Enumerate

Commands

regedit

GUI

reg query HKLM\Software

Lists all subkeys and values

reg query HKCU

Lists subkeys and values under the HKCU registry hive.

reg export HKLM\Software filename.reg

Exports to a .reg file.

Get-ChildItem -Path Registry::HKEY_LOCAL_MACHINE\Software

Enumerates registry keys and values under HKLM in PowerShell.

(Get-Item -Path Registry::HKEY_LOCAL_MACHINE\Software).Property

Lists all value names under a registry key in PowerShell.

Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\Software

Retrieves properties (values) of the Run key in PowerShell.

Displays values and data for keys under the "Run" key:

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

reg query HKCU\Control Panel\Desktop /v Wallpaper

Shows the current desktop wallpaper path.

Replace "Wallpaper" with the name of the desired value.

reg query HKLM /f "Chrome" /t REG_SZ

Searches all keys under HKLM (local machine hive) for values containing "Chrome" of type REG_SZ (string).

reg query HKLM /s /f "Explorer" /t REG_DWORD

Searches all subkeys under HKLM for values containing "Explorer" of type REG_DWORD (32-bit integer).

reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v Shell /ve

Displays only empty values for the "Shell" value.

reg export HKCU\Software\MyApp C:\Backup\MyAppSettings.reg

Exports the "MyApp" key and its subkeys to a .reg file for backup or transfer.

Remote registry: Use \ComputerName\ before the root key to query a remote computer's registry.

Last updated 1 year ago