Module: Msf::Post::Windows::Registry

Includes:
CliParse
Included in:
Dotnet, Priv, Services, UserProfiles
Defined in:
lib/msf/core/post/windows/registry.rb

Constant Summary collapse

REGISTRY_VIEW_NATIVE =

This is the default view. It reflects what the remote process would see natively. So, if you are using a remote 32-bit meterpreter session, you will see 32-bit registry keys and values.

0
REGISTRY_VIEW_32_BIT =

Access 32-bit registry keys and values regardless of whether the session is 32 or 64-bit.

1
REGISTRY_VIEW_64_BIT =

Access 64-bit registry keys and values regardless of whether the session is 32 or 64-bit.

2
REG_NONE =

Windows Registry Constants.

1
REG_SZ =
1
REG_EXPAND_SZ =
2
REG_BINARY =
3
REG_DWORD =
4
REG_LITTLE_ENDIAN =
4
REG_BIG_ENDIAN =
5
6
REG_MULTI_SZ =
7
HKEY_CLASSES_ROOT =
0x80000000
HKEY_CURRENT_USER =
0x80000001
HKEY_LOCAL_MACHINE =
0x80000002
HKEY_USERS =
0x80000003
HKEY_PERFORMANCE_DATA =
0x80000004
HKEY_CURRENT_CONFIG =
0x80000005
HKEY_DYN_DATA =
0x80000006

Instance Method Summary collapse

Methods included from CliParse

#win_parse_error, #win_parse_results

Instance Method Details

#meterpreter_registry_createkey(key, view) ⇒ Object (protected)

Create a new registry key


466
467
468
469
470
471
472
473
474
475
476
# File 'lib/msf/core/post/windows/registry.rb', line 466

def meterpreter_registry_createkey(key, view)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_WRITE, view)
    open_key = session.sys.registry.create_key(root_key, base_key, perms)
    open_key.close
    return true
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_deletekey(key, view) ⇒ Object (protected)

Delete the registry key key


497
498
499
500
501
502
503
504
505
506
# File 'lib/msf/core/post/windows/registry.rb', line 497

def meterpreter_registry_deletekey(key, view)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_WRITE, view)
    deleted = session.sys.registry.delete_key(root_key, base_key, perms)
    return deleted
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_deleteval(key, valname, view) ⇒ Object (protected)

Delete the registry value valname store in key


481
482
483
484
485
486
487
488
489
490
491
492
# File 'lib/msf/core/post/windows/registry.rb', line 481

def meterpreter_registry_deleteval(key, valname, view)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_WRITE, view)
    open_key = session.sys.registry.open_key(root_key, base_key, perms)
    open_key.delete_value(valname)
    open_key.close
    return true
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_enumkeys(key, view) ⇒ Object (protected)

Enumerate the subkeys in key


511
512
513
514
515
516
517
518
519
520
521
522
523
524
# File 'lib/msf/core/post/windows/registry.rb', line 511

def meterpreter_registry_enumkeys(key, view)
  begin
    subkeys = []
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_READ, view)
    keys = session.sys.registry.enum_key_direct(root_key, base_key, perms)
    keys.each { |subkey|
      subkeys << subkey
    }
    return subkeys
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_enumvals(key, view) ⇒ Object (protected)

Enumerate the values in key


529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
# File 'lib/msf/core/post/windows/registry.rb', line 529

def meterpreter_registry_enumvals(key, view)
  begin
    values = []
    vals = {}
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_READ, view)
    vals = session.sys.registry.enum_value_direct(root_key, base_key, perms)
    vals.each { |val|
      values <<  val.name
    }
    return values
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_getvaldata(key, valname, view) ⇒ Object (protected)

Get the data stored in the value valname


548
549
550
551
552
553
554
555
556
557
558
559
# File 'lib/msf/core/post/windows/registry.rb', line 548

def meterpreter_registry_getvaldata(key, valname, view)
  begin
    value = nil
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_READ, view)
    v = session.sys.registry.query_value_direct(root_key, base_key, valname, perms)
    value = v.data
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
  return value
end

