Search registry key or value and delete for all users with VBScript

Are you running your installation/uninstallation from System Context (NT Authority\System) and want to delete user registry? You can do that by parsing all the users in HKEY_USERS key.

Under HKEY_USERS you will find user IDs starting with S-1-5-21. We need to search under all keys which are starting with S-1-5-21 and see if we can find our registry key, this way we delete the information from all the users.

For this example, let’s say I want to delete a REGISTRY KEY under HKCU\Printers\Connections and a REGISTRY VALUE under HKCU\Printers\ConvertUserDevModesCount.

As you can see, under HKCU\Printers\Connections we have MyTestConnection registry key and under HKCU\Printers\ConvertUserDevModesCount we have \\MyTestConnection registry value.

The script to parse all the HKU registry and find something like Test and delete is the following:

on error resume next

'----------------------------------------------------------------------------------------------------------------
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_USERS = &H80000003
strComputer = "."
Set WShell = CreateObject( "WScript.Shell")
Set FSO = CreateObject( "Scripting.FileSystemObject")
Set WNetwork = CreateObject("WScript.Network")
'----------------------------------------------------------------------------------------------------------------
Set objRegistry=GetObject( "winmgmts:\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
objRegistry.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubkeys
Set objReg = GetObject( "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
'----------------------------------------------------------------------------------------------------------------
For Each objSubkey In arrSubkeys
strValueName = "ProfileImagePath"
strSubPath = strKeyPath & "\" & objSubkey
objRegistry.GetExpandedStringValue HKEY_LOCAL_MACHINE,strSubPath,strValueName,strValue
correct_in strValue
Next
strUserName = WNetwork.username
If UCase(strUserName) = "SYSTEM" Then
string1 = "S-1-5-21"
string2 = "Classes"
string3 = "Printers\Connections"
objReg.EnumKey HKEY_USERS, "", arrsubkeys
For Each Subkey In arrSubKeys
If InStr(1,Subkey, string1,1)And (InStr(1,Subkey, string2,1) = "0") Then
objReg.EnumKey HKEY_USERS,Subkey & "\Printers\Connections",arrSubKeys2
For Each Subkey2 In arrSubKeys2
If (InStr(Subkey2,"Test")) Then
clean "HKEY_USERS\" & Subkey & "\Printers\Connections\" & Subkey2 & "\"
End If
Next
objReg.EnumValues HKEY_USERS,Subkey & "\Printers\ConvertUserDevModesCount",arrValueNames,arrValueTypes
For i=0 To UBound(arrValueNames)
If (InStr(arrValueNames(i),"Test")) Then
clean2 Subkey & "\Printers\ConvertUserDevModesCount",arrValueNames(i)
End If 
Next 
End If
Next
Else
clean "HKEY_CURRENT_USER"
End If
'----------------------------------------------------------------------------------------------------------------
Sub clean(id)
Dim WshShell
On Error Resume Next
Set WshShell = CreateObject("WScript.Shell")
KeyName = id
WshShell.RegDelete KeyName
WshShell.RegDelete KeyName
End Sub
'----------------------------------------------------------------------------------------------------------------

'----------------------------------------------------------------------------------------------------------------
Sub clean2(id,id2)
Dim WshShell
On Error Resume Next
Set WshShell = CreateObject("WScript.Shell")
strComputer = "."
Set objRegistry=GetObject( "winmgmts:\\" & strComputer & "\root\default:StdRegProv")
KeyName = id
KeyValue = id2
objRegistry.DeleteValue HKEY_USERS,KeyName,KeyValue
End Sub
'----------------------------------------------------------------------------------------------------------------

You can dowload the script from here:

 

Once you run the script it will delete the above mentioned registry entries.

Leave a comment

Your email address will not be published. Required fields are marked *

20 + 16 =