Windows Registry Keys¶
Structure¶
The Windows registry is structured in a tree format. Each node in the tree is called a registry key, and the child nodes of a node is also called the registry subkeys of the node.
Each node may or may not contain the data entries, where the data entries are called registry values. The registry values is a structure consists of 3 fields:
- The name of the registry value
- The data type of the registry value
- The data of the registry value
For example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileListis a registry keyHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18is also a registry keyHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileListhas a registry value whose name, type, and data arePublic,REG_EXPAND_SZ, and%SystemDrive%\Users\PublicHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18has a registry value whose whose name, type, and data areProfileImagePath,REG_EXPAND_SZ, and%systemroot%\system32\config\systemprofile.
Basic Operations¶
Query
reg query <KeyName> [{/v <ValueName> | /ve}] [/s] [/se <Separator>] [/f <Data>] [{/k | /d}] [/c] [/e] [/t <Type>] [/z]
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT" /f "*ProfileList*" /s
- The
<Data>in/f <Data>can be a search pattern with wildcard character ('*'), and it can be the name of the registry keys
Add/Modify
reg add <KeyName> [{/v ValueName | /ve}] [/t DataType] [/s Separator] [/d Data] [/f]
Delete
Reg delete <KeyName> [{/v ValueName | /ve | /va}] [/f]
Getting the Username from the HKEY_USERS values¶
Use one of the followings
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist" /s
Getting the Windows build version¶
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx