How to read hexadecimal (binary) data from registry


Ahankhah

Hi All,

 

As most of you know, (vl-registry-read) is a good function to get data out of the Windows registry.

It works nicely for string and decimal number data, but does not work correctly for hexadecimal (or binary) data.

 

For example, if you issue this:

 

(vl-registry-read "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs" "MRUListEx")

 

You will find '(3) or something similar as the result, but the data exported by the Windows "REGEDIT" command on my PC is as seen below:

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]


 

How is it possible to get hexadecimal (binary) data from the registry?

 

(In the following step, I guess I can convert binary data to strings.)

 

Any help, clues or suggestions are greatly appreciated.

Link to comment
Share on other sites

  • 1 year later...

The result I found to get the value of reg_binary is "wscript.shell".

I tried to manipulate it in AutoCAD, but the result is an error.

 

(vlax-invoke (vlax-create-object "WScript.Shell") 'regread "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security\\Sources\\")

 

result

WshShell.RegRead: Invalid root in registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\Sources\".

Link to comment
Share on other sites

First, what Windows are you using? Some registry keys have been renamed, and in some cases you're not allowed to read some keys. E.g. I can't find the EventLog security sources on my Win7-Pro 64 unless I'm using an administrator account.

Also the RegRead from the WScript does not return a path's keys. You'll need to return a specific key. E.g. from the OP's path, in my Windows that "folder" contains subfolders as well as keys numbered from 0 through to 149. E.g.

Command: (setq ws (vlax-create-object "WScript.Shell") )
#<VLA-OBJECT IWshShell3 000000000055c260>
Command: (vlax-invoke ws 'RegRead "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\0")
(83 0 97 0 109 0 112 0 108 0 101 0 32 0 66 0 111 0 97 0 114 0 100 0 115 0 0 0 112 0 50 0 0 0 0 0 0 0 0 0 0 0 83 97 109 112 108 101 32 66 111 97 114 100 115 46 108 110 107 0 80 0 8 0 4 0 239 190 0 0 0 0 0 0 0 0 42 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 83 0 97 0 109 0 112 0 108 0 101 0 32 0 66 0 111 0 97 0 114 0 100 0 115 0 46 0 108 0 110 0 107 0 0 0 32 0 0 0)

 

And to save yourself some issue in the future, remember to keep a variable pointing to the object generated by that vlax-create-object function, so you can vlax-release-object later. These ActiveX objects don't get garbage collected like normal Lisp variables do, so they could end up causing RAM leakage and/or crashes. If you don't keep track of them, there's no way for you to clear them later.

Link to comment
Share on other sites
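
As an added example (not part of any post in this thread): the list of byte values that RegRead returns for a REG_BINARY value, as in the output above, can be decoded in AutoLISP. The `ex:` function names are hypothetical; the block wraps the read with error handling and vlax-release-object, groups MRUListEx bytes into 32-bit little-endian integers, and decodes the UTF-16LE name at the start of a RecentDocs entry.

```lisp
;; Added example, not from the thread; the ex: names are hypothetical.
;; Read one registry value via WScript.Shell and always release the COM
;; object. Returns nil when RegRead raises an error.
(defun ex:reg-read (path / ws res)
  (vl-load-com)
  (if (setq ws (vlax-create-object "WScript.Shell"))
    (progn
      (setq res (vl-catch-all-apply 'vlax-invoke (list ws 'RegRead path)))
      (vlax-release-object ws)
      (if (vl-catch-all-error-p res) nil res))))

;; RegRead hands back REG_BINARY as a flat list of byte values (0-255).
;; Group the bytes into little-endian 32-bit integers and stop at the
;; FF FF FF FF marker that ends MRUListEx.
(defun ex:bytes->dwords (bytes / out)
  (while (and (cdddr bytes) ; at least four bytes left
              (not (equal (list (car bytes) (cadr bytes)
                                (caddr bytes) (cadddr bytes))
                          '(255 255 255 255))))
    (setq out   (cons (logior (car bytes)
                              (lsh (cadr bytes) 8)
                              (lsh (caddr bytes) 16)
                              (lsh (cadddr bytes) 24))
                      out)
          bytes (cddddr bytes)))
  (reverse out))

;; Decode the UTF-16LE name at the start of a RecentDocs entry, up to the
;; first 00 00 pair. Characters outside one byte become "?" (code 63).
(defun ex:utf16le->string (bytes / out)
  (while (and (cdr bytes)
              (not (and (zerop (car bytes)) (zerop (cadr bytes)))))
    (setq out   (cons (if (zerop (cadr bytes)) (car bytes) 63) out)
          bytes (cddr bytes)))
  (vl-list->string (reverse out)))

;; Constructed sample in the MRUListEx layout: three 32-bit entries
;; followed by the terminator.
(setq mru (ex:bytes->dwords '(116 0 0 0 144 0 0 0 56 0 0 0 255 255 255 255)))
;; First bytes of the RecentDocs\0 value from the RegRead output above.
(setq fname (ex:utf16le->string
              '(83 0 97 0 109 0 112 0 108 0 101 0 32 0 66 0 111 0 97 0
                114 0 100 0 115 0 0 0 112 0 50 0)))
```

To decode a live value, pass the result of `(ex:reg-read "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\MRUListEx")` to `ex:bytes->dwords`, checking for nil first.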


Irneb, I'm using Windows 7 - Premium 64

In my case, the specified key is in the registry.

 

Command: (setq ws (vlax-create-object "WScript.Shell") )
#<VLA-OBJECT IWshShell3 000000000055c260>
Command: (vlax-invoke ws 'RegRead "HKLM\\SYSTEM\\MountedDevices\\DosDevices\\C:")
WshShell.RegRead: Invalid root in registry key "HKLM\SYSTEM\MountedDevices\DosDevices\C:".

Maybe the key I specified is a case that is not allowed to be read.

Link to comment
Share on other sites

Reading registry keys from the HKLM hive may require administrator privileges, or may not be available through Scripting for security reasons.

Link to comment
Share on other sites

Yep, if at all possible try to stick with HKCU instead. That usually gives the least trouble as most of them are supposed to be user settings and should thus be (at least) readable by the user's security level.

 

The HKLM is not always unavailable, but chances are that lots of those are set to System security level. Therefore you need admin rights to even see them. And most (if not all) companies disallow admin user rights on their PCs to try stopping viruses and such. If the key is only available in HKLM, then try to use something else to get similar data - e.g. if you want to find the drives connected to the PC, perhaps try the FileSystem object's Drives property: http://msdn.microsoft.com/en-us/library/aa242690%28v=VS.60%29.aspx

Link to comment
Share on other sites

Command: (setq sfso (vlax-create-object "Scripting.FileSystemObject"))
#<VLA-OBJECT IFileSystem3 0000000000483270>
Command: (vlax-dump-object (vlax-invoke sfso 'getdrive "H:\\") T)
; IDrive: Drive Interface
; Property values:
;   AvailableSpace (RO) = 4.14759e+009
;   DriveLetter (RO) = "H"
;   DriveType (RO) = 1
;   FileSystem (RO) = "FAT32"
;   FreeSpace (RO) = 4.14759e+009
;   IsReady (RO) = -1
;   Path (RO) = "H:"
;   RootFolder (RO) = #<VLA-OBJECT IFolder 00000000004822d8>
;   SerialNumber (RO) = -1131567886
;   ShareName (RO) = ""
;   TotalSize (RO) = 8.09918e+009
;   VolumeName = "LANLOY 8GB"
; No methods
T

Now I'm relieved!!

"Wscript.Shell" and "Scripting.FileSystemObject" are the main event of this thread

Especially to both (Irneb and Lee Mac) of you guys.. Thanks a lot.

:roll:

Link to comment
Share on other sites
