Thursday, 16 November 2006

Registry hacking

Note: This is Internet Explorer only as it deals with ActiveX and modifying the system registry.

Recently I've been writing a few scripts to change values in the system registry. In actual fact, you use a few different technologies to achieve something that looks very simple. This script reads then sets the home page for Internet Explorer via the registry. However you can edit any registry value you wish to using this method.

Firstly what is the registry? In simple terms, the registry is a database that stores settings and options for Windows and contains information for all the hardware, software and preferences of the PC ( This script uses a combination of JScript and ActiveX in a Windows Script host environment to edit those bits of information in the registry. JScript is Microsoft's Active Scripting implementation of ECMAScript ( Basically it's their version of JavaScript, but with lots of add-on features. These "add-ons" also rather nattily work in any Windows Script Host environment - and that's been shipped by default with every version of Windows since Windows 98 or with Internet Explorer 5+. Further information: We can use this JScript to create an ActiveX control to pass information from our script into the registry. ActiveX is simply as mechanism for passing information around a Windows computer. All in all, pretty neat eh?

Here's my script:
<script type="text/jscript" language="jscript">
var objShell = new ActiveXObject("");

/* Get the current home page */
var strRegKey = "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page";
var strCurrentHomepage = objShell.RegRead(strRegKey);

/* Set a new homepage */
objShell.RegWrite(strRegKey, "");


Let's go through it.
The script attributes
<script type="text/jscript" language="jscript">

These are set to jscript because this script is only to work in IE it's not vital, but it's good a good habit to get into.

Create an Windows Script Host (WScript) shell object
var objShell = new ActiveXObject("");

OK, so we're going to ask the script to create a new ActiveX object (as mentioned, this is just an information carrier) to pass information to a particular target - in this case the Windows Script Host (WScript) shell. The shell is simply interface that enables access to the inner workings of the computer - we need to create this shell object in our script to access the registry.

Accessing the registry
var strRegKey = "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page";
var strCurrentHomepage = objShell.RegRead(strRegKey);
objShell.RegWrite(strRegKey, "");

Now we've created a shell object, we can access the properties and methods of that object. Two of its methods are called RegRead and RegWrite - they read and write the registry respectively. The example shows the arguments required for these two methods. In both we pass the registry path of the registry item we wish to edit, making sure that we replace any single backslashes \ with a double backslash \\. This is because the backslash character in JScript is special - it's an escape character. The strRegKey string is the path to the value we want to change, you can find more information about how this string is built by looking through the registry using regedit, explained below. It's easy to see how the string relates to the structure of the registry, it's like a filesystem folder path.

Regedit - the registry editor
So you want to find out what the registry looks like to browse through. I'll not kid you - it's massive. You can use regedit, the registry editor (Start Menu --> Run, then type regedit and hit enter or run regedit.exe or regedt32.exe in your Windows directory) to have a look around and adventure. The registry structure is too detailed to go into here, but Wikipedia do an excellent job of it:

A last word just on security
It does seem incredible that Microsoft would create a web browser that could run scripting to read and write the system registry, but that's what they've done. They've tried to correct this problem in IE7 by not allowing the creation of ActiveX controls by default - users must enable this manually (with accompanying nasty messages about potential insecurities). In other supported versions of IE (IE3 - IE6) the default behaviour is that this simply runs with an ActiveX warning message. You can get around these warnings by saving the html file with an hta extension, turning the html file into an HTML application (MSDN). This .hta file only runs locally on a machine and runs without the strict security model the browser uses - no nasty error messages!

Play around with the registry - you could potentially damage something, but stick to the simple stuff and work your way up and it should all be good. Using .hta files is good because it opens all sorts of potential for html/scripting without security restrictions, so you can make cross-domain AJAX calls - something which is not allowed in a webpage) as well as other funky HTML applications to change the settings and tailor your computer.

Windows Script Host programming reference
There's loads of methods and properties of the shell object - you're not limited to reading and writing stuff to the registry - you can set/retrieve/delete user information, network and printer settings, read and write files and much more. You can find details of this at in their Windows Script Host reference: