Searching for Data | Microsoft Windows XP Registry Guide (Bpg-Other)

You're going to spend a lot of time searching the registry. I promise. This is particularly true if you're an IT professional responsible for helping users, deploying Windows XP, and so on. This is even true if you're a power user trying to figure out why a program is doing something that you don't particularly like. For instance, you might want to figure out why a program runs every time you start Windows XP. If you don't already know about the Run key, you'd have to search the registry for the program's file name. I spend a lot of time locating programs' settings in the registry and I do that by searching for their names and file names.

You can search key names, value names, and string data. You can also search for partial matches (searching for Windows matches both C:\Windows and Windows XP) or require full matches. The first hit can take a long while to show up, so be patient. It takes even longer if you're searching a remote computer's registry. After Regedit finds a hit, it selects the key or value it found. If Regedit searches to the end of the registry without a match, it displays a message that says, "Finished searching through the registry." Here's how to search using Registry Editor:

On the Edit menu, click Find.
In the Find dialog box, shown in Figure 2-2, type the text you want to find in the Find What box.

Figure 2-2: Use fewer characters and partial matches to get more hits. Use more characters or require full matches to get fewer hits.
To find keys whose name contains the text, select the Keys check box. To find values whose name contains the text, select the Values check box. To find REG_SZ values whose data contains the text, select the Data check box.
Click Find Next.
Press F3 to repeat your search if necessary.

You can significantly cut down the time it takes to search the registry by narrowing the focus to keys, values, or data. For example, if you know that you want to search only for values that contain certain characters in their names, limit your search to value names. If you know that you're searching for data, limit your search to value data. In the Find dialog box, shown in Figure 2-2, clear the Keys, Values, or Data check boxes to prevent Regedit from searching those areas. Selecting the Match Whole String Only check box won't improve turnaround time, but it will reduce the number of hits you receive and, because you don't have to look at as many hits, make searching quicker. Select this check box only if you're 100 percent certain about the name or data for which you're searching; otherwise, you won't find it.

Searching Incrementally

Incremental searching makes finding subkeys and values in long lists much faster. It's a life saver when you're trying to find a subkey in HKCR, because searching takes too long and paging down the long list is mind numbing. Here's how it works: Select the first item in a long list, and then start typing the item you want to find. Regedit selects the first item that matches what you've typed so far. So if you click the first subkey under HKCR and then type wm, Regedit selects wmafile. Type d (without delaying too long so as not to restart the incremental search) and Regedit selects WMDFile. You get the idea. Keep in mind that it won't find keys or values that are collapsed. That is, incremental searching only finds keys that you can see by scrolling the key pane up or down.

Searching in Binary Values

Regedit can't search for REG_DWORD or binary values. It searches only for key names, value names, or string values. This means that you can't use Regedit to find numeric values in REG_DWORD or REG_BINARY values, and you certainly can't find text that Windows XP stores as REG_BINARY values, which is very common.

The solution is straightforward, though. Export the branch that you want to search to a REG file. (See "Exporting Settings," later in this chapter, to learn how to create a REG file.) Then open the REG file in Notepad, and search for the number or binary string you want to find. You have to know how Regedit formats values in REG files to find them, however. Chapter 9, "Scripting Registry Changes," describes the format of REG files in detail. For now, you need to know what the different types of values look like in a REG file, which is what Table 2-3 describes. For example, if you want to find the word Jerry in a REG_BINARY value, you'd convert its letters to their Unicode values, a task that's easy if you know that a capital A has a hex value of 0x0041, a lowercase a has a hex value of 0x0061, and the number 0 has a hex value of 0x0030. Thus, Jerry as a binary string is 0x 4A 0x00 0x65 0x00 0x72 0x00 0x72 0x00 0x79 0x00. If you're not familiar with reverse byte notation and Unicode, see Chapter 1.) To find binary strings in a REG file that contain the word Jerry, search for 4a,00,65,00,72,00,72,00,79.

Table 2-3: REG File Data Formats
Type	In Regedit	In REG files
REG_SZ	Microsoft Windows XP	"Microsoft Windows XP"
REG_DWORD	0x00000009	dword:00000009
REG_BINARY	0XC2 0X00 0X02 0X9E 0X00 0X00 0X3D	hex:c2,00,02,9e,00,00,3d

Table 2-3 contains only REG_SZ, REG_DWORD, and REG_BINARY examples. That's because Regedit uses a variation of REG_BINARY to represent all other value types. In a REG file, for instance, a REG_MULTI_SZ looks like hex(7):4a,00,65,00,72,00,72,00,79,00,00,00. Chapter 9 describes the format of every value type and what they look like in REG files.