#meterpreter_registry_getvalinfo(key, valname, view) ⇒ Object (protected)

Enumerate the type and data of the value valname


564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
# File 'lib/msf/core/post/windows/registry.rb', line 564

def meterpreter_registry_getvalinfo(key, valname, view)
  value = {}
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_READ, view)
    open_key = session.sys.registry.open_key(root_key, base_key, perms)
    v = open_key.query_value(valname)
    value["Data"] = v.data
    value["Type"] = v.type
    open_key.close
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
  return value
end

#meterpreter_registry_key_exist?(key) ⇒ Boolean (protected)

Checks if a key exists on the target registry using a meterpreter session

Parameters:

  • key (String)

    the full path of the key to check

Returns:

  • (Boolean)

    true if the key exists on the target registry, false otherwise (also in case of error)


600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
# File 'lib/msf/core/post/windows/registry.rb', line 600

def meterpreter_registry_key_exist?(key)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
  rescue ArgumentError
    return false
  end

  begin
    check = session.sys.registry.check_key_exists(root_key, base_key)
  rescue Rex::Post::Meterpreter::RequestError, TimesoutError
    return false
  end

  check
end

#meterpreter_registry_loadkey(key, file) ⇒ Object (protected)

Load a registry hive stored in file into key


407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
# File 'lib/msf/core/post/windows/registry.rb', line 407

def meterpreter_registry_loadkey(key, file)
  begin
    client.sys.config.getprivs()
    root_key, base_key = session.sys.registry.splitkey(key)
    begin
      loadres = session.sys.registry.load_key(root_key, base_key, file)
    rescue Rex::Post::Meterpreter::RequestError => e
      case e.to_s
      when "stdapi_registry_load_key: Operation failed: 1314"
        #print_error("You appear to be lacking the SeRestorePrivilege. Are you running with Admin privs?")
        return false
      when "stdapi_registry_load_key: Operation failed: The system cannot find the path specified."
        #print_error("The path you provided to the Registry Hive does not Appear to be valid: #{file}")
        return false
      when "stdapi_registry_load_key: Operation failed: The process cannot access the file because it is being used by another process."
        #print_error("The file you specified is currently locked by another process: #{file}")
        return false
      when /stdapi_registry_load_key: Operation failed:/
        #print_error("An unknown error has occurred: #{loadres.to_s}")
        return false
      else
        return true
      end
    end

  rescue
    return false
  end
end

#meterpreter_registry_perms(perms, view = REGISTRY_VIEW_NATIVE) ⇒ Object (protected)

Meterpreter-specific registry manipulation methods


395
396
397
398
399
400
401
402
# File 'lib/msf/core/post/windows/registry.rb', line 395

def meterpreter_registry_perms(perms, view = REGISTRY_VIEW_NATIVE)
  if view == REGISTRY_VIEW_32_BIT
    perms |= KEY_WOW64_32KEY
  elsif view == REGISTRY_VIEW_64_BIT
    perms |= KEY_WOW64_64KEY
  end
  perms
end

#meterpreter_registry_setvaldata(key, valname, data, type, view) ⇒ Object (protected)

Add the value valname to the key key with the specified type and data


583
584
585
586
587
588
589
590
591
592
593
# File 'lib/msf/core/post/windows/registry.rb', line 583

def meterpreter_registry_setvaldata(key, valname, data, type, view)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_WRITE, view)
    session.sys.registry.set_value_direct(root_key, base_key,
      valname, session.sys.registry.type2str(type), data, perms)
    return true
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_unloadkey(key) ⇒ Object (protected)

