vbscript to read / vconvert binary from registry?

[shorterxp]

I have tried numerous examples from the web and none have worked, paying close attention to syntax. The closest I got was that seen below:

Quote

The problem is that REG_BINARY returns A VBArray of Integers
So you need VBS to read it.

Here an example (store it with extension *.vbs ):

Dim WshShell, bKey
Set WshShell = WScript.CreateObject("WScript.Shell")
bKey = WshShell.RegRead("HKCU\Control Panel\Desktop\UserPreferencesMask")
'WScript.Echo WshShell.RegRead("HKCU\Control Panel\Desktop\UserPreferencesMask")
Dim bVal
Dim i
For i = 0 To Ubound(bKey)
  bVal = bVal + Hex(bKey(i))
Next
WScript.Echo bVal

Source

This works but result is still Binary message box, (as opposed to a comprehensible string, contary to what the author of this snippet implied)

example 2

Quote

Const HKEY_LOCAL_MACHINE = &H80000002 
 
strComputer = "." 
Set StdOut = WScript.StdOut 
  
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _  
    strComputer & "\root\default:StdRegProv") 
  
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion" 
strValueName = "LicenseInfo" 
oReg.GetBinaryValue HKEY_LOCAL_MACHINE,strKeyPath, _ 
    strValueName,strValue 
  
  
For i = lBound(strValue) to uBound(strValue) 
    StdOut.WriteLine  strValue(i) 
Next 

Source

Reurns an error.

Quote

byte[] data = new byte[] { 0x43, 0x00, 0x61....}
Microsoft.Win32.Registry.SetValue("HKEY_CURRENT_USER\\SOFTWARE\\APPNAME\\Printercheck", "DefaultDevMode", data, Microsoft.Win32.RegistryValueKind.Binary);

Source

Nothing

Quote

Const HKEY_CLASSES_ROOT  = &H80000000
Const HKEY_CURRENT_USER  = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS         = &H80000003

strComputer = "."
Set StdOut = WScript.StdOut
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WPAEvents"
strValueName = "OOBETimer"

oReg.GetBinaryValue HKEY_CURRENT_USER,strKeyPath,strValueName,arrValue
strInfo=""
for i=0 to ubound(arrValue)
    if arrValue(i)<>0 then strInfo=strInfo & chr(arrValue(i))
next
wscript.echo strInfo

Source

Error again.

Any Ideas?

 

the Path I'm trying to read is SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WPAEvents

Binary detail withing key OOBETimer

 

Edited February 22, 2020 by shorterxp

[jaclaz]

The OOBEtimer key contains binary values, nothing that you can ever trasform into a "comprehensible string", unless - by sheer luck - those values are in the ASCII range of printable characters AND they are readable.

Have a look at the value in Regedit, example:

 

I don't think that "ÿÕqÖ‹joÕ3“ý" means anything.

jaclaz

Edited February 22, 2020 by jaclaz

[shorterxp]

Good spot . So is this a unique instance where binary can't be read and deliberately encoded to be such, right?

That examples to read binary exist suggests binary values can be read usually.

Edited February 22, 2020 by shorterxp

[jaclaz]

No, it is not at all "unique"

Binary (actually hex) is a representation of values.

What is used is bytes, that can have values between 0 and 255 or - in hex - 00 to FF.

Bytes can be grouped in words (2 bytes or 16 bit values), long words (4 bytes or 32 bit values), quad words (8 bytes or 64 bit values) when they represent a number.

Otherwise they are taken as single bytes.

A subset of bytes value, 0 to 127 (or 00 to 7F or 7-bit values) are used to represent most common letters, numbers and symbols (and non printable "control codes"), according to ASCII:

http://www.asciitable.com/

and values 128 to 255 (or 80 to FF or 8-bit values) represent "extended ASCII" i.e. additional letters and symbols.

Then there is Unicode that uses a two bytes encoding:

http://www.unicodetables.com/

(but the first 128 characters are anyway the same as ASCII)

 

In the Registry the "binary" type of data corresponds to *any* number of hex bytes.

 

These hex bytes may represent text or numeric values or *something else*.

Only text represented as bytes can be read/translated back to text.

As an example, check your HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

You will find there ALL and ONLY Reg_Binary keys.

If you click on some of them, you will see how some of them (those corresponding to USB sticks or more generally removable devices, i.e. those beginning with 5C 00 3F 00 or 5F 00 3F 00) will be long and "human readable" in the pop-up modify value window, whilst those corresponding to partitions/volumes on internal hard disks will be shorter and (unless by sheer coincidence) not readable.

 

This is simply because the former are text strings (encoded in Unicode) whilst the latter represent different data, namely the first four bytes are the Disk Signature and the other 8 bytes are a Quad Word with the offset in sectors to the volume beginning (in practice last three or four bytes will almost always be 00).

jaclaz

[alacran]

I know this is not a vsbscript but this little utility has been very useful to me.

Old Timer’s ConvertIt is a simple to use tool that will convert single and multiple hex strings to ASCII text and also the reverse of creating hex values from ASCII text. It supports both the old Windows 9x version 4 and the modern version 5 registry .reg files. Paste in the hex (everything after the colon in the .reg file) or text value, select the conversion method and click the button. The result is clean and stripped of erroneous characters. Hex(2) is for a single line value, Hex(7) is a multiple line value. OTConverIt is only 174KB in size and portable.

http://www.geekstogo.com/forum/files/file/404-otconvertit/

alacran

Edited February 24, 2020 by alacran