HTML Examples - VBScript Reads Registry

In July 1998, the html file shown below was recieved when you requested

http://support.microsoft.com/support/kb/articles/q151/7/23.asp

The url displayed as

http://register.microsoft.com/regwiz/wiz110.asp?CancelURL=file%3AA%3A%5Ctechnical%5CWinExplorer%5CWinExplorerDesktopIcons%2Ehtm&FinishURL=http%3A%2F%2Fsupport%2Emicrosoft%2Ecom%2Fsupport%2Fkb%2Farticles%2Fq151%2F7%2F23%2Easp

Which loosly translates to

http://register.microsoft.com/regwiz/wiz110.asp?
   CancelURL=file:A:\technical\WinExplorer\WinExplorerDesktopIcons.htm
  &FinishURL=http://support.microsoft.com/support/kb/articles/q151/7/23.asp

Which appears to mean

http://register.microsoft.com/regwiz/wiz110.asp?
   CancelURL=The calling page (this file syntax won't work with Netscape)
  &FinishURL=The page I want

(Netscape requires different slashes than IE4 to read a file from a floppy.)

It appears that if you are running Windows 98, then this page is pulling data out of the registry and sending it back to Microsoft. If true, this is a major security / privacy problem.

Specifically, it appears to return "RegWizCtrl.MSID" and either an operating system version number or information on whether or not this software was registered. I don't know enough to be sure.

The file shown below was reformatted to make it easier to read. In addition, the 2 registry keys that the script appears access are highlighted in red. (Scripting and Active X need to be disabled to capture this.)

<HTML>
<TITLE>Microsoft Corporation</TITLE>
<OBJECT ID="RegWizCtrl" STYLE="display: none" 
        CLASSID="CLSID:50E5E3D1-C07E-11D0-B9FD-00A0249F6B00" 
        WIDTH=0 HEIGHT=0>
</OBJECT>
<SCRIPT FOR=window EVENT=onload LANGUAGE="JavaScript">
<!--
 if (navigator.userAgent.indexOf("MSIE") >= 0 &&  
     navigator.userAgent.indexOf("Windows 98") >= 0)
   location.href = CheckFlags();
 else
   location.href = "/REGWIZ/wiz110.asp?CRF=Y&RWI=Y&CancelURL=
     file%3AA%3A%5Ctechnical%5CWinExplorer%5CWinExplorerDesktopIcons%2Ehtm
     &FinishURL=http%3A%2F%2Fsupport%2Emicrosoft%2Ecom%2Fsupport%2Fkb%2Farticles%2Fq151%2F7%2F23%2Easp"
//-->
</SCRIPT>

<SCRIPT LANGUAGE="VBScript">
<!--
 Function CheckFlags()
	on error resume next
	document.vlinkColor = document.bgColor
	document.alinkColor = document.bgColor
	document.linkColor = document.bgColor
	aProdKeys = Array("SOFTWARE\Microsoft\Windows\CurrentVersion", _
			  "SOFTWARE\Microsoft\Windows NT\CurrentVersion")
	sBuffer = "/REGWIZ/wiz110.asp?
           CRF=Y
           &RegMSID=" & RegWizCtrl.MSID & "
           &CancelURL=file%3AA%3A%5Ctechnical%5CWinExplorer%5CWinExplorerDesktopIcons%2Ehtm&FinishURL=http%3A%2F%2Fsupport%2Emicrosoft%2Ecom%2Fsupport%2Fkb%2Farticles%2Fq151%2F7%2F23%2Easp"
	for iCounter = LBound( aProdKeys ) to UBound( aProdKeys )
	  RegWizCtrl.IsRegistered = aProdKeys( iCounter )
	  if RegWizCtrl.IsRegistered then
	    if err.number = 0 then
	      sBuffer = sBuffer & "&D=" & CStr( iCounter )
	    end if
	  end if
	  if err.number then err.clear
	next
	CheckFlags = sBuffer
 End Function
rem -->
</SCRIPT>

<BODY BGCOLOR="#FFFFFF" leftmargin=0 TEXT="#336699" LINK="#003366" 
      VLINK="#0099cc" ALINK="#003366" TOPMARGIN=0>
<!--TOOLBAR_START-->
<!--TOOLBAR_EXEMPT-->
<!--TOOLBAR_END-->
<FONT FACE="Verdana, Arial, Helvetica" SIZE=2>
<BR>
<A HREF="/REGWIZ/wiz110.asp?
    CRF=Y&RWI=Y
    &CancelURL=file%3AA%3A%5Ctechnical%5CWinExplorer%5CWinExplorerDesktopIcons%2Ehtm
    &FinishURL=http%3A%2F%2Fsupport%2Emicrosoft%2Ecom%2Fsupport%2Fkb%2Farticles%2Fq151%2F7%2F23%2Easp">
    If your browser doesn't support JavaScript, click here to continue.
</FONT>
</BODY>
</HTML>