Searching the Registry


    • #170440
      Participant
      Topics: 7
      Replies: 14
      Points: 29
      Rank: Member

      I have been searching the internet most of the morning for this and I find multiple hits, with very similar code, though they miss the mark for me.

      I have been tasked to find specific values (specifically an email address) and do a find and replace.

      The basics. Yes, I have used get-childitem to riffle through the keys, then for each hive key (foreach) I use get-itemproperty based on $_.PsPath and match a specific string (the email address).

      This finds the keys that have a subkey with this value, but it returns them all, not just the one subkey. I am having issues singling out the subkey with the value. Because of this, I am being very cautious. I would like to output the path (got that $_.name), but I cannot get it to single out the subkey with the search value. $_.Property lists all the subkeys. As a last test I would like to output the value of that subkey (as a double check before I implement this sucker).

      Thanks.

    • #170449
      Participant
      Topics: 5
      Replies: 2373
      Points: 6,011
      Helping Hand
      Rank: Community MVP

      Please show your code. We are much faster when we can tweak existing code. 😉

    • #170452
      Participant
      Topics: 7
      Replies: 14
      Points: 29
      Rank: Member

      OK, this is kind of where I am at. I was using a known value and subkey (HKCU:\Console – FaceName : __DefaultTTFont__) to do my search (that way it was found quick and I could test the subkey and values against something known).

      $searchString = "__DefaultTTFont__"

      cd HKCU:
      Get-ChildItem . -rec -ea SilentlyContinue | foreach {
          if ((Get-ItemProperty -path $_.PsPath) -match $searchString)
          {
              write-host "--------------------------------" -ForegroundColor Yellow
              $subList = Get-ItemProperty -Path $_.PsPath
              # Write-Host $_.name -NoNewline
              # Write-Host "\" -NoNewline
              # Write-Host $_.Property -ForegroundColor Cyan -NoNewline
              # Write-Host " : " -NoNewline
              # Get-ItemProperty -Path $_.PSPath -Name "Default"
              # Write-Host -ForegroundColor Green
              # write-host "--------------------------------" -ForegroundColor Yellow

          }
      }

    • #170455
      js
      Participant
      Topics: 30
      Replies: 828
      Points: 2,556
      Helping Hand
      Rank: Community Hero

      Does this help?

      # get-itemproperty2.ps1
      
      # get-childitem skips top level key properties, use get-item for that
      
      # example pipe to set-itemproperty:
      # ls -r hkcu:\key1 | get-itemproperty2 | where value -match value | 
      #   set-itemproperty -value myvalue -whatif
       
      param([parameter(ValueFromPipeline)]$key)
      
      process { 
        $valuenames = $key.getvaluenames() 
      
        if ($valuenames) { 
          $valuenames | foreach {
            $value = $_
            [pscustomobject] @{
              Path = $key -replace 'HKEY_CURRENT_USER',
                'HKCU:' -replace 'HKEY_LOCAL_MACHINE','HKLM:'
              Name = $Value
              Value = $Key.GetValue($Value)
              Type = $Key.GetValueKind($Value)
            }
          }
        } else {
          [pscustomobject] @{
            Path = $key -replace 'HKEY_CURRENT_USER',
              'HKCU:' -replace 'HKEY_LOCAL_MACHINE','HKLM:'
            Name = ''
            Value = ''
            Type = ''
          }
        }
      }
      
      get-childitem -recurse hkcu: | .\get-itemproperty2 | select -first 5
      
      Path                      Name                     Value Type
      ----                      ----                     ----- ----
      HKCU:\AppEvents
      HKCU:\ApplicationDefaults
      HKCU:\Console             CtrlKeyShortcutsDisabled 0     DWord
      HKCU:\Console             CursorSize               25    DWord
      HKCU:\Console             EnableColorSelection     0     DWord
      
    • #171784
      Participant
      Topics: 7
      Replies: 14
      Points: 29
      Rank: Member

      Sorry for the late reply. I found something that worked and the team threw me heavy into the project to get those pieces working. Here is what I found to work:

      ####################################
      # Collect the Registry data
      ####################################
      Write-Host "**************************************************" -ForegroundColor Yellow
      Write-Host "Scanning Registry for " -NoNewline
      Write-host $jEmail -ForegroundColor Cyan
      # Grab the registry based on the hive you need.
      $keys = @(Get-Item HKU:\$RegSID\software -ErrorAction SilentlyContinue) + @(Get-ChildItem -Recurse HKU:\$RegSID\software -ErrorAction SilentlyContinue);
      
      ###################################
      # Search (and replace)
      ###################################
      $results = @()
      foreach ($key in $keys){
          foreach ($vname in $key.GetValueNames()){
              $val = $key.GetValue($vname)
              if ($val -like $jEmail){
                  $r = @{}
                  $r.Key = $key.ToString() -replace "HKEY_USERS", "HKU:"
                  $r.SubName = $vname.ToString()
                  $r.Val = $val.ToString()
                  $results += $r
                  }
              }
          }

      This is a specific use of the search and find, but hopefully others who are looking for this can get what they need from it. Basically it was the "$keys = @(Get-Item HKU:\$RegSID\software -ErrorAction SilentlyContinue) + @(Get-ChildItem -Recurse HKU:\$RegSID\software -ErrorAction SilentlyContinue);" piece that I needed.

      Thanks for the response.
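
The thread stops at collecting matches; the following added example (not code from any post above) carries the same Get-Item + Get-ChildItem enumeration through to a guarded replace that only touches text values, preserves the value type, and reports every match. The function name `Update-RegistryString`, its parameters, and the sample addresses are hypothetical.

```powershell
function Update-RegistryString {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,      # e.g. 'HKCU:\Software'
        [Parameter(Mandatory)][string]$OldText,
        [Parameter(Mandatory)][string]$NewText
    )
    $textKinds = 'String', 'ExpandString', 'MultiString'
    $noExpand  = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $pattern   = [regex]::Escape($OldText)        # match the text literally
    $replace   = $NewText.Replace('$', '$$')      # no regex substitutions in the new text

    # Get-ChildItem skips the root key's own values, so add the root with Get-Item.
    $keys = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            if ($textKinds -notcontains "$kind") { continue }   # skip DWord, Binary, ...
            # Read without expanding %VARS% so ExpandString data is written back intact.
            $old = $key.GetValue($name, $null, $noExpand)
            if (-not (@($old) -match $pattern)) { continue }
            $new = $old -replace $pattern, $replace             # per element for MultiString

            # The unnamed default value is addressed as '(default)' by the provider.
            $target = if ($name) { $name } else { '(default)' }
            $done = $false
            if ($PSCmdlet.ShouldProcess("$($key.PSPath) [$target]", "Replace '$OldText'")) {
                Set-ItemProperty -LiteralPath $key.PSPath -Name $target -Value $new `
                    -Type $kind -Confirm:$false -ErrorAction Stop
                $done = $true
            }
            # One record per match, written or not, as the change log.
            [pscustomobject]@{
                Path = $key.PSPath; Name = $target; Kind = $kind
                Old  = $old;        New  = $new;    Changed = $done
            }
        }
    }
}

# Dry run first (constructed addresses); drop -WhatIf once the report looks right.
Update-RegistryString -Root 'HKCU:\Software' -OldText 'old.user@example.com' `
    -NewText 'new.user@example.com' -WhatIf | Format-Table Path, Name, Old, New
```

Piping the output to `Export-Csv` before the real run leaves a record of the old values in case a change has to be reverted.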
