0

HKU

reg query \\<host>\HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run /s

Example:

for /f "delims=\ tokens=2,*" %t in ('reg query HKU') do reg query HKU\%t\Software\Microsoft\Windows\CurrentVersion\Run /s

HKLM

reg query \\<host>\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /s

Example:

FOR /F %i in (hosts.txt) DO @echo [+] %i && 
@reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /s 2>NUL > output.txt && 
FOR /F %n in (strings.txt) DO @type output.txt | findstr %n > NUL && 
echo [!] %n was found on %i!

Here are some examples that we have come up with at the office, but we are trying to figure out how to add in a psexec command to allow us to query remote computers on the network.

So it would read the hosts from the hosts.txt file along with the strings from the strings.txt and possibly add in a variable to change out the different registry keys. Then output it all into one text file.

Do you think this is too much to try in a batch file? What about a PowerShell script? Thanks

4

2 Answers

1

To query a remote registry key with PowerShell, use OpenRemoteBaseKey:

[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'computer-name')

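The first parameter is the hive name; a list of them can be found here. The second is the name of the computer to connect to.

This returns a Microsoft.Win32.RegistryKey object, which you can use to list subkeys and read their values.

Here is an example of reading the values of the Run key: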

$path = "Software\Microsoft\Windows\CurrentVersion\Run"
$key = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'computer-name')
$subkey = $key.OpenSubKey($path)
$subkey.GetValueNames() | ForEach-Object {
    '{0} : {1}' -f $_, $subkey.GetValue($_)
}
Answered 2013-05-26T05:53:16.883
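
The OpenRemoteBaseKey approach above extended to the sweep the question describes, as an added example that is not part of the original answer: it reads hosts.txt and strings.txt (the file names from the question), checks Run and RunOnce under HKLM and under every loaded user hive in HKU, and writes one CSV for autorun auditing. The RunOnce path, the output name autorun-sweep.csv, and the helper name Read-KeyValues are assumptions.

```powershell
# Added example. hosts.txt / strings.txt come from the question; the output
# file name and the Read-KeyValues helper are assumptions.
$hosts    = Get-Content .\hosts.txt   | Where-Object { $_.Trim() }
$patterns = Get-Content .\strings.txt | Where-Object { $_.Trim() }
$subPaths = 'Software\Microsoft\Windows\CurrentVersion\Run',
            'Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Read-KeyValues($Root, $Path) {
    $key = $Root.OpenSubKey($Path)
    if ($null -eq $key) { return }           # key absent on this host or profile
    try {
        foreach ($name in $key.GetValueNames()) {
            # Keep %VARS% unexpanded: they would be expanded with the local
            # machine's environment, not the remote one.
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{ Name = $name; Data = [string]$data }
        }
    } finally { $key.Close() }
}

$results = foreach ($h in $hosts) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $h)
        $hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $h)
    } catch {
        # Record unreachable hosts instead of silently skipping them
        [pscustomobject]@{ Host = $h; Key = ''; Name = ''; Data = ''; Match = ''
                           Error = $_.Exception.Message }
        continue
    }
    $targets = @(
        foreach ($p in $subPaths) { [pscustomobject]@{ Root = $hklm; Hive = 'HKLM'; Path = $p } }
        foreach ($sid in ($hku.GetSubKeyNames() -notlike '*_Classes')) {
            foreach ($p in $subPaths) { [pscustomobject]@{ Root = $hku; Hive = 'HKU'; Path = "$sid\$p" } }
        }
    )
    foreach ($t in $targets) {
        foreach ($v in Read-KeyValues $t.Root $t.Path) {
            # Case-insensitive literal match of each string against name and data
            $hits = $patterns | Where-Object {
                "$($v.Name) $($v.Data)".IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
            }
            [pscustomobject]@{ Host = $h; Key = "$($t.Hive)\$($t.Path)"; Name = $v.Name
                               Data = $v.Data; Match = ($hits -join ','); Error = '' }
        }
    }
    $hklm.Close(); $hku.Close()
}
$results | Export-Csv -NoTypeInformation -Path .\autorun-sweep.csv
```

The targets need the Remote Registry service running and the caller needs administrative rights on them; HKU only contains hives for profiles that are currently loaded, so logged-off users' Run keys are not covered.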
0

You can also try the PSRemoteRegistry module:

 Get-RegValue -Hive LocalMachine -Key Software\Microsoft\Windows\CurrentVersion\Run -ComputerName server1
Answered 2013-05-26T10:59:29.760