Module: Msf::Post::Windows::Registry

Includes:
CliParse
Included in:
Dotnet, Priv, Services, UserProfiles, Scripts::Meterpreter::Common
Defined in:
lib/msf/core/post/windows/registry.rb

Constant Summary collapse

REGISTRY_VIEW_NATIVE =

This is the default view. It reflects what the remote process would see natively. So, if you are using a remote 32-bit meterpreter session, you will see 32-bit registry keys and values.

0
REGISTRY_VIEW_32_BIT =

Access 32-bit registry keys and values regardless of whether the session is 32 or 64-bit.

1
REGISTRY_VIEW_64_BIT =

Access 64-bit registry keys and values regardless of whether the session is 32 or 64-bit.

2
REG_NONE =

Windows Registry Constants.

1
REG_SZ =
1
REG_EXPAND_SZ =
2
REG_BINARY =
3
REG_DWORD =
4
REG_LITTLE_ENDIAN =
4
REG_BIG_ENDIAN =
5
6
REG_MULTI_SZ =
7
HKEY_CLASSES_ROOT =
0x80000000
HKEY_CURRENT_USER =
0x80000001
HKEY_LOCAL_MACHINE =
0x80000002
HKEY_USERS =
0x80000003
HKEY_PERFORMANCE_DATA =
0x80000004
HKEY_CURRENT_CONFIG =
0x80000005
HKEY_DYN_DATA =
0x80000006

Instance Method Summary collapse

Methods included from CliParse

#win_parse_error, #win_parse_results

Instance Method Details

#meterpreter_registry_createkey(key, view) ⇒ Object (protected)

Create a new registry key


467
468
469
470
471
472
473
474
475
476
477
# File 'lib/msf/core/post/windows/registry.rb', line 467

def meterpreter_registry_createkey(key, view)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_WRITE, view)
    open_key = session.sys.registry.create_key(root_key, base_key, perms)
    open_key.close
    return true
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_deletekey(key, view) ⇒ Object (protected)

Delete the registry key key


498
499
500
501
502
503
504
505
506
507
# File 'lib/msf/core/post/windows/registry.rb', line 498

def meterpreter_registry_deletekey(key, view)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_WRITE, view)
    deleted = session.sys.registry.delete_key(root_key, base_key, perms)
    return deleted
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_deleteval(key, valname, view) ⇒ Object (protected)

Delete the registry value valname store in key


482
483
484
485
486
487
488
489
490
491
492
493
# File 'lib/msf/core/post/windows/registry.rb', line 482

def meterpreter_registry_deleteval(key, valname, view)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_WRITE, view)
    open_key = session.sys.registry.open_key(root_key, base_key, perms)
    open_key.delete_value(valname)
    open_key.close
    return true
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_enumkeys(key, view) ⇒ Object (protected)

Enumerate the subkeys in key


512
513
514
515
516
517
518
519
520
521
522
523
524
525
# File 'lib/msf/core/post/windows/registry.rb', line 512

def meterpreter_registry_enumkeys(key, view)
  begin
    subkeys = []
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_READ, view)
    keys = session.sys.registry.enum_key_direct(root_key, base_key, perms)
    keys.each { |subkey|
      subkeys << subkey
    }
    return subkeys
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_enumvals(key, view) ⇒ Object (protected)

Enumerate the values in key


530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
# File 'lib/msf/core/post/windows/registry.rb', line 530

def meterpreter_registry_enumvals(key, view)
  begin
    values = []
    vals = {}
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_READ, view)
    vals = session.sys.registry.enum_value_direct(root_key, base_key, perms)
    vals.each { |val|
      values <<  val.name
    }
    return values
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_getvaldata(key, valname, view) ⇒ Object (protected)

Get the data stored in the value valname


549
550
551
552
553
554
555
556
557
558
559
560
# File 'lib/msf/core/post/windows/registry.rb', line 549

def meterpreter_registry_getvaldata(key, valname, view)
  begin
    value = nil
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_READ, view)
    v = session.sys.registry.query_value_direct(root_key, base_key, valname, perms)
    value = v.data
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
  return value
end

