none
Registry confusion RRS feed

  • Question

  • Hi

    I am using the code below to set a value in the registry

    What value is for is not relevant to problem - but it sets maximum size of ForwardedEvents event log

    Any if I used this code it works fine and sets value:-

      Dim registry = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64).OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents\", True)
            registry.SetValue("MaxSize", 123456) ' in bytes 
            registry.Close()

    screenshot of registry where you can see it has worked

    But I need to set the size to 2GB and since value is in bytes I use code below:-

     Dim registry = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64).OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents\", True)
            registry.SetValue("MaxSize", 2147483648) ' in bytes 
            registry.Close()
    

    but when I use a larger value something odd happens and it changes the type of the registry key from REG_DWORD to REG_SZ as per screenshot

    Why? and how can I get round this please


    Darren Rose

    Wednesday, January 17, 2018 5:43 PM

Answers

  • Hi

    I am using the code below to set a value in the registry

    What value is for is not relevant to problem - but it sets maximum size of ForwardedEvents event log

    Any if I used this code it works fine and sets value:-

      Dim registry = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64).OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents\", True)
            registry.SetValue("MaxSize", 123456) ' in bytes 
            registry.Close()

    screenshot of registry where you can see it has worked

    But I need to set the size to 2GB and since value is in bytes I use code below:-

     Dim registry = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64).OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents\", True)
            registry.SetValue("MaxSize", 2147483648) ' in bytes 
            registry.Close()

    but when I use a larger value something odd happens and it changes the type of the registry key from REG_DWORD to REG_SZ as per screenshot

    Why? and how can I get round this please


    Darren Rose

    Try using 2147483647 instead, as the max value because that is the max value of a 32 bit signed integer. The min value of a 32 bit integer is -2147483648.


    Hire Me For This Job!
    Don't forget to vote for Helpful Posts and Mark Answers!
    *This post does not reflect the opinion of Microsoft, or its employees.


    • Edited by Paul IshakModerator Wednesday, January 17, 2018 6:09 PM
    • Marked as answer by wingers Wednesday, January 17, 2018 6:23 PM
    Wednesday, January 17, 2018 6:08 PM
    Moderator

All replies

  • Further to this

    If I set the size manually view event log and the properties of the Forwarded Events log then the registry correctly shows the value without changing the key type, so I know value is okay and can be used - so must be how I am doing it?


    Darren Rose

    Wednesday, January 17, 2018 5:59 PM
  • Hi

    I am using the code below to set a value in the registry

    What value is for is not relevant to problem - but it sets maximum size of ForwardedEvents event log

    Any if I used this code it works fine and sets value:-

      Dim registry = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64).OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents\", True)
            registry.SetValue("MaxSize", 123456) ' in bytes 
            registry.Close()

    screenshot of registry where you can see it has worked

    But I need to set the size to 2GB and since value is in bytes I use code below:-

     Dim registry = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64).OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents\", True)
            registry.SetValue("MaxSize", 2147483648) ' in bytes 
            registry.Close()

    but when I use a larger value something odd happens and it changes the type of the registry key from REG_DWORD to REG_SZ as per screenshot

    Why? and how can I get round this please


    Darren Rose

    Try using 2147483647 instead, as the max value because that is the max value of a 32 bit signed integer. The min value of a 32 bit integer is -2147483648.


    Hire Me For This Job!
    Don't forget to vote for Helpful Posts and Mark Answers!
    *This post does not reflect the opinion of Microsoft, or its employees.


    • Edited by Paul IshakModerator Wednesday, January 17, 2018 6:09 PM
    • Marked as answer by wingers Wednesday, January 17, 2018 6:23 PM
    Wednesday, January 17, 2018 6:08 PM
    Moderator
  • Hi

    The maximum value is a 32bit number and that is 2,147,483,647 (1 less than you are trying to set)

    Maybe try using a Reg_QWord which is a 64bit number.


    Regards Les, Livingston, Scotland

    Wednesday, January 17, 2018 6:11 PM
  • Thank you both for you replies

    Using 2147483647 does seem to work thank you, should have thought of the max for 32 bit integer

    But if I set the 2Gb limit in Event Viewer then registry value correctly populates as 2147483648 which is above that limit - so odd windows can set it via event viewer and we can't via .NET

    Screenshot below of value showing 2147483648 after setting it via event viewer

     If I use QWord then value sets okay in registry but event viewer then gets confused about size and shows error


    Darren Rose

    Wednesday, January 17, 2018 6:20 PM

  • Screenshot below of value showing 2147483648 after setting it via event viewer

     If I use QWord then value sets okay in registry but event viewer then gets confused about size and shows error


    Darren Rose

    Strange indeed, maybe event viewer is somehow specifying the value of the DWORD as an unsigned 32 bit integer, in which case the max value would be 4294967295

    Hire Me For This Job!
    Don't forget to vote for Helpful Posts and Mark Answers!
    *This post does not reflect the opinion of Microsoft, or its employees.

