
Windows Registry 101

Last updated on November 23, 2019

When working with the Windows registry, there are some general things to keep in mind before you destroy your system:

  • key names and value names are not case sensitive, but value data can be (it is up to the program that reads it)
  • .reg file lines are applied to the registry in the order they appear in the file
  • if intermediate keys in a path do not exist, they are created
  • there is no limit on how many paths/locations you can edit in one file
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist lists the loaded registry hives and the files backing them – never found it useful… but remember that HKLM is the local machine, HKCU is the currently logged-on user, and NTUSER.DAT – a hidden file in the Default user profile (C:\Users\Default) – is the template registry hive for every newly created account – and IMO, that is useful to know
  • you can destroy your Windows installation by editing the registry if you don't know what you're doing – this is not a joke
  • PowerShell is great for registry editing, but you might have to get familiar with [gc]::Collect() (to release key handles before reg unload will succeed), -WhatIf and reinstalling
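The last two bullets in practice, as an added example (not code from the original post): mount the Default profile's NTUSER.DAT under a temporary HKU subkey, write one typed value with New-ItemProperty (dry run with -WhatIf first), then release PowerShell's key handles with [gc]::Collect() so reg unload does not fail. It assumes an elevated session; the key name Software\WorldDomination and the value name Enabled are placeholders.

```powershell
# Added example, not code from the original post.
# Edits the profile template (C:\Users\Default\NTUSER.DAT) that every new local
# profile is copied from: mount it under a temporary HKU subkey, write one value,
# release PowerShell's key handles, unmount. Run from an elevated session.
# The key 'Software\WorldDomination' and the value 'Enabled' are placeholders.
$HivePath  = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
$MountName = 'HKU\DefaultTemplate'
$KeyPath   = 'Registry::HKEY_USERS\DefaultTemplate\Software\WorldDomination'
$ValueName = 'Enabled'

# 1. Mount the hive. reg.exe signals failure through its exit code, not an exception.
reg.exe load $MountName $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed (exit $LASTEXITCODE): not elevated, or the hive is already in use?"
}

try {
    # 2. Create the key if needed, then write a typed value.
    #    The -WhatIf call only prints what would change; the second call does it.
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force -WhatIf
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

    # 3. Read it back before unmounting; a silent failure here would ship to every new profile.
    $readBack = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($readBack -ne 1) { throw "verification failed: read back '$readBack'" }
    "wrote $ValueName=$readBack under $KeyPath"
}
finally {
    # 4. The registry provider keeps RegistryKey objects alive until they are finalised;
    #    an open handle makes 'reg unload' fail with "Access is denied".
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    reg.exe unload $MountName | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed (exit $LASTEXITCODE); retry once nothing holds the key" }
}
```

The same load/edit/unload pattern works for any offline hive file (an NTUSER.DAT from another profile, or a SOFTWARE hive copied off a disk image), which is why the unload step matters: a hive left mounted stays locked until reboot.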

.reg FILES SYNTAX

Blank lines separate the key sections (regedit writes one before every key header). Multiple values can be listed one below the other for the same key:

Windows Registry Editor Version 5.00

[RegistryPath1]
"DataItemName1"="DataType1:DataValue1"
"DataItemName2"="DataType2:DataValue2"

[RegistryPath2]
"DataItemName3"="DataType3:DataValue3"

Registry keys should be in brackets:

[HKEY_CLASSES_ROOT\.386]

Values go right below keys:

[HKEY_CLASSES_ROOT\.386]
@="vxdfile"
"PerceivedType"="system"

Add a hyphen (-) in front of the key path to delete the key:

[-HKEY_CLASSES_ROOT\.386]

Same goes for values:

[HKEY_CLASSES_ROOT\.386]
@=-
"PerceivedType"=-

To rename a key or value, delete the old one and then create the new one (there is no rename operation in .reg files):

[-HKEY_LOCAL_MACHINE\SOFTWARE\WorldDomination\Stop\]
[HKEY_LOCAL_MACHINE\SOFTWARE\WorldDomination\Start\]

Comment lines start with a semicolon (;):

; this will delete the key below because of the - sign
[-HKEY_LOCAL_MACHINE\SOFTWARE\WorldDomination\Start\]

Long lines can be split with a trailing backslash; the continuation starts on the next line:

"REG_EXPAND_SZ"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,\
  52,00,4f,00,46,00,49,00,4c,00,45,00,25,00

Every file should end with a blank line.

DATATYPES

The data type follows the = sign after the value name (plain strings need no type declaration, they are just quoted). winnt.h defines 14 REG_* type constants (12 distinct types, since the *_LITTLE_ENDIAN names are aliases), but most work deals with fewer than half of those. PowerShell's New-ItemProperty -PropertyType lets you declare the 6 important ones (String, ExpandString, Binary, DWord, MultiString, QWord) and has Unknown for the rest. The common ones, as they appear in a .reg file, are (the values are arbitrary examples and do not have to mean anything):

; null-terminated string (the only type a .reg file writes as plain quoted text)
"REG_SZ"="Repeat after me: I am free"

; null-terminated string with environment variables that are expanded when the
; value is read; stored as UTF-16LE bytes, so the hex(2) below spells %USERPROFILE%
"REG_EXPAND_SZ"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,\
  52,00,4f,00,46,00,49,00,4c,00,45,00,25,00

; binary data (a bare hex: means REG_BINARY)
"REG_BINARY"=hex:00,80,8c,a3,c5,94,c6,01

; 32-bit integer, written as 8 hex digits
"REG_DWORD"=dword:00000001

; 64-bit integer, written as 8 little-endian bytes
"REG_QWORD"=hex(b):eb,a7,c9,cf,64,9e,d4,01

; array of null-terminated UTF-16LE strings, closed by an extra null (here: "a", "b")
"REG_MULTI_SZ"=hex(7):61,00,00,00,62,00,00,00,00,00


Other data types include:

  • REG_NONE (no defined data type)
  • REG_LINK (Unicode string holding a symbolic link target)
  • REG_RESOURCE_LIST (binary: list of hardware resources used by a device driver)
  • REG_FULL_RESOURCE_DESCRIPTOR (binary: a single hardware resource descriptor)
  • REG_RESOURCE_REQUIREMENTS_LIST (binary: a device's resource requirements list)

REG_DWORD_LITTLE_ENDIAN and REG_QWORD_LITTLE_ENDIAN are the same thing as REG_DWORD/REG_QWORD (Windows is little-endian), and there is also REG_DWORD_BIG_ENDIAN…
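The .reg syntax rules and the data type encodings above, put together in an added example (not code from the original post): a small reader that joins backslash-continued lines, skips comments, tracks [key] and [-key] headers and decodes quoted strings, dword: and hex(n): payloads into their real values. Worth having around, because a hex(2) or hex(7) payload is unreadable by eye, and a Run key entry or a service ImagePath hidden in one looks like any other blob until you decode it. The sample .reg text at the bottom is constructed for this example from the snippets above.

```powershell
# Added example, not code from the original post: a reader for the .reg format above.
# It joins '\'-continued lines, skips ';' comments, tracks [key] / [-key] headers and
# decodes the value encodings (quoted REG_SZ, dword:, hex:, hex(n):). The sample at
# the end is constructed for this example.
function ConvertFrom-RegData {
    param([Parameter(Mandatory)][string]$Data)
    # REG_* type codes from winnt.h; a .reg file writes them as hex(<code>).
    $typeNames = @{ 0 = 'REG_NONE'; 1 = 'REG_SZ'; 2 = 'REG_EXPAND_SZ'; 3 = 'REG_BINARY'; 4 = 'REG_DWORD'
                    5 = 'REG_DWORD_BIG_ENDIAN'; 6 = 'REG_LINK'; 7 = 'REG_MULTI_SZ'; 8 = 'REG_RESOURCE_LIST'
                    9 = 'REG_FULL_RESOURCE_DESCRIPTOR'; 10 = 'REG_RESOURCE_REQUIREMENTS_LIST'; 11 = 'REG_QWORD' }
    switch -Regex ($Data) {
        '^-$'                      { return @{ Type = 'DELETE_VALUE'; Value = $null } }
        '^"(.*)"$'                 { return @{ Type = 'REG_SZ'; Value = ($Matches[1] -replace '\\(.)', '$1') } }
        '^dword:([0-9a-fA-F]{8})$' { return @{ Type = 'REG_DWORD'; Value = [Convert]::ToUInt32($Matches[1], 16) } }
        '^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$' {
            $code  = if ($Matches[1]) { [Convert]::ToInt32($Matches[1], 16) } else { 3 }   # bare hex: = REG_BINARY
            $bytes = [byte[]]@($Matches[2] -split ',' | Where-Object { $_ -ne '' } | ForEach-Object { [Convert]::ToByte($_, 16) })
            $text  = [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)   # string types are UTF-16LE
            $value = switch ($code) {
                { $_ -in 1, 2, 6 } { $text }
                7  { $text.Split([char]0) }                                     # one element per string
                4  { [BitConverter]::ToUInt32($bytes, 0) }                      # little-endian
                5  { [BitConverter]::ToUInt32($bytes[($bytes.Length - 1)..0], 0) }
                11 { [BitConverter]::ToUInt64($bytes, 0) }
                default { ($bytes | ForEach-Object { $_.ToString('x2') }) -join '' }
            }
            $name = if ($typeNames.ContainsKey($code)) { $typeNames[$code] } else { "REG_TYPE_$code" }
            return @{ Type = $name; Value = $value }
        }
        default { throw "unknown data encoding: $Data" }
    }
}

function Read-RegFile {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Pass 1: a trailing backslash joins the next line (regedit wraps long hex values that way).
    $logical = [System.Collections.Generic.List[string]]::new()
    $buffer  = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line.EndsWith('\')) { $buffer += $line.Substring(0, $line.Length - 1); continue }
        $logical.Add($buffer + $line); $buffer = ''
    }
    if ($buffer) { $logical.Add($buffer) }
    # Pass 2: headers and values, emitted in file order (the order regedit applies them).
    $currentKey = $null
    foreach ($line in $logical) {
        if ($line -eq '' -or $line.StartsWith(';') -or $line -match '^(Windows Registry Editor|REGEDIT4)') { continue }
        if ($line -match '^\[(-?)(.+)\]$') {
            $currentKey = $Matches[2]
            if ($Matches[1] -eq '-') {
                [pscustomobject]@{ Key = $currentKey; Name = $null; Type = 'DELETE_KEY'; Value = $null }
                $currentKey = $null
            }
            continue
        }
        if ($null -eq $currentKey) { throw "value line outside any [key]: $line" }
        if (-not ($line -match '^(?:"(?<name>(?:[^"\\]|\\.)*)"|(?<at>@))=(?<data>.*)$')) { throw "unparsable line: $line" }
        $name = if ($Matches['at']) { '(Default)' } else { $Matches['name'] -replace '\\(.)', '$1' }
        $data = ConvertFrom-RegData -Data $Matches['data']
        [pscustomobject]@{ Key = $currentKey; Name = $name; Type = $data.Type; Value = $data.Value }
    }
}

# Constructed sample assembled from the snippets above. A real export is UTF-16LE with a
# BOM, which Get-Content handles: Read-RegFile -Lines (Get-Content .\export.reg)
$sample = @'
Windows Registry Editor Version 5.00

; the two lines of the REG_EXPAND_SZ value are joined before decoding
[HKEY_CURRENT_USER\Software\WorldDomination]
@="vxdfile"
"REG_SZ"="Repeat after me: I am free"
"REG_EXPAND_SZ"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,\
  52,00,4f,00,46,00,49,00,4c,00,45,00,25,00
"REG_BINARY"=hex:00,80,8c,a3,c5,94,c6,01
"REG_DWORD"=dword:00000001
"REG_QWORD"=hex(b):eb,a7,c9,cf,64,9e,d4,01
"REG_MULTI_SZ"=hex(7):61,00,00,00,62,00,00,00,00,00
"Obsolete"=-

[-HKEY_CURRENT_USER\Software\WorldDomination\Stop]
'@ -split "`r?`n"

Read-RegFile -Lines $sample | Format-Table Key, Name, Type, Value -AutoSize
```

In the output the REG_EXPAND_SZ row reads %USERPROFILE%, the REG_MULTI_SZ row is the pair a, b, "Obsolete" shows up as DELETE_VALUE and the last row is the key deletion. Run a third-party .reg file through this before importing it, and review any REG_EXPAND_SZ or REG_MULTI_SZ value under Run, RunOnce, Services or Image File Execution Options paths.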

ACCESS DENIED 

Getting Access Denied when trying to manipulate registry tells you that this stuff is important and can result in a lot of crying if you mess up. Like with the file system, often you will have to take ownership of the item first, and then give yourself full permissions. If you don’t know how/why to do it, DON’T do it.

Make a note of the default permissions if you plan on restoring them later (Get-Acl on the key, or the Permissions dialog in RegEdit, shows them). Typical default permission holders are:

  • NT SERVICE\TrustedInstaller (usually the owner of system keys)
  • NT AUTHORITY\SYSTEM
  • BUILTIN\Administrators
  • BUILTIN\Users
  • your own account (COMPUTERNAME\username), typically on keys under HKCU
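The "note the defaults first" advice as a script, added here as an example (not code from the original post): it records the key's full security descriptor as SDDL before anything changes, grants the current user Full Control (dry run with -WhatIf first) and later puts the saved DACL back. It assumes an elevated session and uses a placeholder key path. Granting yourself access only works if you already hold WRITE_DAC on the key, i.e. you own it or its DACL already allows it; taking ownership away from TrustedInstaller additionally needs SeTakeOwnershipPrivilege enabled in your token, which this example does not do.

```powershell
# Added example, not code from the original post.
# Records a key's security descriptor (owner + DACL) as SDDL before any change,
# grants the current user Full Control, and restores the saved DACL afterwards.
# Run elevated. The key path is a placeholder.
$KeyPath    = 'HKLM:\SOFTWARE\WorldDomination'
$BackupFile = Join-Path $env:TEMP 'WorldDomination.sddl'

function Save-KeyAcl {
    param([string]$Path, [string]$File)
    $acl  = Get-Acl -Path $Path
    $sddl = $acl.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    Set-Content -Path $File -Value $sddl -Encoding ASCII
    [pscustomobject]@{ Owner = $acl.Owner; Sddl = $sddl }
}

function Grant-KeyFullControl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path,
        [string]$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    )
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # subkeys inherit it
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "grant FullControl to $Identity")) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

function Restore-KeyAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$File)
    $acl = Get-Acl -Path $Path
    # Only the DACL section is put back; restoring a foreign owner (TrustedInstaller)
    # would need SeRestorePrivilege enabled.
    $acl.SetSecurityDescriptorSddlForm(
        (Get-Content -Path $File -Raw).Trim(),
        [System.Security.AccessControl.AccessControlSections]::Access)
    if ($PSCmdlet.ShouldProcess($Path, 'restore saved DACL')) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Workflow: snapshot, dry run, grant, do the edit, restore.
$before = Save-KeyAcl -Path $KeyPath -File $BackupFile
"owner before: $($before.Owner)"
Grant-KeyFullControl -Path $KeyPath -WhatIf
Grant-KeyFullControl -Path $KeyPath
# ... make the change you needed the access for ...
Restore-KeyAcl -Path $KeyPath -File $BackupFile
```

Keep the .sddl file: a key whose DACL now grants a user Full Control is exactly what a persistence hunt looks for, and the saved descriptor is the only record of what "normal" looked like.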

REGEDIT

RegEdit is cool, you can:

  • add keys to favorites – browse to the registry part that you want to save, go to the Favorites menu, and Add. You can use any name you want for the saved location. Your saved registry spots will then appear in the Favorites menu ready for quick access:

    [Image: RegEdit Favorites menu with a few saved positions.]
  • regedit.exe has a silent import option: use the /s switch so you can apply .reg files from .bat files without the confirmation dialogs
  • if you want more than one running copy, the /m switch allows you to open multiple instances of regedit
  • exporting keys is done with regedit /e path_to_exported_file "key_you_want_to_export" – for example:
regedit.exe /e .\ccc.reg "HKEY_LOCAL_MACHINE\SOFTWARE\AAW\Start"

COMMAND LINE

Working with the Windows registry can also be done with the REG utility (reg.exe). I often use it in scripting, when I might have to loop through many small .reg files and apply all their contents. In general, it is a great tool for editing the registry from within other scripts you might be developing. REG has several subcommands:

  • add: add a new subkey/entry
  • compare: compare registry subkeys/entries.
  • copy: copy a subkey to another subkey
  • delete: delete a subkey/entry from the registry
  • export : create a copy of specified subkeys/entries/values in a .reg (text) format
  • import: merge a .reg file containing exported registry subkeys/entries/values into the registry
  • load: mount a hive file saved with reg save (or an offline hive such as NTUSER.DAT) under a new subkey, e.g. HKU\Temp
  • query: display the data in a subkey/value
  • restore: overwrite a subkey with the contents of a hive file saved with reg save
  • save: save a copy of the specified subkey/entries/values in hive (binary) format
  • unload: remove a hive that was mounted with reg load
  • reg /?: list all available commands
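The "loop through many small .reg files" routine, as an added example (not code from the original post): for every .reg file in a folder it first saves each key the file touches with reg save, so a bad change can be rolled back with reg restore, then imports the file with reg import and checks the exit code, which is the only way reg.exe reports failure. The folder, key and value names are placeholders.

```powershell
# Added example, not code from the original post.
# Applies every .reg file in a folder with reg.exe, first saving each key the file
# touches in hive format so it can be put back with 'reg restore'. Folder, key and
# value names are placeholders.
$RegFolder = 'C:\Deploy\reg'
$BackupDir = Join-Path $env:TEMP ('regbackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# reg.exe wants the short root names.
$RootAlias = @{
    'HKEY_LOCAL_MACHINE' = 'HKLM'; 'HKEY_CURRENT_USER' = 'HKCU'; 'HKEY_CLASSES_ROOT' = 'HKCR'
    'HKEY_USERS' = 'HKU'; 'HKEY_CURRENT_CONFIG' = 'HKCC'
}

function Get-RegFileKeys {
    # Every [HKEY_...\path] or [-HKEY_...\path] header in the file, as reg.exe-style keys.
    param([string]$Path)
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match '^\[-?(HKEY_[A-Z_]+)\\(.+)\]\s*$' -and $RootAlias.ContainsKey($Matches[1])) {
            '{0}\{1}' -f $RootAlias[$Matches[1]], $Matches[2]
        }
    } | Sort-Object -Unique
}

function Invoke-RegFile {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$BackupDir)
    $n = 0
    foreach ($key in Get-RegFileKeys -Path $Path) {
        $hiv = Join-Path $BackupDir ('{0}.{1}.hiv' -f (Split-Path -Path $Path -Leaf), $n)
        $n++
        # 'reg save' exits 1 when the key does not exist yet, which is normal for a file
        # that creates keys; anything else is worth a look before importing.
        reg.exe save $key $hiv /y | Out-Null
        if ($LASTEXITCODE -eq 0) { "saved $key -> $hiv" }
        else { Write-Warning "no backup of $key (reg save exit $LASTEXITCODE)" }
    }
    if ($PSCmdlet.ShouldProcess($Path, 'reg import')) {
        reg.exe import $Path | Out-Null        # regedit.exe /s "$Path" would do the same
        if ($LASTEXITCODE -ne 0) { throw "reg import failed for $Path (exit $LASTEXITCODE)" }
    }
}

Get-ChildItem -Path $RegFolder -Filter *.reg | Sort-Object Name | ForEach-Object {
    Invoke-RegFile -Path $_.FullName -BackupDir $BackupDir
}

# Spot-check one value afterwards (placeholder key and value name).
reg.exe query 'HKLM\SOFTWARE\WorldDomination\Start' /v Enabled
```

Call Invoke-RegFile with -WhatIf to see which files would be imported without touching the registry; the backups are still taken, which is usually what you want. To roll back: reg restore HKLM\SOFTWARE\WorldDomination path\to\file.hiv (the key must already exist).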

RELOADING HKCU

Many per-user (HKCU) desktop and Explorer settings can be refreshed without logging off and on again:

RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True

Not every HKCU change is picked up this way – most programs read their settings only at startup – so check that the setting you changed actually took effect.

USEFUL STUFF

This is a permanent work-in-progress section, with links to all useful and interesting things that you can achieve with Windows registry:
