Windows Registry Commands

Windows Registry

The Windows Registry is a hierarchical database that contains configuration settings and options for the Windows OS, applications, hardware and user preferences. It acts as a central repository for system settings, replacing older configuration files such as INI files.

Key features of the Windows Registry

  • Stores system-wide and user-specific settings.

  • Used by the Windows OS, drivers, services and applications.

  • Helps configure and control hardware and software behaviour.

  • Enables automatic startup settings for programs.

Windows Registry Structure

The registry is organized into a hierarchical structure, similar to folders in a file system.

  1. Hive - A root-level container storing registry data (like a drive).

  2. Key - A subfolder inside a hive (can contain more keys or values).

  3. Value - A specific setting stored inside a key (like a file with data).

Example :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

Here:

  • HKEY_LOCAL_MACHINE → Hive

  • SOFTWARE → Key

  • Microsoft → Subkey

  • Windows → Subkey

  • CurrentVersion → Contains various values related to the Windows version


Main Registry Hives

Hive - Description

  • HKEY_CLASSES_ROOT (HKCR) - Stores file associations and COM objects.

  • HKEY_CURRENT_USER (HKCU) - Stores settings for the logged-in user.

  • HKEY_LOCAL_MACHINE (HKLM) - Stores system-wide settings (hardware, drivers, software).

  • HKEY_USERS (HKU) - Stores information for all user accounts.

  • HKEY_CURRENT_CONFIG (HKCC) - Stores current system configurations.


The registry files are located in the directory:

%SystemRoot%\System32\Config

This directory includes the following files:

Registry Files

  • Default - The default registry file (imp).

  • SAM - The Security Accounts Manager registry file (imp).

  • Security - The security registry file (imp).

  • Software - The application software registry file (imp).

  • System - The system registry file (imp).

  • Default.sav - A backup copy of the default registry file.

  • Software.sav - A backup copy of the application software registry file (imp).

  • System.sav - A backup copy of the system registry file (imp).

  • autoexec.nt and config.nt - Files that initialize the MS-DOS environment (old Windows).

  • AppEvent.evt - The application event log file (old Windows).

  • SecEvent.evt - The security event file (old Windows).

  • SysEvent.evt - The system event log file (old Windows).

  • Userdiff - The file that migrates preexisting user profiles from a previous version of Windows.

Opening the Registry Editor

C:\Windows\regedit.exe

Managing the Windows registry from command prompt

Viewing Registry Command Options

reg /?

Common Registry Commands

Query Registry

reg QUERY hkcu\software\microsoft\windows\currentversion\policies\explorer /v nodesktop

Add a Registry Entry

reg ADD hkcu\software\microsoft\windows\currentversion\policies\explorer /v nodesktop /t reg_dword /f /d 1

nodesktop means there will be no icons on the desktop.

Delete a Registry Entry

reg DELETE hkcu\software\microsoft\windows\currentversion\policies\explorer /v nodesktop /f

Save Registry Key

Saves the key in binary form.

reg SAVE hkcu\software\microsoft\windows\currentversion\policies\explorer hkcu_explorer.hiv

Restore Registry Key

reg restore hkcu\software\microsoft\windows\currentversion\policies\explorer hkcu_explorer.hiv

Export Registry Key

Saves the key in human-readable form.

reg EXPORT hkcu\software\microsoft\windows\currentversion\policies\explorer hkcu_explorer.reg

Import Registry Key

reg IMPORT hkcu_explorer.reg

Copy Registry Key

reg COPY hkcu\software\microsoft\windows\currentversion\policies\explorer hklm\software\microsoft\windows\currentversion\policies\explorer /f

Compare Registry Keys

reg COMPARE hkcu\software\microsoft\windows\currentversion\policies\explorer hklm\software\microsoft\windows\currentversion\policies\explorer

Useful Registry Modification

Disable USB Device

reg ADD hklm\system\currentcontrolset\services\usbstor /v Start /t reg_dword /f /d 4

Add Programs to Windows Startup

reg ADD hkcu\software\Microsoft\windows\currentversion\run /v program_name /t reg_sz /f /d "C:\path\to\program.exe"

Query USB Devices

reg QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Query Mounted Devices

reg QUERY HKEY_LOCAL_MACHINE\SYSTEM\mounteddevices

Query Recent Application

reg QUERY HKEY_CURRENT_USER\software\microsoft\windows\currentversion\search\recentapps

Find Windows Install Time and Date

The output is a Unix timestamp in hexadecimal, so convert it to a date.

reg QUERY "HKLM\SOFTWARE\Microsoft\windows NT\currentversion" /v InstallDate
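
The conversion mentioned above, as an added example that is not part of the original page: a small parser for `reg QUERY` output that decodes the hexadecimal InstallDate into a UTC date. The sample output is constructed, and the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `reg QUERY ... /v InstallDate` output (not from a real host).
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    InstallDate    REG_DWORD    0x5f5e1000
    ProductName    REG_SZ    Windows 10 Pro
"""

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg QUERY` output."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            data = m["data"]
            if m["type"] in ("REG_DWORD", "REG_QWORD"):
                data = int(data, 16)  # reg.exe prints integers as 0x-prefixed hex
            result[current][m["name"]] = (m["type"], data)
        elif line.startswith("HKEY_"):
            current = line.strip()
            result.setdefault(current, {})
    return result


def install_time_utc(text):
    """Find InstallDate in the parsed output and convert Unix seconds to UTC."""
    for values in parse_reg_query(text).values():
        if "InstallDate" in values:
            _, seconds = values["InstallDate"]
            return datetime.fromtimestamp(seconds, tz=timezone.utc)
    raise KeyError("InstallDate not found in reg output")


if __name__ == "__main__":
    print(install_time_utc(SAMPLE_OUTPUT).isoformat())
```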

Modify Utilman.exe to cmd.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /t REG_SZ /v Debugger /d "%systemroot%\system32\cmd.exe" /f

Password Mining

reg QUERY HKLM /f passw /t REG_SZ /s
reg QUERY HKCU /f passw /t REG_SZ /s

Saving Windows Passwords

mkdir c:\pass
reg SAVE hklm\sam c:\pass\sam
reg SAVE hklm\system c:\pass\system
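
For defenders, several commands in this section (the Run key entry, the Utilman.exe Debugger value, the password search and the SAM/SYSTEM saves) are worth alerting on when they appear in process-creation logs. The following added example, which is not part of the original page, triages reg.exe command lines against four patterns. The rule names and the sample command lines are constructed for illustration, and the input is assumed to be the command-line field from process-creation logging such as Security Event ID 4688 or Sysmon Event ID 1.

```python
import re

# Constructed sample command lines, modelled on the commands shown on this page.
EVENTS = [
    r'reg SAVE hklm\sam c:\pass\sam',
    r'reg.exe save HKLM\SYSTEM c:\pass\system',
    r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /t REG_SZ /v Debugger /d "C:\Windows\system32\cmd.exe" /f',
    r'reg ADD hkcu\software\Microsoft\windows\currentversion\run /v program_name /t reg_sz /f /d "C:\path\to\program.exe"',
    r'reg QUERY HKLM /f passw /t REG_SZ /s',
    r'reg QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate',
    r'reg EXPORT hkcu\software\microsoft\windows\currentversion\policies\explorer hkcu_explorer.reg',
]

# Each rule: (name, regex applied to the lower-cased command line).
RULES = [
    # Saving the SAM, SYSTEM or SECURITY hive root (not a subkey beneath it).
    ("credential-hive-save",
     re.compile(r'\breg(?:\.exe)?"?\s+save\s+"?(?:hklm|hkey_local_machine)\\(?:sam|system|security)(?=["\s]|$)')),
    # Setting a Debugger value under Image File Execution Options.
    ("ifeo-debugger-set",
     re.compile(r'\breg(?:\.exe)?"?\s+add\s+.*image file execution options\\[^\\"\s]+.*\s/v\s+debugger\b')),
    # Adding a value to a Run or RunOnce autostart key.
    ("run-key-autostart",
     re.compile(r'\breg(?:\.exe)?"?\s+add\s+"?\S*\\currentversion\\run(?:once)?(?=["\s]|$)')),
    # Searching the registry for password-like strings.
    ("registry-password-search",
     re.compile(r'\breg(?:\.exe)?"?\s+query\s+.*\s/f\s+"?passw')),
]


def triage(command_lines):
    """Return (rule_name, command_line) for every rule a line matches."""
    hits = []
    for line in command_lines:
        lowered = line.lower()  # registry paths and reg.exe verbs are case-insensitive
        for name, pattern in RULES:
            if pattern.search(lowered):
                hits.append((name, line))
    return hits


if __name__ == "__main__":
    for name, line in triage(EVENTS):
        print(f"{name}: {line}")
```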

Windows Explorer Policy Settings (Registry Keys)

These registry keys can be found at:

  • For Current User: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

  • For All Users: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Each entry is set as a REG_DWORD value (1 to enable, 0 to disable).


🧷 List of Registry Restrictions in Windows 11

Registry Key - Effect in Windows 11 (Enable = 1 ✅, Disable = 0 ❌)

  • NoDesktop - Hides all desktop icons & right-click

  • NoRun - Removes “Run” from Start Menu

  • NoPower - Hides Shutdown, Restart, Sleep in Start Menu

  • NoClose - Disables the Shut Down option in Start Menu

  • NoTaskManager - Disables Task Manager (Ctrl + Shift + Esc)

  • NoControlPanel - Blocks Control Panel & Settings app

  • NoFolderOptions - Hides Folder Options in File Explorer

  • NoDrives - Hides specific drives (C:, D: etc.)

  • NoSearchCommands - Disables Windows Search in Start & Taskbar

  • NoRecentDocsMenu - Removes Recent Documents from File Explorer

  • NoTrayContextMenu - Disables System Tray right-click menu

  • NoNetworkConnections - Blocks Network Settings

  • HideFastUserSwitching - Hides Switch User option
