Develop Reference

Use List of Windows accounts to add reg keys using SIDS

edit re explanation to improve answers.
Project
As a third party engineer I am attending a site to install a piece of Software. The Infrastructure is "very" locked down. I will be supplied with an admin account for the day to install the software. However, to make the software work properly FOR ALL USERS (not just admin logged in) I have been instructed by IT dept. to manually create a KEY and then add a string value within created key for every user account on the PC. Our software in a standard environment caters for this with an all users reg key but it doesn't run (not allowed - don't ask!) in these specific places.
The location of where they want the the KEY is within the HKEY_USERS path in the reg:-
HKEY_USERS\S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXX\Software\Microsoft\
so lets say 2 people logged in this PC and they need to use our software later on
john.jones
mary.shelley
I need to find the sid relating to john jones and go and add the key to his section in HKEY_USERS
I then need to find mary.shelley sid and then go and the key to her HKEY_USERS section, etc.
Now I know from the environments I work in there could be 20 + user acounts on there so really would like to avoid manually adding they keys over and over for all the accounts on every PC I'm installing at.
A log on script would be better, but this all I have to deal with at present.
State of Script Now
#echo off
REM Read file with user names
FOR /F "usebackq tokens=*" %%G in ("users.txt") do (
REM use user name to find SID
FOR /F "delims=" %%H IN ('"wmic useraccount where name='%%~G' get sid| findstr /vi "SID""') DO (
REM Strip trailing line with CR
FOR /F "delims= " %%I IN ("%%~H") DO (
REM %%I is now the SID of the USER
REG ADD "HKEY_USERS\%%I\Software\Microsoft\addstuffhere" /f
REG ADD "HKEY_USERS\%%I\Software\Microsoft\addstuffhere" /t REG_SZ /d "addstuffhere"" /f
)
)
)
This is pretty much automating the whole thing as planned; loops through a text file of user names of users who use the PC, grabs the SID, applies sid as variable, then is used to write the key in the right place for that user, and on through the list doing to same for every account listed.
The only part that may need altering is the WMIC section is not finding certain users who have bona fide windows accounts.
when I tested the working code on my laptop it worked fine for my administrator account, but me logged in as joe_blogs (e.g.) came up with "no instance available". Because in isolation the WMIC code just brought up only a few not all, so couldn't do what it needed to do.
I know from previous questions this WMIC code brings up every account:-
WMIC Path Win32_UserProfile Where "Special='False' And Not LocalPath='Null'" Get LocalPath,SID | find /v ""
Perhaps that can be incorporated into current working code to make sure every account is catered for.
I know the users all need to have logged in at each PC for this to work, so with regards to the list of user profiles, I can garner that on the day asking "who of your users needs to use our stuff on the PC's" and make the users.txt
thanks - hope that really explains it :/
edit instructions for what I have been asked to do (altered key names slightly for privacy)
1. Log on to the PC with a standard technician admin account
2. Open regedit.exe
3. Navigate to* HKEY_USERS\S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXXX- XXXXX\Software\Microsoft\Terminal Server Client\Default\Addins\
a. Right-click Addins > New > Key and create foo
b. Right-click foo > New > String Value and create Name
c. Double-click Name and in Value Data enter† C:\foo\file\foo.dll
4. Repeat step 3 for each user: it should be possible to edit the SID in an exported key by right-clicking on the next
HKEY_USERS entry > Rename > Ctrl+C > Esc then replacing the SID in the exported reg key – this has not been tested but may be worth trying
*The user SID is unique so this has to be done per user. If there are a lot of users listed in the registry it is possible to find which SID belongs to which user by checking the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

