hey all,
does anyone know how to decode the REG_BINARY entries in the
registry? I am able to retrieve the raw data, but I don't know how to make
any sense of it...

for example, if i want to see which services are loading in which order, i
look at
hklm\system\currentcontrolset\control\grouporderlist /V base /T REG_BINARY,
and i get the following data returned...
120000000E00000001000000020000000300000004000000
05000000060000000700000008000000090000000A0000000B0000000C0000000D0000000F000000
100000001100000012000000

I only used this as an example, what I am actually trying to do is query
DHCP servers for the 044 entries (WINS Servers)
(HKLM\Software\Microsoft\DHCPServer\Configuration\OptionInfo\044).. I know
the string value (IP address of the WINS servers), and I can actually do a
reg compare to see if the servers are configured with the proper WINS
servers, so I guess I'm just curious if anyone has been able to figure this
out... Do I need a special decoder ring? (Drink Ovaltine!)
Thanks in advance...
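
An added example, not code from anyone in this thread: the GroupOrderList value quoted above read as little-endian DWORDs, the first being the number of tags and the rest the tags in load order. The posted data fits that layout (0x12 = 18, then 18 tags). The function names are made up for the example, and nothing here describes the DHCP OptionInfo blob, whose layout the thread never establishes.

```python
import struct

# The REG_BINARY data exactly as quoted in the post (three wrapped lines).
GROUP_ORDER_BASE_HEX = """
120000000E00000001000000020000000300000004000000
05000000060000000700000008000000090000000A0000000B0000000C0000000D0000000F000000
100000001100000012000000
"""


def parse_dwords(hex_text):
    """Turn a hex dump (line wraps and spaces allowed) into little-endian DWORDs."""
    raw = bytes.fromhex("".join(hex_text.split()))
    if len(raw) % 4:
        raise ValueError(f"{len(raw)} bytes is not a whole number of DWORDs")
    return list(struct.unpack(f"<{len(raw) // 4}I", raw))


def decode_group_order(hex_text):
    """Decode a GroupOrderList value: a DWORD count, then that many tag DWORDs.

    Returns the tags in the order they are listed (the load order within the
    group). A count that disagrees with the data is treated as a truncated or
    corrupted value and rejected (strictness chosen for this example).
    """
    dwords = parse_dwords(hex_text)
    if not dwords:
        raise ValueError("empty value")
    count, tags = dwords[0], dwords[1:]
    if count != len(tags):
        raise ValueError(f"header says {count} tags, value holds {len(tags)}")
    return tags


def load_position(order, tag):
    """1-based position of a service's Tag value in the order, or None if unlisted."""
    return order.index(tag) + 1 if tag in order else None


if __name__ == "__main__":
    order = decode_group_order(GROUP_ORDER_BASE_HEX)
    print(f"{len(order)} tags, load order: {order}")
    print("tag 0x0E loads at position", load_position(order, 0x0E))
```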

Re: decoding REG_BINARY entries by mr_unreliable

mr_unreliable
Wed Apr 12 12:01:38 CDT 2006

hi gfgfg,

You might try a decoder ring, but I recommend _CASH_.

Here's what you do. Go around to the local Redmond pub,
where all the microsofties hang out and complain about
how they are underpaid and subjected to unrealistic
deadlines.

Make friends with the microsofties, and find out exactly
who is responsible for that registry abomination. (After
all, a respectable coder would have set out the elements
of the entry as understandable sub-keys instead of one
humongous blob).

After finding the culprit, offer him/her a substantial
amount of cash to reveal how to decode that blob.

cheers, jw
____________________________________________________________

You got questions? WE GOT ANSWERS!!! ..(but,
no guarantee the answers will be applicable to the questions)



Re: decoding REG_BINARY entries by TDM

TDM
Thu Apr 13 09:11:40 CDT 2006


"mr_unreliable" <kindlyReplyToNewsgroup@notmail.com> wrote in message
news:ePyAjJlXGHA.3660@TK2MSFTNGP04.phx.gbl...
> hi gfgfg,
>
> You might try a decoder ring, but I recommend _CASH_.
>

> After finding the culprit, offer him/her a substantial
> amount of cash to reveal how to decode that blob.
>
> cheers, jw
> ____________________________________________________________

I tried the blob decoder project a while back and gave up.

I do have a thought that might work, but this is just a WAG.

If you know of a system that has the correct entry, you could
use WMI to query that value, then use WMI to write that value
to the local/remote system. I wrote one a while back that migrates
registry settings for Outlook during a data migration. I recently
posted the 2 functions to another thread in this group if you think
you might want to give this a whack.

Watch for line wrap ...

http://groups.google.com/group/microsoft.public.scripting.vbscript/browse_thread/thread/5e5049dce98dd625/9e2c97245c71a7d7?lnk=st&q=%22query+the+registry+subkeys&rnum=1#9e2c97245c71a7d7

TDM



Re: decoding REG_BINARY entries by mr_unreliable

mr_unreliable
Thu Apr 13 12:11:59 CDT 2006



TDM wrote:
> If you know of a system that has the correct entry, you could
> use WMI to query that value, then use WMI to write that value
> to the local/remote system. I wrote one a while back that migrates
> registry settings for Outlook during a data migration.

I would call that "reverse engineering".

Yes, that is a workable solution, of the "brute force" sort.
But still, it would still be preferable for microsoft to use more
descriptive sub-keys, than just pack everything into a big blob.

cheers, jw

Re: decoding REG_BINARY entries by gfgfg

gfgfg
Thu Apr 13 13:08:40 CDT 2006

yes, I have been able to copy the registry value successfully from a known
working system, so there is no real urgency there, I only wanted to know if
it was possible to decode that pig.....
I guess there are two things that bother me...

1.) why does this particular entry require a reg_binary entry as opposed to
a string value, which are used with IP addresses quite liberally (see
hklm\system\currentcontrolset\services\tcpip\parameters\interfaces\xxxxxxxx,
e.g.)

2.) I can get this information easily using other methods, but this relies
on using system tools, of which MS is fond of changing the
syntax/name/functionality/errorlevels, just for kicks..(see choice.exe or
gettype.exe in 2000 and 2003 for examples) I am trying to get away from
that, which is why i started using vbscript in the first place...

rcmd \\dhcpservername netsh dhcp server dump | for /f "tokens=8*" %i in ('find /I "optionvalue 44"') do echo %i %j

this works very well, it's very quick, and obviously, someone who wrote the
netsh command has access to the encoding for dhcp reg entries (unless it's
stored in the dhcp.mdb file, but i'm on a rant here), but it requires remote
command server to be installed (not a problem for me, but it makes this
method unportable), and that the netsh command retain its syntax over the
next revisions (no guarantee on that)...



anyway, i plan on figuring this POS out, as I am clearly not a well man...
if i can figure out how to cheat on my freecell statistics, i can figure
this out...

;)



Re: decoding REG_BINARY entries by TDM

TDM
Thu Apr 13 15:20:52 CDT 2006


"mr_unreliable" <kindlyReplyToNewsgroup@notmail.com> wrote in message
news:uIdg8zxXGHA.3448@TK2MSFTNGP03.phx.gbl...
>
>
> TDM wrote:
>> If you know of a system that has the correct entry, you could
>> use WMI to query that value, then use WMI to write that value
>> to the local/remote system. I wrote one a while back that migrates
>> registry settings for Outlook during a data migration.
>
> I would call that "reverse engineering".
>
> Yes, that is a workable solution, of the "brute force" sort.
> But still, it would still be preferable for microsoft to use more
> descriptive sub-keys, than just pack everything into a big blob.
>
> cheers, jw

I couldn't agree with you more.

TDM