共用方式為


Problem: WMI StdRegProv Class can return junk characters when using the GetStringValue on windows 2003/XP/Vista and Windows 2008

Under a specific set of conditions, the StdRegProv GetStringValue method will return a string of data from a random memory location. The string value must have been created and valid data written into the key name. Once the key name is cleared to a zero length, all subsequent reads will return the invalid data. To reproduce this behavior you can follow these simple steps:

On any windows 2003/XP or Vista/Windows 2008 system do the following:

1. Start RegEdit on your machine.

2. Create a test key: HKEY_LOCAL_MACHINE\SYSTEM\CustomKey

3. Add a string value to the key: SimpleString set it to the value “Test”.

4. Run the simple VBS provided below, the value of SimpleString should be “Test”.

5. In regedit, highlight the key value SimpleString, right click and select the “Modify Binary Data” option.

6. Remove all of the data from the window, you should see only the byte offset of “0000” displayed to the left in the dialog. Click OK to save.

7. Run the simple VBS from step 6 once again. You will notice a bunch of what appears to be junk characters displayed on the screen.

The simple VBS test script would be:

const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\"&_
strComputer & "\root\default:StdRegProv")
objReg.GetStringValue HKEY_LOCAL_MACHINE,"SYSTEM\CustomKey","SimpleString",strVal
wscript.echo "StringValue: " & strVal

The cause of the issue is that the registry provider for WMI does not properly initialize the temporary string variable and sends back an address pointing to an uninitialized buffer of memory. The memory buffer is properly allocated, space is initially set aside for the string value, however, nothing is written into the memory location.

A possible work around for this issue is to use the low level registry APIs to read the registry data.

The registry key must have had a string value written to it initially, then that value replaced by no data. This same scenario can occur when a registry based GPO has a string value that is modified to zero length and the GPO is not disabled.

On windows 2008 R2/Windows 7 and on Windows 2012 both server and client, this issue has been corrected. The script will display nothing, the null or empty string is returned to the client by the GetStringValue method.