After reading your edit, it sounds like there's some room to wiggle here. If we take 2 small liberties, this could be done in a single command line. If one or both liberties can't be taken, let me know.
If WMIC isn't required, and if we can target all SIDs present rather than trying to match names to SIDs, then 'reg.exe' and 'for' can do this quickly. Here's an example with sample output:
(Optional) Enum Profiles:
cmd:
for /f "delims=\ tokens=2" %A in ('reg query hku ^| findstr /i "S-1-5-21-" ^| findstr /v /i "_Classes"') do #echo ;[i] Profile Found: {%A}
output:
;[i] Profile Found: {S-1-5-21-277974881-2357464463-7727422770-1001}
;[i] Profile Found: {S-1-5-21-277974881-2357464463-7727422770-1002}
;[i] Profile Found: {S-1-5-21-277974881-2357464463-7727422770-1007}
Add Key+Value
cmd:
for /f "delims=\ tokens=2" %A in ('reg query hku ^| findstr /i "S-1-5-21-" ^| findstr /v /i "_Classes"') do #(reg add "hku\%A\Software\Microsoft\Terminal Server Client\Default\Addins\FooKey" /v FooName /t REG_SZ /d "C:\foo\file\foo.dll" /f >nul 2>&1 && (echo ;[i] Reg Key Added {%A}) || (echo ;[i] Reg Key Failed To Add {%A}))
output:
;[i] Reg Key Added {S-1-5-21-277974881-2357464463-7727422770-1001}
;[i] Reg Key Added {S-1-5-21-277974881-2357464463-7727422770-1002}
;[i] Reg Key Added {S-1-5-21-277974881-2357464463-7727422770-1007}
(Optional) Verify Success:
cmd:
for /f "delims=\ tokens=2" %A in ('reg query hku ^| findstr /i "S-1-5-21-" ^| findstr /v /i "_Classes"') do #(reg query "hku\%A\Software\Microsoft\Terminal Server Client\Default\Addins\FooKey" /v FooName 2>nul || echo ;[e] Couldn't Find Key {%A})
output:
HKEY_USERS\S-1-5-21-277974881-2357464463-7727422770-1001\Software\Microsoft\Terminal Server Client\Default\Addins\FooKey
FooName REG_SZ C:\foo\file\foo.dll
HKEY_USERS\S-1-5-21-277974881-2357464463-7727422770-1002\Software\Microsoft\Terminal Server Client\Default\Addins\FooKey
FooName REG_SZ C:\foo\file\foo.dll
HKEY_USERS\S-1-5-21-277974881-2357464463-7727422770-1007\Software\Microsoft\Terminal Server Client\Default\Addins\FooKey
FooName REG_SZ C:\foo\file\foo.dll

Not sure if I am understanding your question. My first comment should have made it quite clear. You need to use a FOR /F command to capture the WMIC output. That is the only way you can assign the SID to a variable.
#echo off
REM Read file with user names
FOR /F "usebackq tokens=*" %%G in ("users.txt") do (
REM use user name to find SID
FOR /F "delims=" %%H IN ('"wmic useraccount where name='%%~G' get sid| findstr /vi "SID""') DO (
REM Strip trailing line with CR
FOR /F "delims= " %%I IN ("%%~H") DO (
REM %%I is now the SID of the USER
REG ADD "HKEY_USERS\%%I\Software\Microsoft\addstuffhere" /f
REG ADD "HKEY_USERS\%%I\Software\Microsoft\addstuffhere" /t REG_SZ /d "addstuffhere"" /f
)
)
)

batch script to delete all icons from all users' desktops

Currently looking for a way to delete all icons off of all user desktops. I have experimented until I made the following script that allowed me to delete all from a single user but without hard coding I won't be able to extend this to reach all users on a single PC.
#echo off
cd %%#
del C:\Users\%Userprofile%\Desktop\*.* /s /q
for /r %%# in (.) do rmdir %%# /s
cls
I am now looking to see if it is possible to extend this to multiple users without hard coding paths since I don't happen to know which user might be using the computer at the time.

Since you don't want to hard code path's, we can use the FOR to search for .ico files located in \Desktop for each user. The script bellow will search each users desktop, remove all .ico files, then prompt the user it has finished.
#ECHO OFF
#GOTO :search
:search
FOR /D %%G IN ("C:\Users\*") DO IF EXIST "%%~fG\desktop\*.ico" (
set correctDir=%%G\desktop
goto :foundFile
)
goto :finished
:foundFile
cd "%correctDir%"
del /S *.ico
goto :search
:finished
echo All Icons removed from users desktops!
pause
goto :eof
FOR /D iterates over all directories using the %%G variable. %%~fG expands to the full path to the directory in %%G.
IF EXIST checks if a file exists.
goto :eof exits the script