Unload the hive file stored in key


440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
# File 'lib/msf/core/post/windows/registry.rb', line 440

def meterpreter_registry_unloadkey(key)
  begin
    client.sys.config.getprivs()
    root_key, base_key = session.sys.registry.splitkey(key)
    begin
      unloadres= session.sys.registry.unload_key(root_key,base_key)
    rescue Rex::Post::Meterpreter::RequestError => e
      case e.to_s
      when "stdapi_registry_unload_key: Operation failed: The parameter is incorrect."
        #print_error("The KEY you provided does not appear to match a loaded Registry Hive: #{key}")
        return false
      when /stdapi_registry_unload_key: Operation failed:/
        #print_error("An unknown error has occurred: #{unloadres.to_s}")
        return false
      else
        return true
      end
    end
  rescue
    return false
  end
end

#normalize_key(key) ⇒ Object (protected)

Normalize the supplied full registry key string so the root key is sane. For instance, passing “HKLMSoftwareDog” will return 'HKEY_LOCAL_MACHINESoftwareDog'


620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
# File 'lib/msf/core/post/windows/registry.rb', line 620

def normalize_key(key)
  keys = split_key(key)
  if (keys[0] =~ /HKLM|HKEY_LOCAL_MACHINE/)
    keys[0] = 'HKEY_LOCAL_MACHINE'
  elsif (keys[0] =~ /HKCU|HKEY_CURRENT_USER/)
    keys[0] = 'HKEY_CURRENT_USER'
  elsif (keys[0] =~ /HKU|HKEY_USERS/)
    keys[0] = 'HKEY_USERS'
  elsif (keys[0] =~ /HKCR|HKEY_CLASSES_ROOT/)
    keys[0] = 'HKEY_CLASSES_ROOT'
  elsif (keys[0] =~ /HKCC|HKEY_CURRENT_CONFIG/)
    keys[0] = 'HKEY_CURRENT_CONFIG'
  elsif (keys[0] =~ /HKPD|HKEY_PERFORMANCE_DATA/)
    keys[0] = 'HKEY_PERFORMANCE_DATA'
  elsif (keys[0] =~ /HKDD|HKEY_DYN_DATA/)
    keys[0] = 'HKEY_DYN_DATA'
  else
    raise ArgumentError, "Cannot normalize unknown key: #{key}"
  end
  print_status("Normalized #{key} to #{keys.join("\\")}") if $blab
  return keys.join("\\")
end

#registry_createkey(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Create the given registry key


101
102
103
104
105
106
107
# File 'lib/msf/core/post/windows/registry.rb', line 101

def registry_createkey(key, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_createkey(key, view)
  else
    shell_registry_createkey(key, view)
  end
end

#registry_deletekey(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Delete a given registry key

returns true if succesful


127
128
129
130
131
132
133
# File 'lib/msf/core/post/windows/registry.rb', line 127

def registry_deletekey(key, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_deletekey(key, view)
  else
    shell_registry_deletekey(key, view)
  end
end

#registry_deleteval(key, valname, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Deletes a registry value given the key and value name

returns true if succesful


114
115
116
117
118
119
120
# File 'lib/msf/core/post/windows/registry.rb', line 114

def registry_deleteval(key, valname, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_deleteval(key, valname, view)
  else
    shell_registry_deleteval(key, valname, view)
  end
end

#registry_enumkeys(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Return an array of subkeys for the given registry key


138
139
140
141
142
143
144
# File 'lib/msf/core/post/windows/registry.rb', line 138

def registry_enumkeys(key, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_enumkeys(key, view)
  else
    shell_registry_enumkeys(key, view)
  end
end

#registry_enumvals(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Return an array of value names for the given registry key


149
150
151
152
153
154
155
# File 'lib/msf/core/post/windows/registry.rb', line 149

def registry_enumvals(key, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_enumvals(key, view)
  else
    shell_registry_enumvals(key, view)
  end
end

#registry_getvaldata(key, valname, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Return the data of a given registry key and value


160
161
162
163
164
165
166
# File 'lib/msf/core/post/windows/registry.rb', line 160

def registry_getvaldata(key, valname, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_getvaldata(key, valname, view)
  else
    shell_registry_getvaldata(key, valname, view)
  end
end

#registry_getvalinfo(key, valname, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Return the data and type of a given registry key and value


171
172
173
174
175
176
177
# File 'lib/msf/core/post/windows/registry.rb', line 171

def registry_getvalinfo(key, valname, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_getvalinfo(key, valname, view)
  else
    shell_registry_getvalinfo(key, valname, view)
  end
end

#registry_hive_lookup(hive) ⇒ Object

Lookup registry hives by key.


