How to Manage the Windows Registry with PowerShell?

I. Introduction

In this chapter, we will study different PowerShell cmdlets that will allow us to read and modify elements of the Windows Registry, whether they are Registry keys or Registry values.

The cmdlets we will study will allow you to manipulate the Windows Registry in your PowerShell scripts. After reading this chapter, you will be able to perform the following actions:

  • Retrieve a value from the Windows Registry
  • Search for a registry key
  • Create a new registry key or modify an existing registry key
  • Create a new value in the registry or modify an existing value
  • Rename or delete a registry key or value


II. What is the Windows Registry?

The Windows Registry is an essential component of Microsoft operating systems, and one every IT professional needs to manipulate sooner or later. It is a structured database in which the system and applications store a great deal of information, in particular their configuration. Data essential to the proper functioning of the system and of the applications you install is kept in the registry.

As you can understand, the Windows Registry is a pivotal component of the Windows operating system. In fact, to talk about this component, different terms are used: the registry, the registry database, or the Windows Registry, the latter being the official term.

Often, we use it without realizing it from the Windows graphical interface: modifying a setting can change the associated value in the registry.

It contains settings related to Windows services, file associations (for example, associating Microsoft Word with the “docx” extension), application configuration and data, your machine's hardware configuration, information about user profiles, and group policies.


III. Retrieve a Value from the Registry

On a Windows machine, if you list your drives with the cmdlet “Get-PSDrive”, you will notice two drives whose provider is “Registry”. They correspond to the Windows Registry: “HKCU” for the “HKEY_CURRENT_USER” hive and “HKLM” for the “HKEY_LOCAL_MACHINE” hive.

Get-PSDrive

We can position ourselves in the “HKLM” drive using the “cd” command or the “Set-Location” cmdlet. Then, if we list the contents of the folder with the alias “dir” or the cmdlet “Get-ChildItem”, we will list the keys at the root of this hive.

Set-Location HKLM:
dir

Similarly, we can move within a branch directly provided we know the path:

Set-Location -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

To read the data stored in a registry value, we use the cmdlet “Get-ItemProperty” with the path to the key and the name of the value located in that key. Here's an example with the value “ProfilesDirectory” located in the branch “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList”.

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" -Name "ProfilesDirectory"

With the Get-ChildItem cmdlet, we can search for a key in the registry. Depending on what we are looking for and on the filter, the result will be more or less easy to work with. We rely on the “-Recurse” parameter to search from the root of the hive, then filter the result with “Where-Object”. The “-ErrorAction SilentlyContinue” parameter skips the keys the current account is not allowed to read instead of stopping on them.

For example, to search under the “HKCU” hive for keys whose name contains the term “IT-CONNECT”, it would be:

Get-ChildItem -Path "HKCU:" -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.Name -Like "*IT-CONNECT*"}
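The two operations above (reading one value, searching a hive) wrapped into reusable functions, as an added example that is not part of the original article. The function names are assumptions; the search term is the article's own. Get-RegistryValueSafe checks that the key and the value exist before returning data, and Find-RegistryKey generalizes the search to value names as well as key names, returning objects rather than raw RegistryKey entries:

```powershell
# Added example (not from the original article): safe value read and hive search.
# Function names are assumptions; the "*IT-CONNECT*" pattern matches the article's example.

function Get-RegistryValueSafe {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    # Check that the key exists before asking for a value inside it
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path"
        return $null
    }
    # Get-ItemProperty returns an object with one property per value; a missing
    # value is a non-terminating error, which we turn into $null here.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning "Value '$Name' not found in $Path"
        return $null
    }
    return $item.$Name
}

function Find-RegistryKey {
    [CmdletBinding()]
    param(
        [string] $Hive = 'HKCU:',
        [Parameter(Mandatory)] [string] $Pattern,
        [switch] $IncludeValueNames
    )
    # -Recurse walks the whole hive; keys we cannot read are skipped silently.
    Get-ChildItem -Path $Hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # PSChildName is the key's own name; Name is the full path of the key
        if ($key.PSChildName -like $Pattern) {
            [PSCustomObject]@{ Match = 'KeyName'; Key = $key.Name; ValueName = $null }
        }
        if ($IncludeValueNames) {
            # Get-ChildItem returns Microsoft.Win32.RegistryKey objects, so the
            # .NET GetValueNames() method is available directly.
            foreach ($valueName in $key.GetValueNames()) {
                if ($valueName -like $Pattern) {
                    [PSCustomObject]@{ Match = 'ValueName'; Key = $key.Name; ValueName = $valueName }
                }
            }
        }
    }
}

# Usage
Get-RegistryValueSafe -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' -Name 'ProfilesDirectory'
Find-RegistryKey -Hive 'HKCU:' -Pattern '*IT-CONNECT*' -IncludeValueNames | Format-Table -AutoSize
```

Returning PSCustomObject records instead of the raw RegistryKey objects makes the search output easy to pipe into Export-Csv or Where-Object, and the Match column tells you whether the hit was a key name or a value name.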

Let's now see how to manipulate the registry beyond simply viewing a value.

IV. Manipulating Registry Keys with PowerShell

A. Creating a Key in the Registry

The “New-Item” cmdlet, which we also use to create a folder or a file, is used to create the key. For example, to create the “IT-CONNECT” key at the root of the “HKEY_CURRENT_USER” hive, it would be:

New-Item -Path "HKCU:" -Name "IT-CONNECT"

From the Registry Editor (regedit.exe), we can check that the key has been created.

B. Renaming a Key in the Registry

To rename a key, we'll simply use the “Rename-Item” cmdlet with the path of the key to rename (Path parameter) and the new name to assign to it (NewName parameter):

Rename-Item -Path "HKCU:\IT-CONNECT" -NewName "ITCONNECT"

C. Deleting a Key in the Registry

To delete a key in the registry, we use the “Remove-Item” cmdlet with the path to the key to delete. If the key contains subkeys, the “-Recurse” parameter is required, otherwise the cmdlet asks for confirmation. For example:

Remove-Item -Path "HKCU:\ITCONNECT"

Let's see how to perform similar operations on registry values.

V. Manipulating Values in the Registry with PowerShell

A. Creating a Value in the Registry

Directly in the “HKCU:\IT-CONNECT” key created previously, we'll create a value named “ITCONNECTWebsite” of string type with the data “www.it-connect.fr”. For this, we use the “New-ItemProperty” cmdlet:

New-ItemProperty -Path "HKCU:\IT-CONNECT" -Name "ITCONNECTWebsite" -Value "www.it-connect.fr" -PropertyType "String"

For the value type, the possible values of the “-PropertyType” parameter are: Binary, DWord, ExpandString, MultiString, String, and QWord. They correspond to the value types accepted by the Windows Registry (REG_BINARY, REG_DWORD, REG_EXPAND_SZ, REG_MULTI_SZ, REG_SZ, and REG_QWORD).

B. Renaming a Value in the Registry

To rename the previously created value, we'll use “Rename-ItemProperty” specifying the old name and the new name, as well as the path:

Rename-ItemProperty -Path "HKCU:\IT-CONNECT" -Name "ITCONNECTWebsite" -NewName "IT-ConnectWebsite"

C. Changing the Value of a Registry Value

To modify the data of our value, another cmdlet comes into play: “Set-ItemProperty”. We specify the path to the key containing the value (-Path), the name of the value (-Name), and the data to store in it (-Value):

Set-ItemProperty -Path "HKCU:\IT-CONNECT" -Name "IT-ConnectWebsite" -Value "https://www.it-connect.fr"

D. Deleting a Value in the Registry

Finally, let's delete the value we have just created and manipulated. The cmdlet to use is “Remove-ItemProperty”. Again, two parameters are required: the path to the key (-Path) and the name of the value to delete (-Name):

Remove-ItemProperty -Path "HKCU:\IT-CONNECT" -Name "IT-ConnectWebsite"
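The whole key and value lifecycle of sections IV and V, together with one value of each “-PropertyType” from section V.A, as an added example that is not part of the original article. The key path “HKCU:\IT-CONNECT” is the article's; the value names and data are constructed for this example. The script is written to be re-runnable: it tests for the key before creating it, uses “-Force” so that re-creating a value does not fail, and reads the stored type back through the underlying RegistryKey object to confirm that each value landed with the intended type:

```powershell
# Added example (not from the original article): idempotent key/value lifecycle.
# Key path is the article's; value names and data below are constructed.

$KeyPath = 'HKCU:\IT-CONNECT'

# 1. Create the key only if it does not already exist (New-Item errors otherwise)
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path 'HKCU:' -Name 'IT-CONNECT' | Out-Null
}

# 2. Create one value of each supported -PropertyType
$values = @(
    @{ Name = 'Website';   Type = 'String';       Data = 'www.it-connect.fr' }
    @{ Name = 'Enabled';   Type = 'DWord';        Data = 1 }
    @{ Name = 'BigNumber'; Type = 'QWord';        Data = 4294967296 }
    @{ Name = 'LogDir';    Type = 'ExpandString'; Data = '%TEMP%\it-connect' }
    @{ Name = 'Servers';   Type = 'MultiString';  Data = @('srv1', 'srv2') }
    @{ Name = 'Raw';       Type = 'Binary';       Data = [byte[]](0x01, 0x02, 0x03) }
)
foreach ($v in $values) {
    # -Force overwrites an existing value of the same name instead of failing
    New-ItemProperty -Path $KeyPath -Name $v.Name -Value $v.Data -PropertyType $v.Type -Force | Out-Null
}

# 3. Verify the stored type of each value: Get-Item returns a RegistryKey object,
#    whose GetValueKind() reports the REG_* type actually written.
$key = Get-Item -Path $KeyPath
foreach ($name in $key.GetValueNames()) {
    '{0,-10} {1,-13} {2}' -f $name, $key.GetValueKind($name), ($key.GetValue($name) -join ',')
}

# 4. Rename the string value, then update its data and read it back
Rename-ItemProperty -Path $KeyPath -Name 'Website' -NewName 'IT-ConnectWebsite'
Set-ItemProperty -Path $KeyPath -Name 'IT-ConnectWebsite' -Value 'https://www.it-connect.fr'
Get-ItemPropertyValue -Path $KeyPath -Name 'IT-ConnectWebsite'

# 5. Clean up: remove one value, then the key with everything left in it
Remove-ItemProperty -Path $KeyPath -Name 'Raw'
Remove-Item -Path $KeyPath -Recurse
```

Note that GetValue() on the ExpandString value returns the data with %TEMP% already expanded, whereas Get-ItemProperty on the same value also expands it by default; the GetValueKind() column is what tells you that the stored type is REG_EXPAND_SZ rather than REG_SZ.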

VI. Conclusion

With the commands and examples in this article, you are able to manipulate the Windows Registry with PowerShell. If you can reach your servers and workstations remotely over WinRM, you can also query the Windows Registry of another machine, either with the Invoke-Command cmdlet or through a remote PowerShell session.

PowerShell does not include cmdlets for backing up or restoring the registry. You will need to keep using the legacy commands for these tasks, namely “reg export” and “reg import”.
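The two points of the conclusion in working form, as an added example that is not part of the original article: reading a registry value on a remote machine with Invoke-Command, and backing up a key with “reg export” before changing it. “SRV01” is a placeholder computer name; the registry paths are the article's own. Note that reg.exe takes native hive names (“HKCU\...”), not the PowerShell drive syntax (“HKCU:\...”):

```powershell
# Added example (not from the original article): remote read over WinRM and
# backup/restore with reg.exe. "SRV01" is a placeholder host name.

$Computer = 'SRV01'   # placeholder, replace with a reachable WinRM host
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Invoke-Command runs the script block on the remote machine; the $using: scope
# passes a local variable into it. The returned object carries PSComputerName.
$remote = Invoke-Command -ComputerName $Computer -ScriptBlock {
    Get-ItemProperty -Path $using:KeyPath -Name 'ProfilesDirectory' |
        Select-Object -Property ProfilesDirectory
}
$remote | Select-Object PSComputerName, ProfilesDirectory

# Back up a key before modifying it. reg.exe is an external command, so its
# result is checked through $LASTEXITCODE rather than a PowerShell error.
$backup = Join-Path -Path $env:TEMP -ChildPath 'IT-CONNECT-backup.reg'
reg.exe export 'HKCU\IT-CONNECT' $backup /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# ... changes with Set-ItemProperty / Remove-ItemProperty go here ...

# Restore the key from the backup if the change has to be rolled back
reg.exe import $backup
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
```

Keeping the .reg export next to the script that modifies the key gives you a rollback path that does not depend on remembering the previous data by hand.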