Searching the Registry


  • #170440

    Participant

    I have been searching the internet most of the morning for this and I find multiple hits, with very similar code, though they miss the mark for me.

    I have been tasked to find specific values (specifically an email address) and do a find and replace.

    The basics. Yes, I have used get-childitem to riffle through the keys, then for each hive key (foreach) I use get-itemproperty based on $_.PsPath and match a specific string (the email address).

    This finds the keys that have a subkey with this value, but it returns them all, not just the one subkey. I am having issues singling out the subkey with the value. Because of this, I am being very cautious. I would like to output the path (got that $_.name), but I cannot get it to single out the subkey with the search value. $_.Property lists all the subkeys. As a last test I would like to output the value of that subkey (as a double check before I implement this sucker).

    Thanks.

  • #170449

    Participant

    Please show your code. We are much faster when we can tweak existing code. 😉

  • #170452

    Participant

    OK, this is kind of where I am at. I was using a known value and subkey (HKCU:\Console – FaceName : __DefaultTTFont__) to do my search (that way it was found quickly and I could test the subkey and values against something known).

    $searchString = "__DefaultTTFont__"

    cd HKCU:
    Get-ChildItem . -rec -ea SilentlyContinue | foreach {
        if ((Get-ItemProperty -path $_.PsPath) -match $searchString)
        {
            write-host "--------------------------------" -ForegroundColor Yellow
            $subList = Get-ItemProperty -Path $_.PsPath
            # Write-Host $_.name -NoNewline
            # Write-Host "\" -NoNewline
            # Write-Host $_.Property -ForegroundColor Cyan -NoNewline
            # Write-Host " : " -NoNewline
            # Get-ItemProperty -Path $_.PSPath -Name "Default"
            # Write-Host -ForegroundColor Green
            # write-host "--------------------------------" -ForegroundColor Yellow

        }
    }

  • #170455
    js

    Participant

    Does this help?

    # get-itemproperty2.ps1
    
    # get-childitem skips top level key properties, use get-item for that
    
    # example pipe to set-itemproperty:
    # ls -r hkcu:\key1 | get-itemproperty2 | where value -match value | 
    #   set-itemproperty -value myvalue -whatif
     
    param([parameter(ValueFromPipeline)]$key)
    
    process { 
      $valuenames = $key.getvaluenames() 
    
      if ($valuenames) { 
        $valuenames | foreach {
          $value = $_
          [pscustomobject] @{
            Path = $key -replace 'HKEY_CURRENT_USER',
              'HKCU:' -replace 'HKEY_LOCAL_MACHINE','HKLM:'
            Name = $Value
            Value = $Key.GetValue($Value)
            Type = $Key.GetValueKind($Value)
          }
        }
      } else {
        [pscustomobject] @{
          Path = $key -replace 'HKEY_CURRENT_USER',
            'HKCU:' -replace 'HKEY_LOCAL_MACHINE','HKLM:'
          Name = ''
          Value = ''
          Type = ''
        }
      }
    }
    
    get-childitem -recurse hkcu: | .\get-itemproperty2 | select -first 5
    
    Path                      Name                     Value Type
    ----                      ----                     ----- ----
    HKCU:\AppEvents
    HKCU:\ApplicationDefaults
    HKCU:\Console             CtrlKeyShortcutsDisabled 0     DWord
    HKCU:\Console             CursorSize               25    DWord
    HKCU:\Console             EnableColorSelection     0     DWord
    
  • #171784

    Participant

    Sorry for the late reply. I found something that worked and the team threw me heavy into the project to get those pieces working. Here is what I found to work:

    ####################################
    # Collect the Registry data
    ####################################
    Write-Host "**************************************************" -ForegroundColor Yellow
    Write-Host "Scanning Registry for " -NoNewline
    Write-host $jEmail -ForegroundColor Cyan
    #grab the registry based on the Hive you need.
    $keys =@(Get-Item HKU:\$RegSID\software -ErrorAction SilentlyContinue) + @(Get-ChildItem -Recurse HKU:\$RegSID\software -ErrorAction SilentlyContinue);
    
    ###################################
    # Search (and replace)
    ###################################
    $results = @()
    foreach ($key in $keys){
        foreach ($vname in $key.GetValueNames()){
            $val = $key.GetValue($vname)
            if ($val -like $jEmail){
                $r = @{}
                $r.Key = $key.ToString() -replace "HKEY_USERS", "HKU:"
                $r.SubName = $vname.ToString()
                $r.Val = $val.ToString()
                $results += $r
            }
        }
    }

    This is a specific use of the search and find, but hopefully others who are looking for this can get what they need from it.  Basically it was the "$keys =@(Get-Item HKU:\$RegSID\software -ErrorAction SilentlyContinue) + @(Get-ChildItem -Recurse HKU:\$RegSID\software -ErrorAction SilentlyContinue);" piece that I needed.

    thanks for the response.
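
The thread stops at collecting matches, so here is the cautious search-then-replace the original question asked for, as an added example that is not code from any poster in this thread. The function names, the `HKCU:\Software\RegistryReplaceDemo` key and the example.com addresses are constructed for the demo; it reports each matching value by path, name and kind, supports `-WhatIf`, and writes back with the original value kind.

```powershell
# Added example; the key name and addresses are constructed for the demo.
function Find-RegistryText {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$Text)
    $pattern = '*' + [System.Management.Automation.WildcardPattern]::Escape($Text) + '*'
    # Get-ChildItem skips the root key's own values, so include Get-Item as well.
    $keys = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            if ("$kind" -notin 'String', 'ExpandString', 'MultiString') { continue }
            # Read unexpanded so %VAR% in ExpandString values is never written back expanded.
            $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if (@($value) -like $pattern) {
                [pscustomobject]@{ Path = $key.PSPath; Name = $name; Kind = $kind; Value = $value }
            }
        }
    }
}

function Update-RegistryText {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Hit,
          [Parameter(Mandatory)][string]$Old, [Parameter(Mandatory)][string]$New)
    process {
        # Literal, case-insensitive replace; '$' in the new text is escaped for -replace.
        $updated = @(@($Hit.Value) -replace [regex]::Escape($Old), $New.Replace('$', '$$'))
        if ("$($Hit.Kind)" -eq 'MultiString') { $updated = [string[]]$updated } else { $updated = [string]$updated[0] }
        if ($PSCmdlet.ShouldProcess("$($Hit.Path) [$($Hit.Name)]", "set '$updated'")) {
            $writable = (Get-Item -LiteralPath $Hit.Path).OpenSubKey('', $true)  # same key, opened for write
            try { $writable.SetValue($Hit.Name, $updated, $Hit.Kind) } finally { $writable.Close() }
        }
    }
}

# Constructed demo data under a throwaway key; nothing outside it is touched.
$demo = 'HKCU:\Software\RegistryReplaceDemo'
New-Item -Path "$demo\Profile" -Force | Out-Null
New-ItemProperty -Path $demo -Name Owner -Value 'old@example.com' | Out-Null
New-ItemProperty -Path "$demo\Profile" -Name Contacts -PropertyType MultiString -Value 'a@example.com', 'old@example.com' | Out-Null
New-ItemProperty -Path "$demo\Profile" -Name Retries -PropertyType DWord -Value 3 | Out-Null

$hits = Find-RegistryText -Root $demo -Text 'old@example.com'
$hits | Format-Table Path, Name, Kind, Value    # review exactly which values matched
$hits | Update-RegistryText -Old 'old@example.com' -New 'new@example.com' -WhatIf   # dry run
$hits | Update-RegistryText -Old 'old@example.com' -New 'new@example.com'
Find-RegistryText -Root $demo -Text 'new@example.com' | Format-Table Name, Value
Remove-Item -Path $demo -Recurse
```

Values of other kinds (DWord, QWord, Binary) are skipped rather than converted to text, so a replace can never change a value's type.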
