Query Registry

This topic contains 6 replies, has 3 voices, and was last updated by Scott Curtsinger 2 years, 4 months ago.

  • #25722

    Scott Curtsinger
    Participant

    I'm working on a script that will query 'HKLM:\software\Microsoft\windows\CurrentVersion\Run', capture all Key Names/Data and report a True or False if any keys with empty data values are discovered.

    The true/false evaluation is failing because of how the data is being captured. If any key is there with valid data then it reports True. Instead I need to evaluate each key and value within Run.

    Any help or ideas are greatly appreciated!

    $Keys = Get-Item 'HKLM:\software\Microsoft\windows\CurrentVersion\Run'
    
    ForEach ($Key in $Keys)  
    {
        $Property = @{Name = 'Property'; Expression = {$_}}
        $Value = @{Name = 'Value'; Expression = {$Keys.GetValue($_)}}
        $Key.Property | Select $Property, $Value
    
            $Values =  $Key.Property | Select $value
            
            if ($Values -eq $null) {
                return $false}
             
            else {
                return $true}
    }
    
  • #25723

    Don Jones
    Keymaster

    There's a subtle bit about working with the registry, and some terminology you might not be aware of in PowerShell. If you know all this, I apologize – just trying to start at the beginning.

    In the registry, an ITEM (e.g., Get-ChildItem) is a key. That's what appears on the left-hand pane in Registry Editor.

    What appears on the right-hand pane in the GUI are ITEM PROPERTIES – e.g., Get-ItemProperty.

    To equate this to the file system, an ITEM is a file or folder; an ITEM PROPERTY is whether it's Read-Only, when it was last accessed, etc.

    KEYS in the registry contain multiple ITEM PROPERTIES; it's those item properties that have the values you're after. Right now, you're kinda doing some odd perambulations to get at those; you might consider using Get-ItemProperty instead. For example, given an Item (Key), you could Get-ItemProperty, and then run that through Where-Object to only output those that have null or empty property values. You could then run the results to Measure-Object, and if the resulting Count is greater than zero, you output True.

    • #25730

      Scott Curtsinger
      Participant

      Thanks Don,

      No need to apologize, that makes sense and thank you for the explanation.

      So are you thinking something that looks like this?

      $ItemProperties = Get-ItemProperty 'HKLM:\software\Microsoft\windows\CurrentVersion\Run' | Where-Object {$ItemProperties.ToString() -eq $null}
      
  • #25731

    Don Jones
    Keymaster

    Something like, although I'd need to test and see if $null was the correct comparison. But basically. You could then pipe that to Measure-Object to get a count of how many items matched the criteria, or just let it output them, which is what your code would do.

  • #25750

    Scott Curtsinger
    Participant

    Thanks Don for your help!

    Below is what I ended up with in case anyone is interested or looking for something similar. Little different than what was originally proposed but seems to be working just fine from my limited testing.

    Scott

    # Names of all values under the Run key
    $keys = (Get-Item 'HKLM:\software\Microsoft\windows\CurrentVersion\Run').Property

    ForEach ($key in $keys) {
        $return = ""
        Write-Host $key

        # Data stored under this value name
        $regValue = (Get-Item 'HKLM:\software\Microsoft\windows\CurrentVersion\Run').GetValue($key)
        Write-Host $regValue

        if ($regValue -eq "") {
            $return = "Null Value Found"
            Write-Host $return
        }
        else {
            $return = "No Null Values"
            Write-Host $return
        }
    }
    
  • #25755

    Peter Jurgens
    Participant

    I found this to be a bit simpler especially if you're sitting at the console and just looking to quickly get the information:

    Get-ItemProperty hklm:\software\microsoft\windows\currentversion\run | Select-Object * -ExcludeProperty ps*
    
  • #25791

    Scott Curtsinger
    Participant

    Thanks Peter!
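
The Where-Object / Measure-Object check outlined in Don Jones's reply, written out as an added example that is not code from any poster in this thread. It enumerates with GetValueNames() instead of Get-ItemProperty, so the PS* properties Peter excludes never appear; Get-EmptyRegistryValue is a hypothetical helper name.

```powershell
# Added example: Get-EmptyRegistryValue is a hypothetical helper, not a built-in cmdlet.
function Get-EmptyRegistryValue {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )

    # For the registry provider, Get-Item returns a Microsoft.Win32.RegistryKey.
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    try {
        # GetValueNames() lists only real registry values, so provider-added
        # properties (PSPath, PSProvider, ...) never need to be filtered out.
        foreach ($name in $key.GetValueNames()) {
            # Read the stored data without expanding REG_EXPAND_SZ variables.
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')

            [pscustomobject]@{
                Name    = if ($name) { $name } else { '(Default)' }
                Kind    = $key.GetValueKind($name)
                Data    = $data
                # Treats $null, '' and whitespace-only data as empty.
                IsEmpty = [string]::IsNullOrWhiteSpace([string]$data)
            }
        }
    }
    finally {
        $key.Close()
    }
}

# Every value is evaluated on its own; only the empty ones are kept.
$empty = @(Get-EmptyRegistryValue | Where-Object IsEmpty)

# List the offending value names, then emit a single True/False for the key.
$empty | Format-Table Name, Kind -AutoSize
($empty | Measure-Object).Count -gt 0
```

Pass -Path to run the same check against another key, such as the HKCU Run key.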