#meterpreter_registry_getvalinfo(key, valname, view) ⇒ Object (protected)

Enumerate the type and data of the value valname


565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
# File 'lib/msf/core/post/windows/registry.rb', line 565

def meterpreter_registry_getvalinfo(key, valname, view)
  value = {}
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_READ, view)
    open_key = session.sys.registry.open_key(root_key, base_key, perms)
    v = open_key.query_value(valname)
    value["Data"] = v.data
    value["Type"] = v.type
    open_key.close
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
  return value
end

#meterpreter_registry_key_exist?(key) ⇒ Boolean (protected)

Checks if a key exists on the target registry using a meterpreter session

Parameters:

  • key (String)

    the full path of the key to check

Returns:

  • (Boolean)

    true if the key exists on the target registry, false otherwise (also in case of error)


601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
# File 'lib/msf/core/post/windows/registry.rb', line 601

def meterpreter_registry_key_exist?(key)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
  rescue ArgumentError
    return false
  end

  begin
    check = session.sys.registry.check_key_exists(root_key, base_key)
  rescue Rex::Post::Meterpreter::RequestError, TimesoutError
    return false
  end

  check
end

#meterpreter_registry_loadkey(key, file) ⇒ Object (protected)

Load a registry hive stored in file into key


408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
# File 'lib/msf/core/post/windows/registry.rb', line 408

def meterpreter_registry_loadkey(key, file)
  begin
    client.sys.config.getprivs()
    root_key, base_key = session.sys.registry.splitkey(key)
    begin
      loadres = session.sys.registry.load_key(root_key, base_key, file)
    rescue Rex::Post::Meterpreter::RequestError => e
      case e.to_s
      when "stdapi_registry_load_key: Operation failed: 1314"
        #print_error("You appear to be lacking the SeRestorePrivilege. Are you running with Admin privs?")
        return false
      when "stdapi_registry_load_key: Operation failed: The system cannot find the path specified."
        #print_error("The path you provided to the Registry Hive does not Appear to be valid: #{file}")
        return false
      when "stdapi_registry_load_key: Operation failed: The process cannot access the file because it is being used by another process."
        #print_error("The file you specified is currently locked by another process: #{file}")
        return false
      when /stdapi_registry_load_key: Operation failed:/
        #print_error("An unknown error has occurred: #{loadres.to_s}")
        return false
      else
        return true
      end
    end

  rescue
    return false
  end
end

#meterpreter_registry_perms(perms, view = REGISTRY_VIEW_NATIVE) ⇒ Object (protected)

Meterpreter-specific registry manipulation methods


396
397
398
399
400
401
402
403
# File 'lib/msf/core/post/windows/registry.rb', line 396

def meterpreter_registry_perms(perms, view = REGISTRY_VIEW_NATIVE)
  if view == REGISTRY_VIEW_32_BIT
    perms |= KEY_WOW64_32KEY
  elsif view == REGISTRY_VIEW_64_BIT
    perms |= KEY_WOW64_64KEY
  end
  perms
end

#meterpreter_registry_setvaldata(key, valname, data, type, view) ⇒ Object (protected)

Add the value valname to the key key with the specified type and data


584
585
586
587
588
589
590
591
592
593
594
# File 'lib/msf/core/post/windows/registry.rb', line 584

def meterpreter_registry_setvaldata(key, valname, data, type, view)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_WRITE, view)
    session.sys.registry.set_value_direct(root_key, base_key,
      valname, session.sys.registry.type2str(type), data, perms)
    return true
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_unloadkey(key) ⇒ Object (protected)

