I made a GIF!

Explaining Jason Stangroome's "PowerShell Registry Find and Replace" article

On 2007-08-02, Jason Stangroome posted a blog article "PowerShell Registry Find and Replace" at URL http://blog.stangroome.com/2007/08/02/powershell-registry-find-and-replace/ . The article is still there; however, the PowerShell code is presented without examples or a usage statement. Hence I am re-posting his content here, reformatted for legibility and with an example.

PowerShell function Find-RegistryValue requires one parameter, -seek, of type string. The string should be wrapped in single or double quotes. Because the function passes it to the -match operator, it is treated as a regular expression and must contain appropriate character escapes; for example, use '\\' rather than '\'.

The -regpath parameter is automatically populated by Get-Location; do not attempt to provide it as a string. Instead, use Set-Location Registry::[...] first to provide the proper context before running Find-RegistryValue.

function Find-RegistryValue (
    [string] $seek = $(throw "seek required."),                         # regular expression to search for
    [System.Management.Automation.PathInfo] $regpath = (Get-Location)   # defaults to the current location
){
    if ($regpath.Provider.Name -ne "Registry") {
        throw "regpath required."
    }
    $keys = @(Get-Item $regpath -ErrorAction SilentlyContinue)                  # the starting key itself
    $keys += @(Get-ChildItem -recurse $regpath -ErrorAction SilentlyContinue)   # plus every readable subkey
    $results = @();
    foreach ($key in $keys) {
        foreach ($vname in $key.GetValueNames()) {
            $val = $key.GetValue($vname);
            if ($val -match $seek) {                                            # regex match against the value data
                $r = @{};
                $r.Key = $key;
                $r.ValueName = $vname;
                $r.Value = $val;
                $results += $r;
            }
        }
    }
    $results;
}



A series of examples

  • Command Find-RegistryValue -seek \VisualStudio\ fails because the current location is not a registry path; run Set-Location Registry::[...] first.
> Find-RegistryValue -seek \VisualStudio\
regpath required.
At Find-RegistryValue:6 char:3
+         throw “regpath required.”
+         ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (regpath required.:String) [], RuntimeException
    + FullyQualifiedErrorId : regpath required.


  • Command Find-RegistryValue -seek \Microsoft\ fails because the string is parsed as a regular expression, in which the '\' character escapes the next character 'M'; replace all '\' with '\\' and wrap the string in quotes (single or double) if the string contains any spaces.
> Set-Location Registry::HKCU

> Find-RegistryValue -seek \Microsoft\
[...]
parsing "\Microsoft\" - Unrecognized escape sequence \M.
At Find-RegistryValue:15 char:8
+             if ($val -match $seek) {
+                 ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException

parsing "\Microsoft\" - Unrecognized escape sequence \M.

  • Command Find-RegistryValue -seek '\\Microsoft\\' succeeded and produced results.
> Find-RegistryValue -seek '\\Microsoft\\'
[...]
ValueName 192
Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\[...]
Value {C:\ProgramData\Microsoft\Windows\Start Menu\Programs\[...].lnk, C:\Program Files\Microsoft\[...].exe}

PowerShell function Replace-RegistryValue requires two parameters, -seek and -swap, both of type string. Running Find-RegistryValue first is highly recommended, as it only reads.


function Replace-RegistryValue (
    [string] $seek = $(throw "seek required."),                         # regular expression to search for
    [string] $swap = $(throw "swap required."),                         # replacement text
    [System.Management.Automation.PathInfo] $regpath = (Get-Location)   # defaults to the current location
){
    $find = Find-RegistryValue -seek $seek -regpath $regpath;
    $results = @();

    foreach ($target in $find) {
        $nval = $target.Value -replace $seek, $swap;
        $r = @{};
        $r.Key = $target.Key;
        $r.ValueName = $target.ValueName;
        $r.OldValue = $target.Value;
        $r.NewValue = $nval;
        $results += $r;
        # Reopen the key from its parent with write access, then overwrite the value
        $wKey = (Get-Item $r.Key.PSParentPath).OpenSubKey($r.Key.PSChildName, $true);
        $wKey.SetValue($target.ValueName, $nval);
    }
    $results;
}
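
The escaping pitfall shown in the examples and the advice to read before writing can both be built into the replace step. The following is an added example, not Jason Stangroome's code or part of the original article: the function name Update-RegistryString, its -Literal switch and the sample -Swap text are assumptions made for illustration. It supports -WhatIf and -Confirm, only touches string-typed values, and writes each value back with its original registry type.

```powershell
# Added example (hypothetical function name); not the original article's code.
# Usage: Set-Location Registry::[...] ; Update-RegistryString -Seek '\Microsoft\' -Swap '\Example\' -Literal -WhatIf
function Update-RegistryString {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)] [string] $Seek,
        [Parameter(Mandatory = $true)] [string] $Swap,
        [switch] $Literal,   # treat -Seek as plain text instead of a regular expression
        [System.Management.Automation.PathInfo] $RegPath = (Get-Location)
    )
    if ($RegPath.Provider.Name -ne 'Registry') { throw 'Run Set-Location Registry::[...] first.' }
    $pattern = if ($Literal) { [regex]::Escape($Seek) } else { $Seek }
    $textKinds = 'String', 'ExpandString', 'MultiString'

    $keys = @(Get-Item -LiteralPath $RegPath.Path -ErrorAction SilentlyContinue)
    $keys += @(Get-ChildItem -LiteralPath $RegPath.Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        if (-not $key.PSParentPath) { continue }               # hive root: no parent key to reopen from
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            if ($textKinds -notcontains "$kind") { continue }   # leave DWORD/QWORD/Binary data alone
            # Read REG_EXPAND_SZ unexpanded so %VARIABLES% are not baked into the new value
            $old = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if (-not ($old -match $pattern)) { continue }
            $new = $old -replace $pattern, $Swap
            if ("$kind" -eq 'MultiString') { $new = [string[]] $new }
            if ($PSCmdlet.ShouldProcess("$($key.Name)\$name", "replace '$Seek' with '$Swap'")) {
                $wKey = (Get-Item -LiteralPath $key.PSParentPath).OpenSubKey($key.PSChildName, $true)
                try { $wKey.SetValue($name, $new, $kind) } finally { $wKey.Close() }
            }
            # Emitted for every match, including under -WhatIf, as a record of the change
            [pscustomobject]@{ Key = $key.Name; ValueName = $name; Kind = $kind; OldValue = $old; NewValue = $new }
        }
    }
}
```

With -WhatIf the function lists every value it would change without opening any key for writing, so the output can be reviewed before the same command is run again without the switch.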

Microsoft have issued the following warning with respect to the Windows Registry:

"Modifying the Windows Registry incorrectly can cause serious, system-wide problems that may require you to re-install Windows to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk."

Note: What you see when opening the registry editor or backing it up, may vary slightly according to your operating system.

Additional disclaimer: 

This information is provided "as is", without warranty of any kind, express or implied, including, but not limited, to the warranties of merchantability, fitness for a particular purpose, and non-infringement.

In no event shall the authors be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.

Comments

roendi said…
Hi Guys
I have big trouble with this.
The small example is not working.

Set-Location Registry::HKCU
Find-RegistryValue -seek '\\Microsoft\\'

The Object not found find-registry Value

What do I need to do? Please help


roendi said…
Hi Guys
The small test is not working on my machine

Set-Location Registry::HKCU
Find-RegistryValue -seek '\\Microsoft\\'

It says find-registry value is not a cmdlet.

I have Windows 10 Build 1903

Please help

Thanks in advance
