Search the registry

Windows 7's REG, version 6.1, has a /F (Find) switch for the Query command that allows us to specify a pattern instead of an exact value to look for.

The command REG Query /? will display the following help:

REG Query KeyName [/v [ValueName] | /ve] [/s]
          [/f Data [/k] [/d] [/c] [/e]] [/t Type] [/z] [/se Separator]

  KeyName  [\\Machine\]FullKey
           Machine - Name of remote machine, omitting defaults to the
                     current machine. Only HKLM and HKU are available on
                     remote machines
           FullKey - in the form of ROOTKEY\SubKey name
                ROOTKEY - [ HKLM | HKCU | HKCR | HKU | HKCC ]
                SubKey  - The full name of a registry key under the
                          selected ROOTKEY

  /v       Queries for a specific registry key values.
           If omitted, all values for the key are queried.

           Argument to this switch can be optional only when specified
           along with /f switch. This specifies to search in valuenames only.

  /ve      Queries for the default value or empty value name (Default).

  /s       Queries all subkeys and values recursively (like dir /s).

  /se      Specifies the separator (length of 1 character only) in
           data string for REG_MULTI_SZ. Defaults to "\0" as the separator.

  /f       Specifies the data or pattern to search for.
           Use double quotes if a string contains spaces. Default is "*".

  /k       Specifies to search in key names only.

  /d       Specifies the search in data only.

  /c       Specifies that the search is case sensitive.
           The default search is case insensitive.

  /e       Specifies to return only exact matches.
           By default all the matches are returned.

  /t       Specifies registry value data type.
           Valid types are:
             REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ,
             REG_DWORD, REG_QWORD, REG_BINARY, REG_NONE
           Defaults to all types.

  /z       Verbose: Shows the numeric equivalent for the type of the valuename.

Examples:

  REG Query HKLM\Software\Microsoft\ResKit /v Version
    Displays the value of the registry value Version

  REG Query \\ABC\HKLM\Software\Microsoft\ResKit\Nt\Setup /s
    Displays all subkeys and values under the registry key Setup
    on remote machine ABC

  REG Query HKLM\Software\Microsoft\ResKit\Nt\Setup /se #
    Displays all the subkeys and values with "#" as the seperator
    for all valuenames whose type is REG_MULTI_SZ.

  REG Query HKLM /f SYSTEM /t REG_SZ /c /e
    Displays Key, Value and Data with case sensitive and exact
    occurrences of "SYSTEM" under HKLM root for the data type REG_SZ

  REG Query HKCU /f 0F /d /t REG_BINARY
    Displays Key, Value and Data for the occurrences of "0F" in data
    under HKCU root for the data type REG_BINARY

  REG Query HKLM\SOFTWARE /ve
    Displays Value and Data for the empty value (Default)
    under HKLM\SOFTWARE

As you probably know, searching the registry can be very time consuming.
Using the correct switches may save us a lot of time.

To search part of the registry, use the following syntax:

REG Query HKxx\subkey [/D|/K|/V] /F "search_pattern" /S [/E] [/C]

To search an entire registry hive, just omit the subkey:

REG Query HKxx [/D|/K|/V] /F "search_pattern" /S [/E] [/C]

Use /D to search the data (i.e. the contents stored in the registry values), /K to search for matching key names, /V to search for matching value names, or none of these switches to search keys, value names and data.
Searches with /K or /V are fast; searches with /D, or with none of these switches, are slow.
So make sure to use /K or /V if you do not need to search the registry data.

Use /C for case-sensitive searches, and /E for exact matches only (no partial matches).
My guess is that using /E and /C would make searches a fraction faster, especially when searching registry data.

To search remote registries, use:

REG Query \\remote_pc\HKxx\subkey [/D|/K|/V] /F "search_pattern" /S [/E] [/C]

Some examples:

Search for the string "C:\Program Files (x86)\ATI" in "HKEY_LOCAL_MACHINE\Software", no exact match (i.e. partial matches are allowed), case insensitive, search in keys, values and data:

REG Query HKLM\Software /F "C:\Program Files (x86)\ATI" /S

On my computer this search takes about 61 seconds.

Search for all values named "AppPath" in "HKEY_LOCAL_MACHINE\Software", exact matches only (e.g. RestoreAppPath is not a valid match), case insensitive:

REG Query HKLM\Software /V /F AppPath /S /E

On my computer this search takes about 7.5 seconds.

The same registry tree was searched, yet the difference in time is striking.
Searching for keys (/K) is even faster! Search for keys named "9.0":

REG Query HKLM\Software /K /F 9.0 /S /E

On my computer this search only takes 6 seconds.

My first batch file to take advantage of this technique is GetUninstall.bat.
It searches the registry for uninstall commands and displays only the ones whose name matches the specified search string.
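The following batch file shows the technique in practice: it uses the fast /V /E search to locate only the DisplayName values under the Uninstall key, and then queries each matching key individually for its UninstallString. It is an added example written for this page, not GetUninstall.bat itself, and it assumes a Windows 7 (REG 6.1) command prompt; the Uninstall key path and the DisplayName and UninstallString value names are the standard ones Windows uses.

```batch
@ECHO OFF
SETLOCAL
REM Added example (not the page's GetUninstall.bat): list the uninstall
REM commands of installed programs whose DisplayName contains %1.
IF "%~1"=="" (
    ECHO Usage: %~nx0 search_string
    EXIT /B 1
)
SET "Pattern=%~1"
SET "UninstKey=HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall"
SET "CurrentKey="
SET /A Found=0

REM Fast pass: /V limits the search to value names and /E to exact name
REM matches, so REG returns only each subkey line plus its DisplayName
REM value, instead of scanning all registry data under the key.
REM Each output line is handed to the :ParseLine subroutine as
REM first token (%%A) and remainder of the line (%%C).
FOR /F "tokens=1,2,*" %%A IN ('REG Query "%UninstKey%" /V /F DisplayName /S /E 2^>NUL') DO CALL :ParseLine "%%~A" "%%~C"

ECHO %Found% program(s) matched "%Pattern%"
ENDLOCAL
GOTO :EOF

:ParseLine
REM %~1 = first token of the line, %~2 = rest of the line (the value data)
SET "Token=%~1"
REM A line starting with HKEY_ names the subkey owning the values below it
IF /I "%Token:~0,5%"=="HKEY_" (
    SET "CurrentKey=%~1"
    GOTO :EOF
)
REM Skip anything that is not a DisplayName line (e.g. "End of search: ...")
IF /I NOT "%Token%"=="DisplayName" GOTO :EOF
REM Keep only display names that contain the search string (case insensitive)
ECHO.%~2| FIND /I "%Pattern%" >NUL || GOTO :EOF
SET /A Found+=1
ECHO.%~2
REM Targeted second query: one key, one value name, no recursion, so it is
REM cheap; FIND drops the key header line, %%Y receives the command string.
FOR /F "tokens=2,*" %%X IN ('REG Query "%CurrentKey%" /V UninstallString 2^>NUL ^| FIND /I "UninstallString"') DO ECHO     %%Y
GOTO :EOF
```

On 64-bit Windows, 32-bit programs register under HKLM\Software\Wow6432Node\...\Uninstall as well, so the same two-pass search can be repeated with that key. Display names containing cmd special characters such as & or | are not quoted safely by this simple version.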

page last uploaded: 29 November 2013, 10:25