One of the great features in PowerShell is its ability to treat the registry like a file system. Now you can connect to the registry and navigate it just as you would a directory.
PS C:\> set-location HKLM:System
PS HKLM:\System> dir

   Hive: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System

SKC  VC Name                           Property
---  -- ----                           --------
  4   0 ControlSet001                  {}
  4   0 ControlSet003                  {}
  0   0 LastKnownGoodRecovery          {}
  0  32 MountedDevices                 {\??\Volume{1edc8241-c4b6-11d9-8
  0   4 Select                         {Current, Default, Failed, LastK
  2   6 Setup                          {SetupType, SystemSetupInProgres
  7   0 WPA                            {}
  4   0 CurrentControlSet              {}

PS HKLM:\> cd currentcontrolset\services\tcpip
PS HKLM:\system\currentcontrolset\services\tcpip> dir

   Hive: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system\currentc
ontrolset\services\tcpip

SKC  VC Name                           Property
---  -- ----                           --------
  0   3 Linkage                        {Bind, Route, Export}
  5  16 Parameters                     {NV Hostname, DataBasePath, Name
  0   6 Performance                    {Close, Collect, Library, Open.
  0   1 Security                       {Security}
  0   7 ServiceProvider                {Class, DnsPriority, HostsPriori
  0   3 Enum                           {0, Count, NextInstance}

PS HKLM:\system\currentcontrolset\services\tcpip>
You can use Get-ItemProperty to view the registry values stored in a key. For example, to see the values in our current registry location, we would use an expression like this:
PS HKLM:\system\currentcontrolset\services\tcpip> get-itemproperty .

PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system
                  \currentcontrolset\services\tcpip
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\system
                  \currentcontrolset\services
PSChildName     : tcpip
PSDrive         : HKLM
PSProvider      : Microsoft.PowerShell.Core\Registry
Type            : 1
Start           : 1
ErrorControl    : 1
Tag             : 5
ImagePath       : System32\DRIVERS\tcpip.sys
DisplayName     : TCP/IP Protocol Driver
Group           : PNP_TDI
DependOnService : {IPSec}
DependOnGroup   : {}
Description     : TCP/IP Protocol Driver

PS HKLM:\system\currentcontrolset\services\tcpip>
You can also store an item's properties in a variable. Here we get the registry values of the Parameters subkey under our current location:
PS HKLM:\system\currentcontrolset\services\tcpip> `
>>$ipparams=get-itemproperty Parameters
>>
PS HKLM:\system\currentcontrolset\services\tcpip>$ipparams

PSPath                       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_M
                               ACHINE\system\currentcontrolset\services\tcpip\P
                               arameters
PSParentPath                 : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_M
                               ACHINE\system\currentcontrolset\services\tcpip
PSChildName                  : Parameters
PSDrive                      : HKLM
PSProvider                   : Microsoft.PowerShell.Core\Registry
NV Hostname                  : godot
DataBasePath                 : E:\WINDOWS\System32\drivers\etc
NameServer                   :
ForwardBroadcasts            : 0
IPEnableRouter               : 0
Domain                       :
Hostname                     : godot
SearchList                   :
UseDomainNameDevolution      : 1
EnableICMPRedirect           : 1
DeadGWDetectDefault          : 1
DontAddDefaultGatewayDefault : 0
EnableSecurityFilters        : 0
TcpWindowSize                : 64512
DisableTaskOffload           : 1
ReservedPorts                : {1433-1434}

PS HKLM:\system\currentcontrolset\services\tcpip>
PS HKLM:\system\currentcontrolset\services\tcpip> `
>> $ipparams.tcpwindowsize
>>
64512
PS HKLM:\system\currentcontrolset\services\tcpip>
We defined $ipparams to hold the registry values from HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. Invoking the variable lists all the value names and their data.
Alternatively, we can get a single value by specifying its name as a property:
$ipparams.tcpwindowsize
We can set a registry value using Set-ItemProperty. Here we changed the Domain value under Parameters, which was empty, to SAPIEN:
PS HKLM:\system\currentcontrolset\services\tcpip\parameters> `
>> set-itemproperty -path . -name Domain -value SAPIEN
>>
PS HKLM:\system\currentcontrolset\services\tcpip\parameters> `
>> (get-itemproperty .).Domain
>>
SAPIEN
PS HKLM:\system\currentcontrolset\services\tcpip\parameters>
To properly use Set-ItemProperty, you should specify a path. In this example we used a "." to indicate the current location, followed by the name of the value and its new data.
Because accessing the registry in PowerShell is like accessing a file system, you can recurse through it, search for specific items, or do a massive search and replace.
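The recursive search and replace described above, as an added example that is not part of the original page. The function name Find-RegistryValue and the scratch key HKCU:\Software\RegSearchDemo are hypothetical; it assumes PowerShell 3.0 or later and only touches string (REG_SZ) values.

```powershell
function Find-RegistryValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,      # key to start from
        [Parameter(Mandatory = $true)][string]$Pattern,   # regular expression to look for
        [string]$Replacement                              # omit to search only
    )
    # Start at the key itself, then walk every subkey beneath it.
    # Subkeys the caller cannot read are skipped rather than aborting the walk.
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the unnamed (Default) value
            # Only REG_SZ data is considered; DWORD, binary and multi-string are left alone.
            if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::String) { continue }
            $data = [string]$key.GetValue($name)
            if ($data -notmatch $Pattern) { continue }
            $newData = $null
            if ($PSBoundParameters.ContainsKey('Replacement')) {
                $newData = $data -replace $Pattern, $Replacement
                # -WhatIf / -Confirm are honoured here, so a replace can be previewed first.
                if ($PSCmdlet.ShouldProcess("$($key.PSPath)\$name", "Set '$data' to '$newData'")) {
                    Set-ItemProperty -LiteralPath $key.PSPath -Name $name -Value $newData
                }
            }
            [pscustomobject]@{ Key = $key.Name; Name = $name; Data = $data; NewData = $newData }
        }
    }
}

# Constructed sample data in a hypothetical scratch key under HKCU.
$demo = 'HKCU:\Software\RegSearchDemo'
New-Item -Path $demo -Force | Out-Null
New-Item -Path "$demo\Sub" -Force | Out-Null
New-ItemProperty -Path $demo -Name Pub -Value 'SAPIEN' -Force | Out-Null
New-ItemProperty -Path "$demo\Sub" -Name Vendor -Value 'SAPIEN Press' -Force | Out-Null
New-ItemProperty -Path "$demo\Sub" -Name Recommend -PropertyType DWORD -Value 1 -Force | Out-Null

Find-RegistryValue -Path $demo -Pattern 'SAPIEN'                                  # search only
Find-RegistryValue -Path $demo -Pattern 'SAPIEN' -Replacement 'Example' -WhatIf   # preview, no writes
Find-RegistryValue -Path $demo -Pattern 'SAPIEN' -Replacement 'Example'           # apply the change
Remove-Item -Path $demo -Recurse                                                  # clean up the scratch key
```

Run the -WhatIf form and review the listed keys before applying a replace to anything outside a scratch key.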
You can use New-Item and New-ItemProperty to create new registry keys and values. Let's change our location to HKEY_CURRENT_USER and look at the current items in the root:
PS HKCU:\> dir

   Hive: Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER

SKC  VC Name                           Property
---  -- ----                           --------
  2   0 AppEvents                      {}
  3  32 Console                        {ColorTable00, ColorTable01, ColorTab..
 26   1 Control Panel                  {Opened}
  0   4 Environment                    {TEMP, TMP, USERNAME, EnvironmentVari..
  1   6 Identities                     {Identity Ordinal, Migrated5, Last Us..
  2   0 Keyboard Layout                {}
  0   0 Network                        {}
  4   1 Printers                       {DeviceOld}
  1   0 S                              {}
 77   0 Software                       {}
  1   0 SYSTEM                         {}
  0   0 UNICODE Program Groups         {}
  2   0 Windows 3.1 Migration Status   {}
  0   1 SessionInformation             {ProgramCount}
  0   7 Volatile Environment           {LOGONSERVER, CLIENTNAME, SESSIONNAME..

PS HKCU:\>
Next we'll create a new subkey called PowerShell TFM:
PS HKCU:\> new-item "PowerShell TFM"

   Hive: Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER

SKC  VC Name                           Property
---  -- ----                           --------
  0   0 PowerShell TFM                 {}

PS HKCU:\> cd "PowerShell TFM"
PS HKCU:\PowerShell TFM>
We use New-ItemProperty to create registry values:
PS HKCU:\PowerShell TFM> new-itemproperty -path . `
>> -name "Pub" -value "SAPIEN"
>>

PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_...
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER
PSChildName  : PowerShell TFM
PSDrive      : HKCU
PSProvider   : Microsoft.PowerShell.Core\Registry
Pub          : SAPIEN

PS HKCU:\PowerShell TFM>
We now have a String entry called Pub with a value of SAPIEN. If you want to create a different type of registry entry, such as a DWORD, use the -PropertyType parameter:
PS HKCU:\PowerShell TFM> new-itemproperty -path . `
>> -PropertyType DWORD -name "Recommend" -value 1
>>

PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USE...
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER
PSChildName  : PowerShell TFM
PSDrive      : HKCU
PSProvider   : Microsoft.PowerShell.Core\Registry
Recommend    : 1

PS HKCU:\PowerShell TFM>
To remove a registry value we call Remove-ItemProperty:
PS HKCU:\PowerShell TFM> remove-itemproperty -path . -name Recommend
We use Remove-Item to remove the subkey we created:
PS HKCU:\> remove-item "PowerShell TFM"
Standard Registry Rules Apply
Since PowerShell takes a new approach to managing the registry, take great care in modifying the registry. Be sure to test your registry editing skills with these new expressions and cmdlets on a test system before even thinking about touching a production server or desktop.