PowerShell can access the registry like any PowerShell drive. Two drives are available: HKCU (HKEY_CURRENT_USER) and HKLM (HKEY_LOCAL_MACHINE). Navigate to HKLM or HKCU like so:
cd hklm:
cd hkcu:
Isn’t that simple? Now you can use the dir or ls command (aliases for get-childitem) to list the content. The result:
I usually create another PS drive that maps to HKLM\System\CurrentControlSet\Services with the command (in the profile):
New-PSDrive -Name regsvc -Root "hklm:\system\currentcontrolset\services" -PSProvider Registry
The get-childitem cmdlet only returns subkeys and not the properties of a key (see this page for more information). To get at the properties of a key, use the get-itemproperty cmdlet. For example:
cd 'hkcu:\Keyboard Layout\Preload'   # the path must be quoted because it contains a space
get-itemproperty
To create a key in the registry, use the mkdir command as you would with a folder on the file system. For example:
mkdir hkcu:\myregkey
The above command creates the key myregkey in HKEY_CURRENT_USER. To remove it, use rmdir or remove-item.
If you want to create an extra property, use the new-itemproperty cmdlet. That cmdlet takes a few parameters like the name of the property (-name), the type of the property (-propertytype) and the value (-value). As property type you can use: string, expandstring, binary, dword and multistring. An example:
New-ItemProperty HKCU:\myregkey -name myprop -propertytype DWord -value 1
This is all fine for local registry access but what if you want to work with remote registries? Well, sadly, that is not possible with native PowerShell commands. Because PowerShell can use any .NET class, you could use the OpenRemoteBaseKey method of the RegistryKey .NET class but I don’t think it is always worth the hassle. To work with remote registries, you can use the REG.EXE application. To see if the file is available to you, use get-command reg.exe | fl. If available, you will get information about the location of the tool, the version and so on. On Vista, you will see that it is part of the operating system. For example, to query for a value on a remote system (one line):
reg query \\geba-vista\hklm\system\currentcontrolset\services\lanmanserver\parameters /v nullsessionpipes
After an external command like above, use $lastexitcode to check for errors. In this case, if $lastexitcode returns 1, an error happened. Naturally, if you use reg.exe for remote registry access you just get text back and not objects. You will have to do some text parsing to get to the data you are interested in.
For those who just cannot resist using .NET, to do the same thing as the reg query command above:
$key = "system\currentcontrolset\services\lanmanserver\parameters"
$keytype = [Microsoft.Win32.RegistryHive]::LocalMachine
$server = "servername"
# Opens HKLM on the remote machine (requires the Remote Registry service to be running there)
$remotebase = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($keytype, $server)
# OpenSubKey returns $null if the key does not exist
$regkey = $remotebase.OpenSubKey($key)
$regkey.GetValue("nullsessionpipes")
The last command returns the following:
netlogon
lsarpc
samr
browser
Of course, that is much easier to work with than the text returned by reg.exe. It’s just a collection of strings.
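As an added example (not code from the original post), the snippet below wraps the .NET calls above in a function that returns objects, handles missing keys or values, closes the handles, and then uses it to check the NullSessionPipes value on several servers against an expected list; the server names and the baseline pipe list are placeholders.

```powershell
# Added example: object-returning wrapper around OpenRemoteBaseKey (not from the original post).
# Server names and the baseline pipe list below are constructed for illustration.
function Get-RemoteRegistryValue {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$ValueName,
        [Microsoft.Win32.RegistryHive]$Hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    )
    $base = $null; $key = $null
    try {
        # Throws if the Remote Registry service is stopped or access is denied
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($Hive, $ComputerName)
        $key  = $base.OpenSubKey($SubKey)          # $null when the key does not exist
        if (-not $key) { throw "Key '$SubKey' not found on $ComputerName" }
        $value = $key.GetValue($ValueName)         # $null when the value does not exist
        [pscustomobject]@{
            ComputerName = $ComputerName
            Value        = $value
            Kind         = if ($null -ne $value) { $key.GetValueKind($ValueName) } else { $null }
        }
    }
    finally {
        # Release the remote handles even if an error was thrown
        if ($key)  { $key.Close() }
        if ($base) { $base.Close() }
    }
}

# Audit: report any null-session pipe that is not in the expected baseline.
$expectedPipes = 'netlogon', 'lsarpc', 'samr', 'browser'    # constructed baseline
$subKey = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($server in 'server01', 'server02') {                 # placeholder server names
    try {
        $result = Get-RemoteRegistryValue -ComputerName $server -SubKey $subKey -ValueName 'NullSessionPipes'
        # REG_MULTI_SZ comes back as a string array; @() also copes with $null or a single string
        $extra = @($result.Value) | Where-Object { $expectedPipes -notcontains $_ }
        if ($extra) { Write-Warning "$server exposes unexpected null-session pipes: $($extra -join ', ')" }
        else        { Write-Output "$server OK ($($result.Kind))" }
    }
    catch { Write-Warning "$server : $($_.Exception.Message)" }
}
```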