PowerShell/Registry - Wikiversity (2024)

This lesson introduces PowerShell Registry processing.

After completing this lesson, you will be able to:

• Describe basic PowerShell Windows Registry concepts.
• Create PowerShell scripts to manage Registry keys.

1. Wikipedia: Windows Registry
2. Wikipedia: INI file
3. BonusBits: Mastering PowerShell Chapter 16 - The Registry

1. YouTube: Working With Registry Items In Powershell
2. YouTube: Windows PowerShell - How To - Windows Registry

The Get-PSDrive cmdlet gets the drives available in the current session, including logical mapped network drives and drives exposed by Windows PowerShell providers.^[1]

Get-PSDrive -PSProvider Registry

Example output:

PS C:\Windows\system32> Get-PSDriveName Used (GB) Free (GB) Provider Root CurrentLocation---- --------- --------- -------- ---- ---------------Alias AliasC 56.04 408.13 FileSystem C:\ Windows\system32Cert Certificate \D FileSystem D:\Env EnvironmentFunction FunctionHKCU Registry HKEY_CURRENT_USERHKLM Registry HKEY_LOCAL_MACHINEVariable VariableWSMan WSMan

The New-Item cmdlet creates a new item and sets its value.^[2]

$path = 'HKCU:\Software\Scripts'if(!(Test-Path -Path $path)){ New-Item -Path $path}$path = 'HKCU:\Software\Scripts\My Script'if(!(Test-Path -Path $path)){ New-Item -Path $path}

The New-ItemProperty cmdlet creates a new property for an item and sets its value.^[3]

$path = 'HKCU:\Software\Scripts\My Script'$name = 'RunCount'New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 0

The Get-Item cmdlet gets the item at the specified location.^[4]

$path = 'HKCU:\Software\Scripts\My Script'$key = Get-Item -Path $pathforeach($name in $key.Property){ $property = Get-ItemProperty -Path $path -Name $name Write-Output ($name + ' = ' + $property.$name)}

The Get-ItemProperty cmdlet gets the properties of a specified item.^[5]

$path = 'HKCU:\Software\Scripts\My Script'try{ $name = 'RunCount' $key = Get-ItemProperty -Path $path -Name $name -ErrorAction Stop $runs = $key.RunCount}catch{ $runs = 0}

The Set-ItemProperty cmdlet changes the value of the property of the specified item.^[6]

$path = 'HKCU:\Software\Scripts\My Script'$name = 'RunCount'$runs++Set-ItemProperty -Path $path -Name $name -Value $runs

The Remove-Item cmdlet deletes one or more items.^[7]

$path = 'HKCU:\Software\Scripts\My Script'Remove-Item -Path $path -Confirm

The Remove-ItemProperty cmdlet deletes a property and its value from an item.^[8]

$path = 'HKCU:\Software\Scripts\My Script'$name = 'RunCount'Remove-ItemProperty -Path $path -Name $name -Confirm

1. Review Microsoft TechNet: Use PowerShell to Back Up System State Prior to Making Changes. Use the Checkpoint-Computer cmdlet to create a system restore point.
2. Review Microsoft TechNet: Using the Get-PSDrive Cmdlet. Use the Get-PSDrive cmdlet to display available drives. Identify the drive names supported by the Registry provider. Use a foreach loop and the Get-ChildItem (alias Dir) cmdlet to display the root keys available in the registry drives.
3. Review PowerShell.com: The Registry. Create a script that uses a foreach loop to display all Registry entries that contain the word 'PowerShell' in the key or the value.
4. Review CrucialSecurityBlog: Typed URLs. Create a script that uses a foreach loop to display Internet Explorer history (Internet Explorer Typed Urls).
5. Review Microsoft MSDN: Run and RunOnce Registry Keys. Create a script to add a RunOnce item to automatically run either PowerShell or PowerShell ISE (your choice) at the next logon.
6. Review AskVG.com: How to Enable “Open Command Window Here” Option in Context Menu in Windows Vista and 7. Create a script to delete the 'Extended' item property from the following keys. Be sure to use the -Confirm option and carefully confirm that only the Extended property will be removed. Use Windows Explorer to confirm that 'Open command window here' now appears on the context menu without holding down the Shift key.
   • HKLM:\SOFTWARE\Classes\Directory\shell\cmd
   • HKLM:\SOFTWARE\Classes\Drive\shell\cmd

• The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems.^[9]
• The Registry supports strongly-typed data values, while INI files are text only.^[10]
• Regedit.exe is the built-in Windows Registry editor.^[11]
• The Registry contains two basic elements: keys and values. Registry keys are container objects similar to folders. Registry values are non-container objects similar to files. Keys may contain values or further keys.^[12]
• Keys are referenced with a syntax similar to Windows' path names, using backslashes to indicate levels of hierarchy. Keys must have a case insensitive name without backslashes.^[13]
• The keys at the root level of the hierarchical database are generally named by their Windows API definitions, which all begin "HKEY".^[14]
• HKEY_LOCAL_MACHINE, abbreviated as HKLM, stores settings that are specific to the local computer.^[15]
• HKEY_CURRENT_USER abbreviated HKCU, stores settings that are specific to the currently logged-in user^[16]
• The INI file format is a simple text file with a basic structure composed of sections, properties, and values used primarily in MS-DOS and 16-bit versions of Windows.^[17]
• Windows NT and later versions of Windows use the Registry for configuration settings.^[18]
• Applications built on the .NET Framework and portable applications often use XML-format configuration files rather than the Registry.^[19]
• The PowerShell Registry provider exposes two registry paths: HKLM for HKEY_LOCAL_MACHINE and HKCU for HKEY_CURRENT_USER.^[20]
• The Get-PSDrive cmdlet gets the drives available in the current session, including logical mapped network drives and drives exposed by Windows PowerShell providers.^[21]
• The New-Item cmdlet creates a new item and sets its value.^[22]
• The New-ItemProperty cmdlet creates a new property for an item and sets its value.^[23]
• The Get-Item cmdlet gets the item at the specified location.^[24]
• The Get-ItemProperty cmdlet gets the properties of a specified item.^[25]
• The Set-ItemProperty cmdlet changes the value of the property of the specified item.^[26]
• The Remove-Item cmdlet deletes one or more items.^[27]
• The Remove-ItemProperty cmdlet deletes a property and its value from an item.^[28]

hive

A logical group of keys, subkeys, and values in the Registry that has a set of supporting files containing backups of its data.^[29]

Click on a question to see the answer.

• Flashcards: Quizlet: Windows PowerShell - Registry
• Quiz: Quizlet: Windows PowerShell - Registry