Recovering a Q_WORD value from the registry
Posted: Mon Jan 11, 2010 10:09 pm
by SFSxOI
I know a Q_WORD value is a 64-bit value (isn't it?). I'm having a terrible time recovering some Q_WORD values from the registry. How do you get a Q_WORD value from the registry so it matches what the registry value says? I keep getting odd values that don't match what the actual value is, for example, a value that is 1250899906 in the registry comes back as -1688688792 or some value that's the same number of digits but not correct or something.
Re: Recovering a Q_WORD value from the registry
Posted: Mon Jan 11, 2010 11:29 pm
by RASHAD
Re: Recovering a Q_WORD value from the registry
Posted: Wed Jan 27, 2010 11:23 am
by SFSxOI
Finally got a chance to get back to this. Here is what I came up with that works:
Code:
Procedure.s Reg_GetQWORDValue(KeyRoot.i, szKey.s, szValueName.s)
  Protected hKey.i
  Protected lRegType.l  ; DWORD written by RegQueryValueEx
  Protected lBuffSize.l ; DWORD written by RegQueryValueEx
  Protected qResult.q
  Protected sTempRet.s

  If RegOpenKeyEx_(KeyRoot, szKey, #Null, #KEY_QUERY_VALUE, @hKey) = #ERROR_SUCCESS ; Open the key with query rights
    RegQueryValueEx_(hKey, szValueName, 0, @lRegType, #Null, @lBuffSize) ; Get reg type and buffer size (no data buffer needed yet)
    If lBuffSize = 8 And lRegType = #REG_QWORD ; Check for correct reg type and buffer size
      If RegQueryValueEx_(hKey, szValueName, 0, @lRegType, @qResult, @lBuffSize) = #ERROR_SUCCESS ; read the QWORD value into qResult
        sTempRet = Str(qResult)
      Else
        sTempRet = "Cannot obtain " + szValueName
      EndIf
    EndIf
    RegCloseKey_(hKey) ; close the handle on every path once the key was opened
  EndIf
  ProcedureReturn sTempRet ; empty string if the key could not be opened or the value is not an 8-byte REG_QWORD
EndProcedure
; example usage for Windows 7
Debug Reg_GetQWORDValue(#HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winsat", "TimeLastFormalAssessment")
; NOTE: The value returned from this particular "TimeLastFormalAssessment" QWORD is a FILETIME value in Windows 7, needs conversion to date time. Not sure if it's also a FILETIME value in Windows Vista.
Anyone got a better way?
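The FILETIME conversion mentioned in the closing note of the post above, as an added example that is not part of the original thread: it is written in Python rather than the thread's PureBasic and decodes the 8 data bytes of a REG_QWORD offline, applying the same type and size check as the posted procedure. The sample bytes are constructed, and the function names are made up for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

REG_QWORD = 11  # winnt.h registry type: 64-bit little-endian number
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_qword(reg_type: int, raw: bytes) -> int:
    """Decode raw REG_QWORD data as an unsigned 64-bit little-endian integer."""
    if reg_type != REG_QWORD:
        raise ValueError(f"expected REG_QWORD (11), got type {reg_type}")
    if len(raw) != 8:
        raise ValueError(f"REG_QWORD data must be 8 bytes, got {len(raw)}")
    return struct.unpack("<Q", raw)[0]


def low_dword_signed(raw: bytes) -> int:
    """What a reader gets if it treats only the first 4 bytes as a signed 32-bit value."""
    return struct.unpack("<i", raw[:4])[0]


def filetime_to_utc(ticks: int) -> datetime:
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError as exc:
        raise ValueError(f"FILETIME {ticks} is outside datetime's range") from exc


# Constructed sample: the 8 data bytes of a FILETIME for 2010-01-11 00:00:00 UTC.
SAMPLE_RAW = struct.pack("<Q", 129076416000000000)

if __name__ == "__main__":
    value = decode_qword(REG_QWORD, SAMPLE_RAW)
    print("raw bytes       :", SAMPLE_RAW.hex())
    print("as QWORD        :", value)
    print("low dword signed:", low_dword_signed(SAMPLE_RAW))
    print("as UTC time     :", filetime_to_utc(value).isoformat())
```

The "low dword signed" line shows how far off a reading can be when the 8 bytes are handled through a 32-bit signed variable instead of a 64-bit one.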