Searching the Registry with PowerShell

Anyone who has been responsible for managing Windows machines for any length of time will be familiar with the registry. The registry was originallycreated as a way for the OS to store information about file types. But starting in Windows NT 3.1 and Windows 95, the registry became the standardplace in which the OS and applications can quickly store and retrieve configuration information. Windows 95 introduced regedit, the standard GUIregistry-editing tool; Windows NT provided another GUI registry editor, regedt32, which supported more registry types than regedit did. Windows NT 4.0and Windows 2000 provided both editors. Starting in Windows XP, Microsoft upgraded regedit to support the same data types as regedt32, making thelatter editor obsolete.

Regedit is an extremely useful tool, but searching for data isn't one of its strong suits. Regedit's Find feature, which Figure 1 shows, is basic:Press Ctrl+F, enter a text string, select any of the four check boxes, and click Find Next. Pressing F3 to repeat the search quickly becomes tediouswhen there are many matches.

Figure 1: Regedit Find dialog box 

I decided to rectify this weakness by writing a Windows PowerShell script, Search-Registry.ps1, which can search the registry more flexibly thanregedit. (You can download the script by clicking the download link at the top of this page.) Search-Registry.ps1 improves on regedit's Find feature in four ways:

Many PowerShell-savvy readers will note that PowerShell provides registry "drives" (e.g., HKLM) for accessing the registry. However, these drives workonly on the local computer, not on remote systems. I also considered PowerShell remoting. But remoting requires that PowerShell 2.0 or later beinstalled and enabled on all remote machines-a scenario that doesn't occur by default.

Introducing Search-Registry.ps1

The Search-Registry.ps1 script's command-line syntax is as follows:

Search-Registry [-StartKey] [-Pattern] [-MatchKey] [-MatchValue]
[-MatchData] [-MaximumMatches ] [-ComputerName ]

The -StartKey parameter specifies the registry key location from which to start searching. This is equivalent to selecting a starting location inregedit's left pane before pressing Ctrl+F. The -StartKey parameter string uses the format

subtree:key

where subtree is either the abbreviated PowerShell drive name or the full subtree name, as seen in regedit:

The colon (:) after the subtree name is optional. The key specifies where to start searching. If you omit the key or use a single backslashcharacter (), the script searches the entire subtree. For example, the following strings are all equivalent when used with the -StartKey parameter:

HKLMSOFTWARE
HKLM:SOFTWARE
HKEY_LOCAL_MACHINESOFTWARE

The -StartKey parameter is designated to be in position 1, so as long as you specify its argument first on the command line, the -StartKey parametername is optional. If the -StartKey parameter argument string contains spaces, then surround the string with quotation marks (").

The -Pattern parameter specifies the regular expression pattern that you want to find. The -Pattern parameter is designated to be in position 2, so aslong as you specify its argument second on the command line, the -Pattern parameter name is optional. If the -Pattern parameter argument stringcontains spaces, use quotation marks as appropriate. The regular expression pattern is not case-sensitive. For more information about constructing aregular expression pattern, enter the command

help about_Regular_Expressions 

at the PowerShell command prompt.

The -MatchKey, -MatchValue, and -MatchData parameters specify the kinds of matches that the script should find. These parameters correspond to theKeys, Values, and Data check boxes in regedit's Find dialog box, as Figure 1 shows. Figure 2 illustrates how these items correspond to items in theregistry. I decided to stick with these names instead of the new names (i.e., path, property, value) that PowerShell uses in its registry provider sothat the script uses the same terms that the regedit Find dialog box uses. You must specify at least one of these three parameters, although you canspecify more than one. -MatchKey matches subkey names, -MatchValue matches registry value names, and -MatchData matches the values' data.

Figure 2: How items in the script correspond with items in the registry 

The -MaximumMatches parameter specifies the maximum number of results per searched computer. The default value is 0, which returns the maximum numberof possible matches. This parameter is useful when searching the registry on remote computers; you can use it to minimize the amount of networktraffic.

The -ComputerName parameter searches the registry on the specified computer or list of computers. You can specify one computer name or an array ofnames. This parameter supports pipeline input. The default is to search the local computer's registry.

Search-Registry.ps1 outputs objects that contain the properties that Table 1 lists. Figure 3 shows a sample Search-Registry.ps1 command in a PowerShellconsole window. The script that Figure 3 shows sends its output to Select-Object to select only the Key, Value, and Data properties (the ComputerNameproperty isn't needed because this command searches the local computer's registry). Select-Object then sends this output to Format-List. The listcontains only two matches because of the specified -MaximumMatches parameter.

Figure 3: Running Search-Registry.ps1 

Depending on the OS, some registry locations might be inaccessible (e.g., because of insufficient permissions). These registry locations will outputerrors when Search-Registry.ps1 tries to access them. To ignore these errors, specify the -ErrorAction SilentlyContinue parameter in the script'scommand.

How Does It Work?

Search-Registry.ps1 uses the begin and process scriptblocks because it supports pipeline input. The begin scriptblock contains thescript's initialization code: global variable declarations, parameter validations, and function definitions. The process scriptblock iterates eachcomputer name that's passed to the script and passes the computer name to the search-registry2 function. The search-registry2 function uses theOpenRemoteBaseKey static method of the .NET Microsoft.Win32.RegistryKey class to open the subtree that you request at the command line, and then passeseach computer name to the search-registrykey function. The search-registrykey function searches recursively for the regular expression pattern in aregistry location (i.e., it starts at a specified key and also searches in all subkeys of that key).

Sample Commands

Let's take a look at some real-world examples of how you might use Search-Registry.ps1.

Search-Registry -StartKey HKCR -Pattern"Word.Document.d" -MatchKey 

This command searches the local computer's registry, starting at HKEY_CLASSES_ROOT, for the pattern "Word.Document.d". In regular expressions, aperiod (.) matches any character; a backslash () means "interpret the next character literally." Therefore, "." means ".". A backslash followed bythe letter d (d) indicates "any decimal digit," so this search finds registry subkeys that are named Word.Document.n (where n is anumber). If this command returns a match, then there's probably an application on the local system that can open Microsoft Word documents.

Search-Registry -StartKey HKLM -Pattern$ENV:USERNAME -MatchData 

This command searches HKEY_LOCAL_MACHINE on the local computer for any registry data that contains the current user name.

Search-Registry -StartKey HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem-Pattern EnableLinkedConnections -MatchValue 

This command determines whether the EnableLinkedConnections registry value is configured on the local computer. (To find out why you might want tosearch for this value, see the Microsoft article "Programs may be unable to access some network locations after you turn on User Account Control inWindows Vista or in Windows 7.")

Get-Content Computers.txt |Search-Registry HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem-Pattern EnableLinkedConnections -MatchValue |Export-CSV C:ReportsEnableLinkedConnections.csv-NoTypeInformation 

This command is the same as the previous one, except that Search-Registry.ps1 searches for the registry value on the computers that are listed in thefile Computers.txt and creates a CSV report.

Hassle-Free Registry Searching

Searching for information in the registry no longer needs to be a tedious exercise. Hitting F3 a couple hundred times in regedit can be a thing of thepast. The next time you need to search the registry, open a PowerShell command window and use Search-Registry.ps1 instead.