Unload the hive file stored in key


441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
# File 'lib/msf/core/post/windows/registry.rb', line 441

def meterpreter_registry_unloadkey(key)
  begin
    client.sys.config.getprivs()
    root_key, base_key = session.sys.registry.splitkey(key)
    begin
      unloadres= session.sys.registry.unload_key(root_key,base_key)
    rescue Rex::Post::Meterpreter::RequestError => e
      case e.to_s
      when "stdapi_registry_unload_key: Operation failed: The parameter is incorrect."
        #print_error("The KEY you provided does not appear to match a loaded Registry Hive: #{key}")
        return false
      when /stdapi_registry_unload_key: Operation failed:/
        #print_error("An unknown error has occurred: #{unloadres.to_s}")
        return false
      else
        return true
      end
    end
  rescue
    return false
  end
end

#normalize_key(key) ⇒ Object (protected)

Normalize the supplied full registry key string so the root key is sane. For instance, passing “HKLMSoftwareDog” will return 'HKEY_LOCAL_MACHINESoftwareDog'


621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
# File 'lib/msf/core/post/windows/registry.rb', line 621

def normalize_key(key)
  keys = split_key(key)
  if (keys[0] =~ /HKLM|HKEY_LOCAL_MACHINE/)
    keys[0] = 'HKEY_LOCAL_MACHINE'
  elsif (keys[0] =~ /HKCU|HKEY_CURRENT_USER/)
    keys[0] = 'HKEY_CURRENT_USER'
  elsif (keys[0] =~ /HKU|HKEY_USERS/)
    keys[0] = 'HKEY_USERS'
  elsif (keys[0] =~ /HKCR|HKEY_CLASSES_ROOT/)
    keys[0] = 'HKEY_CLASSES_ROOT'
  elsif (keys[0] =~ /HKCC|HKEY_CURRENT_CONFIG/)
    keys[0] = 'HKEY_CURRENT_CONFIG'
  elsif (keys[0] =~ /HKPD|HKEY_PERFORMANCE_DATA/)
    keys[0] = 'HKEY_PERFORMANCE_DATA'
  elsif (keys[0] =~ /HKDD|HKEY_DYN_DATA/)
    keys[0] = 'HKEY_DYN_DATA'
  else
    raise ArgumentError, "Cannot normalize unknown key: #{key}"
  end
  print_status("Normalized #{key} to #{keys.join("\\")}") if $blab
  return keys.join("\\")
end

#registry_createkey(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Create the given registry key


102
103
104
105
106
107
108
# File 'lib/msf/core/post/windows/registry.rb', line 102

def registry_createkey(key, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_createkey(key, view)
  else
    shell_registry_createkey(key, view)
  end
end

#registry_deletekey(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Delete a given registry key

returns true if succesful


128
129
130
131
132
133
134
# File 'lib/msf/core/post/windows/registry.rb', line 128

def registry_deletekey(key, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_deletekey(key, view)
  else
    shell_registry_deletekey(key, view)
  end
end

#registry_deleteval(key, valname, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Deletes a registry value given the key and value name

returns true if succesful


115
116
117
118
119
120
121
# File 'lib/msf/core/post/windows/registry.rb', line 115

def registry_deleteval(key, valname, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_deleteval(key, valname, view)
  else
    shell_registry_deleteval(key, valname, view)
  end
end

#registry_enumkeys(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Return an array of subkeys for the given registry key


139
140
141
142
143
144
145
# File 'lib/msf/core/post/windows/registry.rb', line 139

def registry_enumkeys(key, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_enumkeys(key, view)
  else
    shell_registry_enumkeys(key, view)
  end
end

#registry_enumvals(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Return an array of value names for the given registry key


150
151
152
153
154
155
156
# File 'lib/msf/core/post/windows/registry.rb', line 150

def registry_enumvals(key, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_enumvals(key, view)
  else
    shell_registry_enumvals(key, view)
  end
end

#registry_getvaldata(key, valname, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Return the data of a given registry key and value


161
162
163
164
165
166
167
# File 'lib/msf/core/post/windows/registry.rb', line 161

def registry_getvaldata(key, valname, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_getvaldata(key, valname, view)
  else
    shell_registry_getvaldata(key, valname, view)
  end
end

#registry_getvalinfo(key, valname, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Return the data and type of a given registry key and value


172
173
174
175
176
177
178
# File 'lib/msf/core/post/windows/registry.rb', line 172

def registry_getvalinfo(key, valname, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_getvalinfo(key, valname, view)
  else
    shell_registry_getvalinfo(key, valname, view)
  end
end

#registry_hive_lookup(hive) ⇒ Object

Lookup registry hives by key.


