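The StdRegProv class (the standard registry provider) in the root\default namespace provides the 16 methods listed below. We will go through the usage rules of these methods one by one and give examples written in both VBScript and PowerShell.
GetBinaryValue - reads value data of type BINARY
GetDWORDValue - reads value data of type DWORD
GetExpandedStringValue - reads value data of type EXPANDED STRING
GetMultiStringValue - reads value data of type MULTI STRING
GetStringValue - reads value data of type STRING
CreateKey - creates a subkey
SetBinaryValue - sets value data of type BINARY
SetDWORDValue - sets value data of type DWORD
SetExpandedStringValue - sets value data of type EXPANDED STRING
SetMultiStringValue - sets value data of type MULTI STRING
SetStringValue - sets value data of type STRING
DeleteKey - deletes a subkey
DeleteValue - deletes a value
EnumKey - enumerates subkeys
EnumValues - enumerates values
CheckAccess - checks the permissions of the current account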
The following are the codes for account access rights, root keys and value types that are used in registry operations.
Account access-right types:
Name                     Value        Description
KEY_QUERY_VALUE          &H0001       ability to query registry value
KEY_SET_VALUE            &H0002       ability to set registry value
KEY_CREATE_SUB_KEY       &H0004       ability to create subkey
KEY_ENUMERATE_SUB_KEYS   &H0008       ability to enumerate subkeys
KEY_NOTIFY               &H0010       ability to audit changes to the key
KEY_CREATE_LINK          &H0020       ability to create a symbolic link to the key (example of such a link is the one that exists between HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE\SOFTWARE\Classes)
DELETE                   &H00010000   ability to delete current key
READ_CONTROL             &H00020000   ability to read permissions on the current key
WRITE_DAC                &H00040000   ability to modify permissions on the current key
WRITE_OWNER              &H00080000   ability to take ownership of the current key
Root key codes:
Name                  Value
HKEY_CLASSES_ROOT     2147483648, &H80000000
HKEY_CURRENT_USER     2147483649, &H80000001
HKEY_LOCAL_MACHINE    2147483650, &H80000002
HKEY_USERS            2147483651, &H80000003
HKEY_CURRENT_CONFIG   2147483653, &H80000005
HKEY_DYN_DATA         2147483654, &H80000006
Value type codes:
Name            Value   Description
REG_SZ          1       string value
REG_EXPAND_SZ   2       expandable string value
REG_BINARY      3       binary value
REG_DWORD       4       DWORD value
REG_MULTI_SZ    7       multi-string value
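The access-right masks and root-key codes above are the inputs of CheckAccess, which the article lists but does not demonstrate. The following is an added example, not part of the original article: it reports which rights the account running the script holds on three HKLM keys used elsewhere on this page, so that unexpected write access to them can be spotted. The choice of keys and the grouping into "write" rights are assumptions made for the example.

```powershell
# Added example (not from the original article).
$HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE, from the root-key table

# Access-right masks, copied from the table above
$Rights = [ordered]@{
    KEY_QUERY_VALUE        = 0x0001
    KEY_SET_VALUE          = 0x0002
    KEY_CREATE_SUB_KEY     = 0x0004
    KEY_ENUMERATE_SUB_KEYS = 0x0008
    KEY_NOTIFY             = 0x0010
    KEY_CREATE_LINK        = 0x0020
    DELETE                 = 0x00010000
    READ_CONTROL           = 0x00020000
    WRITE_DAC              = 0x00040000
    WRITE_OWNER            = 0x00080000
}
# Assumption for this example: rights that allow the key or its ACL to be changed
$WriteRights = 'KEY_SET_VALUE', 'KEY_CREATE_SUB_KEY', 'KEY_CREATE_LINK',
               'DELETE', 'WRITE_DAC', 'WRITE_OWNER'

# Keys taken from the examples on this page
$Keys = 'SYSTEM\CurrentControlSet\Control\Lsa',
        'SYSTEM\CurrentControlSet\Services',
        'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$reg = Get-WmiObject -List -Namespace 'root\default' -ComputerName '.' |
       Where-Object { $_.Name -eq 'StdRegProv' }

foreach ($key in $Keys) {
    $granted = @()
    foreach ($name in $Rights.Keys) {
        # CheckAccess(hDefKey, sSubKeyName, uRequired) returns ReturnValue and bGranted
        $out = $reg.CheckAccess($HKLM, $key, [uint32]$Rights[$name])
        if ($out.bGranted) { $granted += $name }
    }
    $writable = @($granted | Where-Object { $WriteRights -contains $_ })
    [pscustomobject]@{
        Key         = "HKLM\$key"
        Granted     = $granted -join ', '
        WriteAccess = $writable.Count -gt 0
    }
}
```

Run once as a standard user and once elevated: a standard user should show WriteAccess = False for all three keys.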
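Inspecting \root\default:StdRegProv with the wbemtest tool shows the input and output parameters of a given method. For example, the EnumKey method has two input parameters (hDefKey, sSubKeyName) and two output parameters (ReturnValue, sNames[]).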
(01) EnumKey
Enumerates the subkeys under the specified path.
uint32 EnumKey(
    [in, optional] uint32 hDefKey = 2147483650, (&H80000002, default)
    [in] string sSubKeyName,
    [out] string sNames[]
);
Example 1: List the names of the subkeys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Services"
' The output parameter arrSubKeys is sNames[]
objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
WScript.Echo "Subkeys under " _
    & "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
For Each subkey In arrSubKeys
    WScript.Echo subkey
Next
Example 2: Call EnumKey through the ExecMethod_() method.
Const HKEY_LOCAL_MACHINE = &H80000002
sComputer = "."
sMethod = "EnumKey"
hTree = HKEY_LOCAL_MACHINE
sKey = "SYSTEM\CurrentControlSet\Services"
Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}//" & _
    sComputer & "/root/default:StdRegProv")
' Create the input parameters
Set oMethod = oRegistry.Methods_(sMethod)
Set oInParam = oMethod.inParameters.SpawnInstance_()
oInParam.hDefKey = hTree
oInParam.sSubKeyName = sKey
' Execute the EnumKey method
Set oOutParam = oRegistry.ExecMethod_(sMethod, oInParam)
' Show the execution status of EnumKey. One way is to read the return code, the other is to read the output parameter.
WScript.Echo "The return code of ExecMethod EnumKey is: " & oOutParam.ReturnValue
WScript.Echo "The return code of ExecMethod EnumKey is: " & oOutParam.Properties_("ReturnValue")
' The other output parameter is the array sNames[], which holds the subkey names.
For i = 0 To UBound(oOutParam.Properties_("sNames"))
    WScript.Echo oOutParam.Properties_("sNames")(i)
Next
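Examples 1 and 2 show that, when the properties and methods of CIM objects and classes are accessed through SWbemObject, either of the following two approaches can be used to reach the properties and methods of the underlying CIM object:
When a StdRegProv method is called directly (as in Example 1), you simply use its original name to execute the method or read the property and obtain the data, as if it were an SWbemObject property or method.
When a StdRegProv method is called indirectly through SWbemServices.ExecMethod, SWbemObject.ExecMethod_ or SWbemObject.ExecMethodAsync_ (as in Example 2), the data has to be obtained through the Properties_ collection.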
Example 3: The corresponding PowerShell program. Because the EnumKey method is called directly, the data is obtained from the output parameters. In PS the EnumKey method has a slightly different signature:
EnumKey(System.UInt32 hDefKey, System.String sSubKeyName)
$computer = "."
$namespace = "root\Default"
$HKLM = "&H80000002" # can also be written as $HKLM = 2147483650
$strKeyPath = "SYSTEM\CurrentControlSet\Services"
$oreg = get-wmiobject -list -namespace $namespace -ComputerName $computer | where-object { $_.name -eq "StdRegProv" }
$arrSubKeys = $oreg.EnumKey($HKLM, $strKeyPath)
"Subkeys under " + "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
ForEach ($subkey In $arrSubKeys)
{
    "Return code is : " + $subkey.returnvalue
    $subkey.sNames
}
This article is reposted from http://bbs.winos.cn/thread-70624-1-1.html
(02) EnumValues
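Enumerates the value names and value types of the given subkey. If it has not been changed, the default value of the subkey is always returned; if its data is empty, an empty string ("") is returned.
uint32 EnumValues(
    [in, optional] uint32 hDefKey = 2147483650,
    [in] string sSubKeyName,
    [out] string sNames[],
    [out] sint32 Types[]
);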
Example 1: List the value names and value types under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
Const HKEY_LOCAL_MACHINE = &H80000002
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Lsa"
oReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, _
    arrValueNames, arrValueTypes
For I = 0 To UBound(arrValueNames)
    Select Case arrValueTypes(I)
        Case REG_SZ
            DataType = "Data Type: String"
        Case REG_EXPAND_SZ
            DataType = "Data Type: Expanded String"
        Case REG_BINARY
            DataType = "Data Type: Binary"
        Case REG_DWORD
            DataType = "Data Type: DWORD"
        Case REG_MULTI_SZ
            DataType = "Data Type: Multi String"
    End Select
    WScript.Echo "Value Name: " & arrValueNames(I) & "," & vbTab & DataType
Next
Example 2: Call EnumValues through the ExecMethod_() method.
Const HKEY_LOCAL_MACHINE = &H80000002
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7
sComputer = "."
sMethod = "EnumValues"
hTree = HKEY_LOCAL_MACHINE
'sKey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
sKey = "SYSTEM\CurrentControlSet\Control\Lsa"
Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}//" & _
    sComputer & "/root/default:StdRegProv")
Set oMethod = oRegistry.Methods_(sMethod)
Set oInParam = oMethod.inParameters.SpawnInstance_()
oInParam.hDefKey = hTree
oInParam.sSubKeyName = sKey
Set oOutParam = oRegistry.ExecMethod_(sMethod, oInParam)
For i = 0 To UBound(oOutParam.Properties_("sNames"))
    sMessage = oOutParam.Properties_("sNames")(i)
    Select Case oOutParam.Properties_("Types")(i)
        Case REG_SZ
            sMessage = sMessage & " :REG_SZ"
        Case REG_EXPAND_SZ
            sMessage = sMessage & " :REG_EXPAND_SZ"
        Case REG_BINARY
            sMessage = sMessage & " :REG_BINARY"
        Case REG_DWORD
            sMessage = sMessage & " :REG_DWORD"
        Case REG_MULTI_SZ
            sMessage = sMessage & " :REG_MULTI_SZ"
    End Select
    WScript.Echo sMessage
Next
Example 3: The corresponding PS program.
$HKEY_LOCAL_MACHINE = "&H80000002"
$REG_SZ = 1
$REG_EXPAND_SZ = 2
$REG_BINARY = 3
$REG_DWORD = 4
$REG_MULTI_SZ = 7
$computer = "."
$namespace = "root\Default"
$strKeyPath = "SYSTEM\CurrentControlSet\Control\Lsa"
$oreg = get-wmiobject -list -namespace $namespace -ComputerName $computer | where-object { $_.name -eq "StdRegProv" }
$OutParams = $oreg.EnumValues($HKEY_LOCAL_MACHINE, $strKeyPath)
"Subkeys under " + "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
Foreach ($OutParam In $OutParams)
{
    $Counts = $OutParam.sNames.count
    for ( $i=0; $i -lt $Counts; $i++ )
    {
        Switch ($OutParam.Types[$i])
        {
            "$REG_SZ" { $DataType = "Data Type: String" }
            "$REG_EXPAND_SZ" { $DataType = "Data Type: Expanded String" }
            "$REG_BINARY" { $DataType = "Data Type: Binary" }
            "$REG_DWORD" { $DataType = "Data Type: DWORD" }
            "$REG_MULTI_SZ" { $DataType = "Data Type: Multi String" }
        }
        "Value Name: " + $OutParam.sNames[$i] + "`t" + $DataType
    }
}
(03) GetStringValue
Returns the data of the named value whose type is REG_SZ.
uint32 GetStringValue(
[in] uint32 hDefKey = 2147483650,
[in] string sSubKeyName,
[in] string sValueName,
[out] string sValue
);
Example 1: Return the data of the value named DefaultUserName under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. This example calls GetStringValue through the ExecMethod_() method.
Const HKEY_CLASSES_ROOT = &H80000000
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS = &H80000003
Const HKEY_CURRENT_CONFIG = &H80000005
sComputer = "."
sMethod = "GetStringValue"
hTree = HKEY_LOCAL_MACHINE
sKey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
sValueName = "DefaultUserName"
Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}//" & _
    sComputer & "/root/default:StdRegProv")
Set oMethod = oRegistry.Methods_(sMethod)
Set oInParam = oMethod.inParameters.SpawnInstance_()
oInParam.hDefKey = hTree
oInParam.sSubKeyName = sKey
oInParam.sValueName = sValueName
Set oOutParam = oRegistry.ExecMethod_(sMethod, oInParam)
WScript.Echo "Key Value of DefaultUserName (Key Name) is : " & oOutParam.Properties_("sValue")
Example 2: Call GetStringValue directly.
Const HKEY_LOCAL_MACHINE = &H80000002
sComputer = "."
hDefKey = HKEY_LOCAL_MACHINE
sSubKeyName = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
sValueName = "DefaultUserName"
Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}//" & _
    sComputer & "/root/default:StdRegProv")
oOutParam = oRegistry.GetStringValue(hDefKey, sSubKeyName, sValueName, sValue)
WScript.Echo "Return code: " & oOutParam
WScript.Echo "Key Value of DefaultUserName (Key Name) is : " & sValue
Example 3: The corresponding PS program. It calls the GetStringValue method directly.
$computer = "."
$namespace = "root\DEFAULT"
$HKLM = 2147483650
$oreg = get-wmiobject -list -namespace $namespace -ComputerName $computer | where-object { $_.name -eq "StdRegProv" }
$strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$strValueName = "DefaultUserName"
$oOutParam = $oreg.GetStringValue($HKLM,$strKeyPath,$strValueName)
"Key Value of DefaultUserName (Key Name) is : " + $oOutParam.sValue
(04) GetBinaryValue
Returns the data of the named value whose type is REG_BINARY.
uint32 GetBinaryValue(
[in, optional] uint32 hDefKey = 2147483650,
[in] string sSubKeyName,
[in] string sValueName,
[out] uint8 uValue[]
);
Example 1: Display the data of the value named "DigitalProductId" under SOFTWARE\Microsoft\Windows NT\CurrentVersion. It is an array holding binary data of type REG_BINARY. This example calls GetBinaryValue through the ExecMethod_() method.
Const HKEY_CLASSES_ROOT = &H80000000
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS = &H80000003
Const HKEY_CURRENT_CONFIG = &H80000005
sComputer = "."
sMethod = "GetBinaryValue"
hTree = HKEY_LOCAL_MACHINE
sKey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
sValue = "DigitalProductId"
Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}//" & _
    sComputer & "/root/default:StdRegProv")
Set oMethod = oRegistry.Methods_(sMethod)
Set oInParam = oMethod.inParameters.SpawnInstance_()
oInParam.hDefKey = hTree
oInParam.sSubKeyName = sKey
oInParam.sValueName = sValue
Set oOutParam = oRegistry.ExecMethod_(sMethod, oInParam)
For iCount = 0 To UBound(oOutParam.Properties_("uValue"))
    WScript.Echo oOutParam.Properties_("uValue")(iCount)
Next
Example 2: Call GetBinaryValue directly.
Const HKEY_LOCAL_MACHINE = &H80000002
sComputer = "."
hDefKey = HKEY_LOCAL_MACHINE
sSubKeyName = "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
sValueName = "DigitalProductId"
Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}//" & _
    sComputer & "/root/default:StdRegProv")
oOutParam = oRegistry.GetBinaryValue(hDefKey, sSubKeyName, sValueName, uValue)
WScript.Echo "Return code: " & oOutParam
OutValues = ""
For i = 0 To UBound(uValue)
    OutValues = OutValues & Hex(uValue(i)) & " "
Next
WScript.Echo "Key Value of " & sValueName & " is : " & OutValues
Example 3: The corresponding PS program; this example calls GetBinaryValue directly. Because the output is displayed in decimal, Tostring("x") is used to convert it to hexadecimal.
$computer = "."
$namespace = "root\DEFAULT"
$hDefKey = "&H80000002"
$sSubKeyName = "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$sValueName = "DigitalProductId"
$oRegistry = get-wmiobject -list -namespace $namespace -ComputerName $computer | where-object { $_.name -eq "StdRegProv" }
$oOutParams = $oRegistry.GetBinaryValue($hDefKey, $sSubKeyName, $sValueName)
$ValueString = ""
Foreach ($oOutParam in $oOutParams)
{
    $Counts = $oOutParam.uValue.count
    For ($i=0; $i -lt $Counts; $i++)
    {
        $ValueString = $ValueString + $oOutParam.uValue[$i].Tostring("x") + " "
    }
}
"Key Value " + $sValueName + " is: "
$ValueString
(05) GetDWORDValue
Returns the data of the named value whose type is REG_DWORD.
uint32 GetDWORDValue(
[in, optional] uint32 hDefKey = 2147483650,
[in] string sSubKeyName,
[in] string sValueName,
[out] uint32 uValue
);
Example 1: Get the data of the value named AutoReboot under SYSTEM\CurrentControlSet\Control\CrashControl; its type is REG_DWORD. This example calls GetDWORDValue directly.
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\CrashControl"
strValueName = "AutoReboot"
oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
WScript.Echo "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot" _
    & " = " & dwValue
Example 2: This example calls GetDWORDValue through ExecMethod_().
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
sMethod = "GetDWORDValue"
Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}//" & _
    strComputer & "/root/default:StdRegProv")
Set oMethod = oRegistry.Methods_(sMethod)
Set oInParam = oMethod.inParameters.SpawnInstance_()
oInParam.hDefKey = HKEY_LOCAL_MACHINE
oInParam.sSubKeyName = "SYSTEM\CurrentControlSet\Control\CrashControl"
oInParam.sValueName = "AutoReboot"
Set oOutParam = oRegistry.ExecMethod_(sMethod, oInParam)
WScript.Echo "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot" _
    & " = " & oOutParam.Properties_("uValue")
Example 3: The corresponding PS program.
$computer = "."
$namespace = "root\DEFAULT"
$hDefKey = "&H80000002"
$strKeyPath = "SYSTEM\CurrentControlSet\Control\CrashControl"
$strValueName = "AutoReboot"
$oRegistry = get-wmiobject -list -namespace $namespace -ComputerName $computer | where-object { $_.name -eq "StdRegProv" }
$oOutParams = $oRegistry.GetDWORDValue($hDefKey, $strKeyPath, $strValueName)
Foreach ($oOutParam in $oOutParams)
{
    $oOutParam.uValue
}
(06) GetExpandedStringValue
Returns the data of the named value whose type is REG_EXPAND_SZ.
uint32 GetExpandedStringValue(
[in, optional] uint32 hDefKey = 2147483650,
[in] string sSubKeyName,
[in] string sValueName,
[out] string sValue
);
Example 1: Read the data of the value named UIHost under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon; this data is of type REG_EXPAND_SZ. This example calls GetExpandedStringValue directly.
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_CLASSES_ROOT = &H80000000
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_USERS = &H80000003
Const HKEY_CURRENT_CONFIG = &H80000005
strComputer = "."
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon"
strValueName = "UIHost"
Return = objReg.GetExpandedStringValue(HKEY_LOCAL_MACHINE, _
    strKeyPath, strValueName, strValue)
If (Return = 0) And (Err.Number = 0) Then
    WScript.Echo "The Windows logon UI host is: " & strValue
Else
    WScript.Echo _
        "GetExpandedStringValue failed. Error = " & Err.Number
End If
Example 2: Call GetExpandedStringValue through ExecMethod_().
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
sMethod = "GetExpandedStringValue"
Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}//" & _
    strComputer & "/root/default:StdRegProv")
Set oMethod = oRegistry.Methods_(sMethod)
Set oInParam = oMethod.inParameters.SpawnInstance_()
oInParam.hDefKey = HKEY_LOCAL_MACHINE
oInParam.sSubKeyName = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon"
oInParam.sValueName = "UIHost"
Set oOutParam = oRegistry.ExecMethod_(sMethod, oInParam)
If (oOutParam.ReturnValue = 0) And (Err.Number = 0) Then
    WScript.Echo "The Windows logon UI host is: " & oOutParam.Properties_("sValue")
Else
    WScript.Echo "GetExpandedStringValue failed. Error = " & Err.Number
End If
Example 3: The corresponding PS program.
$computer = "."
$namespace = "root\default"
$hDefKey = "&H80000002"
$strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon"
$strValueName = "UIHost"
$oRegistry = get-wmiobject -list -namespace $namespace -ComputerName $computer | where-object { $_.name -eq "StdRegProv" }
$oOutParams = $oRegistry.GetExpandedStringValue($hDefKey, $strKeyPath, $strValueName)
If ($oOutParams.returnvalue -eq 0)
{
    Foreach ($oOutParam in $oOutParams)
    {
        "The Windows logon UI host is: " + $oOutParam.sValue
    }
}
Else
{
    "GetExpandedStringValue failed."
}
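EnumValues returns only value names and type codes, so reading a whole key means combining it with the Get*Value method that matches each type. The following is an added example, not part of the original article, that does this for the Lsa key used in section (02), which is useful for comparing a host against a configuration baseline. The helper name Get-RegValuesViaWmi is hypothetical; GetMultiStringValue appears in the method list at the top of the article but is not covered in the sections above.

```powershell
# Added example (not from the original article).
# Type codes 1, 2, 3, 4 and 7 are the value-type codes from the table on this page.
$HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE
$reg  = Get-WmiObject -List -Namespace 'root\default' -ComputerName '.' |
        Where-Object { $_.Name -eq 'StdRegProv' }

function Get-RegValuesViaWmi {   # hypothetical helper name
    param($Provider, [uint32]$Hive, [string]$KeyPath)

    $enum = $Provider.EnumValues($Hive, $KeyPath)
    if ($enum.ReturnValue -ne 0) {
        Write-Warning "EnumValues on '$KeyPath' returned $($enum.ReturnValue)"
        return
    }
    if ($null -eq $enum.sNames) { return }   # the key has no values

    for ($i = 0; $i -lt $enum.sNames.Count; $i++) {
        $name = $enum.sNames[$i]
        # Pick the reader that matches the type code reported by EnumValues
        switch ($enum.Types[$i]) {
            1 { $type = 'REG_SZ'
                $data = $Provider.GetStringValue($Hive, $KeyPath, $name).sValue }
            2 { $type = 'REG_EXPAND_SZ'
                $data = $Provider.GetExpandedStringValue($Hive, $KeyPath, $name).sValue }
            3 { $type = 'REG_BINARY'
                $bytes = $Provider.GetBinaryValue($Hive, $KeyPath, $name).uValue
                $data = if ($null -ne $bytes) {
                    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ' '
                } else { '' } }
            4 { $type = 'REG_DWORD'
                $data = $Provider.GetDWORDValue($Hive, $KeyPath, $name).uValue }
            7 { $type = 'REG_MULTI_SZ'
                $data = $Provider.GetMultiStringValue($Hive, $KeyPath, $name).sValue -join '; ' }
            default { $type = "unhandled type $_"; $data = $null }
        }
        [pscustomobject]@{ Name = $name; Type = $type; Data = $data }
    }
}

Get-RegValuesViaWmi -Provider $reg -Hive $HKLM -KeyPath 'SYSTEM\CurrentControlSet\Control\Lsa' |
    Format-Table -AutoSize
```

Value types outside the five listed in the table are reported as unhandled rather than read with the wrong method.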