Thursday, 23 November 2017

PowerShell Get-ItemProperty cmdlet returns garbled registry values with artifacts, regedit shows ellipses ("...") after the registry value.

We've recently stumbled upon a problem with reading registry entries using PowerShell where the Get-ItemProperty or Get-Item cmdlet returns garbled registry values with artifacts.

You'll notice that Regedit shows ellipses ("...") after the registry value.

For example, here are the ODBC settings for the Oracle ODBC driver.



If you double-click the registry value, however, it shows correctly.

When you try to get the value using PowerShell, things get very messy:
Get-ItemProperty -LiteralPath "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\Oracle in client" -Name Driver


If you read the registry value through the standard WMI registry provider, the string is shown correctly.

What is happening here is that the string in the registry is stored as a null-terminated string, and after the null terminator a lot of binary data has been dumped that we're not meant to see. Obviously this data should really be stored in a separate REG_BINARY value; however, this has not been done.

You can clean the string by taking the substring up to the index of the first null character.



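# PowerShell converts $null to an empty string in Contains()/IndexOf(), so search for the NUL character itself.
$driver = Get-ItemProperty -LiteralPath "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\Oracle in client" -Name Driver
$nullIndex = $driver.Driver.IndexOf([char]0)
if ($nullIndex -ge 0)
{
    $driver.Driver.Substring(0, $nullIndex)
}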



Problem solved.
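The same truncation applied to every string value under a key, reporting which values carry data after the first null character. This is an added example, not code from the original post; the function name Get-RegistryStringAudit is hypothetical, and it assumes the .NET registry API hands back the embedded nulls the same way Get-ItemProperty does above.

```powershell
# Added example (hypothetical helper, not from the original post).
# Lists REG_SZ / REG_EXPAND_SZ values under a key, returns the text up to
# the first NUL, and reports whether real data follows that terminator.
function Get-RegistryStringAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$LiteralPath
    )

    # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey.
    $key = Get-Item -LiteralPath $LiteralPath -ErrorAction Stop

    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        if ("$kind" -notin 'String', 'ExpandString') { continue }

        # Read REG_EXPAND_SZ as stored, without expanding %VARIABLES%.
        $options = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
        $raw = [string]$key.GetValue($name, $null, $options)

        $nul = $raw.IndexOf([char]0)
        if ($nul -ge 0) {
            $clean = $raw.Substring(0, $nul)
            # Ignore pure NUL padding; count only what remains after trimming it.
            $tail = $raw.Substring($nul).Trim([char]0)
        }
        else {
            $clean = $raw
            $tail = ''
        }

        [pscustomobject]@{
            Name            = $name
            Kind            = $kind
            Value           = $clean
            HasTrailingData = ($tail.Length -gt 0)
            TrailingChars   = $tail.Length
        }
    }
}

# Usage with the key from this post: show only the values that hide extra data.
Get-RegistryStringAudit -LiteralPath "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\Oracle in client" |
    Where-Object HasTrailingData
```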





