Batch file REG editing

Right. So I've got to add a security package to the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Edit the entry called "Security Packages" and add the value "tspkg"


under normal circumstances
Code:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v "Security Packages" /t REG_MULTI_SZ /d tspkg

Would make the specific key value be tspkg, but the requirement is to append the current value, rather than replace it.

For example the current value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa "Security Packages" is

kerberos
msv1_0
schannel
wdigest
pku2u


and it needs to read as


kerberos
msv1_0
schannel
wdigest
pku2u
tspkg

I would just specify the list of packages I want to allow, but there are possible circumstances where this list has already been changed

and thus specifying the entire list would be unhelpful as it would remove the other entries


so what I need is a way to merely append the current value

thoughts or ideas?
 
The idea is to be able to run these scripts over Group Policy, so the key is making the script dynamic enough to keep the already present value and just append the last bit to whatever is already present.
 
I'm still trying to get my head around PowerShell; there is a command Get-ItemProperty to read the registry key to a $oldreg variable, and then use Set-ItemProperty to combine $oldreg;tspkg.
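The read-then-append approach described in the post above, written out as an added example (it is not code from any poster in the thread). It assumes PowerShell is installed on the client and the script runs elevated; the function name `Add-MultiStringEntry` is hypothetical.

```powershell
# Added example: append one package name to the LSA "Security Packages"
# REG_MULTI_SZ value while keeping every entry that is already present.
$Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name    = 'Security Packages'
$Package = 'tspkg'

# Hypothetical helper: returns the existing list with $Entry appended once.
function Add-MultiStringEntry {
    param(
        [string[]]$Current,   # existing entries; may be $null or empty
        [string]$Entry        # entry to append
    )
    # Drop blank strings so an empty value does not leave a stray blank line.
    $list = @($Current | Where-Object { $_ -and $_.Trim() })
    # -contains is case-insensitive for strings, so "TSPKG" counts as present.
    if ($list -contains $Entry) { return ,$list }
    return ,($list + $Entry)
}

# Read the current value; $null if the value does not exist yet.
$item    = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
$current = if ($item) { @($item.$Name) } else { @() }

$updated = Add-MultiStringEntry -Current $current -Entry $Package

if ($updated.Count -eq @($current | Where-Object { $_ }).Count) {
    # Nothing to do: the package is already listed, so the script is safe to re-run.
    Write-Output "'$Package' already present: $($current -join ', ')"
}
else {
    # Record the previous value before changing it, then write the full list back.
    Write-Output "Before: $($current -join ', ')"
    Set-ItemProperty -Path $Path -Name $Name -Value ([string[]]$updated) -Type MultiString
    Write-Output "After:  $($updated -join ', ')"
}
```

Because the script reads the live value first, a machine whose list was already customised keeps its extra entries, and a second run makes no change.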
 
PowerShell would be the most elegant solution if the OP's network was largely Windows 7 in a Server 2008 domain. To make PowerShell work with Vista and XP via group policy would require an awful lot of faffing about [basically having a batch script call PowerShell which calls another script - not exactly elegant!].

The best solution is probably using VB Script.

Whatever you decide to stick with, have you tried looking through various scripting repos to see if someone has already come up with a script to do what you want?
 
I make all my reg changes using Group Policy Preferences; there is a specific Registry settings part in it. All you need is to run GPMC on a Vista/Win7/2k8/R2 machine and hey presto, you've got access to it. You will need a KB (KB943729) installed on Windows XP clients so they can accept GPP settings.
GPP has wiped out all of my VB scripts I used to use.
 
Aye, Group Policy Preferences are pretty cool. The only downside is you need the relevant patch installed on all clients for it to work properly; there is one per client/architecture type basically.
 
Now you see this is where it gets interesting

If it was for any device on the domain, or even any device in a particular OU this wouldn't be an issue.

But it's for specific Windows XP machines (not 7 like most of the machines on the domain) and it is for devices (mostly laptops) which staff take home and which need to be able to access our portal from home.

Windows Vista > has the security provider already listed.
So what we need is a script/exe we can dole out to the staff who have XP machines that will add the required value to the registry so that their machines can get onto our portal system from home.


So AD/GP is out for this, as it's possible some machines in question won't even be connected to the domain at all.
 
Maybe I'm overcomplicating here then. Surely you can just send them a .reg file with the extensions they need? Those can be double-clicked to insert the values into the registry?
 
With GPP you can do Item Level Targeting, which will filter a whole host of things.
i.e. only apply this GPP setting if it is a part of a certain group. This is it at its basic level; you can filter it for numerous items, down to how much RAM is installed on a machine.
It is just a shame they won't be able to connect to the domain for the policy refresh to take effect.
In this case sending them a .reg file they run would certainly work as Eulogy suggested.
 