def main(): """The entry function to be executed. Returns: None """ clsid_all_keys_list = get_all_keys(HKEY_CURRENT_USER, CLSID_PATH) premium_all_keys_list = get_all_keys(HKEY_CURRENT_USER, PREMIUM_PATH) premium_sub_keys_list = [ os.path.join(PREMIUM_PATH, item) for item in get_sub_keys(HKEY_CURRENT_USER, PREMIUM_PATH) ] print(f"premium_sub_keys_list: {premium_sub_keys_list}") for clsid_item in clsid_all_keys_list: if "Info" in clsid_item: clsid_item_prefix = os.path.dirname(clsid_item) print(f"# Info item: {clsid_item}") winreg.DeleteKeyEx(HKEY_CURRENT_USER, clsid_item) winreg.DeleteKeyEx(HKEY_CURRENT_USER, clsid_item_prefix) # The outermost folder is not deleted. for premium_item in reversed(premium_all_keys_list): if "Servers" in premium_item: print(f"Tips: Servers => {premium_item} will not be deleted.") pass elif premium_item in premium_sub_keys_list: print(f"Tips: Servers => {premium_item} will not be deleted.") pass else: winreg.DeleteKeyEx(HKEY_CURRENT_USER, premium_item)
def delete_registry(self, root: str, key_relative_to_root: str, key: str, architecture: int = None) -> bool: """ Delete a key in the registry. Is not recursive :param root: e.g., winreg.HKEY_CURRENT_USER :param key_relative_to_root: you can use "SOFTWARE\\Microsoft\\Internet Explorer\\Main" to set it to internet explorer :param key: key to generate within root + key_relative_to_root :param architecture: architecture to user in the regedit :return: true if the oepration suceeds, false otheriwse """ key_name = f"{key_relative_to_root}\\{key}" open_key = None try: try: print(f"open_key = {key_name}") open_key = winreg.OpenKey(root, key_name, 0, winreg.KEY_ALL_ACCESS) try: sub_key = winreg.EnumKey(open_key, 0) print(f"subkey considered is {sub_key}") winreg.DeleteKeyEx(open_key, sub_key) return True except OSError: pass finally: if open_key is not None: winreg.CloseKey(open_key) except FileNotFoundError: architecture = architecture or self.core.get_architecture() if architecture == 32: other_architecture = winreg.KEY_WOW64_64KEY elif architecture == 64: other_architecture = winreg.KEY_WOW64_32KEY else: raise ValueError(f"Invalid architecture {architecture}!") try: print(f"open_key = {key_name}") open_key = winreg.OpenKey(root, key_name, 0, winreg.KEY_ALL_ACCESS) try: sub_key = winreg.EnumKey(open_key, 0) print(f"subkey considered is {sub_key}") winreg.DeleteKeyEx(open_key, sub_key) return True except OSError: pass except FileNotFoundError as e: raise FileNotFoundError( f"Cannot find the registry key {root}\\{key_relative_to_root}\\{key}" ) finally: if open_key is not None: winreg.CloseKey(open_key)
def uninstall(): for key in reg_classes: root = winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, sub_key=rf'{key}\shell') winreg.DeleteKeyEx(root, r'EZNO Convert to PDF\command') winreg.DeleteKeyEx(root, r'EZNO Convert to...\command') winreg.DeleteKeyEx(root, r'EZNO Convert to PDF') winreg.DeleteKeyEx(root, r'EZNO Convert to...')
def add_to_registry(remove_key=False): # in python __file__ is the instant of # file path where it was executed # so if it was executed from desktop, # then __file__ will be # c:\users\current_user\desktop pth = os.path.dirname(os.path.realpath(__file__)) # name of the python file with extension s_name = "TA_Monitor.py" # joins the file name to end of path address address = os.path.join(pth, s_name) # key we want to change is HKEY_CURRENT_USER # key value is Software\Microsoft\Windows\CurrentVersion\Run key = reg.HKEY_CURRENT_USER key_value = r"Software\Microsoft\Windows\CurrentVersion\Run" # open the key to make changes to reg_key = reg.OpenKey(key, key_value, 0, reg.KEY_ALL_ACCESS) if remove_key: reg.DeleteKeyEx(reg_key, "start_up", 0, reg.REG_SZ, address) else: reg.SetValueEx(reg_key, "start_up", 0, reg.REG_SZ, address) # now close the opened key reg.CloseKey(reg_key)
def remove_vc9_reg(): try: winreg.DeleteKeyEx(HCU, r"Software\Microsoft\VisualStudio\9.0\Setup\VC") print("Removed") except WindowsError: print("key not exist")
