
Read all startup applications in registry (C++)


7 replies to this topic

#1 fearmyawesome

fearmyawesome

  • Members
  • 15 posts

Posted 26 March 2010 - 07:45 AM

Hey there,

I'm just trying to learn how to manipulate the registry a little bit better using the Windows header.
I understand that I need to use the TRegistry class and stuff, but I'm a little confused about listing the entries in the registry.

What I want to do is the following:
1. Navigate into HKLM:\\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2. List all of the entries in there: (example: norton, other random exes)

Anyone have any clue how I would do this?


#2 Billy O'Neal

Billy O'Neal

    Bleepin Microsoftie Engineer


  • Malware Response Instructor
  • 12,246 posts

Posted 26 March 2010 - 08:01 AM

You want RegEnumValue.

Billy3
There is literally water pouring out of my walls at the moment... responses will be delayed.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 fearmyawesome


Posted 26 March 2010 - 08:03 AM

I might have found out another way to do it... but I still have no clue how to use it.

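#include <windows.h>
#include <iostream>
using namespace std;

int main(int argc, char *argv[])
{
  char res[1024] = "";
  // Leave room for a terminator: registry strings may be stored without one.
  unsigned long type = REG_SZ, size = sizeof(res) - 1;
  HKEY key;

  // Open the machine-wide Run key read-only (ulOptions must be 0).
  if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
      0, KEY_READ, &key) == ERROR_SUCCESS) {
    // Reads a single value whose name is already known.
    if (RegQueryValueEx(key, "SM_GamesName", NULL, &type, (LPBYTE)&res[0], &size) == ERROR_SUCCESS)
      cout << res;
    RegCloseKey(key);
  }
  return 0;
}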

Can someone please explain to me what I am doing wrong?
In my registry, I can see that I have the SM_GamesName in the startup applications under Run.

Thanks for your time!



Whoops. Looks like we were posting at the same time. I'll check out what you said.

Thanks!

#4 Billy O'Neal


Posted 26 March 2010 - 08:03 AM

RegQueryValueEx only works if you know the name of the value in advance. You don't.

Billy3

#5 fearmyawesome


Posted 26 March 2010 - 08:27 AM

Alright. So after a quick Google search I found some code that does something extremely similar to what I want to do.
http://www.codeguru.com/forum/archive/inde...p/t-346900.html

So I wanted to test it before I actually used it.
However I am experiencing a really weird issue.

Upon compiling the sample, I receive an error:
30 Z:\Dev-Cpp\main.cpp invalid conversion from `char*' to `BYTE*'
30 Z:\Dev-Cpp\main.cpp initializing argument 7 of `LONG RegEnumValueA(HKEY__*, DWORD, CHAR*, DWORD*, DWORD*, DWORD*, BYTE*, DWORD*)'

What it is referring to is &valuenamesize, which is triggering this. How should I fix it?

Thanks!

#6 Billy O'Neal


Posted 26 March 2010 - 08:59 AM

invalid conversion from `char*' to `BYTE*' <-- This should tell you what you need to know.

#7 fearmyawesome


Posted 26 March 2010 - 11:28 AM

Oh wow. I can't believe I overlooked that.
<facepalm>

Thanks again for your help.

#8 Billy O'Neal


Posted 26 March 2010 - 11:37 AM

Bill quotes the inevitable Raymond: http://blogs.msdn.com/oldnewthing/archive/...24/9983984.aspx

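The enumeration discussed in this thread, as an added example that is not code from any of the posters or from the linked CodeGuru sample: it walks the Run key with RegEnumValueA and decodes string data by its reported length rather than trusting a terminator. The names decode_reg_sz, list_run_entries and RunEntries are made up for the illustration, and the registry calls are compiled only on Windows.

```cpp
#include <iostream>
#include <string>
#include <utility>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

// Registry strings are not guaranteed to be NUL-terminated: build the string
// from the reported byte count, then cut at the first NUL if there is one.
std::string decode_reg_sz(const unsigned char *data, std::size_t size) {
  std::string s(reinterpret_cast<const char *>(data), size);
  std::string::size_type nul = s.find('\0');
  return nul == std::string::npos ? s : s.substr(0, nul);
}

typedef std::vector<std::pair<std::string, std::string> > RunEntries;

// Every (value name, command line) pair in the HKLM Run key; empty off Windows.
RunEntries list_run_entries() {
  RunEntries out;
#ifdef _WIN32
  HKEY key;
  if (RegOpenKeyExA(HKEY_LOCAL_MACHINE,
                    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                    0, KEY_READ, &key) != ERROR_SUCCESS)
    return out;
  std::vector<char> name(16384);  // value names are at most 16,383 characters
  std::vector<BYTE> data(4096);
  for (DWORD i = 0;;) {
    DWORD nameLen = (DWORD)name.size(), dataLen = (DWORD)data.size(), type = 0;
    LONG rc = RegEnumValueA(key, i, &name[0], &nameLen, NULL, &type,
                            &data[0], &dataLen);  // argument 7 is BYTE*
    if (rc == ERROR_MORE_DATA) { data.resize(data.size() * 2); continue; }
    if (rc != ERROR_SUCCESS) break;  // ERROR_NO_MORE_ITEMS ends the walk
    if (type == REG_SZ || type == REG_EXPAND_SZ)
      out.push_back(std::make_pair(std::string(&name[0], nameLen),
                                   decode_reg_sz(&data[0], dataLen)));
    ++i;
  }
  RegCloseKey(key);
#endif
  return out;
}

int main() {
  RunEntries e = list_run_entries();
  for (std::size_t i = 0; i < e.size(); ++i)
    std::cout << e[i].first << " = " << e[i].second << "\n";
}
```

A 32-bit build on 64-bit Windows is shown the WOW6432Node view of this key unless KEY_WOW64_64KEY is added to the access mask.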


