Author Posts

July 14, 2016 at 10:48 pm

I'm trying to write a script to modify registry keys. I am using Windows Server 2012. One problem I am having is that I see different key values depending on the command I use.

Discrepancy #1
REG EXPORT "HKEY_CURRENT_USER\Control Panel\Desktop" destination.txt
#The above shows a file with "ScreenSaveTimeout" appearing once with a value of "dword:00000384"

I then use this command:
get-itemproperty-path "HKCU:\Control Panel\Desktop" -name "ScreenSaveTimeOUt"
#The above shows ScreenSaveTimeOut at 900.

Discrepancy #2
REG EXPORT "HKEY_CURRENT_USER\Control Panel\Desktop" destination.txt
#The above shows a file with "SCRNSAVE.EXE="C:\\Windows\\system32\\scrnsave.scr"
# Notice the "\\"

I then use this command:
get-itemproperty-path "HKCU:\Control Panel\Desktop" -name "SCRNSAVE.EXE"
#The above shows SCRNSAVE.EXE with a value of C:\Windows\system32\scrnsave.scr

Why are there different values when I use get-itemproperty and REG EXPORT? My script will rely on the values being evaluated.

July 14, 2016 at 11:14 pm

384 is hexadecimal; its 900 in base10. So it's the same value expressed differently.

REG EXPORT is escaping the backslash, making it two backslashes. PowerShell doesn't. Again, same value, expressed differently.

July 14, 2016 at 11:18 pm

.reg files need backslashes escaped with backslashes

Hexadecimal 384 is decimal 900.

Powershell is displaying the data in a friendly way and handling the conversions.