55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# File 'lib/msf/core/post/windows/registry.rb', line 55

def registry_hive_lookup(hive)
  case hive
  when 'HKCR'
    HKEY_LOCAL_MACHINE
  when 'HKCU'
    HKEY_CURRENT_USER
  when 'HKLM'
    HKEY_LOCAL_MACHINE
  when 'HKU'
    HKEY_USERS
  when 'HKPD'
    HKEY_PERFORMANCE_DATA
  when 'HKCC'
    HKEY_CURRENT_CONFIG
  when 'HKDD'
    HKEY_DYN_DATA
  else
    HKEY_LOCAL_MACHINE
  end
end

#registry_key_exist?(key) ⇒ Boolean

Checks if a key exists on the target registry

Parameters:

  • key (String)

    the full path of the key to check

Returns:

  • (Boolean)

    true if the key exists on the target registry, false otherwise (also in case of error)


197
198
199
200
201
202
203
# File 'lib/msf/core/post/windows/registry.rb', line 197

def registry_key_exist?(key)
  if session_has_registry_ext
    meterpreter_registry_key_exist?(key)
  else
    shell_registry_key_exist?(key)
  end
end

#registry_loadkey(key, file) ⇒ Object

Load a hive file


79
80
81
82
83
84
85
# File 'lib/msf/core/post/windows/registry.rb', line 79

def registry_loadkey(key, file)
  if session_has_registry_ext
    meterpreter_registry_loadkey(key, file)
  else
    shell_registry_loadkey(key, file)
  end
end

#registry_setvaldata(key, valname, data, type, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Sets the data for a given value and type of data on the target registry

returns true if succesful


184
185
186
187
188
189
190
# File 'lib/msf/core/post/windows/registry.rb', line 184

def registry_setvaldata(key, valname, data, type, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_setvaldata(key, valname, data, type, view)
  else
    shell_registry_setvaldata(key, valname, data, type, view)
  end
end

#registry_unloadkey(key) ⇒ Object

Unload a hive file


90
91
92
93
94
95
96
# File 'lib/msf/core/post/windows/registry.rb', line 90

def registry_unloadkey(key)
  if session_has_registry_ext
    meterpreter_registry_unloadkey(key)
  else
    shell_registry_unloadkey(key)
  end
end

#session_has_registry_extObject (protected)

Determines whether the session can use meterpreter registry methods


210
211
212
213
214
215
216
# File 'lib/msf/core/post/windows/registry.rb', line 210

def session_has_registry_ext
  begin
    return !!(session.sys and session.sys.registry)
  rescue NoMethodError
    return false
  end
end

#shell_registry_cmd(suffix, view = REGISTRY_VIEW_NATIVE) ⇒ Object (protected)

Generic registry manipulation methods based on reg.exe


223
224
225
226
227
228
229
230
231
# File 'lib/msf/core/post/windows/registry.rb', line 223

def shell_registry_cmd(suffix, view = REGISTRY_VIEW_NATIVE)
  cmd = "cmd.exe /c reg"
  if view == REGISTRY_VIEW_32_BIT
    cmd += " /reg:32"
  elsif view == REGISTRY_VIEW_64_BIT
    cmd += " /reg:64"
  end
  cmd_exec("#{cmd} #{suffix}")
end