Extreme care must be taken when writing or working with scripts which are intended to delete files/folders. A single minor mistake can end up in a disaster.
For example this code: cd "MyFolder" & del /q *.* is extremely dangerous it delete all files from current directory with the assumption that previous cd command have changed the current directory to MyFolder, So in case of failure del command will delete all files from current directory which is not MyFolder. But this code is safe: cd "MyFolder" && del /q *.*. The del command will be executed only if the cd command have successfully changed the current directory to MyFolder.
Now back to your original problem of extending your code to wipe out 'Desktops' of all other users of the PC.
The first thing that should be considered is that a normal user typically does not have access to desktop folders of other users because of NTFS file system permissions which avoids non Administrators from accessing other users profile. So the resulting script will have to run with administrative privileges. Even running the script as Administrator does guarantee the success because each user can explicitly deny access to his/her user profile files/folders even to Administrators.
The other thing is while it is mostly the case that the desktop directory of each user is placed in a folder named Desktop located in the %USERPROFILE% directory e.g. C:\Users\John\Desktop but this is not always the case. In fact the desktop directory of each user can defined to be located anywhere and placed in a folder other than Desktop.
This is the case for other special folders other than Desktop.
So the correct approach is to first retrieve a list of user profiles from registry and then for each user profile query the location of user's desktop.
:: WipeDesktops.cmd
:: This script should be runned as Administrator to be able to access and delete the 'Desktop' contents of other users.
#echo off
setlocal EnableExtensions EnableDelayedExpansion
:: To turn TestMode off It is highly recommended that to invoke the script with "/TestMode:Off" switch rather than manually setting TestMode to 0
set "TestMode=1"
set "DeleteCommandConfirm=rd /s"
set "DeleteCommandUnsafe=rd /s /q"
for /F "tokens=1,2 delims=:" %%A in ("%~1") do if /i "%%A"=="/TestMode" (
if /i "%%B"=="Off" (set "TestMode=0") else set "TestMode=1"
)
set "DeleteCommand=%DeleteCommandConfirm%"
if %TestMode% NEQ 0 (
echo Running in Test Mode
set "DeleteCommand=echo %DeleteCommand%"
) else (
set "DeleteCommand=2>nul %DeleteCommand%"
)
set "SID_Prefix=S-1-5-21-"
set "ProfileList=HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList"
set "ShellFoldersBase=Software\Microsoft\Windows\CurrentVersion\Explorer"
set "ShellFolders=%ShellFoldersBase%\Shell Folders"
set "UserShellFolders=%ShellFoldersBase%\User Shell Folders"
for /F "delims=" %%K in ('reg query "%ProfileList%" /k /f "%SID_Prefix%"') do (
set "ProfileKey=%%~K"
set "ProfileKey=!ProfileKey:HKEY_LOCAL_MACHINE\=HKLM\!"
if "!ProfileKey!" NEQ "!ProfileKey:HKLM\=!" (
set "ProfilePath="
for /F "tokens=2*" %%A in ('reg query "!ProfileKey!" /v "ProfileImagePath" 2^>nul') do (
set "ProfilePath=%%~B"
)
if defined ProfilePath if exist "!ProfilePath!\" (
set "Desktop="
set "SID=!ProfileKey:%ProfileList%\=!"
for %%S in ("%UserShellFolders%", "%ShellFolders%") do (
if not defined Desktop (
for /F "tokens=2*" %%A in ('reg query "HKU\!SID!\%%~S" /v "Desktop" 2^>nul') do (
set "Desktop=%%~B"
)
if defined Desktop (
REM %USERPROFILE% value is different for each user so it can not be expanded
for %%A in ("!ProfilePath!") do set "Desktop=!Desktop:%%USERPROFILE%%=%%~A!"
if not exist "!Desktop!\" set "Desktop="
)
)
)
if not defined Desktop set "Desktop=!ProfilePath!\Desktop"
REM Skip network paths
if "!Desktop:~0,2!" NEQ "\\" if exist "!Desktop!\" (
cd /d "!Desktop!" 2>nul && (
echo Removing 'Desktop' contents in !Desktop! ...
REM Since there is an open handle to the 'Desktop' folder, The contents of the folder will be removed but the folder itself remains.
%DeleteCommand% "!Desktop!"
)
)
)
)
)
For safety reasons it has 2 modes of operation:
Test Mode (the default): In this mode it only shows the commands along with the path that it can delete but no actual deletion will be performed
Normal Mode (invoke with /TestMode:Off switch) which will list and actually deletes the detected user desktops.
How it works
It first retrieves a list user profiles from registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList each of them located under a registry key with a name that is equal to the corresponding user SID beginning with S-1-5-21-
for each SID key it queries the value of ProfileImagePath to obtain the location of the user profile directory.
Then it queries the location of user's desktop from two registry locations in the listed order:
HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
and uses the value of ProfileImagePath to resolve the value of %USERPROFILE% variable for that user which is typically present in the special locations under the User Shell Folders key
Finally if the location of user's desktop can not be determined through registry then the default path of %USEPROFILE%\Desktop is assumed.
What is missing?
Shared user desktop is not covered, which is commonly located at %ALLUSERSPROFILE%\Desktop or %PUBLIC%\Desktop depending on windows version.
But the definite location can be obtained from these registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
So I'll leave it to you to do the rest and complete the missing part.