def unregisterInstallation(keepDesktopShortcut=False): try: winreg.DeleteKeyEx(winreg.HKEY_LOCAL_MACHINE, easeOfAccess.APP_KEY_PATH, winreg.KEY_WOW64_64KEY) easeOfAccess.setAutoStart(winreg.HKEY_LOCAL_MACHINE, False) except WindowsError: pass wsh=_getWSH() desktopPath=os.path.join(wsh.SpecialFolders("AllUsersDesktop"),"NVDA.lnk") if not keepDesktopShortcut and os.path.isfile(desktopPath): try: os.remove(desktopPath) except WindowsError: pass startMenuFolder=getStartMenuFolder() if startMenuFolder: programsPath=wsh.SpecialFolders("AllUsersPrograms") startMenuPath=os.path.join(programsPath,startMenuFolder) if os.path.isdir(startMenuPath): shutil.rmtree(startMenuPath,ignore_errors=True) try: winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\nvda") except WindowsError: pass try: winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\nvda.exe") except WindowsError: pass try: winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE,config.NVDA_REGKEY) except WindowsError: pass unregisterAddonFileAssociation()
def delete_key(self, keyName): try: winreg.DeleteKeyEx(self.HKEY, self.__format_after_path() + keyName, winreg.KEY_ALL_ACCESS, 0) except: pass
def delete(self, key, bitness=None): """ Deletes key registry :param key: registry key :param bitness: """ logging.debug('{0}'.format(key)) hive, path = self._get_registry_hive(key) bitness_flag = Registry._get_bitness_flag(bitness) winreg.DeleteKeyEx(hive, path, bitness_flag, 0)
def delete(self): for k in self: k.delete() try: key = winreg.OpenKeyEx(self._root, None, 0, winreg.KEY_READ | self._flags) except OSError: return with key: winreg.DeleteKeyEx(key, self.subkey)
def del_user_env(name=None): try: if name is None: winreg.DeleteKeyEx(winreg.HKEY_CURRENT_USER, r"xGIS", winreg.KEY_ALL_ACCESS, 0) else: key = winreg.OpenKeyEx(winreg.HKEY_CURRENT_USER, r"xGIS", 0, winreg.KEY_SET_VALUE) winreg.DeleteValue(key, name) except WindowsError: pass
def delete_registry(key, subkey, arch): """ Delete a registry Parameters ---------- key : str The key of the registry (HKEY_* constants). subkey : str The subkey (name) of the registry. """ sys.platform == 'win32' and winreg.DeleteKeyEx(key, subkey, access=arch)
def deleteKey(data): try: data = data.split('\\', 1) data1 = str(data[0]) data2 = str(data[1]) data2 = format(data2) registry_key = winreg.DeleteKeyEx(getattr(winreg, data1), data2, winreg.KEY_WOW64_64KEY, 0) winreg.CloseKey(registry_key) return 'Xoá key thành công' except WindowsError: return 'Lỗi'
def delete_registry_entries(self): ''' @summary: Deletes the timer registry key ''' # Open and delete the key try: reg = winreg.OpenKeyEx(winreg.HKEY_CURRENT_USER, self.REGISTRY_LOCATION) winreg.DeleteKeyEx(reg, "") winreg.CloseKey(reg) except WindowsError: # Ignore any Windows errors pass
def remove_start_at_boot(): # Creating a handle (key) in the HKEY Current user tree of the windows registry key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, run_key, 0, winreg.KEY_ALL_ACCESS) # We execute the function defined below to check whether the key we're about # to make exists. if registry_key_exists(key, program_name): print("Key exists attempting to remove") try: winreg.DeleteKeyEx(key, program_name) except WindowsError: # If this fails try executing as administrator print("Couldn't remove key") else: print("Key doesn't exists")
def deleteRegKeyRecursively(HKey, subKey, view=winreg.KEY_WOW64_64KEY): # Delete all the sub keys first keyExist = False with winreg.OpenKeyEx(HKey, subKey, 0, access=winreg.KEY_ALL_ACCESS | view) as keyHandle: keyExist = True index = 0 while True: try: subKeyName = winreg.EnumKey(keyHandle, index) deleteRegKeyRecursively(HKey, subKey + '\\' + subKeyName) except OSError: break index += 1 # Then delete this key if keyExist: if view == winreg.KEY_WOW64_64KEY: winreg.DeleteKeyEx(HKey, subKey, access=view, reserved=0) else: winreg.DeleteKey(HKey, subKey)
def delete_key(key_hive, key_path, access_type=Wow64RegistryEntry.KEY_WOW64): """ Delete registry key :param key_hive: Windows registry hive to edit, e.g. HKEY_CURRENT_USER :param key_path: Path Windows registry key inside the hive, for example "SOFTWARE\Microsoft\Windows" :param access_type: Access type for 32/64 bit registry sub-entries in HKLM/SOFTWARE key. :return: True if success, False otherwise """ if access_type == Wow64RegistryEntry.KEY_WOW32_64: raise RuntimeError("Use either KEY_WOW64 or KEY_WOW32 with delete_key()") try: key_hive_value = HIVES_MAP[key_hive] wow64_flags = WOW64_MAP[access_type] winreg.DeleteKeyEx(key_hive_value, key_path, (wow64_flags | winreg.KEY_WRITE), 0) return True except WindowsError as e: logger.error("Unable to delete registry key %s\\%s with LastError=%d [%s]", key_hive, key_path, e.winerror, e.strerror) return None
