-
Apr 18th, 2008, 04:12 PM
#1
Thread Starter
PowerPoster
Deleting Registry Keys
Hey guys, I am using this code to search for registry keys that certain spyware makes.
VB Code:
Option Explicit

Private Type FILETIME
    intLow As Long
    intHigh As Long
End Type

Private Declare Function RegOpenKeyEx Lib "advapi32.dll" _
    Alias "RegOpenKeyExA" _
    (ByVal hKey As Long, _
    ByVal lpSubKey As String, _
    ByVal ulOptions As Long, _
    ByVal samDesired As Long, phkResult As Long) As Long

Private Declare Function RegEnumKeyEx Lib "advapi32.dll" _
    Alias "RegEnumKeyExA" _
    (ByVal hKey As Long, _
    ByVal dwIndex As Long, _
    ByVal lpName As String, _
    lpcbName As Long, _
    ByVal lpReserved As Long, _
    ByVal lpClass As String, _
    lpcbClass As Long, _
    lpftLastWriteTime As FILETIME) As Long

Private Declare Function RegCloseKey Lib "advapi32.dll" _
    (ByVal hKey As Long) As Long

Const HKEY_CLASSES_ROOT = &H80000000
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS = &H80000003
Const ERROR_SUCCESS = 0&
Const SYNCHRONIZE = &H100000
Const STANDARD_RIGHTS_READ = &H20000
Const KEY_QUERY_VALUE = &H1
Const KEY_ENUMERATE_SUB_KEYS = &H8
Const KEY_NOTIFY = &H10
Const KEY_READ = ((STANDARD_RIGHTS_READ Or _
    KEY_QUERY_VALUE Or _
    KEY_ENUMERATE_SUB_KEYS Or _
    KEY_NOTIFY) And _
    (Not SYNCHRONIZE))

' Root hive handle selected in Combo1 (a Long, despite the str prefix)
Dim strBranch As Long

Private Sub Combo1_Click()
    ' Set the branch to search depending on
    ' what is selected in the ComboBox
    Select Case Combo1.ListIndex
        Case 0
            strBranch = HKEY_CLASSES_ROOT
        Case 1
            strBranch = HKEY_CURRENT_USER
        Case 2
            strBranch = HKEY_LOCAL_MACHINE
        Case Else
            strBranch = HKEY_USERS
    End Select
End Sub

Private Sub startscanregbutton_Click()
    Dim i As Integer
    Dim lngKeyHandle As Long
    Dim lngResult As Long
    Dim lngCurIdx As Long
    Dim strValue As String
    Dim lngValueLen As Long
    Dim strClass As String
    Dim lngClassLen As Long
    Dim strResult As String
    Dim lngTime As FILETIME
    Dim strSearch As String
    Dim intSearchLen As Integer
    Dim blnMatch As Boolean

    i = 0
    ' Clear the current results
    listreg.Clear
    ' Assign the new string to search for
    strSearch = Text1.Text
    intSearchLen = Len(strSearch)
    ' Open the Root Branch to search (read-only access is enough to enumerate)
    lngResult = RegOpenKeyEx(strBranch, _
        "", _
        0&, _
        KEY_READ, _
        lngKeyHandle)
    If lngResult <> ERROR_SUCCESS Then
        MsgBox "Cannot open key.", , "Search Registry Keys"
    Else
        ' If the Root branch can be opened, disable
        ' the buttons and begin the search
        startscanregbutton.Enabled = False
        ' Command2.Enabled = False
        listreg.Enabled = False
        Reg.MousePointer = 11
        lngCurIdx = 0
        Do
            lngValueLen = 2000
            strValue = String(lngValueLen, 0)
            lngClassLen = 2000
            strClass = String(lngClassLen, 0)
            ' Enumerate all the sub keys (only the top level under the hive)
            lngResult = RegEnumKeyEx(lngKeyHandle, _
                lngCurIdx, _
                ByVal strValue, _
                lngValueLen, _
                0&, _
                ByVal strClass, _
                lngClassLen, _
                lngTime)
            ' Increment the index of found keys
            lngCurIdx = lngCurIdx + 1
            If lngResult = ERROR_SUCCESS Then
                ' Trim the current key to its actual length
                strResult = Left(strValue, lngValueLen)
                ' Eliminate case if the search is insensitive
                blnMatch = False
                strValue = strResult
                If Check1.Value = 0 Then
                    strResult = LCase(strResult)
                    strSearch = LCase(strSearch)
                End If
                ' Compare strings based upon search type
                Select Case Combo2.ListIndex
                    Case 0
                        ' Check if any portion of the search string is found.
                        If InStr(strResult, strSearch) Then blnMatch = True
                    Case 1
                        ' Check if an exact match is found.
                        If strResult = strSearch Then blnMatch = True
                    Case 2
                        ' Check if the search string matches the
                        ' left portion of the key string.
                        If Left(strResult, intSearchLen) = strSearch Then blnMatch = True
                    Case Else
                        ' Check if the search string matches the
                        ' right portion of the key string.
                        If Right(strResult, intSearchLen) = strSearch Then blnMatch = True
                End Select
                ' Populate the list with keys that match
                ' the search criteria
                If blnMatch Then
                    i = i + 1
                    listreg.AddItem strValue
                End If
            End If
        ' Keep looking for more keys
        Loop While lngResult = ERROR_SUCCESS
        ' Close the Root Branch
        lngResult = RegCloseKey(lngKeyHandle)
        ' Enable the buttons
        Reg.MousePointer = 0
        listreg.Enabled = True
        startscanregbutton.Enabled = True
        ' Command2.Enabled = True
        ' Display the total matches
        MsgBox "Total matches:" & Str(i), , "Search Registry Keys"
    End If
End Sub

Private Sub Form_Load()
    SearchReglbl.Caption = "Search Mode:"
    Currentreglbl.Caption = "Find What:"
    Combo1.AddItem "HKEY_CLASSES_ROOT"
    Combo1.AddItem "HKEY_CURRENT_USER"
    Combo1.AddItem "HKEY_LOCAL_MACHINE"
    Combo1.AddItem "HKEY_USERS"
    Combo1.ListIndex = 0
    Combo1.TabIndex = 0
    Combo2.AddItem "Portion"
    Combo2.AddItem "All"
    Combo2.AddItem "Left"
    Combo2.AddItem "Right"
    Combo2.ListIndex = 0
    Combo2.TabIndex = 1
    Text1.Text = ""
    Text1.TabIndex = 2
    Check1.Caption = "Match Case"
    Check1.Move 4680, 1320, 1275, 255
    Check1.TabIndex = 5
    listreg.TabIndex = 6
End Sub

Private Sub Image2_Click()
    Unload Me
End Sub

Private Sub Image3_Click()
End Sub
Now, I got that code off of a Microsoft site, and changed some of it around. But I was wondering, if the program did find a match, how do I delete a registry key if it is in text1.text?
Thanks
Or perhaps I am using the wrong thing to search for. According to a virus list, certain viruses or spyware will put a "mutex" like this {BD96C556-65A3-11D0-983A-00C04FC29E36}
in the system registry.
I would like to search for such things and delete them if there is a match.
Last edited by Justin M; Apr 18th, 2008 at 04:16 PM.
-
Apr 18th, 2008, 04:23 PM
#2
Fanatic Member
Re: Deleting Registry Keys
Code:
Private Sub DeleteKey(Value As String)
Dim b As Object
On Error Resume Next
Set b = CreateObject("Wscript.Shell")
b.RegDelete Value
End Sub
Private Sub cmdDeleteKey()
Call DeleteKey("FullPathOfValueHere")
End Sub
-
Apr 18th, 2008, 04:33 PM
#3
Thread Starter
PowerPoster
Re: Deleting Registry Keys
So that can delete stuff like BD96C556-65A3-11D0-983A-00C04FC29E36?
-
Apr 18th, 2008, 04:36 PM
#4
Fanatic Member
Re: Deleting Registry Keys
-
Apr 18th, 2008, 07:09 PM
#5
Thread Starter
PowerPoster
Re: Deleting Registry Keys
Hmm I also found there are these types of keys.
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"
But I am unsure how to enter them into Text1.Text so the program code I posted can see if there is a match between Text1 and the registry.
-
Apr 18th, 2008, 07:12 PM
#6
Fanatic Member
Re: Deleting Registry Keys
I don't get what your question is. I thought you wanted to delete. I'm confused about what you are trying to do now.
Code:
Private Sub DeleteKey(Value As String)
Dim b As Object
On Error Resume Next
Set b = CreateObject("Wscript.Shell")
b.RegDelete Value
End Sub
Private Sub cmdDeleteKey()
Call DeleteKey("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kava")
End Sub
There is an example for you.
-
Apr 18th, 2008, 07:19 PM
#7
Thread Starter
PowerPoster
Re: Deleting Registry Keys
Thank you, I was just about to ask that too.
So yes, it will delete that first registry line, but how would it delete the rest?
i.e.:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0" and so on.
-
Apr 18th, 2008, 10:17 PM
#8
Re: Deleting Registry Keys
Justin: Take care here. Messing about with the Registry is not something to take lightly. A small typing mistake or problem with, for instance, a loop could render your system, or parts of it, unusable.
I strongly suggest that you take a backup of the Registry before deleting any keys. If you don't know how to back it up here's a description: http://support.microsoft.com/kb/322756
-
Apr 18th, 2008, 10:30 PM
#9
Thread Starter
PowerPoster
Re: Deleting Registry Keys
lol Doogle is scaring me. Would deleting virus or spyware keys damage my PC?
I can see how deleting the wrong key would be bad.
-
Apr 18th, 2008, 10:37 PM
#10
Re: Deleting Registry Keys
I didn't mean to scare you, just suggest you take care.
Deleting malicious keys is probably not going to be a problem, but I don't know enough about the technical details of malware, spyware, viruses etc. to be able to say whether some keys may be deleted without harm while others may have to be modified to different values rather than deleted.
From what I've seen many of these nasties create / modify multiple keys and the logic to determine what to delete / modify becomes complex.
I suspect you're going to have to do quite a lot of research in order to understand what you're going to have to do for each different type of nasty, then implement it in code. Not impossible, but it may be quite a hard slog.
EDIT: The other thing you're eventually going to have to worry about is how you're going to test your program. Yes, you can check if a particular key has been deleted or modified, but how will you know that it has actually removed the nasty, short of deliberately infecting your machine? (Then you have to worry about what to do if your program hasn't removed it.) At a minimum I'd use a dedicated machine, not connected to any network, that you are prepared to re-format / re-install from time to time if necessary, for your testing.
Last edited by Doogle; Apr 18th, 2008 at 10:49 PM.
-
Apr 19th, 2008, 02:24 AM
#11
Re: Deleting Registry Keys
Just a couple of thoughts.
Deleting the registry entries directly via code may not be the best way to go, as you cannot simply reverse the process. Yes, you need either a backup or to create a System Restore point before making a mistake.
For a "search and destroy" type application, a better way may be to have your app create and merge a ".reg" file and use this to delete the entries. That way you can just make minor changes to the file and merge it to undo changes. At least it will always be available to review.
Even if you don't use a ".reg" file, it may be wise to have your app store any changes in a log.
-
Apr 19th, 2008, 08:43 AM
#12
Fanatic Member
Re: Deleting Registry Keys
Ya, everyone who wrote stuff above is 100% right; if you mess up, you're basically screwed.
But as for your other question, if you've been around VB, you probably know what For loops or Do loops do. Use those to delete every entry.
-
Apr 19th, 2008, 05:26 PM
#13
Thread Starter
PowerPoster
Re: Deleting Registry Keys
OK, so for the instance where I want to delete this bit of registry info:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"
All I have to enter is this?
Private Sub cmdDeleteKey()
Call DeleteKey("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kava")
End Sub
So deleting the top line would delete the rest?
-
Apr 19th, 2008, 05:44 PM
#14
Fanatic Member
Re: Deleting Registry Keys
 Originally Posted by Justin M
So deleting the top line would delete the rest?
What do you mean?
-
Apr 19th, 2008, 06:40 PM
#15
Thread Starter
PowerPoster
Re: Deleting Registry Keys
Well you see how that
Private Sub cmdDeleteKey()
Call DeleteKey("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kava")
End Sub
would get rid of the line
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"
but would it get rid of
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"
because those are also keys the spyware makes.
would delete the line
-
Apr 19th, 2008, 06:47 PM
#16
Fanatic Member
Re: Deleting Registry Keys
Obviously not... I'm not sure, but it seems to me like you are new to programming?
You have to code your program to delete those.
Code:
Call DeleteKey("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kava")
Call DeleteKey("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue")
Call DeleteKey("HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden")
... etc.
You would go by that to delete them.
-
Apr 20th, 2008, 03:31 AM
#17
Re: Deleting Registry Keys
If you use WSH, you need to delete any subkeys that a key has first, i.e. you need to recurse the keys, deleting as you go. You'll get error messages otherwise.
You could use the API ShellDeleteSubKey to remove a key that contains subkeys and values, but make a mistake and you'll be using System Restore.
(2 more good reasons to use a reg file)
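The ".reg file plus a log" approach from posts #11 and #17, applied to the value listing from post #5, as an added example. This is not code from any poster; it is written in Python rather than the thread's VB6 so that the text handling can run anywhere. It parses the `[KEY]` / `"name" = "value"` listing format the thread uses, decides per value whether to delete it or set it back (post #10's point that some values must be modified rather than removed), and renders one .reg file to apply and one to undo, with a log line per change. Assumptions: the sample listing is constructed from the thread with the line-wrapped `Hidden\SHOWALL` path rejoined; the `KNOWN_GOOD` values are operator-supplied Windows defaults that the thread does not give; and value types are inferred from the text because the listing records none.

```python
"""Reversible registry clean-up via .reg files. Added example, not thread code:
parse the "[KEY]" / "name" = "value" listing the thread posts, decide per value
whether to delete it or put it back, and emit an apply .reg plus an undo .reg."""
import re
from datetime import datetime, timezone

# Constructed sample input: the entries from post #5, with the line-wrapped
# "Hidden\SHOWALL" path rejoined and "Policies" spelled as Windows spells it.
SAMPLE_LISTING = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"
'''

# Values to set back instead of delete (post #10). Assumption: these are the stock
# Windows defaults, supplied by the operator after checking a clean machine; the
# thread does not give them. Keyed by value name, which is unique in this sample.
# Anything not listed is deleted; for a policy value Windows then uses its default.
KNOWN_GOOD = {"CheckedValue": 1, "Hidden": 1, "ShowSuperHidden": 1}

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')
REG_HEADER = "Windows Registry Editor Version 5.00"

def expand_hive(key):
    """.reg files need full hive names: HKCU\\x -> HKEY_CURRENT_USER\\x."""
    hive, sep, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive) + sep + rest

def parse_listing(text):
    """Return [(full_key, value_name, raw_value)] from the listing format."""
    entries, current = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        key_match, value_match = KEY_RE.match(line), VALUE_RE.match(line)
        if key_match:
            current = expand_hive(key_match.group(1))
        elif value_match and current:
            entries.append((current, value_match.group(1), value_match.group(2)))
        else:
            raise ValueError(f"unrecognised listing line: {line!r}")
    return entries

def typed_value(raw):
    """The listing carries no types, so numeric text is taken as REG_DWORD; a tool
    reading the live registry should use the type winreg reports instead."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", raw):
        return int(raw, 16)
    return int(raw) if raw.isdigit() else raw

def reg_literal(value):
    """.reg syntax: int -> dword:XXXXXXXX, str -> REG_SZ with backslash and quote escaped."""
    if isinstance(value, int):
        return f"dword:{value:08x}"
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def plan(entries, known_good):
    """One step per entry: (action, key, name, new_value, old_value)."""
    return [("set", k, n, known_good[n], typed_value(r)) if n in known_good
            else ("delete", k, n, None, typed_value(r)) for k, n, r in entries]

def render_reg(lines_by_key):
    """One [KEY] section per key (repeated keys merge); CRLF as regedit writes it."""
    out = [REG_HEADER, ""]
    for key, lines in lines_by_key.items():
        out += [f"[{key}]"] + lines + [""]
    return "\r\n".join(out)

def build_reg_files(steps):
    """Return (apply_text, undo_text); '"name"=-' deletes a value on merge."""
    apply_by_key, undo_by_key = {}, {}
    for action, key, name, new, old in steps:
        line = f'"{name}"=-' if action == "delete" else f'"{name}"={reg_literal(new)}'
        apply_by_key.setdefault(key, []).append(line)
        # The undo file writes every value back exactly as it was found.
        undo_by_key.setdefault(key, []).append(f'"{name}"={reg_literal(old)}')
    return render_reg(apply_by_key), render_reg(undo_by_key)

def delete_key_reg(full_key):
    """'[-KEY]' removes a key and all its subkeys in one merge, so the recursion
    post #17 describes for WSH RegDelete is not needed with a .reg file."""
    return "\r\n".join([REG_HEADER, "", f"[-{full_key}]", ""])

def log_lines(steps, when=None):
    """Post #11's change log: one timestamped line per step with old and new values."""
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    return [f"{stamp} {action.upper()} {key}\\{name} old={old!r} new={new!r}"
            for action, key, name, new, old in steps]

if __name__ == "__main__":
    steps = plan(parse_listing(SAMPLE_LISTING), KNOWN_GOOD)
    apply_text, undo_text = build_reg_files(steps)
    print(apply_text, undo_text, "\n".join(log_lines(steps)), sep="\n")
```

Running the script prints the apply file, the undo file and the log. On the target machine the apply file is merged with regedit or `reg import`, and the undo file is kept beside the log so the change can be reversed by merging it back. Because the two `Explorer\Advanced` entries share a key, they end up under a single `[HKEY_CURRENT_USER\...\Advanced]` section in each file.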