Tuesday, 1 July 2014

Working with the Registry in Command Prompt

Working with the Registry

The Windows registry stores configuration settings. Using the Reg command-line utility, you can view, add, delete, compare, and copy registry entries. Because the Windows registry is essential to the proper operation of the operating system, make changes to the registry only when you know how these changes will affect the system. Before you edit the registry in any way, perform a complete system backup and create a system recovery data snapshot. This way, if you make a mistake, you can recover the registry and the system.
Caution 
Improperly modifying the Windows registry can cause serious problems. If the registry becomes corrupted, you might have to reinstall the operating system. Double-check the commands you use before executing them. Make sure that they do exactly what you intend.

Understanding Registry Keys and Values

The Windows registry stores configuration settings for the operating system, applications, users, and hardware. Registry settings are stored as keys and values, which are placed under a specific root key controlling when and how the keys and values are used.
Table 5-1 lists the registry root keys as well as a description and the reference name you use to refer to each root key when working with the REG command. Under the root keys, you’ll find the main keys that control system, user, application, and hardware settings. These keys are organized into a tree structure, with folders representing keys. For example, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, you’ll find folders for all services installed on the system. Within these folders are the registry keys that store important service configuration settings and their subkeys.


Table 5-1: Keys in the Windows Registry

Root Key             Reference Name   Description
HKEY_CURRENT_USER    HKCU             Stores configuration settings for the current user.
HKEY_LOCAL_MACHINE   HKLM             Stores system-level configuration settings.
HKEY_CLASSES_ROOT    HKCR             Stores configuration settings for applications and files. Also ensures the correct application is opened when a file is accessed.
HKEY_USERS           HKU              Stores default-user and other-user settings by profile.
HKEY_CURRENT_CONFIG  HKCC             Stores information about the hardware profile being used.

Keys that you want to work with must be designated by their folder path. For example, the path to the DNS key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS; using the abbreviated path HKLM\SYSTEM\CurrentControlSet\Services\DNS, you can view and manipulate this key.

Key values are stored as a specific data type. Table 5-2 provides a summary of the main data types used with keys.
Table 5-2: Registry Key Values and Data Types

Data Type        Example                       Description
REG_BINARY       01 00 14 80 90 00 00 9c 00    Identifies a binary value. Binary values are stored using base-2 (0 or 1 only) but are displayed and entered in hexadecimal (base-16) format.
REG_SZ           DNS Server                    Identifies a string value containing a sequence of characters.
REG_DWORD        0x00000002                    Identifies a DWORD value, which is composed of hexadecimal data with a maximum length of four bytes.
REG_MULTI_SZ     Tcpip Afd RpcSc               Identifies a multiple string value.
REG_EXPAND_SZ    %SystemRoot%\dns.exe          Identifies an expandable string value, which is usually used with directory paths.

So long as you know the key path and understand the available key data types, you can use the REG command to view and manipulate keys in a variety of ways. REG has several subcommands; the sections that follow discuss each of the following:
  • REG add  Adds a new subkey or entry to the registry
  • REG delete  Deletes a subkey or entries from the registry
  • REG query  Lists the entries under a key and the names of subkeys (if any)
  • REG compare  Compares registry subkeys or entries
  • REG copy  Copies a registry entry to a specified key path on a local or remote system
  • REG restore  Writes saved subkeys, entries, and values back to the registry
  • REG save  Saves a copy of specified subkeys, entries, and values to a file
Note 
The REG command is run using the permissions of the current user. If you want to use a different set of permissions, the easiest way is to log on as that user.

Querying Registry Values

Using REG query, you can read registry values by referencing the full path and name of a key or key value that you want to examine. The basic syntax is
reg query KeyName [/v ValueName]
where KeyName is the name of the key you want to examine and ValueName is an optional parameter that specifies a specific key value. In the following example, you query the DNS key under the current control set:
reg query HKLM\SYSTEM\CurrentControlSet\Services\DNS

Alternatively, if you know the specific key value you want to examine, you can limit the query results using the /V parameter. In this example, you list the value of the ImagePath entry for the DNS key:

reg query HKLM\SYSTEM\CurrentControlSet\Services\DNS /v ImagePath

The key path can also include the UNC name or IP address of a remote computer that you want to examine, such as \\Mailer1 or \\192.168.1.100. However, keep in mind that on a remote computer, you can only work with the HKLM and HKU root keys. In this example, you examine the DNS key on MAILER1:

reg query \\Mailer1\HKLM\SYSTEM\CurrentControlSet\Services\DNS

Note 
If you specify a nonexistent key or value, an error message is displayed. Typically, it reads: ERROR: The system was unable to find the specified registry key or value.
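The two outcomes described above, a value that is found and a key that does not exist, can be told apart from the REG query exit code. The following batch script is an added example, not code from the original post; the service names are assumed for illustration (DNS exists only where the DNS Server role is installed, and NoSuchService is deliberately missing).

```batch
@echo off
setlocal
rem Added example, not from the original post: read the ImagePath value of several
rem services with REG query and flag any key or value that does not exist.
rem The service names are assumed for illustration; NoSuchService is deliberately
rem missing so that the error path is exercised.
set "ROOT=HKLM\SYSTEM\CurrentControlSet\Services"

rem reg query exits with code 1 and prints the ERROR: message when the key or
rem value is not found, so the errorlevel tells the two cases apart.
rem A found value prints a line of the form
rem     ImagePath    REG_EXPAND_SZ    path-to-the-service-binary
rem which tokens=1,2,* splits into the value name, the data type and the data.
for %%S in (DNS Dnscache W32Time NoSuchService) do (
    reg query "%ROOT%\%%S" /v ImagePath >nul 2>nul
    if errorlevel 1 (
        echo [MISSING] %%S: no ImagePath value under %ROOT%\%%S
    ) else (
        for /f "tokens=1,2,*" %%A in ('reg query "%ROOT%\%%S" /v ImagePath ^| findstr /i "ImagePath"') do (
            echo [OK]      %%S: %%B %%C
        )
    )
)
endlocal
```

Save it as a .cmd file and run it from a Command Prompt; no elevation is needed because REG query only reads the keys.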

Comparing Registry Keys

With REG compare, you can compare registry entries and values between two systems or between two different keys on the same system. Performing registry comparisons is useful in the following situations:
  • When you are trying to troubleshoot service and application configuration issues  At such times, it is useful to compare the registry configurations between two different systems. Ideally, these systems include one that appears to be configured properly and one that you suspect is misconfigured. You can then perform a comparison of the configuration areas that you suspect are causing problems.
  • When you want to ensure an application or service is configured the same way on multiple systems  Here you would use one system as the basis for testing the other system configurations. Ideally, the basis system is configured exactly as expected before you start comparing its configuration to other systems.
The basic syntax for REG compare is
reg compare KeyName1 KeyName2 [/v ValueName]
where KeyName1 and KeyName2 are the names of the subkeys that you want to compare and ValueName is an optional parameter that specifies a specific key value to compare. The key name can include the UNC name or IP address of a remote computer that you want to examine. In the following example, you compare the DNS key under the current control set on MAILER1 and MAILER2:
reg compare \\Mailer1\HKLM\SYSTEM\CurrentControlSet\Services\DNS \\Mailer2\HKLM\SYSTEM\CurrentControlSet\Services\DNS
If the keys are configured the same, the output is

Results Compared: Identical
The operation completed successfully.
If the keys are configured differently, the output shows the differences. Any differences that begin with the < character pertain to the first key specified and differences that begin with the > character pertain to the second key specified. The output will also state

Results Compared: Different
The operation completed successfully.
Tip 
Differences are displayed because the /Od parameter is assumed by default. Using additional parameters, you can also specify that you want to see all differences and matches (/Oa), only matches (/Os), or only the results (/On).
Additionally, if you want to compare all subkeys and entries recursively, you can add the /S parameter, as shown in the following example:

reg compare \\Mailer1\HKLM\SYSTEM\CurrentControlSet\Services\DNS \\Mailer2\HKLM\SYSTEM\CurrentControlSet\Services\DNS /s
Now the key, all subkeys, and all related entries for the DNS key on MAILER1 and MAILER2 are compared.
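The second situation listed above, checking that a service is configured the same way on several systems, is easy to script around the REG compare exit code. This batch script is an added example and is not from the original post; the host names (Mailer1 as the reference, Mailer2 and Mailer3 as the systems to check) and the log location are assumptions.

```batch
@echo off
setlocal
rem Added example, not from the original post: check whether the DNS service key
rem on several hosts still matches a reference host, using REG compare with /s.
rem The host names and the log location are assumed for illustration.
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\DNS"
set "REFHOST=Mailer1"
set "LOG=%TEMP%\regdrift.log"

rem /s compares every subkey recursively. /Od is the default, so only
rem differences are logged: lines opening with the less-than character come
rem from the reference key, lines opening with the greater-than character
rem from the host being checked.
rem reg compare exit codes: 0 identical, 1 comparison failed, 2 different.
echo Drift check against \\%REFHOST% on %DATE% %TIME% > "%LOG%"
for %%H in (Mailer2 Mailer3) do (
    echo ==== \\%%H ====>> "%LOG%"
    reg compare "\\%REFHOST%\%KEY%" "\\%%H\%KEY%" /s >> "%LOG%" 2>&1
    if errorlevel 2 (
        echo [DRIFT] \\%%H differs from \\%REFHOST% - details in "%LOG%"
    ) else if errorlevel 1 (
        echo [ERROR] \\%%H could not be compared - host unreachable or key missing
    ) else (
        echo [MATCH] \\%%H is identical to \\%REFHOST%
    )
)
endlocal
```

Because only HKLM and HKU are reachable remotely, the script works for keys under those root keys only.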

Saving and Restoring Registry Keys

Before modifying registry entries, it is a good idea to save the keys you will use. If anything goes wrong, you can restore those keys to their original settings. To save a copy of a registry subkey and all its related subkeys and values, use REG save, as shown here:
reg save KeyName "FileName"
where KeyName is the path to the subkey you want to save and FileName is the text name of the registry hive file you want to create. The subkey path can include the UNC name or IP address of a remote computer. However, on a remote computer, you can only work with the HKLM and HKU root keys. Additionally, the file name must be enclosed in double quotation marks and should end in the .hiv extension to indicate it is a registry hive file, as shown in the following example:
reg save HKLM\SYSTEM\CurrentControlSet\Services\DNS "DNSKey.hiv"
Here, you are saving the DNS subkey and its related subkeys and values to the file named DNSKey.hiv. The file name can also include a directory path, as shown in this example:
reg save \\Mailer1\HKLM\SYSTEM\CurrentControlSet\Services\DNS "\\Mailer1\SavedData\DNSKey.hiv"
If the registry hive file exists, you will be prompted to overwrite the file. Press Y to overwrite. If you want to force overwrite without prompting, use the /Y parameter.
To restore a registry key that you saved previously, use REG restore. The syntax for REG restore is
reg restore KeyName "FileName"
where KeyName is the path to the subkey you want to restore and FileName is the name of the registry hive file to use as the restore source. Unlike REG copy, REG restore can be used only on a local computer, meaning you cannot restore registry keys on a remote computer using the command. You can, however, start a remote desktop session on the remote computer and run REG restore from that session, where the key is local.
An example using REG restore is shown here:
reg restore HKLM\SYSTEM\CurrentControlSet\Services\DNS "DNSKey.hiv"
Here, you are restoring the DNS key saved previously to the DNSKey.hiv file.

Adding Registry Keys

To add subkeys and values to the Windows registry, use REG add. The basic syntax for creating a key or value is
reg add KeyName /v ValueName /t DataType /d Data
where KeyName is the name of the key you want to add to, ValueName is the name of the value to create under that key, DataType is the type of data, and Data is the actual value you are inserting. That seems like a lot of parameters, but it is fairly straightforward. Consider the following example:
reg add HKLM\SYSTEM\CurrentControlSet\Services\DNS /v DisplayName /t REG_SZ /d "DNS Server"
Here, you add a key value called DisplayName to the DNS key in the registry. The key entry is a string with the “DNS Server” value. Note the double-quotation marks. The quotation marks are necessary in this example because the string contains a space.
When you set expandable string values (REG_EXPAND_SZ), you must use the caret (^) to escape the percent symbols (%) that designate the environment variable you use. Consider the following example:
reg add HKLM\SYSTEM\CurrentControlSet\Services\DNS /v ImagePath /t REG_EXPAND_SZ /d ^%SystemRoot^%\System32\dns.exe
Here, you enter ^%SystemRoot^% so that the SystemRoot environment variable is properly entered and interpreted.
When you set non-string values, you don’t need to use quotation marks, as shown in this example:
reg add HKLM\SYSTEM\CurrentControlSet\Services\DNS /v ErrorControl /t REG_DWORD /d 0x00000001
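The REG save, REG add and REG restore steps above fit together as one change-with-rollback procedure. The batch script below is an added example, not code from the original post; the backup file location is assumed, and the script writes the same three DNS values shown above, so point KEY at a test key before running it against a production service. One caveat it also shows: inside a batch file a literal percent sign is written as %% rather than with the caret used at an interactive prompt.

```batch
@echo off
setlocal
rem Added example, not from the original post: snapshot the DNS service key with
rem REG save before changing it, and roll back with REG restore if a change fails.
rem The backup path is an assumed location; run from an elevated prompt.
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\DNS"
set "BACKUP=%TEMP%\DNSKey-backup.hiv"

rem /y overwrites an existing hive file without the overwrite prompt.
reg save "%KEY%" "%BACKUP%" /y
if errorlevel 1 (
    echo Could not save %KEY% - stopping before anything is changed.
    exit /b 1
)

rem Apply the changes. /f replaces an existing value without prompting, and the
rem double pipe jumps to the rollback as soon as one reg add exits nonzero.
rem Inside a batch file a literal percent sign is written as a doubled percent,
rem so the REG_EXPAND_SZ data below reaches reg.exe with SystemRoot still
rem wrapped in single percent signs and is stored unexpanded. This is the
rem batch-file equivalent of the caret escape typed at an interactive prompt.
reg add "%KEY%" /v DisplayName /t REG_SZ /d "DNS Server" /f || goto rollback
reg add "%KEY%" /v ImagePath /t REG_EXPAND_SZ /d %%SystemRoot%%\System32\dns.exe /f || goto rollback
reg add "%KEY%" /v ErrorControl /t REG_DWORD /d 0x00000001 /f || goto rollback

echo All values written. Current ImagePath:
reg query "%KEY%" /v ImagePath
exit /b 0

:rollback
echo A change failed - restoring %KEY% from "%BACKUP%"
rem REG restore works only on the local computer, which is where this script runs.
reg restore "%KEY%" "%BACKUP%"
exit /b 1
```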

Copying Registry Keys

Using REG copy, you can copy a registry entry to a new location on a local or remote system. The basic syntax for REG copy is
reg copy KeyName1 KeyName2
where KeyName1 is the path to the subkey you want to copy and KeyName2 is the path to the subkey destination. Although the subkey paths can include the UNC name or IP address of a remote computer, REG copy is limited in scope with regard to which root keys you can use when working with remote source or destination keys, as follows:
  • A remote source subkey can use only the HKLM or HKU root keys.
  • A remote destination subkey can use only the HKLM or HKU root keys.
In the following example, you copy the DNS subkey on the local system to the DNS subkey on MAILER2:
reg copy HKLM\SYSTEM\CurrentControlSet\Services\DNS \\Mailer2\HKLM\SYSTEM\CurrentControlSet\Services\DNS
By adding the /S parameter, you can copy the specified subkey as well as all subkeys and key entries under it. In this example, the DNS subkey and all related subkeys and values are copied:
reg copy HKLM\SYSTEM\CurrentControlSet\Services\DNS \\Mailer2\HKLM\SYSTEM\CurrentControlSet\Services\DNS /s
If values exist at the destination path, REG copy will prompt you to confirm that you want to overwrite each existing value. Press Y or N as appropriate. You can also press A to overwrite all existing values without further prompting.
Note 
If you don’t want prompts to be displayed, you can use the /F parameter to force overwrite without prompting. However, before you copy over existing registry keys, you may want to save the key so that it can be restored if problems occur. To do this, use REG save and REG restore as discussed earlier in the section of this chapter titled “Saving and Restoring Registry Keys.”

Deleting Registry Keys

To delete subkeys and values from the Windows registry, use REG delete. REG delete has several different syntaxes. If you want to delete a subkey and all subkeys and entries under the subkey, use the following syntax:
reg delete KeyName
where KeyName is the name of the subkey you want to delete. Although the subkey path can include the UNC name or IP address of a remote computer, a remote source subkey can use only the HKLM or HKU root keys. Consider the following example:
reg delete \\Mailer1\HKLM\SYSTEM\CurrentControlSet\Services\DNS2
Here you delete the DNS2 subkey and all subkeys and entries under the subkey on MAILER1.
If you want to limit the scope of the deletion, specify that only a specific entry under the subkey should be deleted using the following syntax:

reg delete KeyName /v ValueName
where KeyName is the name of the subkey you want to work with and ValueName is the name of the specific entry to delete. As before, the subkey path can include the UNC name or IP address of a remote computer. However, a remote source subkey can use only the HKLM or HKU root keys. In this example, you delete the Description entry for the DNS2 subkey on MAILER2:
reg delete \\Mailer2\HKLM\SYSTEM\CurrentControlSet\Services\DNS2 /v Description
Tip 
In both cases, you will be prompted to confirm that you want to delete the specified entry permanently. Press Y to confirm the deletion. You can force deletion without prompting using the /F parameter. Another useful parameter is /Va. Using the /Va parameter, you can specify that only entries under the subkey should be deleted. In this way, subkeys under the designated subkey are not deleted.
