Reading NT's Registry with REG Query

Windows NT 4 with Resource Kit

The Microsoft® Windows NT® Server 4.0 Resource Kit contains, among many other tools, REG.EXE.

This tool can read and write Windows NT's registry.

The syntax for querying the registry is shown below:

Command-line registry manipulation utility version 1.00.
Copyright Microsoft Corporation 1997.  All rights reserved.

REG QUERY RegistyPath [\\Machine] [/S]

  RegistryPath	[ROOTKEY\]Key[\ValueName]
    ROOTKEY	[ HKLM | HKCU | HKCR | HKU | HKCC ]
           	Optional.  When omitted HKLM is assumed.
    Key    	The full name of a registry key under the selected ROOTKEY.
    ValueName	The value, under the selected Key, to query.
             	Optional.  When omitted all keys and values under the Key
             	are listed.
  Machine	Name of remote machine - omitting defaults to current machine.
         	Only HKLM and HKU are available on remote machines.
  /S, /s 	Queries all subkeys.

Examples:

  REG QUERY HKLM\Software\Microsoft\ResKit\Setup\InstallDir
  Displays the value of the InstallDir registry entry.

  REG QUERY HKLM\Software\Microsoft\ResKit\Setup /S
  Displays all keys and values under the Setup sub-key.

View this sample batch file that uses REG QUERY to get the Country setting from the registry.

 

Windows 2000

In Windows 2000, REG.EXE version 2.0 was added as an additional tool on the CD-ROM. It has to be installed manually, though (on the CD-ROM run "\SUPPORT\TOOLS\SETUP.EXE").
Note the new /V and /VE switches:

Registry Console Tool For Windows 2000 - version 2.0
Copyright (C) Microsoft Corp. 1981-1999.  All rights reserved

REG QUERY KeyName [/v ValueName | /ve] [/s]

  KeyName    [\\Machine\]FullKey
    Machine  Name of remote machine - omitting defaults to the current machine
             Only HKLM and HKU are available on remote machines
    FullKey  ROOTKEY\SubKey
    ROOTKEY  [ HKLM | HKCU | HKCR | HKU | HKCC ]
    SubKey   The full name of a registry key under the selected ROOTKEY
  ValueName  The value name, under the selected Key, to query
             When omitted, all values under the Key are queried
  /ve        query the empty value name <no name>
  /s         queries all subkeys and values

Examples:

  REG QUERY HKLM\Software\Microsoft\ResKit /v Version
    Displays the value of the registry value Version

  REG QUERY HKLM\Software\Microsoft\ResKit\Nt\Setup /s
    Displays all subkeys and values under the registry key Setup

Because of REG 2.0's new /V (and /VE) switch(es), batch files written for REG 1.00 will fail with REG 2.0 and later versions, as will REG 2.0 based batch files with REG 1.00.
IEVer.bat is an example of a batch file capable of using any version of REG.EXE so far.

 

Windows XP

As of Windows XP, REG.EXE version 3.0 is a native command.
Its syntax remained unchanged since version 2.0:

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001.  All rights reserved


REG QUERY KeyName [/v ValueName | /ve] [/s]

  KeyName    [\Machine\]FullKey
    Machine - Name of remote machine,  omitting defaults to the current machine
         Only HKLM and HKU are available on remote machines
    FullKey  - in the form of ROOTKEY\SubKey name
         ROOTKEY  [ HKLM | HKCU | HKCR | HKU | HKCC ]
         SubKey  - The full name of a registry key under the selected ROOTKEY
  /v  query for a specific registry key   
         ValueName  - The name, under the selected Key, to query
         if omitted, all values under the Key are queried
  /ve query for the default value or empty value name <no name>
  /s  queries all subkeys and values

Examples:

  REG QUERY HKLM\Software\Microsoft\ResKit /v Version
    Displays the value of the registry value Version

  REG QUERY HKLM\Software\Microsoft\ResKit\Nt\Setup /s
    Displays all subkeys and values under the registry key Setup

 

Windows 7

In Windows 7, REG.EXE version 6.1 is a native tool. Unfortunately, it does not display its version anymore.
Several new switches were added:

REG QUERY KeyName [/v [ValueName] | /ve] [/s]
          [/f Data [/k] [/d] [/c] [/e]] [/t Type] [/z] [/se Separator]

  KeyName  [\\Machine\]FullKey
           Machine - Name of remote machine, omitting defaults to the
                     current machine. Only HKLM and HKU are available on
                     remote machines
           FullKey - in the form of ROOTKEY\SubKey name
                ROOTKEY - [ HKLM | HKCU | HKCR | HKU | HKCC ]
                SubKey  - The full name of a registry key under the
                          selected ROOTKEY

  /v       Queries for a specific registry key values.
           If omitted, all values for the key are queried.

           Argument to this switch can be optional only when specified
           along with /f switch. This specifies to search in valuenames only.

  /ve      Queries for the default value or empty value name (Default).

  /s       Queries all subkeys and values recursively (like dir /s).

  /se      Specifies the separator (length of 1 character only) in
           data string for REG_MULTI_SZ. Defaults to "\0" as the separator.

  /f       Specifies the data or pattern to search for.
           Use double quotes if a string contains spaces. Default is "*".

  /k       Specifies to search in key names only.

  /d       Specifies the search in data only.

  /c       Specifies that the search is case sensitive.
           The default search is case insensitive.

  /e       Specifies to return only exact matches.
           By default all the matches are returned.

  /t       Specifies registry value data type.
           Valid types are:
             REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ,
             REG_DWORD, REG_QWORD, REG_BINARY, REG_NONE
           Defaults to all types.

  /z       Verbose: Shows the numeric equivalent for the type of the valuename.

Examples:

  REG QUERY HKLM\Software\Microsoft\ResKit /v Version
    Displays the value of the registry value Version

  REG QUERY \\ABC\HKLM\Software\Microsoft\ResKit\Nt\Setup /s
    Displays all subkeys and values under the registry key Setup
    on remote machine ABC

  REG QUERY HKLM\Software\Microsoft\ResKit\Nt\Setup /se #
    Displays all the subkeys and values with "#" as the seperator
    for all valuenames whose type is REG_MULTI_SZ.

  REG QUERY HKLM /f SYSTEM /t REG_SZ /c /e
    Displays Key, Value and Data with case sensitive and exact
    occurrences of "SYSTEM" under HKLM root for the data type REG_SZ

  REG QUERY HKCU /f 0F /d /t REG_BINARY
    Displays Key, Value and Data for the occurrences of "0F" in data 
    under HKCU root for the data type REG_BINARY

  REG QUERY HKLM\SOFTWARE /ve 
    Displays Value and Data for the empty value (Default)
    under HKLM\SOFTWARE

Most batch files written with REG.EXE version 2.0 or 3.0 in mind will still work with version 6.1.
Batch files using version 6.1's new switches will fail with older REG.EXE versions, of course.

A technique to read the registry for any Windows / REG version since NT 4:

:: For REG.EXE 1.00:
FOR /F "tokens=1*" %%A IN ('REG.EXE QUERY "HKLM\Software\Microsoft\Internet Explorer\Version" 2^>NUL ^| FIND "REG_SZ"') DO FOR %%C IN (%%B) DO SET IEVer=%%C
:: For more recent versions (2.0 and later):
FOR /F "tokens=2*" %%A IN ('REG.EXE QUERY "HKLM\Software\Microsoft\Internet Explorer" /V "Version" 2^>NUL ^| FIND "REG_SZ"') DO SET IEVer=%%B

The trick is that the "wrong" version of the command won't produce any output, so FOR /F won't loop and hence won't set the variable.
2>NUL suppresses any visible error messages.

The nested FOR loop in the first FOR /F command is a workaround, because NT 4's FOR /F doesn't seem to handle REG.EXE's whitespace consistently.
For REG 2.0 and later the code can be simplified:

FOR /F "tokens=2*" %%A IN ('REG.EXE QUERY "HKLM\Software\Microsoft\Internet Explorer" /V "Version" 2^>NUL ^| FIND "REG_SZ"') DO SET IEVer=%%B

Note: As Szépe Viktor pointed out, the 2 in "tokens=2*" fails if the name of the value contains spaces.
Increase the tokens value by 1 for each space (or group of spaces!) in the value name.
See FOR /F tokens and delims step by step for a detailed explanation.
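
One way to make the REG 2.0+ lookup independent of spaces in the value name, as an added example that is not from the original page: instead of counting tokens, it cuts each output line at the type name and trims what follows. The :ReadValue label, its parameters and the variable names are hypothetical, and the Lsa "Notification Packages" value is used only as a sample of a value name containing a space.

```batch
@ECHO OFF
:: Added example, not part of the original page. Requires REG.EXE 2.0 or later
:: and delayed variable expansion (Windows 2000 or later).
SETLOCAL ENABLEDELAYEDEXPANSION

:: Sample call: a REG_MULTI_SZ value whose name contains a space
CALL :ReadValue "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" "Notification Packages" REG_MULTI_SZ Packages
IF DEFINED Packages (ECHO Notification Packages = !Packages!) ELSE (ECHO Value not found)

ENDLOCAL
GOTO :EOF


:ReadValue
:: %1 = key, %2 = value name (may contain spaces), %3 = type, %4 = variable to set
:: Limitations: data containing exclamation marks is altered by delayed expansion,
:: and a value name that itself contains the type string is cut in the wrong place.
SET "%~4="
FOR /F "delims=" %%L IN ('REG.EXE QUERY "%~1" /V "%~2" 2^>NUL ^| FIND "%~3"') DO (
    SET "Line=%%L"
    REM Drop everything up to and including the first occurrence of the type name
    SET "Rest=!Line:*%~3=!"
    REM "tokens=*" strips the leading tabs or spaces, whichever this REG version uses
    FOR /F "tokens=*" %%D IN ("!Rest!") DO SET "%~4=%%D"
)
GOTO :EOF
```

If the value does not exist or holds no data, neither loop runs and the variable stays undefined, the same behaviour the FOR /F technique above relies on.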
 

Version 6.1's new /F switch is quite useful for searching the registry, as is demonstrated in GetUninstall.bat.
This batch file searches for uninstall commands, showing only the commands for programs with a specified search string in their name.


page last uploaded: 23 November 2011, 10:53