
Read all startup applications in registry (C++)


7 replies to this topic

#1 fearmyawesome

fearmyawesome

  • Members
  • 15 posts
  • Gender: Male
  • Location: Canada

Posted 26 March 2010 - 07:45 AM

Hey there,

I'm just trying to learn how to manipulate the registry a little bit better using the windows header.
I understand that I need to use the TRegistry class and stuff, but I'm a little confused about listing the entries in the registry.

What I want to do is the following:
1. Navigate into HKLM:\\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2. List all of the entries in there: (example: norton, other random exes)

Anyone have any clue how I would do this?


#2 Billy O'Neal

Billy O'Neal

  • Bleepin Microsoftie Engineer
  • Malware Response Instructor
  • 11,947 posts
  • Gender: Male
  • Location: Redmond, Washington

Posted 26 March 2010 - 08:01 AM

You want RegEnumValue.

Billy3
Look buddy, I'm an Engineer, and that means I solve problems. Not problems like "What is beauty?" .. 'cause that would fall within the purview of your conundrums of philosophy....
GitHub - Twitter
My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 fearmyawesome

fearmyawesome
  • Topic Starter

  • Members
  • 15 posts
  • Gender: Male
  • Location: Canada

Posted 26 March 2010 - 08:03 AM

I might have found out another way to do it... but I still have no clue how to use it.

#include <windows.h>
#include <iostream>
using std::cout;

int main(int argc, char *argv[])
{
  DWORD type = REG_SZ, size = 1024;   // size is in bytes and is updated by the call
  char res[1024] = "";
  HKEY key;

  // Open the per-machine Run key read-only.
  if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                   0, KEY_READ, &key) == ERROR_SUCCESS) {
    // Query one value whose name is already known; the data buffer is passed as LPBYTE.
    if (RegQueryValueEx(key, "SM_GamesName", NULL, &type, (LPBYTE)res, &size) == ERROR_SUCCESS)
      cout << res;
    RegCloseKey(key);
  }
  return 0;
}

Can someone please explain to me what I am doing wrong?
In my registry, I can see that I have the SM_GamesName in the startup applications under Run.

Thanks for your time!



Whoops. Looks like we were posting at the same time. I'll check out what you said.

Thanks!

#4 Billy O'Neal

Billy O'Neal

  • Bleepin Microsoftie Engineer
  • Malware Response Instructor
  • 11,947 posts
  • Gender: Male
  • Location: Redmond, Washington

Posted 26 March 2010 - 08:03 AM

RegQueryValueEx only works if you know the name of the value in advance. You don't.


#5 fearmyawesome

fearmyawesome
  • Topic Starter

  • Members
  • 15 posts
  • Gender: Male
  • Location: Canada

Posted 26 March 2010 - 08:27 AM

Alright. So after a quick Google search I found some code that does something extremely similar to what I want to do.
http://www.codeguru.com/forum/archive/inde...p/t-346900.html

So I wanted to test it before I actually used it.
However, I am experiencing a really weird issue.

Upon compiling the sample, I receive an error:
30 Z:\Dev-Cpp\main.cpp invalid conversion from `char*' to `BYTE*'
30 Z:\Dev-Cpp\main.cpp initializing argument 7 of `LONG RegEnumValueA(HKEY__*, DWORD, CHAR*, DWORD*, DWORD*, DWORD*, BYTE*, DWORD*)'

What it is referring to is &valuenamesize, which is triggering this. How should I fix it?

Thanks!

#6 Billy O'Neal

Billy O'Neal

  • Bleepin Microsoftie Engineer
  • Malware Response Instructor
  • 11,947 posts
  • Gender: Male
  • Location: Redmond, Washington

Posted 26 March 2010 - 08:59 AM

invalid conversion from `char*' to `BYTE*' <-- This should tell you what you need to know.
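As an added example that is not from this thread or from either poster: the RegEnumValue loop Billy points to, written as the listing the original post asked for (every value under the HKLM Run key), with the data buffer typed as BYTE so the conversion error quoted above does not arise. The helper ValueToString is kept portable and handles REG_SZ data that the registry may store without a terminating NUL; the function names EnumValues and ValueToString are my own, and the same loop runs unchanged against the HKCU Run key.

```cpp
#include <string>
#include <vector>
#include <iostream>
#ifdef _WIN32
#  include <windows.h>
#else
typedef unsigned char BYTE;    // stand-ins so the helper below also compiles off Windows
typedef unsigned long DWORD;
enum { REG_SZ = 1, REG_EXPAND_SZ = 2 };
#endif
// Turn raw value bytes into text. The registry does not guarantee that REG_SZ /
// REG_EXPAND_SZ data carries a terminating NUL, so read at most `bytes` bytes and
// stop at the first NUL instead of trusting the buffer to be a C string.
std::string ValueToString(DWORD type, const BYTE* data, DWORD bytes)
{
    if (type != REG_SZ && type != REG_EXPAND_SZ)
        return "<binary, " + std::to_string(bytes) + " bytes>";
    std::string s;
    for (DWORD i = 0; i < bytes && data[i] != '\0'; ++i)
        s += static_cast<char>(data[i]);
    return s;
}
#ifdef _WIN32
// Enumerate every value under `subkey` and return "name = data" lines.
std::vector<std::string> EnumValues(HKEY root, const char* subkey)
{
    std::vector<std::string> out;
    HKEY key;   // KEY_WOW64_64KEY: read the native 64-bit view even from a 32-bit build
    if (RegOpenKeyExA(root, subkey, 0, KEY_READ | KEY_WOW64_64KEY, &key) != ERROR_SUCCESS)
        return out;
    for (DWORD i = 0;; ++i) {
        char name[16384]; BYTE data[4096]; DWORD type;
        // Both sizes are in/out parameters: RegEnumValue overwrites them, so reset each pass.
        DWORD nameChars = sizeof(name), dataBytes = sizeof(data);
        LONG rc = RegEnumValueA(key, i, name, &nameChars, NULL, &type, data, &dataBytes);
        if (rc == ERROR_NO_MORE_ITEMS) break;
        if (rc != ERROR_SUCCESS) continue;   // e.g. ERROR_MORE_DATA: value too big for data[]
        out.push_back(std::string(name) + " = " + ValueToString(type, data, dataBytes));
    }
    RegCloseKey(key);
    return out;
}
int main()
{
    const char* run = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    for (const std::string& line : EnumValues(HKEY_LOCAL_MACHINE, run))
        std::cout << line << '\n';
    return 0;
}
#endif
```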

#7 fearmyawesome

fearmyawesome
  • Topic Starter

  • Members
  • 15 posts
  • Gender: Male
  • Location: Canada

Posted 26 March 2010 - 11:28 AM

Oh wow. I can't believe I overlooked that.
<facepalm>

Thanks again for your help.

#8 Billy O'Neal

Billy O'Neal

  • Bleepin Microsoftie Engineer
  • Malware Response Instructor
  • 11,947 posts
  • Gender: Male
  • Location: Redmond, Washington

Posted 26 March 2010 - 11:37 AM

Bill quotes the inevitable Raymond: http://blogs.msdn.com/oldnewthing/archive/...24/9983984.aspx