Exemplo n.º 1
 def DeleteRentionKey(self):
     r"""Delete the Google Update ``Retention`` key for the current user.

     The key is addressed through the 32-bit registry view
     (``KEY_WOW64_32KEY``) under ``self._registry_root``.  For a
     system-level install the path uses ``ClientStateMedium`` and the
     subkey named after the current user's SID string is deleted before the
     ``Retention`` key itself; otherwise only
     ``ClientState\<guid>\Retention`` is deleted.

     Both deletions share one ``try`` block, so a missing SID subkey
     (winerror 2) also skips the attempt on the parent ``Retention`` key.

     Raises:
         WindowsError: for any failure other than winerror 2
             (ERROR_FILE_NOT_FOUND), which is treated as "already absent".
     """
     medium = ''
     if self._system_level:
         medium = 'Medium'
     retention_path = r'%s\ClientState%s\%s\Retention' % (
         ChromeState._GOOGLE_UPDATE_PATH, medium, self._config['guid'])
     try:
         # Children first: DeleteKeyEx is issued for the per-user subkey
         # before the key that contains it.
         doomed = []
         if self._system_level:
             doomed.append(retention_path + '\\' + GetUserSidString())
         doomed.append(retention_path)
         for subkey in doomed:
             _winreg.DeleteKeyEx(self._registry_root, subkey,
                                 _winreg.KEY_WOW64_32KEY)
     except WindowsError as error:
         # Only "key not found" is tolerated; access-denied and similar
         # failures must reach the caller.
         if error.winerror != 2:
             raise
Exemplo n.º 2
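def delete_registry_entry():
    """
    Author: UKumar
    delete_registry_entry() - Deletes the ShoreTel key from the registry

    Removes the ``Client`` subkey of ``SOFTWARE/ShoreTel`` and then the
    ``ShoreTel`` key itself, both under HKEY_CURRENT_USER on the local
    machine.  The connection handle and the ``SOFTWARE/ShoreTel`` handle are
    printed, as before.

    Every registry handle is opened in a ``with`` block so it is closed even
    when a deletion fails; the original left the ``SOFTWARE`` handle and the
    connection open, and leaked all handles on error.

    Raises:
        OSError: propagated unchanged from ``winreg`` when a key is missing
            or cannot be deleted.
    """
    with winreg.ConnectRegistry(None, winreg.HKEY_CURRENT_USER) as connection:
        print(connection)
        with winreg.OpenKey(connection, r'SOFTWARE\ShoreTel') as akeys:
            print(akeys)
            # The child goes first; the ShoreTel key is deleted only after
            # its Client subkey has been removed.
            winreg.DeleteKeyEx(akeys, 'Client')
        with winreg.OpenKey(connection, r'SOFTWARE') as ikeys:
            winreg.DeleteKeyEx(ikeys, 'ShoreTel')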
Exemplo n.º 3
def remove_vc9_reg():
    """Delete the Visual Studio 9.0 ``Setup/VC`` key below ``HCU``.

    Prints "Removed" on success.  Every ``WindowsError`` is reported as
    "key not exist", so an access-denied failure or a key that still has
    subkeys prints the same message as a key that is really absent.
    """
    vc9_setup_key = r"Software\Microsoft\VisualStudio\9.0\Setup\VC"
    try:
        _winreg.DeleteKeyEx(HCU, vc9_setup_key)
    except WindowsError:
        print("key not exist")
    else:
        print("Removed")
Exemplo n.º 4
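def delete_key(hkey, path, key, reflection=True):
    '''
    Delete a registry key

    Note: This cannot delete a key with subkeys

    ``key`` is first tried as a subkey of ``path``; if that fails it is
    tried as a value name under ``path``.  Returns ``True`` when either
    deletion succeeds and ``False`` otherwise, including when ``path``
    itself cannot be opened.

    ``reflection`` selects the access mask from
    ``Registry().reflection_mask`` that is used to open ``path``.

    CLI Example:

    .. code-block:: bash

        salt '*' reg.delete_key HKEY_CURRENT_USER 'SOFTWARE\\Salt' 'version'
    '''
    registry = Registry()
    hkey2 = getattr(registry, hkey)
    access_mask = registry.reflection_mask[reflection]

    # Open the parent on its own: if this fails there is no handle, and the
    # original code then hit an unbound ``handle`` in its cleanup path.
    try:
        handle = _winreg.OpenKey(hkey2, path, 0, access_mask)
    except Exception:
        return False

    try:
        try:
            _winreg.DeleteKeyEx(handle, key)
            return True
        except Exception:
            # Not a deletable subkey; fall through and try it as a value.
            pass

        try:
            _winreg.DeleteValue(handle, key)
            return True
        except Exception:
            return False
    finally:
        # Single cleanup point so the handle is closed on every path.
        _winreg.CloseKey(handle)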
Exemplo n.º 5
def unregisterInstallation(keepDesktopShortcut=False):
	"""Remove the registry entries, shortcuts and start menu folder of an installed copy.

	Every step is best-effort: a WindowsError from a registry or file
	deletion is ignored and the next step still runs.  Note that the
	ease-of-access key deletion and setAutoStart share one try block, so
	setAutoStart is skipped when that key cannot be deleted.

	@param keepDesktopShortcut: when true, the All Users desktop shortcut
		NVDA.lnk is left in place.
	"""
	hklm=winreg.HKEY_LOCAL_MACHINE
	try:
		# The ease-of-access key is addressed in the 64-bit registry view.
		winreg.DeleteKeyEx(hklm, easeOfAccess.APP_KEY_PATH, winreg.KEY_WOW64_64KEY)
		easeOfAccess.setAutoStart(hklm, False)
	except WindowsError:
		pass
	wsh=_getWSH()
	desktopShortcut=os.path.join(wsh.SpecialFolders("AllUsersDesktop"),"NVDA.lnk")
	if not keepDesktopShortcut:
		if os.path.isfile(desktopShortcut):
			try:
				os.remove(desktopShortcut)
			except WindowsError:
				pass
	startMenuFolder=getStartMenuFolder()
	if startMenuFolder:
		# NOTE(review): the folder name is joined to the All Users Programs
		# directory without normalisation and the result is handed to
		# shutil.rmtree; confirm getStartMenuFolder() cannot return an
		# absolute path or one containing "..".
		startMenuPath=os.path.join(wsh.SpecialFolders("AllUsersPrograms"),startMenuFolder)
		if os.path.isdir(startMenuPath):
			shutil.rmtree(startMenuPath,ignore_errors=True)
	# Uninstall entry, App Paths entry and the application's own key.
	remainingKeys=(
		"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\nvda",
		"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\nvda.exe",
		config.NVDA_REGKEY,
	)
	for subKey in remainingKeys:
		try:
			winreg.DeleteKey(hklm,subKey)
		except WindowsError:
			pass
	unregisterAddonFileAssociation()
Exemplo n.º 6
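 def delete_registry_entries(self):
   '''
   @summary: Deletes the timer registry key

   Opens self.REGISTRY_LOCATION under HKEY_CURRENT_USER and issues
   DeleteKeyEx on the opened handle with an empty sub key name.
   Errors from opening or deleting the key propagate to the caller.
   '''

   reg = _winreg.OpenKeyEx(_winreg.HKEY_CURRENT_USER, self.REGISTRY_LOCATION)
   try:
       # NOTE(review): the empty sub key name appears intended to delete
       # the opened key itself - confirm on the target Windows versions.
       _winreg.DeleteKeyEx(reg, "")
   finally:
       # Close the handle even when the deletion raises; the original
       # skipped CloseKey on that path.
       _winreg.CloseKey(reg)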
Exemplo n.º 7
 def delete(self):
     """Delete this registry key from its parent key.

     Calls ``DeleteKeyEx`` on the parent handle (``self.surkey.phkey``) with
     this key's name and ``self.sam`` as the access mask.

     Raises:
         WindowsError: with the original ``winerror`` code and a message
             that names ``self.fullname`` and the system error text.
     """
     try:
         _winreg.DeleteKeyEx(self.surkey.phkey, self.name, self.sam, 0)
     except WindowsError as err:
         # Re-raise with the full key name so the caller can tell which
         # key the failure refers to.
         detail = "Could not delete registry key <{0}> ({1})".format(
             self.fullname, err.strerror)
         raise WindowsError(err.winerror, detail)
Exemplo n.º 8
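 def del_subkey(hkey, subkey):
     """Recursively delete ``subkey`` of ``hkey`` together with its subkeys.

     Args:
         hkey: an open registry handle (or predefined HKEY_* constant).
         subkey: name of the key below ``hkey`` to remove.

     Raises:
         OSError: propagated from ``winreg`` when a key cannot be opened,
             enumerated or deleted.
     """
     hsubkeyobj = winreg.OpenKey(hkey, subkey)
     try:
         subsubkeynum = winreg.QueryInfoKey(hsubkeyobj)[0]
         # Take the child names before deleting anything: removing a child
         # shifts the remaining indices, so enumerating while deleting
         # skips keys and runs past the end.
         subsubkeys = [winreg.EnumKey(hsubkeyobj, index)
                       for index in range(subsubkeynum)]
         for subsubkey in subsubkeys:
             del_subkey(hsubkeyobj, subsubkey)
     finally:
         # Release the handle even if a child could not be removed.
         winreg.CloseKey(hsubkeyobj)
     logger.debug("delKey: delete key '%s\\%s'", self.__key, subkey)
     # access and reserved are integer parameters; the original passed None
     # for both, which is not an integer, so the defaults are used instead.
     winreg.DeleteKeyEx(hkey, subkey)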
Exemplo n.º 9
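 def delete_registry_entries(self):
   '''
   @summary: Deletes the timer registry key

   Best-effort: any WindowsError raised while opening, deleting or
   closing the key is ignored, so the caller cannot tell whether the
   key was removed.
   '''

   try:
       reg = _winreg.OpenKeyEx(_winreg.HKEY_CURRENT_USER, self.REGISTRY_LOCATION)
       try:
           # NOTE(review): the empty sub key name appears intended to
           # delete the opened key itself - confirm.
           _winreg.DeleteKeyEx(reg, "")
       finally:
           # Close the handle even when the deletion fails; the original
           # skipped CloseKey on that path.
           _winreg.CloseKey(reg)
   except WindowsError:
       # Ignore any Windows errors
       pass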
Exemplo n.º 10
def main():
    """Write, modify and remove registry entries at common autostart locations.

    Steps, in order, each announced through common.log:
      1. Run and RunOnce values (RunTest / RunOnceTest) in HKLM and HKCU,
         with TARGET_APP as data.
      2. A Services subkey named ServiceTest with Description, DisplayName,
         ImagePath and ServiceDLL values; ImagePath and ServiceDLL are then
         rewritten, and after pause() the subkey is deleted.
      3. The AppInit_Dlls value is set to "evil.dll" and then to "".
      4. An Image File Execution Options "Debugger" value for each name in
         debugger_targets, with TARGET_APP as data.

    NOTE(review): the log title and the placeholder names suggest this is a
    detection-test script that generates registry activity for monitoring
    rules to match - confirm against the surrounding project.  The HKLM
    writes presumably need an elevated process.
    """
    common.log("Suspicious Registry Persistence")

    # NOTE(review): write_reg_string is defined elsewhere; its default for
    # the delete argument is not visible here, so whether these Run/RunOnce
    # values are removed again cannot be told from this function.
    for hive in (wreg.HKEY_LOCAL_MACHINE, wreg.HKEY_CURRENT_USER):
        write_reg_string(hive, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", "RunOnceTest", TARGET_APP)
        write_reg_string(hive, "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "RunTest", TARGET_APP)

    # create Services subkey for "ServiceTest"
    common.log("Creating ServiceTest registry key")
    hkey = wreg.CreateKey(wreg.HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\ServiceTest\\")

    # create "ServiceTest" data values
    common.log("Updating ServiceTest metadata")
    wreg.SetValueEx(hkey, "Description", 0, wreg.REG_SZ, "A fake service")
    wreg.SetValueEx(hkey, "DisplayName", 0, wreg.REG_SZ, "ServiceTest Service")
    wreg.SetValueEx(hkey, "ImagePath", 0, wreg.REG_SZ, "c:\\ServiceTest.exe")
    wreg.SetValueEx(hkey, "ServiceDLL", 0, wreg.REG_SZ, "C:\\ServiceTest.dll")

    # modify contents of ServiceDLL and ImagePath
    # (a second write to the same values, so monitoring sees a change to an
    # existing service entry as well as its creation)
    common.log("Modifying ServiceTest binary")
    wreg.SetValueEx(hkey, "ImagePath", 0, wreg.REG_SZ, "c:\\ServiceTestMod.exe")
    wreg.SetValueEx(hkey, "ServiceDLL", 0, wreg.REG_SZ, "c:\\ServiceTestMod.dll")

    hkey.Close()
    pause()

    # delete Service subkey for "ServiceTest"
    # CreateKey is used here only to obtain a handle to the existing
    # Services key; the ServiceTest subkey is then deleted through it.
    common.log("Removing ServiceTest", log_type="-")
    hkey = wreg.CreateKey(wreg.HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\")
    wreg.DeleteKeyEx(hkey, "ServiceTest")

    hkey.Close()
    pause()

    # Additional persistence
    hklm = wreg.HKEY_LOCAL_MACHINE
    common.log("Adding AppInit DLL")
    windows_base = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\"
    # NOTE(review): the previous AppInit_Dlls data is not saved here; the
    # second call presumably leaves the value as an empty string, so an
    # existing value on the host would not be restored - confirm in
    # write_reg_string.
    write_reg_string(hklm, windows_base, "AppInit_Dlls", "evil.dll", delete=False)
    write_reg_string(hklm, windows_base, "AppInit_Dlls", "", delete=False)

    # hkey was already closed above; no handle is opened in this section.
    hkey.Close()
    pause()

    debugger_targets = ["normalprogram.exe", "sethc.exe", "utilman.exe", "magnify.exe",
                        "narrator.exe", "osk.exe", "displayswitch.exe", "atbroker.exe"]

    # One "Debugger" value per listed executable.  delete=True presumably
    # makes write_reg_string remove the value again after writing it -
    # verify against the helper.
    for victim in debugger_targets:
        common.log("Registering Image File Execution Options debugger for %s -> %s" % (victim, TARGET_APP))
        base_key = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s" % victim
        write_reg_string(wreg.HKEY_LOCAL_MACHINE, base_key, "Debugger", TARGET_APP, delete=True)
Exemplo n.º 11
def unregister_uninstall(uninstallkey, win64app=False):
    """Remove an application's entry from the HKLM ``Uninstall`` branch.

    On a 64-bit Windows (``iswin64()``) the entry is looked up under
    ``Wow6432Node`` unless ``win64app`` is true, and is deleted with
    ``DeleteKeyEx``; on a 32-bit Windows the native branch is used with
    ``DeleteKey``.  The path is encoded with the ``iso8859`` codec before
    the call.

    ``uninstallkey`` is appended to the branch path as given, so a value
    containing a backslash addresses a key deeper in the tree; callers
    should pass a bare key name.

    Raises:
        Exception: if ``uninstallkey`` is empty or None.
    """
    if not uninstallkey:
        raise Exception('No uninstall key provided')

    hklm = _winreg.HKEY_LOCAL_MACHINE
    if not iswin64():
        root = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" + uninstallkey
        _winreg.DeleteKey(hklm, root.encode('iso8859'))
        return

    if win64app:
        root = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" + uninstallkey
    else:
        # 32-bit applications register under the redirected branch.
        root = "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" + uninstallkey
    _winreg.DeleteKeyEx(hklm, root.encode('iso8859'))
Exemplo n.º 12
 def ClearUserActiveSetup(self):
     """Clear per-user Active Setup state so that it runs again on next login.

     Does nothing unless this is a system-level install.  Otherwise the
     key ``_ACTIVE_SETUP_PATH + guid`` is deleted from HKEY_CURRENT_USER,
     once at the native path and once at the same path under
     ``Wow6432Node``.  The third argument to ``DeleteKeyEx`` is 0, so no
     WOW64 view flag is requested; the redirected location is spelled out
     in the path instead.

     Raises:
         WindowsError: for any failure other than winerror 2
             (ERROR_FILE_NOT_FOUND).
     """
     if not self._system_level:
         return
     native_path = ChromeState._ACTIVE_SETUP_PATH
     wow64_path = native_path.replace('Software\\',
                                      'Software\\Wow6432Node\\')
     for base in (native_path, wow64_path):
         try:
             _winreg.DeleteKeyEx(_winreg.HKEY_CURRENT_USER,
                                 base + self._config['guid'], 0)
         except WindowsError as error:
             # A key that is already absent is fine; anything else is not.
             if error.winerror != 2:
                 raise
Exemplo n.º 13
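 def uninstall():
     """Remove the entries named by MAC_THEME from HKCU ``Control Panel/Colors``.

     Individual deletion failures are ignored; a failure to connect to the
     registry or open the key is reported through ``dwarn``.

     NOTE(review): ``DeleteKeyEx`` removes subkeys.  If the names in
     MAC_THEME are value names under ``Control Panel/Colors``, every call
     below fails and is silently ignored, and ``DeleteValue`` would be the
     matching call - confirm against MAC_THEME.
     """
     theme = MAC_THEME
     USERDIC_REG_PATH = r"Control Panel\Colors"
     import _winreg
     hk = _winreg.HKEY_CURRENT_USER
     try:
         with _winreg.ConnectRegistry(None,
                                      hk) as reg:  # computer_name = None
             # OpenKey takes (key, sub_key, reserved, access): the access
             # mask is the fourth positional argument.  The original passed
             # KEY_SET_VALUE in the reserved slot.
             with _winreg.OpenKey(reg, USERDIC_REG_PATH, 0,
                                  _winreg.KEY_SET_VALUE) as path:
                 for k in theme.iterkeys():
                     try:
                         _winreg.DeleteKeyEx(
                             path, k)  # in case the path does not exist
                     except WindowsError:
                         pass
     except (WindowsError, TypeError, AttributeError) as e:
         dwarn(e)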
Exemplo n.º 14
Arquivo: reg.py Projeto: nkhuyu/salt
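def delete_key(hkey, path, key):
    '''
    Delete a registry key

    Note: This cannot delete a key with subkeys

    Returns ``True`` when the key was deleted and ``False`` when ``path``
    could not be opened or the deletion failed.

    CLI Example::

        salt '*' reg.delete_key HKEY_CURRENT_USER 'SOFTWARE\\Salt' 'version'
    '''
    registry = Registry()
    hkey2 = getattr(registry, hkey)

    # Open the parent on its own: if this fails there is no handle, and the
    # original error path then called CloseKey on an unbound name.
    # NOTE(review): KEY_ALL_ACCESS is broader than a deletion is likely to
    # need - consider a narrower mask.
    try:
        handle = _winreg.OpenKey(hkey2, path, 0, _winreg.KEY_ALL_ACCESS)
    except Exception:
        return False

    try:
        _winreg.DeleteKeyEx(handle, key)
        return True
    except Exception:
        # The original returned True here as well, so callers could not
        # tell a failed deletion from a successful one.
        return False
    finally:
        _winreg.CloseKey(handle)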