REG
Read, Set or Delete registry keys and values
The REG command was updated in NT Resource Kit supplement 2 – the syntax for Win 2K/XP is different.
SYNTAX:
REG QUERY RegistryPath ["String"] [/S] [/size] [/list]
REG ADD RegistryPath=Value [DataType]
REG UPDATE RegistryPath=Value
REG DELETE RegistryPath [/FORCE]
REG COPY Source [\Machine] Dest [\Machine]
REG SAVE RegistryPath FileName
REG RESTORE FileName KeyName
REG LOAD FileName KeyName
REG UNLOAD KeyName
REG FIND [ROOTKEY]Key [DataType] SearchStr [ReplaceStr] [-y] [-z[R]]
REG DUMP RegistryPath FileName
REG COMPARE [ROOTKEY]Key [ROOTKEY]Key [-o[M][D]] [-q] [-e]
You can apply any of the above commands to a remote
machine by adding \MachineName to the command line.
Key:
RegistryPath : [ROOTKEY]Key[&qt;&qt;ValueName&qt;&qt;]
where ROOTKEY is one of
HKLM = hkey_Local_machine (default)
HKCR = hkey_classes_root
HKCU = hkey_current_user
HKU = hkey_users
Key = The full name of a key under the selected ROOTKEY.
ValueName = The value, under the selected Key, to edit.
(default is all keys and values)
Enclose ValueNames that contain the character in single quotes.
DataType : REG_SZ | REG_DWORD | REG_EXPAND_SZ | REG_MULTI_SZ
(default = REG_SZ)
Machine : Name of remote machine – omitting defaults to current machine.
Only HKLM and HKU are available on remote machines.
Source : a RegistryPath in the format above.
Dest : a RegistryPath in the format above.
FileName : The filename to save to or restore from (without an extension.)
KeyName : A key name to load the hive file into. (Creating a new key)
specify the key name to UNload with: [ROOTKEY]Key
/S Query all subkeys.
/size Query the size of RegistryPath
/list Search strings from RegistryPath
/FORCE Force a deletion without asking "are you sure"
SearchStr : Value to search for.
ReplaceStr : Value to replace.
-y : Force case sensitivity for SearchStr
-z : Find non-Unicode-compliant entries or entries missing a trailing
null character. (forces case sensitivity)
R : Adjust entry to add Unicode compliancy or the missing null char.
-o Omit screen output of:
M: Matches
D: Differences
-e Sets the error level to the error code that was in effect the last
time the utility was run. By default, the error level is set to
the number of differences that were found.
-q Very quiet, just print the number of differences.
Notes:
On remote NT machines the file is written to the System32 directory.
On remote Win95 machines the file is written to the Windows directory.
SAVE is identical to BACKUP.
Examples
An example of each command is available from the command line:
REG QUERY /?
REG ADD /?
REG UPDATE /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG BACKUP /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG FIND /?
REG DUMP /?
REG COMPARE /?