Bookmarking Favorite Keys

Regedit, including the versions that come with Windows 2000 and Windows XP, adopts one of Microsoft Internet Explorer's most useful features: Favorites. This enables you to bookmark the subkeys that you edit most frequently and return to them quickly. Clicking a subkey on the Favorites menu is certainly a better alternative to clicking your way through the key pane or, worse yet, trying to remember where Windows XP stores the Run key in the registry. Adding a key to Favorites is easy, and after you add it, you can click its name on the Favorites menu (Figure 2-3) and go straight to that key.

click to expand
Figure 2-3: Bookmark your most-used keys to return to them quickly.

To add a key to Favorites, click it, and then click Favorites, Add To Favorites. In the Add To Favorites dialog box, type a descriptive name for your shortcut. I typically name shortcuts with the root key and last couple of subkeys, such as HKCU\…\Windows\CurrentVersion, so I can quickly tell whether the shortcut is in HKCU or HKLM (they have similar structures). Using the full name, like HKCU\Software\Microsoft\Windows\CurrentVersion, isn't practical, because it makes the menu too wide.

You might like to have some help getting your Favorites menu going. Thus, the following list shows you what I typically put on mine:

HKCR\CLSID
HKCU\Control Panel\Desktop
HKCU\Software\Microsoft\Active Setup\Installed Components
HKCU\Software\Microsoft\Internet Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
HKCU\Software\Policies
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
HKLM\SOFTWARE\Policies
HKLM\SYSTEM\CurrentControlSet\Control

Removing a key from Favorites is also easy. On the Favorites menu, click Remove Favorite, and then click the keys you want to remove. If you want to rename keys in Favorites, you can edit the key HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites and rename shortcuts or change their targets.

Tip

Regedit displays keys in the order that you added them; it doesn't sort them alphabetically. If you really want this list to be in alphabetical order, export HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites to a REG file. Edit the REG file to sort the keys in alphabetical order, or any other order that you prefer, and then import the REG file back in to the registry after removing the Favorites key. The Favorites menu is resorted. Save this REG file, by the way, so you can use your favorites elsewhere.

Using Better Techniques

After a while, you'll know enough about the registry in Windows XP to make searching much faster. You'll know where to begin and end your searches so that you don't waste your time searching parts of the registry where you're not going to find what you want. Click a subkey near where you want to begin, and then search. As you repeat your search by pressing F3, keep an eye on the status bar and note the key that contains the current hit. After you've gone past the branch that you think should contain the value, quit searching.

Here's an example of focusing a search. When you build a default user profile, which you learn about in Chapter 10, "Deploying User Profiles," you'll load the hive file you're building and check it for references to the current user profile folder, which you don't want to deploy to desktops throughout the organization. To narrow your search on that hive, you'll select the hive's first key in the registry and then search for the path, deciding along the way about what to do with any references to it that you find. After you're out of that hive, though, quit searching so that you don't waste your time and accidentally change values you don't intend to change.

Other examples of focusing searches to find data faster are:

Limiting your search to HKCR when you want to find values related to file associations. For that matter, do an incremental search to speed things up.
Looking only in the branches HKCU\Software and HKLM\SOFTWARE to find programs' settings. And if you know the names of the vendor and program, you can go straight to the key that contains its settings because you know that programs store their settings in HKCU and HKLM in the branch Software\Company\Program\Version.
Searching HKCU if you know you're searching for per-user settings, and search HKLM if you know you're searching for per-machine settings.
Searching the branch HKLM\System if you're after device driver and service settings.

Shareware Search Tools

A variety of shareware tools are available for searching the registry. They are far more advanced than Regedit and designed specifically to make digging around the registry easier and quicker. You can download evaluation versions of these tools at any shareware site. Try http://www.zdnet.com/downloads or http://www.tucows.com. Here are some of the most popular:

Registry Crawler 4.0 from 4Developers at http://www.4developers.com
Registry Toolkit from Funduc Software at http://www.funduc.com
Resplendent Registrar from Resplendence Sp at http://www.resplendence.com
Registry Detective from PC Magazine at http://www.pcmagazine.com

Registry Crawler is my personal favorite but the other tools also get good results. Registry Crawler not only searches the registry faster than Regedit, but it has features that make the task easier. You can access it quickly from the system tray. It presents a list of matches that you see all at once, rather than bouncing around from hit to hit, and you can export the results to a REG file. It also enables you to search the registries of multiple computers at one time if you have access to them over a network. Its most powerful feature is its search-and-replace capability, however, which enables you to replace all instances of a value with another.