3/26/2015

Windows, reg value interpretation and publishing


Sometimes you want to monitor a registry value and publish it without installing a heavy remote management infrastructure; here's how to do that.

For this demo the TeamViewer client/server is installed and the ID for connecting to it is made available to any machine that can retrieve the list of local groups on that Windows system.

TeamViewer is like RDP but works over ports 80 and 443; it's encrypted and allows a remote console without complex setup. It works across OS X, Windows and Linux, so it's rather ubiquitous.

The key piece of information to have is the ID, or TVID, which is written as three groups of three digits and acts like an address or phone number for reaching a system that has already started and registered with the Internet connection directory service. Where possible TeamViewer uses local peer-to-peer connections and falls back to a remote proxy service to ensure a connection is made.

The TeamViewer "Host" package is a Microsoft Software Installer package, a kind of atomic database installation package that makes distributing and installing signed packages easy. This [.msi] also accepts command line arguments to control how much detail is exposed to the end user during installation.

Often you will want an end user to install it, or deploy it with a GPO, and then, either automatically or on demand, retrieve the current TeamViewer ID so that you can open a concurrent console on the system to debug it or help the end user.

@echo off

REM Stop any running TeamViewer.exe before the registry value is read.
taskkill /IM TeamViewer.exe

REM Read the ClientID DWORD (reported as hex by reg query) and let "set /a" store it in decimal.
FOR /F "skip=2 tokens=2*" %%i IN ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer\Version6" /V "ClientID"') do set /a "LAD=%%j"

REM If a local group with that name already exists, skip creation to avoid a collision error.
net localgroup | find /i "%LAD%" > nul && goto exists

REM Publish the ID as a local group whose comment says what the value is.
net localgroup %LAD% /ADD /COMMENT:"TeamViewer ID"

taskkill /IM TeamViewer.exe

:exists
exit /B 0

When TeamViewer installs it creates a unique TVID and stores it in the system's registry.

This can be fetched using the SQL-like command line tool [ reg query ], but the value is returned in [ hex ].

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer\Version6" /V "ClientID"
>    ClientID    REG_DWORD    0x1a3c3d6b

This then needs to be parsed and converted into decimal so that a user can type it into a remote TeamViewer client and connect to the system that owns the TVID, which acts as the console server.
FOR /F "skip=2 tokens=2*" %%i IN ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer\Version6" /V "ClientID"') do ...

Which means:

FOR /F - parse the command output line by line

skip=2 - the number of lines to skip at the start of the output (the header lines reg query prints before the value line)

tokens=2* - which tokens to pass to the FOR body: the first token is skipped, the second is assigned to %%i and everything after it to %%j (further variables continue alphabetically: i, j, k, etc.); then "do" something with them

Which converts the token 0x1a3c3d6b into a decimal number:

set /a "LAD=%%j"
>  440124987

Basically the "set /a" command [evaluates] the expression; the 0x prefix marks the value as [ hex ], and the result is stored and displayed in decimal form.
 
Once it's in decimal form, it's possible to create a [net local group] on the local Windows system and annotate the local group with a description.

net localgroup | find /i "%LAD%" > nul && goto exists

This searches the output of "net localgroup" for an existing group named after the decimal TVID; if it finds one, it doesn't try to create it again (which would raise a collision error and fail the script) and exits the routine.

net localgroup %LAD% /ADD /COMMENT:"TeamViewer ID"

But if no such local group exists, it creates one with the TVID as its name and sets the description to indicate what the group is for. In effect this creates a [value] = [key] pair that can be indexed and searched for with a remote tool or a simple command line script.


The local group list is then accessible using common command line tools, GUI tools, or even remote management tools and PowerShell commands.
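The same publish step, plus the read-back side a helpdesk or inventory script would run, in PowerShell. This is an added example and not part of the original post; it assumes the Version6 registry path shown above and the LocalAccounts cmdlets (Get-LocalGroup, New-LocalGroup) that ship with Windows 10 and Server 2016 or later. It also covers one edge the batch version leaves alone: both Get-ItemProperty and cmd's "set /a" treat a REG_DWORD as a signed 32-bit value, so an ID at or above 0x80000000 would come out negative.

```powershell
# Added example (not from the original post). Assumes the registry path used on
# this page and the LocalAccounts module (Windows 10 / Server 2016 and later).
$RegPath   = 'HKLM:\SOFTWARE\TeamViewer\Version6'
$GroupNote = 'TeamViewer ID'

function Get-TeamViewerId {
    param([string]$Path = $RegPath)
    # Get-ItemProperty returns REG_DWORD as a signed Int32, so a value at or above
    # 0x80000000 reads as negative; reinterpret the raw bits as unsigned instead.
    $raw = (Get-ItemProperty -Path $Path -Name ClientID -ErrorAction Stop).ClientID
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$raw), 0)
}

function Publish-TeamViewerId {
    param([uint32]$Id)
    $name = $Id.ToString()
    # Same collision guard as the batch script: only create the group if it is absent.
    if (-not (Get-LocalGroup -Name $name -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $name -Description $GroupNote | Out-Null
    }
    return $name
}

function Find-PublishedTeamViewerId {
    # Read-back: the description is the stable handle, the group name is the value.
    # Wrap in Invoke-Command -ComputerName <host> to query a remote machine.
    Get-LocalGroup |
        Where-Object { $_.Description -eq $GroupNote -and $_.Name -match '^\d+$' } |
        ForEach-Object {
            # Render as the "123 456 789" grouping shown in the TeamViewer client.
            ($_.Name -replace '(\d{3})(?=\d)', '$1 ').Trim()
        }
}

$id = Get-TeamViewerId
Publish-TeamViewerId -Id $id | Out-Null
Find-PublishedTeamViewerId
```

Creating the group needs an elevated prompt; the read-back function alone runs as a normal user.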

There are pros and cons to [value]=[key] versus [key]=[value] order when repurposing the local groups list as a generically accessible string array.

There are namespace collision possibilities, differences in how easily the string can be matched depending on the search method, how easy it is to spot by eye, security considerations (the description isn't always displayed by default, so what the group is for is only slightly obscured), and even organizational procedures regarding local group naming conventions. None of that detracts from the cool factor of "interpreting and publishing" an arbitrary reg value so that it can be accessed with generic tools, logged in an event log, or emailed.