Wild cards in registry .reg file?

martinlest

Hi. I want certain keys in the registry to be deleted automatically, if present, at every boot. So I made a very simple batch script to run an .reg file. The .reg file is:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_06A3&PID_075C]
[-HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_06A3&PID_5081]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\OEM\VID_06A3&PID_075C]

and the batch file to run it (with a shortcut in the Windows 7 startup folder) is:

Echo making Registry edits....
Echo .
regedit.exe /S "C:\Users\Martin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Batch Files\Scripts\X52.reg"

My question is this: I want all subkeys which begin VID_06A3 in the above locations to be deleted, whatever their name. Putting an asterisk doesn't work, nothing is deleted. Is it possible to have a wild card in an .reg file? Or a similarly simple way to achieve this?

Thanks.
 

Looks as if wild cards aren't accepted in reg files. The issue is that the PID values in the sub-keys may change over time. I suppose the easiest way is for me to monitor what appears and just add any new values to the .reg delete file as new sub-keys come up (if they do - so far I have only seen the ones I wrote in the script above, so I may be OK!).
 

A PID will not change while the process is running but will almost certainly change in the next session, or if the process terminates and is then restarted. There is no way to control this.

What are you trying to accomplish with this?
 

I don't know if this meets your needs but you can prevent changes to any registry key using MJRegWatcher.

Tested like this.

Set: Block changes to the following key

hkey_lmus\software\microsoft\windows nt\currentversion\image file execution options\

Then create a new "Test Key" (in image file execution options key) and see if it gets deleted.

Results:

Add Test Key Created (by me)

Test Key.jpg

The change is blocked:

MJRegWatcher Test Key.jpg

The key is quarantined:

MJRegWatcher Quarantine,jpg.jpg

I know that's not the same as deleting on boot but those keys would be deleted soon after boot.

So the idea is to delete the required sub keys here then block changes:

HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\
HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\OEM\

You need to know how to launch MJRegWatcher (Elevated) soon after boot. I've found that on my machine it needs to be launched delayed to give other security software a chance to load first.

Task Scheduler.jpg

EDIT:

Note that I use this application just to monitor important registry keys with the option to allow/ block changes when prompted rather than setting it to auto quarantine keys when found. I just experimented to see if it was possible to auto quarantine certain registry keys.
 

Hi. I want certain keys in the registry to be deleted automatically, if present, at every boot.

What are you trying to accomplish with this?

I would like to see LMiller7's question answered before I spend much time seeing if AutoIt will do this for you. If we knew more about why you need to do this, we might find a solution that prevents the keys from being a problem.

AutoIt supports Perl-Compatible Regular Expressions and can enumerate registry keys. Unfortunately, I'm not good with Regular Expressions syntax... but I'm pretty sure that I could sort this out using "string in string" searches. Such searches are less elegant than Regular Expressions, but are functional and easier to read/understand.
 

Looks as if wild cards aren't accepted in reg files.
Correct. Unfortunately there’s no wildcard specification for reg files. What you can do is use a batch file instead.

The Reg command allows you to do a wildcard key search: switches /f and /k.
E.g.
Code:
reg query "HKLM\SOFTWARE\somewhere" /f "search*string" /k

However, this will perform a non exact search (i.e., like *searchstring*), though you can always pipe to Findstr to refine your searches with regex.

If you are familiar with batch, Martinlest, it would become apparent that you can loop against the results of the command and delete the found keys.

Code:
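@echo off
rem Dry run: ECHO only prints each reg delete command. Remove ECHO to really delete.
rem /c: makes findstr match the whole phrase. Without it, each word is a separate
rem search string, so any key path containing "of" or "End" would be filtered out too.

for /f "delims=" %%I in ('
	reg query "HKLM\SOFTWARE\somewhere" /f "key*name" /k
') do (
	echo "%%~I"| findstr /v /c:"End of search:" >NUL && (
		ECHO reg delete "%%~I" /f
	)
)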
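
An added example, not part of any post in this thread: the same enumerate-and-delete loop in PowerShell, matching the subkey name by exact prefix instead of by substring. The parent keys and the VID_06A3 prefix are taken from the question; the function name Get-MatchingSubKey is made up for this example, and -WhatIf keeps it a dry run.

```powershell
# Added example (not from the thread). Works with the PowerShell 2.0 that ships with Windows 7.
# Parent keys and prefix are the ones given in the question.
$parents = @(
    'HKCU:\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput',
    'HKLM:\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\OEM'
)
$prefix = 'VID_06A3'

# Hypothetical helper: returns the immediate subkeys whose own name starts with $Prefix.
function Get-MatchingSubKey {
    param(
        [string[]]$ParentPath,
        [string]$Prefix
    )
    foreach ($parent in $ParentPath) {
        # "If present": a missing parent key is skipped instead of raising an error.
        if (-not (Test-Path -LiteralPath $parent)) { continue }

        # Get-ChildItem without -Recurse lists only direct subkeys, so nothing deeper
        # in the tree can match by accident. PSChildName is the last path component.
        Get-ChildItem -LiteralPath $parent | Where-Object {
            $_.PSChildName.StartsWith($Prefix, [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

$targets = @(Get-MatchingSubKey -ParentPath $parents -Prefix $prefix)

foreach ($key in $targets) {
    # -WhatIf prints what would be removed without touching the registry.
    # Remove -WhatIf once the list is what you expect.
    # Deleting under HKLM only succeeds from an elevated session.
    Remove-Item -LiteralPath $key.PSPath -Recurse -WhatIf
}

"{0} matching subkey(s) found." -f $targets.Count
```

It can be called from the existing startup batch file with `powershell -NoProfile -ExecutionPolicy Bypass -File` followed by the script path.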
 

Callender, does MJRegWatcher launch via a shortcut on the desktop and/or pinned to taskbar? And, I have to "load" stuff to protect in some sort of input file, correct?
 

Callender, does MJRegWatcher launch via a shortcut on the desktop and/or pinned to taskbar? And, I have to "load" stuff to protect in some sort of input file, correct?

I launch it delayed on boot from an elevated shortcut via a scheduled task.

MJ RegWatcher.jpg

MJ RegWatcher 2.jpg

You don't have to load anything but there are some changes you can make to improve performance or to exempt/ include certain keys/ subkeys if you need to. As reported you can also auto block changes to any specified key. Personally I just like to be prompted when something changes. There's also a decent log that contains all changes so if you forget exactly what changed you can inspect the log. I've found that useful a few times where I haven't noticed a problem say for a week or so after a change was made.

MJRegWatcher_Config.jpg
 
