowercase starts with “\servername”) of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment” of registry}

Nonworking with action parameter:

appendfile {("%22" & name of it & “%22=%22” & escape of ("\SOMETHINGELSE" & following text of position 13 of it & “%22%0d%0a”) of (it as string)) of values whose (it as string as lowercase starts with

{parameter “_FindServer” of action}

) of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment” of registry}

I think it’s because I’m not using the { brackets correctly… Being that there is already one starting that line and I think the issue is after my "of action} it sees that as the end and is jacking it all up…