Managing the Registry

One of the great features in PowerShell is its ability to treat the registry like a file system. Now you can connect to the registry and navigate it just as you would a directory.

 PS C:\> set-location HKLM:System
 PS HKLM:\System> dir

    Hive: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System

 SKC  VC Name                          Property
 ---  -- ----                          --------
   4   0 ControlSet001                 {}
   4   0 ControlSet003                 {}
   0   0 LastKnownGoodRecovery         {}
   0  32 MountedDevices                {\??\Volume{1edc8241-c4b6-11d9-8
   0   4 Select                        {Current, Default, Failed, LastK
   2   6 Setup                         {SetupType, SystemSetupInProgres
   7   0 WPA                           {}
   4   0 CurrentControlSet             {}

 PS HKLM:\> cd currentcontrolset\services\tcpip
 PS HKLM:\system\currentcontrolset\services\tcpip> dir

    Hive: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip

 SKC  VC Name                          Property
 ---  -- ----                          --------
   0   3 Linkage                       {Bind, Route, Export}
   5  16 Parameters                    {NV Hostname, DataBasePath, Name
   0   6 Performance                   {Close, Collect, Library, Open.
   0   1 Security                      {Security}
   0   7 ServiceProvider               {Class, DnsPriority, HostsPriori
   0   3 Enum                          {0, Count, NextInstance}

 PS HKLM:\system\currentcontrolset\services\tcpip>

You can use Get-ItemProperty to view the values stored in a registry key. For example, to see the values in our current registry location, we would use an expression like this:

 PS HKLM:\system\currentcontrolset\services\tcpip> get-itemproperty .

 PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip
 PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\services
 PSChildName     : tcpip
 PSDrive         : HKLM
 PSProvider      : Microsoft.PowerShell.Core\Registry
 Type            : 1
 Start           : 1
 ErrorControl    : 1
 Tag             : 5
 ImagePath       : System32\DRIVERS\tcpip.sys
 DisplayName     : TCP/IP Protocol Driver
 Group           : PNP_TDI
 DependOnService : {IPSec}
 DependOnGroup   : {}
 Description     : TCP/IP Protocol Driver

 PS HKLM:\system\currentcontrolset\services\tcpip>

You can also store an item's properties in a variable. Here we capture the values of the Parameters subkey beneath our current location:

 PS HKLM:\system\currentcontrolset\services\tcpip> `
 >> $ipparams=get-itemproperty Parameters
 >>
 PS HKLM:\system\currentcontrolset\services\tcpip> $ipparams

 PSPath                       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\Parameters
 PSParentPath                 : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip
 PSChildName                  : Parameters
 PSDrive                      : HKLM
 PSProvider                   : Microsoft.PowerShell.Core\Registry
 NV Hostname                  : godot
 DataBasePath                 : E:\WINDOWS\System32\drivers\etc
 NameServer                   :
 ForwardBroadcasts            : 0
 IPEnableRouter               : 0
 Domain                       :
 Hostname                     : godot
 SearchList                   :
 UseDomainNameDevolution      : 1
 EnableICMPRedirect           : 1
 DeadGWDetectDefault          : 1
 DontAddDefaultGatewayDefault : 0
 EnableSecurityFilters        : 0
 TcpWindowSize                : 64512
 DisableTaskOffload           : 1
 ReservedPorts                : {1433-1434}

 PS HKLM:\system\currentcontrolset\services\tcpip>
 PS HKLM:\system\currentcontrolset\services\tcpip> `
 >> $ipparams.tcpwindowsize
 >>
 64512
 PS HKLM:\system\currentcontrolset\services\tcpip>

We defined $ipparams to hold the values from HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. Invoking the variable lists every value name and its data.

Alternatively, we can read a single value by referring to it as a property of the variable:

 $ipparams.tcpwindowsize 

We can set a registry value using Set-Itemproperty. Here we changed the Domain value under Parameters, which was empty, to SAPIEN:

 PS HKLM:\system\currentcontrolset\services\tcpip\parameters> `
 >> set-itemproperty -path . -name Domain -value SAPIEN
 >>
 PS HKLM:\system\currentcontrolset\services\tcpip\parameters> `
 >> (get-itemproperty .).Domain
 >>
 SAPIEN
 PS HKLM:\system\currentcontrolset\services\tcpip\parameters>

To use Set-Itemproperty properly, you must specify a path. In this example we used "." to indicate the current location, followed by the name of the value and the new data to store in it.

Because accessing the registry in PowerShell is like accessing a file system, you can recurse through it with Get-ChildItem, search for specific keys or values, or perform a large-scale search and replace.
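The recursive search mentioned above, as an added example that is not from the book: a function that walks a subtree through the registry provider and reports every value whose name or data matches a regular expression, skipping keys the current user is not allowed to read. The function name, parameters and the closing audit of service ImagePath values are this example's own choices.

```powershell
# Added example (not from the book): recurse a registry subtree and report
# every value whose name or data matches a regex. Keys the caller cannot
# read (ACL-protected) are skipped instead of aborting the walk.
function Find-RegistryValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. HKLM:\SYSTEM\CurrentControlSet\Services
        [string] $NamePattern = '.*',            # regex applied to the value name
        [string] $DataPattern = '.*'             # regex applied to the value data
    )
    # Include the starting key itself, then everything beneath it.
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # PSPath, PSParentPath, PSChildName, PSDrive, PSProvider are added by
            # the provider; they are not registry values.
            if ($p.Name -like 'PS*') { continue }
            $data = "$($p.Value)"                # arrays (REG_MULTI_SZ) join with spaces
            if ($p.Name -match $NamePattern -and $data -match $DataPattern) {
                # Get-ItemProperty shows the unnamed default value as "(default)";
                # the underlying RegistryKey API calls it "".
                $regName = if ($p.Name -eq '(default)') { '' } else { $p.Name }
                [pscustomobject]@{
                    Key   = $key.PSPath -replace '^.*::', ''   # drop the provider prefix
                    Name  = $p.Name
                    Kind  = $key.GetValueKind($regName)        # String, DWord, MultiString, ...
                    Value = $data
                }
            }
        }
    }
}

# Defender-style use: list service ImagePath values that do not point into the
# Windows directory, a quick way to spot unexpected service binaries for review.
Find-RegistryValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -NamePattern '^ImagePath$' |
    Where-Object { $_.Value -notmatch '(?i)(%SystemRoot%|\\Windows\\|^System32\\|^\\SystemRoot\\)' } |
    Format-Table Key, Value -AutoSize
```

Run the audit call from an elevated prompt on a test system first; without elevation some service keys are unreadable and are silently skipped.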

You can use New-Item and New-Itemproperty to create new registry keys and values. Let's change our location to HKEY_CURRENT_USER (the HKCU: drive) and look at the current items in the root:

 PS HKCU:\> dir

    Hive: Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER

 SKC  VC Name                           Property
 ---  -- ----                           --------
   2   0 AppEvents                      {}
   3  32 Console                        {ColorTable00, ColorTable01, ColorTab..
  26   1 Control Panel                  {Opened}
   0   4 Environment                    {TEMP, TMP, USERNAME, EnvironmentVari..
   1   6 Identities                     {Identity Ordinal, Migrated5, Last Us..
   2   0 Keyboard Layout                {}
   0   0 Network                        {}
   4   1 Printers                       {DeviceOld}
   1   0 S                              {}
  77   0 Software                       {}
   1   0 SYSTEM                         {}
   0   0 UNICODE Program Groups         {}
   2   0 Windows 3.1 Migration Status   {}
   0   1 SessionInformation             {ProgramCount}
   0   7 Volatile Environment           {LOGONSERVER, CLIENTNAME, SESSIONNAME..

 PS HKCU:\>

Next we'll create a new subkey called PowerShell TFM:

 PS HKCU:\> new-item "PowerShell TFM"

    Hive: Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER

 SKC  VC Name                           Property
 ---  -- ----                           --------
   0   0 PowerShell TFM                 {}

 PS HKCU:\> cd "PowerShell TFM"
 PS HKCU:\PowerShell TFM>

We use New-Itemproperty to create registry values:

 PS HKCU:\PowerShell TFM> new-itemproperty -path . `
 >> -name "Pub" -value "SAPIEN"
 >>

 PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_...
 PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER
 PSChildName  : PowerShell TFM
 PSDrive      : HKCU
 PSProvider   : Microsoft.PowerShell.Core\Registry
 Pub          : SAPIEN

 PS HKCU:\PowerShell TFM>

We now have a String (REG_SZ) value called Pub containing SAPIEN. If you want to create a value of a different type, such as a DWORD, use the -PropertyType parameter:

 PS HKCU:\PowerShell TFM> new-itemproperty -path . `
 >> -PropertyType DWORD -name "Recommend" -value 1
 >>

 PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USE...
 PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER
 PSChildName  : PowerShell TFM
 PSDrive      : HKCU
 PSProvider   : Microsoft.PowerShell.Core\Registry
 Recommend    : 1

 PS HKCU:\PowerShell TFM>

To remove a single value we call Remove-Itemproperty:

 PS HKCU:\PowerShell TFM> remove-itemproperty -path . -name Recommend 

We use Remove-Item to remove the subkey we created (note the prompt: we first moved back to the root of HKCU:, since you cannot delete the key you are currently in):

 PS HKCU:\> remove-item "PowerShell TFM" 
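The create, inspect and remove sequence above, as an added example that is not from the book: it guards each step with Test-Path so it can be rerun safely, writes explicitly typed values (String, DWord and MultiString), reads back the stored type of each value, and previews the deletion with -WhatIf before performing it. The key path under HKCU:\Software and the function names are assumptions for this example.

```powershell
# Added example (not from the book): idempotent create / verify / remove of a
# test key. The key path is an assumed throwaway location for a test system.
$key = 'HKCU:\Software\PowerShellTFM-Example'

function New-ExampleKey {
    # New-Item fails if the key already exists, so check first.
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key | Out-Null
    }
    # Explicit types: REG_SZ, REG_DWORD, REG_MULTI_SZ. -Force overwrites an
    # existing value of the same name instead of erroring on a second run.
    New-ItemProperty -LiteralPath $key -Name Pub       -Value 'SAPIEN' -PropertyType String -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name Recommend -Value 1        -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name Ports     -Value @('1433-1434') -PropertyType MultiString -Force | Out-Null
}

function Get-ExampleKey {
    # Get-Item returns a RegistryKey, so the stored type of each value is available.
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Name  = $name
            Kind  = $item.GetValueKind($name)
            Value = $item.GetValue($name)
        }
    }
}

function Remove-ExampleKey {
    param([switch] $WhatIf)
    if (Test-Path -LiteralPath $key) {
        # Removing a key removes its values; -Recurse is required if it has subkeys.
        Remove-Item -LiteralPath $key -Recurse -WhatIf:$WhatIf
    }
}

New-ExampleKey
Get-ExampleKey | Format-Table -AutoSize     # Pub/String, Recommend/DWord, Ports/MultiString
Remove-ExampleKey -WhatIf                   # preview only
Remove-ExampleKey
Test-Path -LiteralPath $key                 # False once the key is gone
```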

Standard Registry Rules Apply

Since PowerShell takes a new approach to managing the registry, take great care when modifying it: there is no undo, and a mistaken Set-ItemProperty or Remove-Item takes effect immediately. Be sure to test your registry editing skills with these new expressions and cmdlets on a test system before even thinking about touching a production server or desktop.

Windows PowerShell. TFM
Internet Forensics
ISBN: 982131445
EAN: 2147483647
Year: 2004
Pages: 289