56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
# File 'lib/msf/core/post/windows/registry.rb', line 56

def registry_hive_lookup(hive)
  case hive
  when 'HKCR'
    HKEY_LOCAL_MACHINE
  when 'HKCU'
    HKEY_CURRENT_USER
  when 'HKLM'
    HKEY_LOCAL_MACHINE
  when 'HKU'
    HKEY_USERS
  when 'HKPD'
    HKEY_PERFORMANCE_DATA
  when 'HKCC'
    HKEY_CURRENT_CONFIG
  when 'HKDD'
    HKEY_DYN_DATA
  else
    HKEY_LOCAL_MACHINE
  end
end

#registry_key_exist?(key) ⇒ Boolean

Checks if a key exists on the target registry

Parameters:

  • key (String)

    the full path of the key to check

Returns:

  • (Boolean)

    true if the key exists on the target registry, false otherwise (also in case of error)


198
199
200
201
202
203
204
# File 'lib/msf/core/post/windows/registry.rb', line 198

def registry_key_exist?(key)
  if session_has_registry_ext
    meterpreter_registry_key_exist?(key)
  else
    shell_registry_key_exist?(key)
  end
end

#registry_loadkey(key, file) ⇒ Object

Load a hive file


80
81
82
83
84
85
86
# File 'lib/msf/core/post/windows/registry.rb', line 80

def registry_loadkey(key, file)
  if session_has_registry_ext
    meterpreter_registry_loadkey(key, file)
  else
    shell_registry_loadkey(key, file)
  end
end

#registry_setvaldata(key, valname, data, type, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Sets the data for a given value and type of data on the target registry

returns true if succesful


185
186
187
188
189
190
191
# File 'lib/msf/core/post/windows/registry.rb', line 185

def registry_setvaldata(key, valname, data, type, view = REGISTRY_VIEW_NATIVE)
  if session_has_registry_ext
    meterpreter_registry_setvaldata(key, valname, data, type, view)
  else
    shell_registry_setvaldata(key, valname, data, type, view)
  end
end

#registry_unloadkey(key) ⇒ Object

Unload a hive file


91
92
93
94
95
96
97
# File 'lib/msf/core/post/windows/registry.rb', line 91

def registry_unloadkey(key)
  if session_has_registry_ext
    meterpreter_registry_unloadkey(key)
  else
    shell_registry_unloadkey(key)
  end
end

#session_has_registry_extObject (protected)

Determines whether the session can use meterpreter registry methods


211
212
213
214
215
216
217
# File 'lib/msf/core/post/windows/registry.rb', line 211

def session_has_registry_ext
  begin
    return !!(session.sys and session.sys.registry)
  rescue NoMethodError
    return false
  end
end

#shell_registry_cmd(suffix, view = REGISTRY_VIEW_NATIVE) ⇒ Object (protected)

Generic registry manipulation methods based on reg.exe


224
225
226
227
228
229
230
231
232
# File 'lib/msf/core/post/windows/registry.rb', line 224

def shell_registry_cmd(suffix, view = REGISTRY_VIEW_NATIVE)
  cmd = "cmd.exe /c reg"
  if view == REGISTRY_VIEW_32_BIT
    cmd += " /reg:32"
  elsif view == REGISTRY_VIEW_64_BIT
    cmd += " /reg:64"
  end
  cmd_exec("#{cmd} #{suffix}")
end

