Golang Issue reading/writing Windows Defender Registry


kyohl...@gmail.com

Nov 20, 2019, 8:52:35 AM
to golang-nuts
Good day,

I have been working with the Golang registry and noticed an issue when attempting to access / read from SOFTWARE\Microsoft\Windows Defender.

The following code calls SOFTWARE\Microsoft\Windows NT\CurrentVersion and it outputs the correct information.

winInfo, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows NT\CurrentVersion`, registry.QUERY_VALUE)
check(err)
defer winInfo.Close()

CurrentVersion, _, err := winInfo.GetStringValue("CurrentVersion")
check(err)
fmt.Printf("Value: " + CurrentVersion + "\n")

-----------------
Output:
-----------------
Value: 6.3

However, when attempting to access the Windows Defender registry key using the following code, it doesn't return any information.

regInfo, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows Defender`, registry.QUERY_VALUE)
check(err)
defer regInfo.Close()

BackVersion, _, err := regInfo.GetStringValue("BackupLocation")
check(err)
fmt.Printf("Value: " + BackVersion)

-----------------
Output:
-----------------
The system cannot find the file specified.
Value:

I thought this may be an issue with permissions, so I checked the ACLs for the registry keys and all Authenticated Users do have read access to the object, and Administrators have Special permissions to the object. In order to confirm this, I used REG QUERY as shown below from a low privileged user account:

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v BackupLocation
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    BackupLocation REG_SZ C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1909.6-0

After this, I thought it may require signed Microsoft binaries in order to access the registry location. I then installed Registry Editor, a 3rd party viewer, which was able to access the information. Finally, I thought it could be an issue with programming languages being unable to access the registry, so I tried it using the following Python code:

import winreg

# Read CurrentVersion from the Windows NT key (the control case).
RawKey = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion", 0, winreg.KEY_READ)
print(winreg.QueryValueEx(RawKey, "CurrentVersion"))

# Read BackupLocation from the Windows Defender key.
RawKey = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows Defender", 0, winreg.KEY_READ)
print(winreg.QueryValueEx(RawKey, "BackupLocation"))

-----------------
Output:
-----------------

('6.3', 1)
('C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.1909.6-0', 1)

The code above did return the correct information, which leads me to believe that there is an issue with the Golang registry implementation. Either that, or I am not using the registry correctly with Golang.

Any help would be greatly appreciated.

Kind Regards,

Kyhle

JuciÊ Andrade

Nov 22, 2019, 12:47:55 PM
to golang-nuts
Hi, Kyhle.

I don't know if that is good news for you, but on my computer your Go code works exactly as you expect. Output:

Value: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1909.6-0


$ go version
go version go1.13.4 windows/amd64



JuciÊ Andrade

Nov 22, 2019, 12:50:17 PM
to golang-nuts
Microsoft Windows [Version 10.0.18362.476]

Kyhle Ohlinger

Nov 23, 2019, 12:56:15 AM
to golang-nuts
I really don't know, I'm currently using:

OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.18362 N/A Build 18362

On Friday, November 22, 2019 at 9:50:17 PM UTC+4, JuciÊ Andrade wrote:
Microsoft Windows [Version 10.0.18362.476]

JuciÊ Andrade

Nov 23, 2019, 2:31:49 PM
to golang-nuts
If you have Delve installed it allows you to execute step-by-step inside Go library code.
Then you will know exactly what happens and will have access to the Windows error code.

Richard Grosman

Aug 1, 2025, 5:01:32 PM
to golang-nuts
Still exactly the same issue when trying to read a value from registry.