    Wednesday, January 17, 2018 11:17 PM
    Moderator

  • Screenshot below of value showing 2147483648 after setting it via event viewer

     If I use QWord then value sets okay in registry but event viewer then gets confused about size and shows error


    Darren Rose

    Strange indeed, maybe event viewer is somehow specifying the value of the DWORD as an unsigned 32 bit integer, in which case the max value would be 4294967295

    Darren, I know you marked this as resolved, but just as a learning experience, try something like this:

     registry.SetValue("MaxSize", UInt32.MaxValue) ' in bytes 


    Hire Me For This Job!
    Don't forget to vote for Helpful Posts and Mark Answers!
    *This post does not reflect the opinion of Microsoft, or its employees.


    Wednesday, January 17, 2018 11:19 PM
    Moderator
  • Strange indeed, maybe event viewer is somehow specifying the value of the DWORD as an unsigned 32 bit integer, in which case the max value would be 4294967295

    Darren, I know you marked this as resolved, but just as a learning experience, try something like this:

     registry.SetValue("MaxSize", UInt32.MaxValue) ' in bytes 



    Just tried that and it sets it as 4294967295 but changes type from REG_DWORD to REG_SZ

    Darren Rose

    Wednesday, January 17, 2018 11:23 PM

  • Just tried that and it sets it as 4294967295 but changes type from REG_DWORD to REG_SZ

    Darren Rose

    Hmm... Not sure why the discrepancy exists.... I'll do some tests and see what I figure out  in a little while...

    Hire Me For This Job!
    Don't forget to vote for Helpful Posts and Mark Answers!
    *This post does not reflect the opinion of Microsoft, or its employees.

    Wednesday, January 17, 2018 11:24 PM
    Moderator
  • Strange indeed, maybe event viewer is somehow specifying the value of the DWORD as an unsigned 32 bit integer, in which case the max value would be 4294967295

    Darren, I know you marked this as resolved, but just as a learning experience, try something like this:

     registry.SetValue("MaxSize", UInt32.MaxValue) ' in bytes 



    Just tried that and it sets it as 4294967295 but changes type from REG_DWORD to REG_SZ

    Darren Rose

    I have done some testing, and I now believe that event viewer is setting the "-" values, and not "+" values.

    Basically I think what you screenshotted was a negative DWORD in the registry, hence the parenthesis. See my pic below.

    Observe this example:

        My.Computer.Registry.SetValue("HKEY_CURRENT_USER\MyTestKey","MyTestKeyValue2", Int32.MinValue, Microsoft.Win32.RegistryValueKind.DWord)


    Hire Me For This Job!
    Don't forget to vote for Helpful Posts and Mark Answers!
    *This post does not reflect the opinion of Microsoft, or its employees.

    Wednesday, January 17, 2018 11:31 PM
    Moderator
  • no because even for lower values you see the parenthesis

    the value is showing as HEX (DECIMAL)


    Darren Rose

    Wednesday, January 17, 2018 11:37 PM
  • no because even for lower values you see the parenthesis

    the value is showing as HEX (DECIMAL)


    Darren Rose

    I see that now, but nonetheless, this is what is happening.

    Here is the final proof:

        Sub d()
            My.Computer.Registry.SetValue("HKEY_CURRENT_USER\MyTestKey", "MyTestKeyValue1", Int32.MinValue, Microsoft.Win32.RegistryValueKind.DWord)
            My.Computer.Registry.SetValue("HKEY_CURRENT_USER\MyTestKey", "MyTestKeyValue2", Int32.MaxValue, Microsoft.Win32.RegistryValueKind.DWord)
    
        End Sub


    Hire Me For This Job!
    Don't forget to vote for Helpful Posts and Mark Answers!
    *This post does not reflect the opinion of Microsoft, or its employees.

    Wednesday, January 17, 2018 11:38 PM
    Moderator
  • So even though int32.minvalue is a negative value when adding it to registry it can't show negative so shows it as value I wanted

    Okay was handy working out why, but at least I can use that or just use my figure less 1 to get it working without changing value type

    Thanks


    Darren Rose

    Wednesday, January 17, 2018 11:44 PM
  • So even though int32.minvalue is a negative value when adding it to registry it can't show negative so shows it as value I wanted

    Okay was handy working out why, but at least I can use that or just use my figure less 1 to get it working without changing value type

    Thanks


    Darren Rose

    Its because the bytes are all 0's. If you modify the binary value in the registry you will see that.

    Hire Me For This Job!
    Don't forget to vote for Helpful Posts and Mark Answers!
    *This post does not reflect the opinion of Microsoft, or its employees.

    Wednesday, January 17, 2018 11:47 PM
    Moderator