#shell_registry_cmd_result(suffix, view = REGISTRY_VIEW_NATIVE) ⇒ Object (protected)


234
235
236
237
# File 'lib/msf/core/post/windows/registry.rb', line 234

def shell_registry_cmd_result(suffix, view = REGISTRY_VIEW_NATIVE)
  results = shell_registry_cmd(suffix, view);
  results.include?('The operation completed successfully')
end

#shell_registry_createkey(key, view) ⇒ Object (protected)

Use reg.exe to create a new registry key


258
259
260
261
262
# File 'lib/msf/core/post/windows/registry.rb', line 258

def shell_registry_createkey(key, view)
  key = normalize_key(key)
  # REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]
  shell_registry_cmd_result("add /f \"#{key}\"", view)
end

#shell_registry_deletekey(key, view) ⇒ Object (protected)

Use reg.exe to delete key and all its subkeys and values


276
277
278
279
280
# File 'lib/msf/core/post/windows/registry.rb', line 276

def shell_registry_deletekey(key, view)
  key = normalize_key(key)
  # REG DELETE KeyName [/v ValueName | /ve | /va] [/f]
  shell_registry_cmd_result("delete \"#{key}\" /f", view)
end

#shell_registry_deleteval(key, valname, view) ⇒ Object (protected)

Use reg.exe to delete valname in key


267
268
269
270
271
# File 'lib/msf/core/post/windows/registry.rb', line 267

def shell_registry_deleteval(key, valname, view)
  key = normalize_key(key)
  # REG DELETE KeyName [/v ValueName | /ve | /va] [/f]
  shell_registry_cmd_result("delete \"#{key}\" /v \"#{valname}\" /f", view)
end

#shell_registry_enumkeys(key, view) ⇒ Object (protected)

Use reg.exe to enumerate all the subkeys in key


285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
# File 'lib/msf/core/post/windows/registry.rb', line 285

def shell_registry_enumkeys(key, view)
  key = normalize_key(key)
  subkeys = []
  reg_data_types = 'REG_SZ|REG_MULTI_SZ|REG_DWORD_BIG_ENDIAN|REG_DWORD|REG_BINARY|'
  reg_data_types << 'REG_DWORD_LITTLE_ENDIAN|REG_NONE|REG_EXPAND_SZ|REG_LINK|REG_FULL_RESOURCE_DESCRIPTOR'
  bslashes = key.count('\\')
  results = shell_registry_cmd("query \"#{key}\"", view)
  unless results.include?('Error')
    results.each_line do |line|
      # now let's keep the ones that have a count = bslashes+1
      # feels like there's a smarter way to do this but...
      if (line.count('\\') == bslashes+1 && !line.ends_with?('\\'))
        #then it's a first level subkey
        subkeys << line.split('\\').last.chomp # take & chomp the last item only
      end
    end
  end
  subkeys
end

#shell_registry_enumvals(key, view) ⇒ Object (protected)

Use reg.exe to enumerate all the values in key


308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
# File 'lib/msf/core/post/windows/registry.rb', line 308

def shell_registry_enumvals(key, view)
  key = normalize_key(key)
  values = []
  reg_data_types = 'REG_SZ|REG_MULTI_SZ|REG_DWORD_BIG_ENDIAN|REG_DWORD|REG_BINARY|'
  reg_data_types << 'REG_DWORD_LITTLE_ENDIAN|REG_NONE|REG_EXPAND_SZ|REG_LINK|REG_FULL_RESOURCE_DESCRIPTOR'
  # REG QUERY KeyName [/v ValueName | /ve] [/s]
  results = shell_registry_cmd("query \"#{key}\"", view)
  unless results.include?('Error')
    if values = results.scan(/^ +.*[#{reg_data_types}].*/)
      # yanked the lines with legit REG value types like REG_SZ
      # now let's parse out the names (first field basically)
      values.collect! do |line|
        t = line.split(' ')[0].chomp #chomp for good measure
        # check if reg returned "<NO NAME>", which splits to "<NO", if so nil instead
        t = nil if t == "<NO"
        t
      end
    end
  end
  values
end