Delete random services with number name script (ex. 10009752)

I work for a IT consulting company and one of our clients got hit with a virus that created a bunch of random exe files on the PC and then it created services to try to run those files automatically. I've since removed the virus from all machines, but there are a lot of orphaned services left I need to remove.
All in all there are 4,000 unique services combined from all of the computers at their facility. The services are random numbers and I am hoping to find a way to remove them with a script of some sort, but I can't figure out how to do a wildcard for the commands I know....
I've tried
reg delete hklm\system\currentcontrolset\services\1*
and
sc delete \\pcname 1*
without any luck. Any help would be appreciated so I don't have to go to each machine (again) and manually delete the services. Sorry I am always learning new scripts by going out and seeing what other people have created, but I can't find anything to even build off of for this situation.
Thank you in advance.

We can imagine a script that get all services names and check if the name is numeric, if so delete the service :
#echo off
SETLOCAL ENABLEDELAYEDEXPANSION
for /f "tokens=1 delims= " %%a in ('tasklist') do (
set "$service=%%a"
echo !$service:.exe=! | findstr "^[-][1-9][0-9]*$ ^[1-9][0-9]*$ ^0$">nul && call:delete %%a || echo %%a is not numeric
)
exit/b
:delete
echo %1 is Numeric
echo here the command to delete the service (%1)echo off
Put the command to remove the service in the :delete label
Using #Endoro's solution to check if a value is Numeric :

#echo off
setlocal
set "root_key=HKLM\system\currentcontrolset\services"
for /f "tokens=5 delims=\" %%A in ('reg query "%root_key%"') do (
call :check_key "%%~A"
if errorlevel 1 call :del_key "%%~A"
)
goto :eof
:check_key
setlocal enabledelayedexpansion
set "filtered="
set "original=%~1"
if not defined original exit /b 0
for /f "delims=0123456789" %%A in ("!original!") do set "filtered=%%~A"
if not defined filtered exit /b 1
exit /b 0
:del_key
echo "%~1"
rem sc stop "%~1"
rem sc delete "%~1"
goto :eof
Use of reg query to loop through the services key. The 5th token
delimited after \ is the key name of the service.
call :check_key with the for loop delimits on digits 0 to 9. If
filtered is not defined, then only digits existed in the key name
so it will exit the label setting errorlevel 1.
If errorlevel 1 is caught in the main for loop, then call :del_key
runs sc stop to stop the service and sc delete deletes the service
key. Remove the rem before the sc commands to enable them.
Created for local machine use though some minor changes could do remote use.

You can use a VbScript for that, simple, first instance the WMI service:
Computer = "." 'IP or Network Name ("." is Local host)
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & Computer & "\root\cimv2") 'If your user have the access
or.. if you need use other user.
Computer = "." 'IP or Network Name
UserAndDomain = ".\Administrator" 'Account WITH domain "\"
Pass = "" ' Account Password
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = objSWbemLocator.ConnectServer(Computer, "Root\CIMv2", UserAndDomain , Pass)
Now obtain the Services Collection:
Set colServices = objWMIService.ExecQuery("Select * from Win32_Service") ' Where Name ='" & strServiceName & "'" or "Like = 'Someting%'"
'Or
Set colServices = objSWbemServices.InstancesOf("Win32_Service")
And then to delete:
For Each Service in colServices
If IsNumeric(Service.Name) Then 'Or other condition.
Service.Delete
End If
Next

A bit more challenging - Batch script to add domain user to local administrator group Windows 7

I would like to write a script that will add a domain user to the local administrator group.
I already tried
NET LOCALGROUP Administrators "domain\domainuser" /ADD
but I get the Access Denied error.
The problem is that if I want to run it as domain user, it does not have local admin rights, and if as local admin, it does not have access to the domain names. (I don't want to use domain admin)
If I manually right click the computer icon, than manage, I type in the computer name/local admin user/pass, than in Local Users and Groups -> Groups folder I want to add user to Administrators, I am prompted to log in again. If I log in than with a domain user, it works.
My question is, if it is possible to do the same (or something similar) with batch script?