def folder_set(): dic = { '{0ddd015d-b06c-45d5-8c4c-f59713854639}': 'Local Pictures', '{35286a68-3c57-41a1-bbb1-0eae73d76c95}': 'Local Videos', '{a0c69a99-21c8-4671-8703-7934162fcf1d}': 'Local Music', '{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}': 'Desktop' } for entry in dic: try: key = winreg.OpenKeyEx( winreg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\%s\PropertyBag' % (entry), access=winreg.KEY_SET_VALUE) winreg.SetValueEx(key, 'ThisPCPolicy', 0, winreg.REG_SZ, 'Hide') winreg.CloseKey(key) except Exception as e: print("hide %s error, %s" % (dic[entry], e)) namespace_dict = { # '{088e3905-0323-4b02-9826-5d99428e115f}': 'Download', '{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}': '3D objects', '{24ad3ad4-a569-4530-98e1-ab02f9417aa8}': "Pictures", '{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}': 'Music', '{d3162b92-9365-467a-956b-92703aca08af}': "documents", '{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}': "Videos" # '{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}': 'Desktop', } for entry in dic: try: winreg.DeleteKeyEx( winreg.HKEY_LOCAL_MACHINE, r'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\%s' % (entry), ) except Exception as e: print("hide %s error, %s" % (dic[entry], e))
def DeleteKey(self, aKey): bResult = False if self.KeyExists(aKey): bResult = winreg.DeleteKeyEx(self.__Root_Key, aKey, self.__default_Architecture_Key) return bResult
def tearDownClass(cls): super(InstallerTest, cls).tearDownClass() winreg.DeleteKeyEx(winreg.HKEY_LOCAL_MACHINE, _TEST_KEY_PATH, winreg.KEY_ALL_ACCESS, 0)
def delete(self, recursive: bool = True) -> None: if recursive: for subkey in self.subkeys(): subkey.delete() winreg.DeleteKeyEx(self.hkey.id_, str(self.path))
import os import shutil import winreg path = 'C:{0}RAT_DELETE_ME'.format(os.path.sep) try: shutil.rmtree(path) except FileNotFoundError: pass try: run = winreg.OpenKey(winreg.HKEY_CURRENT_USER, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run', 0, winreg.KEY_WRITE) winreg.DeleteKeyEx(run, "JRAT") except FileNotFoundError: pass os.system('shutdown /l')
def deleteKeyEx(): # This method can not delete keys with subkeys. winreg.DeleteKeyEx(winreg.HKEY_CURRENT_USER, path, 0, winreg.KEY_ALL_ACCESS)
def delete_entry(self): key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, self.path, 0, winreg.KEY_WRITE) winreg.DeleteKeyEx(key, self.name, access=KEY_WOW64_64KEY ,reserved =0) winreg.CloseKey(key)
def main(): common.log("Suspicious Registry Persistence") for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER): write_reg_string( hive, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", "RunOnceTest", TARGET_APP) write_reg_string( hive, "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "RunTest", TARGET_APP) # create Services subkey for "ServiceTest" common.log("Creating ServiceTest registry key") hkey = winreg.CreateKey( winreg.HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\ServiceTest\\") # create "ServiceTest" data values common.log("Updating ServiceTest metadata") winreg.SetValueEx(hkey, "Description", 0, winreg.REG_SZ, "A fake service") winreg.SetValueEx(hkey, "DisplayName", 0, winreg.REG_SZ, "ServiceTest Service") winreg.SetValueEx(hkey, "ImagePath", 0, winreg.REG_SZ, "c:\\ServiceTest.exe") winreg.SetValueEx(hkey, "ServiceDLL", 0, winreg.REG_SZ, "C:\\ServiceTest.dll") # modify contents of ServiceDLL and ImagePath common.log("Modifying ServiceTest binary") winreg.SetValueEx(hkey, "ImagePath", 0, winreg.REG_SZ, "c:\\ServiceTestMod.exe") winreg.SetValueEx(hkey, "ServiceDLL", 0, winreg.REG_SZ, "c:\\ServiceTestMod.dll") hkey.Close() pause() # delete Service subkey for "ServiceTest" common.log("Removing ServiceTest", log_type="-") hkey = winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\") winreg.DeleteKeyEx(hkey, "ServiceTest") hkey.Close() pause() # Additional persistence hklm = winreg.HKEY_LOCAL_MACHINE common.log("Adding AppInit DLL") windows_base = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\" write_reg_string(hklm, windows_base, "AppInit_Dlls", "evil.dll", delete=False) write_reg_string(hklm, windows_base, "AppInit_Dlls", "", delete=False) hkey.Close() pause() debugger_targets = [ "normalprogram.exe", "sethc.exe", "utilman.exe", "magnify.exe", "narrator.exe", "osk.exe", "displayswitch.exe", "atbroker.exe" ] for victim in debugger_targets: common.log( "Registering Image File Execution Options debugger for %s -> %s" % (victim, TARGET_APP)) base_key = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s" % victim write_reg_string(winreg.HKEY_LOCAL_MACHINE, base_key, "Debugger", TARGET_APP, delete=True)