ListLargeRegistryValues.vbs

1. 'ListLargeRegistryValues v1.0.1, March 2022.
2. 'https://www.reddit.com/user/jcunews1
3. 'https://pastebin.com/u/jcunews
4. 'https://greasyfork.org/en/users/85671-jcunews
5. '
6. 'This script will display top 50 registry values which use more than 2048 Bytes
7.  
8. sub processValues(rootKey, subkeyName)
9.   dim valNames, valTypes, i, sk, dt, ln, j
10.   if (rg.enumValues(rootKey, subkeyName, valNames, valTypes) = 0) and _
11.     (not isnull(valNames)) then
12.     for i = 0 to ubound(valNames)
13.       if not isnull(valNames(i)) then
14.         if subkeyName <> "" then
15.           sk = subkeyName & "\" & valNames(i)
16.         else
17.           sk = valNames(i)
18.         end if
19.         ln = -1
20.         'use less buggy RegRead first
21.        on error resume next
22.         dt = ws.regread(rootKeyNames(rootKey) & "\" & sk)
23.         if err.number = 0 then
24.           on error goto 0
25.           select case vartype(dt)
26.             case 3 ln = 4 'long
27.            case 8 ln = (len(dt) + 1) * 2 'string
28.            case else 'array
29.              if ubound(dt) >= 0 then
30.                 if vartype(dt(0)) = 8 then 'string array
31.                  ln = 2
32.                   for j = 0 to ubound(dt)
33.                     ln = ln + ((len(dt(j)) + 1) * 2)
34.                   next
35.                 else 'byte array
36.                  ln = ubound(dt) + 1
37.                 end if
38.               end if
39.           end select
40.         else
41.           on error goto 0
42.         end if
43.         'use StdRegProv for value types unsupported by RegRead
44.        if ln < 0 then
45.           select case valTypes(i)
46.             case 3 'REG_BINARY
47.              if (rg.getBinaryValue(rootKey, subkeyName, valNames(i), _
48.                 dt) = 0) and (not isnull(dt)) then ln = ubound(dt) + 1
49.             case 5 'REG_DWORD_BIG_ENDIAN
50.              if (rg.getDwordValue(rootKey, subkeyName, valNames(i), _
51.                 dt) = 0) and (not isnull(dt)) then ln = 4
52.             case 11 'REG_QWORD
53.              if (rg.getQwordValue(rootKey, subkeyName, valNames(i), _
54.                 dt) = 0) and (not isnull(dt)) then ln = 8
55.           end select
56.         end if
57.         if ln > 2048 then
58.           rs.addnew rf, array(ln, valNames(i), _
59.             rootKeyNames(rootKey) & "\" & sk)
60.           rs.update
61.         end if
62.       end if
63.     next
64.   end if
65. end sub
66.  
67. sub processSubkeys(rootKey, subkeyName)
68.   processValues rootKey, subkeyName
69.   dim keyNames, kn
70.   if (rg.enumKey(rootKey, subkeyName, keyNames) = 0) and _
71.     (not isnull(keyNames)) then
72.     for each kn in keyNames
73.       if subkeyName <> "" then kn = subkeyName & "\" & kn
74.       processSubkeys rootKey, kn
75.     next
76.   end if
77. end sub
78.  
79. set rs = createobject("adodb.recordset")
80. rs.fields.append "size", 6, 8
81. rs.fields.append "name", 202, 4500
82. rs.fields.append "path", 202, 4500
83. rs.open
84. rf = array("size", "name", "path")
85.  
86. HKEY_CLASSES_ROOT   = 2147483648
87. HKEY_CURRENT_USER   = 2147483649
88. HKEY_LOCAL_MACHINE  = 2147483650
89. HKEY_USERS          = 2147483651
90. HKEY_CURRENT_CONFIG = 2147483653
91. set rootKeyNames = createobject("scripting.dictionary")
92. rootKeyNames.add 2147483648, "HKEY_CLASSES_ROOT"
93. rootKeyNames.add 2147483649, "HKEY_CURRENT_USER"
94. rootKeyNames.add 2147483650, "HKEY_LOCAL_MACHINE"
95. rootKeyNames.add 2147483651, "HKEY_USERS"
96. rootKeyNames.add 2147483653, "HKEY_CURRENT_CONFIG"
97.  
98. 'bug: StdRegProv accesses the registry using the system account.
99. '     so GetExpandedStringValue expands any environment variable from the
100. '     system profile.
101. 'note: GetExpandedStringValue works the same as GetStringValue.
102. 'note: RegRead throws an exception for unsupported value types.
103. 'undocumented: all StdRegProv Enum/Get methods return null for empty values.
104.  
105. set rg = getobject("winmgmts:stdregprov")
106. set ws = createobject("wscript.shell")
107. on error resume next
108. wscript.stdout.write "This script will display top 50 registry values " & _
109.   "which use more than 2048 Bytes." & vbcrlf & "Retriving registry values... "
110. if err.number <> 0 then
111.   on error goto 0
112.   ws.run "cscript.exe //nologo """ & wscript.scriptfullname & """", _
113.     1, true
114.   wscript.quit
115. end if
116. on error goto 0
117. processSubkeys HKEY_CURRENT_USER, ""
118. processSubkeys HKEY_LOCAL_MACHINE, ""
119. wscript.stdout.writeline rs.recordcount & " usable values retrieved." & vbcrlf
120. rs.sort = "size desc"
121. if rs.recordcount > 0 then
122.   rs.movefirst
123.   c = 0
124.   s = ""
125.   do until rs.eof or (c >= 50)
126.     s = s & rs.fields("path") & vbcrlf & "  " & _
127.       rs.fields("name") & " = " & rs.fields("size") & " Bytes" & vbcrlf
128.     wscript.stdout.write s
129.     c = c + 1
130.     rs.movenext
131.   loop
132.   wscript.stdout.write "Press ENTER to exit; or enter 'save' then press " & _
133.     "ENTER, to save list into" & vbcrlf & _
134.     "'Large Registry Values.txt' file on the Desktop... "
135.   if ucase(trim(wscript.stdin.readline)) = "SAVE" then
136.     set f = createobject("scripting.filesystemobject").createtextfile( _
137.       ws.environment("process")("userprofile") & _
138.       "\desktop\Large Registry Values.txt", true)
139.     f.write s
140.   end if
141. else
142.   wscript.stdout.write "Press ENTER to exit..."
143.   wscript.stdin.readline
144. end if
145.