#shell_registry_cmd_result(suffix, view = REGISTRY_VIEW_NATIVE) ⇒ Object (protected)


233
234
235
236
# File 'lib/msf/core/post/windows/registry.rb', line 233

def shell_registry_cmd_result(suffix, view = REGISTRY_VIEW_NATIVE)
  results = shell_registry_cmd(suffix, view);
  results.include?('The operation completed successfully')
end

#shell_registry_createkey(key, view) ⇒ Object (protected)

Use reg.exe to create a new registry key


257
258
259
260
261
# File 'lib/msf/core/post/windows/registry.rb', line 257

def shell_registry_createkey(key, view)
  key = normalize_key(key)
  # REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]
  shell_registry_cmd_result("add /f \"#{key}\"", view)
end

#shell_registry_deletekey(key, view) ⇒ Object (protected)

Use reg.exe to delete key and all its subkeys and values


275
276
277
278
279
# File 'lib/msf/core/post/windows/registry.rb', line 275

def shell_registry_deletekey(key, view)
  key = normalize_key(key)
  # REG DELETE KeyName [/v ValueName | /ve | /va] [/f]
  shell_registry_cmd_result("delete \"#{key}\" /f", view)
end

#shell_registry_deleteval(key, valname, view) ⇒ Object (protected)

Use reg.exe to delete valname in key


266
267
268
269
270
# File 'lib/msf/core/post/windows/registry.rb', line 266

def shell_registry_deleteval(key, valname, view)
  key = normalize_key(key)
  # REG DELETE KeyName [/v ValueName | /ve | /va] [/f]
  shell_registry_cmd_result("delete \"#{key}\" /v \"#{valname}\" /f", view)
end

#shell_registry_enumkeys(key, view) ⇒ Object (protected)

Use reg.exe to enumerate all the subkeys in key


284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
# File 'lib/msf/core/post/windows/registry.rb', line 284

def shell_registry_enumkeys(key, view)
  key = normalize_key(key)
  subkeys = []
  reg_data_types = 'REG_SZ|REG_MULTI_SZ|REG_DWORD_BIG_ENDIAN|REG_DWORD|REG_BINARY|'
  reg_data_types << 'REG_DWORD_LITTLE_ENDIAN|REG_NONE|REG_EXPAND_SZ|REG_LINK|REG_FULL_RESOURCE_DESCRIPTOR'
  bslashes = key.count('\\')
  results = shell_registry_cmd("query \"#{key}\"", view)
  unless results.include?('Error')
    results.each_line do |line|
      # now let's keep the ones that have a count = bslashes+1
      # feels like there's a smarter way to do this but...
      if (line.count('\\') == bslashes+1 && !line.ends_with?('\\'))
        #then it's a first level subkey
        subkeys << line.split('\\').last.chomp # take & chomp the last item only
      end
    end
  end
  subkeys
end

#shell_registry_enumvals(key, view) ⇒ Object (protected)

Use reg.exe to enumerate all the values in key


307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
# File 'lib/msf/core/post/windows/registry.rb', line 307

def shell_registry_enumvals(key, view)
  key = normalize_key(key)
  values = []
  reg_data_types = 'REG_SZ|REG_MULTI_SZ|REG_DWORD_BIG_ENDIAN|REG_DWORD|REG_BINARY|'
  reg_data_types << 'REG_DWORD_LITTLE_ENDIAN|REG_NONE|REG_EXPAND_SZ|REG_LINK|REG_FULL_RESOURCE_DESCRIPTOR'
  # REG QUERY KeyName [/v ValueName | /ve] [/s]
  results = shell_registry_cmd("query \"#{key}\"", view)
  unless results.include?('Error')
    if values = results.scan(/^ +.*[#{reg_data_types}].*/)
      # yanked the lines with legit REG value types like REG_SZ
      # now let's parse out the names (first field basically)
      values.collect! do |line|
        t = line.split(' ')[0].chomp #chomp for good measure
        # check if reg returned "<NO NAME>", which splits to "<NO", if so nil instead
        t = nil if t == "<NO"
        t
      end
    end
  end
  values
end

