[Plugins-writers] Windows Registry Access

From: MadHat (madhat@private)
Date: Wed May 18 2005 - 12:25:26 PDT


OK, I have been asked to write a scan that, with proper credentials,  
can determine if the Windows XP Pro SP2 personal firewall is enabled  
or not.  It sounds pretty simple.  Check access, check the Windows  
version, check for the Service (SharedAccess) and then check a single  
registry entry (SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall).  If it is  
a 1, it is enabled, otherwise it is a 0 and not enabled (as far as I  
can tell).

I already enabled remote administration and allowing for local users  
to log in.

So if the user I am using to log in with is not an Admin I always get  
0.  If I use an Admin account I get nothing for that reg item.  I  
can connect from another Windows box with regedit and the same  
account and browse to the reg entry, but I can't seem to get it with  
nessus.

My Google-fu is failing me. Any ideas?   I seem to remember reading  
of restricted registry access, but everything I can find about using  
winreg and the local security policy editor seems to not have any  
effect on me getting a return for the key I want.

Thanks

Here is the basic (stripped down) idea of what I am trying.

key = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\";
item = "CurrentVersion";
ver = string(registry_get_sz(key:key, item:item));
# if it is XP
if (ver == '5.1') {
   # if the service is running
   if("SharedAccess" >< services ) {
     key = "SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\";
     item = "EnableFirewall";
     enabled = string(registry_get_sz(key:key, item:item));
     # if the firewall is not enabled
     if (int(enabled) != 1) {
       # report not enabled
     }
   } else {
     # report service not running
   }
}


_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
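
An added example (not part of the original message, and written in Python rather than NASL) of the check the post outlines, keeping a failed or empty registry read separate from a stored 0 so that it is reported as unknown instead of as a disabled firewall. It assumes the remote read yields a registry type code plus raw bytes; `decode_value`, `firewall_state`, `run_samples` and the sample data are hypothetical names and constructed values.

```python
import struct

# Registry value type codes from the Windows SDK (winnt.h).
REG_SZ, REG_DWORD = 1, 4

def decode_value(reg_type, raw):
    """Decode a raw registry value; return None when it cannot be interpreted."""
    if reg_type == REG_DWORD and len(raw) == 4:
        return struct.unpack("<I", raw)[0]           # little-endian 32-bit integer
    if reg_type == REG_SZ:
        text = raw.decode("utf-16-le", errors="ignore").rstrip("\x00")
        return int(text) if text.isdecimal() else None
    return None

def firewall_state(version, services, value):
    """value is (reg_type, raw_bytes) from the remote read, or None if the read failed."""
    if version != "5.1":
        return "not-applicable"                      # only Windows XP is in scope
    if "SharedAccess" not in services:
        return "service-not-running"
    if value is None:
        return "unknown"                             # access denied or value missing
    enabled = decode_value(*value)
    if enabled is None:
        return "unknown"                             # empty or wrongly typed data
    return "enabled" if enabled == 1 else "disabled"

# Constructed sample read results, not captured from a real host.
SAMPLES = {
    "dword 1": (REG_DWORD, struct.pack("<I", 1)),
    "dword 0": (REG_DWORD, struct.pack("<I", 0)),
    "read failed": None,
    "empty string": (REG_SZ, b""),
}

def run_samples():
    """Evaluate every constructed sample against an XP host running SharedAccess."""
    return {name: firewall_state("5.1", ["SharedAccess"], value)
            for name, value in SAMPLES.items()}

if __name__ == "__main__":
    for name, state in run_samples().items():
        print(f"{name:14} -> {state}")
```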


