Good day,

I have been working with the Golang registry and noticed an issue when 
attempting to access / read from *SOFTWARE\Microsoft\Windows Defender.*

The following code calls *SOFTWARE\Microsoft\Windows NT\CurrentVersion* and 
it outputs the correct information.

// Open the CurrentVersion key for reading values.
winInfo, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows NT\CurrentVersion`, registry.QUERY_VALUE)
check(err)
defer winInfo.Close()

// Read the CurrentVersion string value and print it.
CurrentVersion, _, err := winInfo.GetStringValue("CurrentVersion")
check(err)
fmt.Printf("Value: %s\n", CurrentVersion)

-----------------
*Output:*
-----------------
Value: 6.3

However, when attempting to access the Windows Defender registry key using 
the following code, it doesn't return any information.

// Open the Windows Defender key for reading values.
regInfo, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows Defender`, registry.QUERY_VALUE)
check(err)
defer regInfo.Close()

// Read the BackupLocation string value and print it.
BackVersion, _, err := regInfo.GetStringValue("BackupLocation")
check(err)
fmt.Printf("Value: %s", BackVersion)

-----------------
*Output:*
-----------------
The system cannot find the file specified. 
Value:

I thought this may be an issue with permissions, so I checked the ACLs for 
the registry keys and all Authenticated Users do have read access to the 
object, and Administrators have Special permissions to the object. In order 
to confirm this, I used REG QUERY as shown below from a low privileged user 
account:

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v BackupLocation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    BackupLocation    REG_SZ    C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1909.6-0

After this I thought it may require signed Microsoft binaries in order to 
access the registry location. I then installed Registry Editor, a 3rd party 
viewer, which was able to access the information. Finally, I thought it 
could be an issue with programming languages being unable to access the 
registry, so I tried it using the following Python code:

import errno, os, winreg

RawKey = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion", 0, winreg.KEY_READ)
print(winreg.QueryValueEx(RawKey, "CurrentVersion"))

RawKey = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows Defender", 0, winreg.KEY_READ)
print(winreg.QueryValueEx(RawKey, "BackupLocation"))

-----------------
*Output:*
-----------------
('6.3', 1)
('C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.1909.6-0', 1)

The code above did return the correct information, which leads me to 
believe that there is an issue with the Golang registry implementation. 
Either that, or I am not using the registry correctly with Golang. 

Any help would be greatly appreciated. 

Kind Regards,

Kyhle