Maybe, from vbs
GetObject("WinNT://" + WScript.CreateObject("WScript.Network").ComputerName + "/Administrators").Add "WinNT://DomainName/UserName"

I have solved it with another way, using 2 batch files
So I give you my code:
This one creates a folder in c: , than it creates a text file, it copies the name of the current user in it, than the other batch file in the same folder, and finaly runs it as local admin. If you write the password correctly(password will not appear as " * " when you write it):
mkdir c:\tempfiles$
break>c:\tempfiles$\temp.txt
echo %username% >> "c:\tempfiles$\temp.txt"
copy "%~dp0\admin.bat" "c:\tempfiles$"
runas /noprofile /env /user:%computername%\<LOCAL ADMIN USER> "C:\tempfiles$\admin.bat"
pause
rmdir /s /q "c:\tempfiles$"
The admin.bat, takes the user name writen in the text file (if this wasn't, it would take the %username% as the local admin username to add it, because we run it as the local admin)
The copy for the batch file is only necessary so you can run it from anywhere. For example if you would have it on a server's mapped drive it would not work.
set /p u=<c:\tempfiles$\temp.txt
net localgroup Administrators /add <DOMAIN NAME>\%u%
I have tried it on multiple computer, on most of it, it runs. On some of the computers it does not, probably because of the local policy of my company. I did not figgured that out yet.
For any questions or suggestions, feel confident to write your opinion.

The purpose of this batch file is to get the domain group members and add them to a local group. You must right click this file and select Run as Administrator.
#echo off
setlocal EnableDelayedExpansion
set /p v1=[Enter Domain Group Name]
set /p v2=[Enter domain name: xxx.com ]
set /p v3=[Enter Localgroup "Name"]
For /F "skip=8 tokens=1 delims= " %%G IN ('net group %v1% /domain' ) ^
DO if %%G neq The net localgroup %v3% %v2%\%%G /add
timeout /t 1
For /F "skip=8 tokens=2 delims= " %%G IN ('net group %v1% /domain' ) ^
DO if %%G neq command net localgroup %v3% %v2%\%%G /add
timeout /t 1
For /F "skip=8 tokens=3 delims= " %%G IN ('net group %v1% /domain' ) ^
DO if %%G neq completed net localgroup %v3% %v2%\%%G /add
timeout /t 1

batch file goto next xcopy command if windows "Admin" username has changed

I want to be able to run just one instance of xcopy rather than many, from a usb drive to .\admin\desktop on the computer I have plugged it in, however there might be some computers I get on that have the admin username changed to the name of the person. Is there a generic batch namimg convention for the admin user account for windows? If so I'd like to just use that whatever it may be instead of listing everyone's username for every computer and guessing what it might be without looking everytime.
Here is what I have so far, it works well if I know for a fact that the "Admin" user is still labeled "Admin."
#echo off
xcopy "%~dp0M1k_SWPCB\*.*" "C:\Documents and Settings\Admin\Desktop\SWPCB\" /d /s /h /v /c /f /k /y
pause
I tried 'All Users' as well, but in some cases the directory doesn't exist and it will not work. Plus if the computer has multiple users I don't want it on everyones' desktop.
Any help would be much appreciated.
Thanks

All users have a SID identifier and the local admin account always ends with the -500 suffix, so you can get the Admin username by checking the SID's on the Registry:
#Echo OFF
FOR /F "Tokens=*" %%# IN ('Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" ^| FIND "-500"') DO (
FOR /F "Tokens=2,*" %%A IN ('Reg Query "%%#" /v "ProfileImagePath" ^| FIND /V "%%#"') DO (
Echo Admin SID: %%~n#
Echo Admin Folder: %%B
)
)
Pause>NUL&Exit
Output:
Admin SID: S-1-5-21-148789306-3749789949-2179752015-500
Admin Folder: C:\Users\Administrador
Another way to do it is with an VBScript, you can use it in your Batch file and write the Admin name to a textfile, then next you will set a variable with the content of the textfile. (I don't wrote this function):
Set objNetwork = CreateObject("Wscript.Network")
objComputerName = objNetwork.ComputerName
Set objwmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" & objComputerName)
qry = "SELECT * FROM Win32_Account where Domain = '" & cstr(objComputerName) & "'"
For Each Admin In objwmi.ExecQuery(qry)
If (Left(Admin.sid, 6) = "S-1-5-" And Right(Admin.sid,4) = "-500") Then MsgBox Admin.name)
Next
PS: Maybe someone will post other solution saying that listing the group names is another choice... but groupnames is not a generic solution 'cause the native language.