How can I specify REG_EXPAND_SZ entries in a .REG file?

9

2

I'm trying to use a batch script and a .REG file to set up some custom services. Most of the keys are being set up properly, but I need to set the DependOnService key for some of the services, which is normally a multi-string. Is it possible to set this key from a .REG file, or will manual entry be required?

MBraedley

Posted 2011-03-01T14:14:20.677

Reputation: 2 712

Answers

12

REG_MULTI_SZ data in .REG files must be encoded in hexadecimal. If the content never changes you can create a dummy item in your registry with the data, export it, and adjust that to your needs.

If it does change, it will probably be far easier to use the reg command included with Windows to add it. To do so, call reg in this format:

reg add <KEY> /v <NAME> /t REG_MULTI_SZ /d <DATA> /s <SEPARATOR>

The separator switch is optional. If not used, the strings to be written should be separated by the escape sequence for the null character (\0). For instance, to add an item named Flair to HKEY_LOCAL_MACHINE\SOFTWARE\WhizBang\Excite-O-Rama with the strings foo, bar, and baz you would run:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\WhizBang\Excite-O-Rama /v Flair /t REG_MULTI_SZ /d foo\0bar\0baz

To separate the data with commas instead, you would run:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\WhizBang\Excite-O-Rama /v Flair /t REG_MULTI_SZ /d foo,bar,baz /s ,

For more information, consult Microsoft's documentation of the reg command.

Patches

Posted 2011-03-01T14:14:20.677

Reputation: 14 078

4 Great answer (using a .bat file with reg command instead of a .reg file), but why does it speak about REG_MULTI_SZ when the question is about REG_EXPAND_SZ? – Norswap – 2013-08-25T08:28:35.807

0

DWORD = dword:
Expandable String = hex(2):
Multi String = hex(7):

A DWORD is a 32-bit unsigned integer (range: 0 through 4294967295 decimal). In the registry, a DWORD always begins with 0x. In the registry, DWORDS always have 8 digits that follow 0x. This can be in decimal or hexadecimal format; 1000 can be written as: 0x00001000 or 0x000003e8.

DWORDS can only make use of the digits 0-9. Strings, any kind, always use ASCII; in ASCII 1000 can only be written as 31,30,30,30. For the String data type, ASCII works in the background without you even knowing. It has to because the computer only understands 1s and 0s. For Expandable String and Multi String data types, these save your entries as a series of ASCII codes in a hexadecimal format, separated by commas and hex zeroes. So, an Expandable String of 1000 would be: hex(2):31,00,30,00,30,00,30,00

So let's convert %PROGRAMFILES% into an expandable string. First, download this: https://hotfile.com/dl/244097278/55aa086/ASCII_2_HEX_Conversion_Tool.7z.html

Now open that in any modern browser. Put %PROGRAMFILES% into the ASCII box, and select encode it. It will give you:

%25%50%52%4F%47%52%41%4D%46%49%4C%45%53%25

Copy paste that into a text editor, move the first % to the end. Select the replace command, find all "%" and replace with ",00,". Remove the comma at the very end. You should get:

25,00,50,00,52,00,4F,00,47,00,52,00,41,00,4D,00,46,00,49,00,4C,00,45,00,53,00,25,00

And finally:

hex(2):25,00,50,00,52,00,4F,00,47,00,52,00,41,00,4D,00,46,00,49,00,4C,00,45,00,53,00,25,00

Done.

Have you ever tried to convert a curious hex registry entry into ASCII and failed miserably? This lesson contains all the knowledge required to reverse engineer any hex coded registry entry that is not encrypted. Have Fun!

DarkReverser

Posted 2011-03-01T14:14:20.677

Reputation: 83

1 The hotfile link is just a 7z archive with a html page (that contains the converter) stored inside. Why not just link to the web page itself? – John Bensin – 2013-09-08T21:35:04.933

1 To avoid link rot please post all relevant information in your answer. For more information on how to answer questions please see [answer] – 50-3 – 2013-09-08T21:49:54.373
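
The hex(2)/hex(7) conversion discussed in the answers above, as an added example that is not part of the original posts: Python functions that build these values for a .REG file and decode them again when reviewing an export. It assumes the "Windows Registry Editor Version 5.00" layout, in which the data is UTF-16LE and regedit's exports include the terminating nulls; the function names and the sample service names are made up for illustration.

```python
# Added example (not from the page). Assumes "Windows Registry Editor Version 5.00"
# .REG files: hex(2)/hex(7) data is UTF-16LE, and regedit exports include the nulls.

def _to_hex(raw):
    return ",".join(f"{b:02x}" for b in raw)

def encode_expand_sz(text):
    """REG_EXPAND_SZ: one UTF-16LE string followed by a 2-byte null terminator."""
    if "\0" in text:
        raise ValueError("value must not contain NUL")
    return "hex(2):" + _to_hex((text + "\0").encode("utf-16-le"))

def encode_multi_sz(items):
    """REG_MULTI_SZ: every string null-terminated, then one extra null at the end."""
    if any(s == "" or "\0" in s for s in items):
        raise ValueError("entries must be non-empty and contain no NUL")
    joined = "".join(s + "\0" for s in items) + "\0"
    return "hex(7):" + _to_hex(joined.encode("utf-16-le"))

def decode_reg_hex(value):
    """Decode a hex(2) value to str or a hex(7) value to a list of str."""
    prefix, _, data = value.partition(":")
    prefix = prefix.strip().lower()
    if prefix not in ("hex(2)", "hex(7)"):
        raise ValueError(f"unsupported type prefix: {prefix!r}")
    # regedit wraps long values with a trailing backslash and indented next line
    cleaned = "".join(data.replace("\\", "").split())
    raw = bytes(int(tok, 16) for tok in cleaned.split(",") if tok)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE data")
    text = raw.decode("utf-16-le")
    if prefix == "hex(2)":
        return text.split("\0", 1)[0]          # stop at the terminator, if present
    return [s for s in text.split("\0") if s]  # drop the terminators

def reg_line(name, encoded):
    """Format one value line as it appears under a [key] header in a .REG file."""
    return f'"{name}"={encoded}'

if __name__ == "__main__":
    # Constructed sample values for illustration
    print(reg_line("InstallDir", encode_expand_sz("%PROGRAMFILES%")))
    print(reg_line("DependOnService", encode_multi_sz(["RpcSs", "Tcpip"])))
```

The decoder also accepts values written without the trailing nulls, so it can be used to read hand-built entries as well as regedit exports.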