#shell_registry_getvaldata(key, valname, view) ⇒ Object (protected)

Returns the data portion of the value valname


333
334
335
336
# File 'lib/msf/core/post/windows/registry.rb', line 333

def shell_registry_getvaldata(key, valname, view)
  a = shell_registry_getvalinfo(key, valname, view)
  a["Data"] || nil
end

#shell_registry_getvalinfo(key, valname, view) ⇒ Object (protected)

Enumerate the type and data stored in the registry value valname in key


342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
# File 'lib/msf/core/post/windows/registry.rb', line 342

def shell_registry_getvalinfo(key, valname, view)
  key = normalize_key(key)
  value = {}
  value["Data"] = nil # defaults
  value["Type"] = nil
  # REG QUERY KeyName [/v ValueName | /ve] [/s]
  results = shell_registry_cmd("query \"#{key}\" /v \"#{valname}\"", view)
  if match_arr = /^ +#{valname}.*/i.match(results)
    # pull out the interesting line (the one with the value name in it)
    # and split it with ' ' yielding [valname,REGvaltype,REGdata]
    split_arr = match_arr[0].split(' ')
    value["Type"] = split_arr[1]
    value["Data"] = split_arr[2]
    # need to test to ensure all results can be parsed this way
  end
  value
end

#shell_registry_key_exist?(key) ⇒ Boolean (protected)

Checks if a key exists on the target registry using a shell session

Parameters:

  • key (String)

    the full path of the key to check

Returns:

  • (Boolean)

    true if the key exists on the target registry, false otherwise, even if case of error (invalid arguments) or the session hasn't permission to access the key


377
378
379
380
381
382
383
384
385
386
387
388
389
390
# File 'lib/msf/core/post/windows/registry.rb', line 377

def shell_registry_key_exist?(key)
  begin
    key = normalize_key(key)
  rescue ArgumentError
    return false
  end

  results = shell_registry_cmd("query \"#{key}\"")
  if results =~ /ERROR: /i
    return false
  else
    return true
  end
end

#shell_registry_loadkey(key, file) ⇒ Object (protected)

Use reg.exe to load the hive file file into key


242
243
244
245
# File 'lib/msf/core/post/windows/registry.rb', line 242

def shell_registry_loadkey(key, file)
  key = normalize_key(key)
  shell_registry_cmd_result("load \"#{key}\" \"#{file}\"")
end

#shell_registry_setvaldata(key, valname, data, type, view) ⇒ Object (protected)

Use reg.exe to add a value valname in the key key with the specified type and data


364
365
366
367
368
369
# File 'lib/msf/core/post/windows/registry.rb', line 364

def shell_registry_setvaldata(key, valname, data, type, view)
  key = normalize_key(key)
  # REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]
  # /f to overwrite w/o prompt
  shell_registry_cmd_result("add /f \"#{key}\" /v \"#{valname}\" /t \"#{type}\" /d \"#{data}\" /f", view)
end

#shell_registry_unloadkey(key) ⇒ Object (protected)

Use reg.exe to unload the hive in key


250
251
252
253
# File 'lib/msf/core/post/windows/registry.rb', line 250

def shell_registry_unloadkey(key)
  key = normalize_key(key)
  shell_registry_cmd_result("unload \"#{key}\"")
end

#split_key(str) ⇒ Object (protected)

Split the supplied full registry key string into its root key and base key. For instance, passing “HKLMSoftwareDog” will return [ 'HKEY_LOCAL_MACHINE', 'SoftwareDog' ]


649
650
651
652
653
654
655
# File 'lib/msf/core/post/windows/registry.rb', line 649

def split_key(str)
  if (str =~ /^(.+?)\\(.*)$/)
    [ $1, $2 ]
  else
    [ str, nil ]
  end
end