2022-01-21 257 次评论

PE环境下获取本地系统注册表

%SystemRoot%\system32\config这个目录下文件是注册表的配置单元，可以在PE环境中检索这个目录，然后加载这个配置单元来读取本地系统的相关信息。
下面的代码是获取系统名字版本号等等，网卡IP信息可以从这个项下面寻找HKEY_LOCAL_MACHINE\_LOAD_SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\

#include <array.au3>
Global $SysDrive
;提取 系统信息
Local_Drive()
Load_local_REG()
;HKEY_LOCAL_MACHINE\_LOAD_SOFTWARE\Microsoft\Windows NT\CurrentVersion
;ProductName    ReleaseId  CurrentBuild
$ProductName = RegRead("HKEY_LOCAL_MACHINE\_LOAD_SOFTWARE\Microsoft\Windows NT\CurrentVersion","ProductName")
$ReleaseId = RegRead("HKEY_LOCAL_MACHINE\_LOAD_SOFTWARE\Microsoft\Windows NT\CurrentVersion","ReleaseId")
$CurrentBuild = RegRead("HKEY_LOCAL_MACHINE\_LOAD_SOFTWARE\Microsoft\Windows NT\CurrentVersion","CurrentBuild")
MsgBox(0,"本地系统信息",$ProductName & @CRLF & $ReleaseId& @CRLF&$CurrentBuild)
UNLoad_local_REG()

;根据盘符检索包含Windows\System32\config的磁盘
Func Local_Drive()
Local $Drive_array = DriveGetDrive($DT_FIXED) ;枚举固定盘驱动器的数组
For $i=1 To UBound($Drive_array)-1
   If $Drive_array[$i]<> "X:" Then ;剔除PE系统盘
  Local $Drive_Temp =$Drive_array[$i] & "\Windows\System32\config"
   If FileExists($Drive_Temp) Then
 $SysDrive = $Drive_Temp
   EndIf
   EndIf
Next
EndFunc

;加载离线注册表
Func Load_local_REG()
RunWait('Reg.exe LOAD HKLM\_LOAD_SAM "' & $SysDrive & '\SAM' & '"', '', @SW_HIDE)
RunWait('Reg.exe LOAD HKLM\_LOAD_SOFTWARE "' & $SysDrive & '\SOFTWARE' & '"', '', @SW_HIDE)
RunWait('Reg.exe LOAD HKLM\_LOAD_SYSTEM "' & $SysDrive& '\SYSTEM' & '"', '', @SW_HIDE)
RunWait('Reg.exe LOAD HKLM\_LOAD_SECURITY "' & $SysDrive & '\SECURITY' & '"', '', @SW_HIDE)
EndFunc

;卸载离线注册表
Func UNLoad_local_REG()
RunWait('Reg.exe UNLOAD HKLM\_LOAD_SAM', '', @SW_HIDE)
RunWait('Reg.exe UNLOAD HKLM\_LOAD_SOFTWARE', '', @SW_HIDE)
RunWait('Reg.exe UNLOAD HKLM\_LOAD_SYSTEM', '', @SW_HIDE)
RunWait('Reg.exe UNLOAD HKLM\_LOAD_SECURITY', '', @SW_HIDE)
EndFunc