#shell_registry_getvaldata(key, valname, view) ⇒ Object (protected)

Returns the data portion of the value valname


332
333
334
335
# File 'lib/msf/core/post/windows/registry.rb', line 332

def shell_registry_getvaldata(key, valname, view)
  a = shell_registry_getvalinfo(key, valname, view)
  a["Data"] || nil
end

#shell_registry_getvalinfo(key, valname, view) ⇒ Object (protected)

Enumerate the type and data stored in the registry value valname in key


341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
# File 'lib/msf/core/post/windows/registry.rb', line 341

def shell_registry_getvalinfo(key, valname, view)
  key = normalize_key(key)
  value = {}
  value["Data"] = nil # defaults
  value["Type"] = nil
  # REG QUERY KeyName [/v ValueName | /ve] [/s]
  results = shell_registry_cmd("query \"#{key}\" /v \"#{valname}\"", view)
  if match_arr = /^ +#{valname}.*/i.match(results)
    # pull out the interesting line (the one with the value name in it)
    # and split it with ' ' yielding [valname,REGvaltype,REGdata]
    split_arr = match_arr[0].split(' ')
    value["Type"] = split_arr[1]
    value["Data"] = split_arr[2]
    # need to test to ensure all results can be parsed this way
  end
  value
end

#shell_registry_key_exist?(key) ⇒ Boolean (protected)

Checks if a key exists on the target registry using a shell session

Parameters:

  • key (String)

    the full path of the key to check

Returns:

  • (Boolean)

    true if the key exists on the target registry, false otherwise, even if case of error (invalid arguments) or the session hasn't permission to access the key


376
377
378
379
380
381
382
383
384
385
386
387
388
389
# File 'lib/msf/core/post/windows/registry.rb', line 376

def shell_registry_key_exist?(key)
  begin
    key = normalize_key(key)
  rescue ArgumentError
    return false
  end

  results = shell_registry_cmd("query \"#{key}\"")
  if results =~ /ERROR: /i
    return false
  else
    return true
  end
end

#shell_registry_loadkey(key, file) ⇒ Object (protected)

Use reg.exe to load the hive file file into key


241
242
243
244
# File 'lib/msf/core/post/windows/registry.rb', line 241

def shell_registry_loadkey(key, file)
  key = normalize_key(key)
  shell_registry_cmd_result("load \"#{key}\" \"#{file}\"")
end

#shell_registry_setvaldata(key, valname, data, type, view) ⇒ Object (protected)

Use reg.exe to add a value valname in the key key with the specified type and data


363
364
365
366
367
368
# File 'lib/msf/core/post/windows/registry.rb', line 363

def shell_registry_setvaldata(key, valname, data, type, view)
  key = normalize_key(key)
  # REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]
  # /f to overwrite w/o prompt
  shell_registry_cmd_result("add /f \"#{key}\" /v \"#{valname}\" /t \"#{type}\" /d \"#{data}\" /f", view)
end

#shell_registry_unloadkey(key) ⇒ Object (protected)

Use reg.exe to unload the hive in key


249
250
251
252
# File 'lib/msf/core/post/windows/registry.rb', line 249

def shell_registry_unloadkey(key)
  key = normalize_key(key)
  shell_registry_cmd_result("unload \"#{key}\"")
end

#split_key(str) ⇒ Object (protected)

Split the supplied full registry key string into its root key and base key. For instance, passing “HKLMSoftwareDog” will return [ 'HKEY_LOCAL_MACHINE', 'SoftwareDog' ]


648
649
650
651
652
653
654
# File 'lib/msf/core/post/windows/registry.rb', line 648

def split_key(str)
  if (str =~ /^(.+?)\\(.*)$/)
    [ $1, $2 ]
  else
    [ str, nil ]
  end
end