Jump to content

vbscript to read / vconvert binary from registry?

Recommended Posts

I have tried numerous examples from the web and none have worked, paying close attention to syntax. The closest I got was that seen below:


The problem is that REG_BINARY returns A VBArray of Integers
So you need VBS to read it.

Here an example (store it with extension *.vbs ):

Dim WshShell, bKey
Set WshShell = WScript.CreateObject("WScript.Shell")
bKey = WshShell.RegRead("HKCU\Control Panel\Desktop\UserPreferencesMask")
'WScript.Echo WshShell.RegRead("HKCU\Control Panel\Desktop\UserPreferencesMask")
Dim bVal
Dim i
For i = 0 To Ubound(bKey)
  bVal = bVal + Hex(bKey(i))
WScript.Echo bVal


This works but result is still Binary message box, (as opposed to a comprehensible string, contary to what the author of this snippet implied)

example 2


Const HKEY_LOCAL_MACHINE = &H80000002 
strComputer = "." 
Set StdOut = WScript.StdOut 
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _  
    strComputer & "\root\default:StdRegProv") 
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion" 
strValueName = "LicenseInfo" 
oReg.GetBinaryValue HKEY_LOCAL_MACHINE,strKeyPath, _ 
For i = lBound(strValue) to uBound(strValue) 
    StdOut.WriteLine  strValue(i) 


Reurns an error.


byte[] data = new byte[] { 0x43, 0x00, 0x61....}
Microsoft.Win32.Registry.SetValue("HKEY_CURRENT_USER\\SOFTWARE\\APPNAME\\Printercheck", "DefaultDevMode", data, Microsoft.Win32.RegistryValueKind.Binary);




Const HKEY_CLASSES_ROOT  = &H80000000
Const HKEY_CURRENT_USER  = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS         = &H80000003

strComputer = "."
Set StdOut = WScript.StdOut
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WPAEvents"
strValueName = "OOBETimer"

oReg.GetBinaryValue HKEY_CURRENT_USER,strKeyPath,strValueName,arrValue
for i=0 to ubound(arrValue)
    if arrValue(i)<>0 then strInfo=strInfo & chr(arrValue(i))
wscript.echo strInfo


Error again.

Any Ideas?


the Path I'm trying to read is SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WPAEvents

Binary detail withing key OOBETimer


Edited by shorterxp
Link to comment
Share on other sites

The OOBEtimer key contains binary values, nothing that you can ever trasform into a "comprehensible string", unless - by sheer luck - those values are in the ASCII range of printable characters AND they are readable.

Have a look at the value in Regedit, example:



I don't think that "ÿÕqÖ‹joÕ3“ý" means anything.


Edited by jaclaz
Link to comment
Share on other sites

Good spot . So is this a unique instance where binary can't be read and deliberately encoded to be such, right?

That examples to read binary exist suggests binary values can be read usually.

Edited by shorterxp
Link to comment
Share on other sites

No, it is not at all "unique"

Binary (actually hex) is a representation of values.

What is used is bytes, that can have values between 0 and 255 or - in hex - 00 to FF.

Bytes can be grouped in words (2 bytes or 16 bit values), long words (4 bytes or 32 bit values), quad words (8 bytes or 64 bit values) when they represent a number.

Otherwise they are taken as single bytes.

A subset of bytes value, 0 to 127 (or 00 to 7F or 7-bit values) are used to represent most common letters, numbers and symbols (and non printable "control codes"), according to ASCII:


and values 128 to 255 (or 80 to FF or 8-bit values) represent "extended ASCII" i.e. additional letters and symbols.

Then there is Unicode that uses a two bytes encoding:


(but the first 128 characters are anyway the same as ASCII)


In the Registry the "binary" type of data corresponds to *any* number of hex bytes.


These hex bytes may represent text or numeric values or *something else*.

Only text represented as bytes can be read/translated back to text.

As an example, check your HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

You will find there ALL and ONLY Reg_Binary keys.

If you click on some of them, you will see how some of them (those corresponding to USB sticks or more generally removable devices, i.e. those beginning with 5C 00 3F 00 or 5F 00 3F 00) will be long and "human readable" in the pop-up modify value window, whilst those corresponding to partitions/volumes on internal hard disks will be shorter and (unless by sheer coincidence) not readable.


This is simply because the former are text strings (encoded in Unicode) whilst the latter represent different data, namely the first four bytes are the Disk Signature and the other 8 bytes are a Quad Word with the offset in sectors to the volume beginning (in practice last three or four bytes will almost always be 00).


Link to comment
Share on other sites

I know this is not a vsbscript but this little utility has been very useful to me.

Old Timer’s ConvertIt is a simple to use tool that will convert single and multiple hex strings to ASCII text and also the reverse of creating hex values from ASCII text. It supports both the old Windows 9x version 4 and the modern version 5 registry .reg files. Paste in the hex (everything after the colon in the .reg file) or text value, select the conversion method and click the button. The result is clean and stripped of erroneous characters. Hex(2) is for a single line value, Hex(7) is a multiple line value. OTConverIt is only 174KB in size and portable.



Edited by alacran
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Create New...