
Windows Registry Tutorial
Table of Contents

Introduction

Chapter I. Performing Basic Registry Management
  Getting Registry Key Values and Editing Them
  Searching in the Registry
  Creating and Deleting a Registry Key
  Renaming a Registry Key or Parameter

Chapter II. Fixing Windows Registry Issues
  Cleaning the Windows Registry with the Registry Editor
  Fixing Windows Registry Errors and Broken Items
  Repairing the Windows Registry

Chapter III. Backing Up and Restoring the Windows Registry
  Backing up a Windows Registry
  Restoring a Windows Registry

Final Word

Useful References

About Netwrix

Introduction

The Windows registry is a database that contains important, machine-specific settings and information regarding almost everything in your computer — preferences, applications, users, attached devices and so on. The registry contains two basic elements: keys and values. The Windows operating system is constantly referring to the registry; for example, to open a program, install new software or change your hardware, Windows must check the values of certain keys.

You can change registry key values manually using the built-in Windows Registry Editor
(regedit) in order to improve performance or make Windows work the way you want,
but you need to know what you’re doing or you can seriously damage your OS. Your
registry can also be changed by malware or due to errors during the installation of
programs or drivers. Unwanted changes are likely to cause issues with your Windows
registry and therefore negatively affect the performance of your computer or even
damage it. You can remediate these problems by fixing Windows registry issues or
restoring your registry from a backup.

This tutorial covers all you need to know to effectively manage the Windows registry,
including how to perform basic management tasks, fix registry issues, and back up
and restore your Windows registry.

I. Performing Basic Registry Management

Administrators can perform all typical registry operations using either the “Regedit”
user interface or the reg.exe utility. But there is another option — Windows
PowerShell. PowerShell provides a large set of tools for interacting with the Microsoft
Windows registry, either on the local machine or remotely.

In this chapter, we'll show how to use PowerShell to get, edit, create and delete registry
keys; search the registry; and connect to the registry from a remote computer.

Getting Registry Key Values and Editing Them

Locally

To get the values of all the registry keys on a local machine, we first have to find the path to the registry. Let’s get a list of all the local drives:

Get-PSDrive

Figure 1.1. Getting a list of the local drives

As you can see, there are two entries for the registry: HKEY_CURRENT_USER (HKCU)
and HKEY_LOCAL_MACHINE (HKLM). These are two logical groups of keys, or “hives,”
in the registry.



Therefore, we can navigate to the local machine registry root key by running the following command:

cd HKLM:\

Alternatively, we can set our current working location to a particular path in the registry using the Set-Location cmdlet:

Set-Location -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\

Then we can use the Get-ChildItem cmdlet to output all the registry keys in the current hive with their properties:

Get-ChildItem

Figure 1.2. Getting a list of the registry keys with their properties

To get the parameters for a specific key (such as the Run key), we would use the Get-Item cmdlet, specifying the path:

Get-Item -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Figure 1.3. Getting the parameters of a specific key

If we want to change one of the parameters for a registry key, we need to use the Set-ItemProperty cmdlet. For example, we could use the following command to set a new string value for the “VMware User Process” parameter of the “Run” key:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VMware User Process' -Value 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'

Remotely

PowerShell enables you to connect to a computer’s registry remotely and view it using WinRM. To do that, you need to use the Invoke-Command cmdlet:

Invoke-Command -ComputerName dc1 -ScriptBlock { Get-ItemProperty -Path 'HKCU:\Software\System' -Name WorkingDirectory }

To edit a registry remotely, we first need to connect to it using the Enter-PSSession cmdlet:

Enter-PSSession pdc -Credential Enterprise\T.Simpson

The system will prompt you for the password for the user account you specified. After
authentication, you will be able to use PowerShell commands on the remote computer.
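The Get-Item / Get-ItemProperty / Set-ItemProperty sequence above, wrapped so that the previous value and its data type are recorded before anything is overwritten. This is an added example, not code from the tutorial; the function name is hypothetical and the paths are the tutorial's own Run key example.

```powershell
# Added example (not from the Netwrix tutorial): change a registry value the way the
# chapter describes, but record what was there first and verify the result.
# Function and parameter names are hypothetical; the paths are the tutorial's own.
function Set-RegistryValueSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. 'HKLM:\SOFTWARE\...\Run'
        [Parameter(Mandatory)] [string] $Name,   # value ("parameter") name
        [Parameter(Mandatory)] $Value,
        [ValidateSet('String', 'ExpandString', 'DWord', 'QWord', 'MultiString', 'Binary')]
        [string] $Type = 'String'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key '$Path' does not exist; refusing to create keys implicitly."
    }

    # Get-ItemProperty returns the key's values as properties of one object;
    # -ErrorAction SilentlyContinue makes a missing value come back as $null.
    $before   = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    $oldValue = if ($null -ne $before) { $before.$Name } else { $null }

    # Get-Item returns the key itself (a RegistryKey); GetValueKind tells us the stored
    # data type, so a REG_EXPAND_SZ or REG_DWORD is not silently turned into REG_SZ.
    $key     = Get-Item -LiteralPath $Path
    $oldType = if ($null -ne $oldValue) { $key.GetValueKind($Name).ToString() } else { $null }
    if ($oldType -and $oldType -ne $Type) {
        Write-Warning "Value '$Name' is currently $oldType; you asked for $Type."
    }

    # ShouldProcess gives the function -WhatIf / -Confirm for free.
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set to '$Value' ($Type)")) {
        if ($null -eq $oldValue) {
            New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType $Type | Out-Null
        } else {
            # -Type is a dynamic parameter of the registry provider
            Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -Type $Type
        }
        $after = (Get-ItemProperty -LiteralPath $Path -Name $Name).$Name   # read back to verify
    } else {
        $after = $oldValue   # -WhatIf: nothing was changed
    }

    # Return a record that can be logged or piped to Export-Csv as a change trail.
    [pscustomobject]@{
        Key       = $Path
        Name      = $Name
        OldValue  = $oldValue
        OldType   = $oldType
        NewValue  = $after
        Timestamp = Get-Date
        User      = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}

# Dry run first (-WhatIf) using the tutorial's Run key example; drop -WhatIf to apply.
Set-RegistryValueSafely -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'VMware User Process' -Value 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe' -WhatIf
```

Run it in an elevated session for HKLM paths; the same function can be executed on a remote machine inside the Invoke-Command script block shown above.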

Searching in the Registry


To find particular keys in the registry, use a script like the following, which searches the registry for keys that contain “Netwrix” in their name:

Get-ChildItem -Path HKCU:\ -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*Netwrix*" }
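The one-liner above only looks at key names. The following added example (not from the tutorial; the function name is hypothetical) generalises it to a single walk of a hive that also matches value names and, optionally, value data, which is where most strings of interest are actually stored.

```powershell
# Added example (not from the Netwrix tutorial): search key names, value names and
# value data under a registry path with one wildcard pattern. Function name is hypothetical.
function Find-RegistryItem {
    param(
        [string] $Path = 'HKCU:\',
        [Parameter(Mandatory)] [string] $Pattern,   # wildcard pattern, e.g. '*Netwrix*'
        [switch] $IncludeData                       # also compare value data
    )

    # Keys that deny access (HKLM\SECURITY, parts of HKLM\SAM) would otherwise abort
    # the walk; SilentlyContinue skips them so the rest of the hive is still searched.
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        # 1. Key name (the same check the tutorial's one-liner performs on $_.Name)
        if ($key.PSChildName -like $Pattern) {
            [pscustomobject]@{ Key = $key.Name; MatchedOn = 'KeyName'; ValueName = $null; Data = $null }
        }
        # 2. Value names and, optionally, value data
        foreach ($valueName in $key.GetValueNames()) {
            # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ data as stored (%SystemRoot%...)
            $raw = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
            $hit = $null
            if ($valueName -like $Pattern) {
                $hit = 'ValueName'
            } elseif ($IncludeData) {
                # Flatten MultiString / Binary data to one string so -like applies uniformly
                $text = [string]::Join(' ', @($raw))
                if ($text -like $Pattern) { $hit = 'ValueData' }
            }
            if ($hit) {
                [pscustomobject]@{
                    Key       = $key.Name
                    MatchedOn = $hit
                    ValueName = if ($valueName -eq '') { '(Default)' } else { $valueName }
                    Data      = $raw
                }
            }
        }
    }
}

# The tutorial's search, extended to value names and data:
Find-RegistryItem -Path 'HKCU:\' -Pattern '*Netwrix*' -IncludeData | Format-Table -AutoSize
```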



Creating and Deleting a Registry Key

To add a key to the registry, we need to use the New-Item cmdlet. Let’s create a new key named “NetwrixKey” in the HKEY_CURRENT_USER hive:

New-Item -Path "HKCU:\dummy" -Name NetwrixKey

Figure 1.4. Creating a new registry key

And now let’s create a parameter called “NetwrixParam” for our new key and set its
value to the string “NetwrixValue”:

New-ItemProperty -Path "HKCU:\dummy\NetwrixKey" -Name "NetwrixParam" -Value "NetwrixValue" -PropertyType "String"

Let’s have a look at it in the registry:

Figure 1.5. Creating a parameter for a new registry key



Now let’s delete the “NetwrixParam” parameter we just created using the Remove-ItemProperty cmdlet:

Remove-ItemProperty -Path "HKCU:\dummy\NetwrixKey" -Name "NetwrixParam"

And then let’s remove the key “NetwrixKey” itself:

Remove-Item -Path "HKCU:\dummy\NetwrixKey" -Recurse

The -Recurse parameter authorizes PowerShell to delete all the subkeys without additional confirmation (of course, we didn’t create any subkeys in this example).

If you want to delete all subkeys inside the specified key without deleting the key itself,
you should add the “*” symbol at the end of the path:

Remove-Item -Path "HKCU:\dummy\NetwrixKey\*" -Recurse

Renaming a Registry Key or Parameter


To rename a registry key, use the Rename-Item cmdlet:

Rename-Item -Path "HKCU:\dummy\NetwrixKey" -NewName NetwrixNewKey

To rename a parameter of a registry key, use the Rename-ItemProperty cmdlet:

Rename-ItemProperty -Path "HKCU:\dummy\NetwrixKey" -Name "NetwrixParam" -NewName "NetwrixNewParam"



II. Fixing Windows Registry Issues

As the previous chapter illustrates, basic registry management tasks are rather easy. However, when you’ve been running the Windows OS for some time — installing and uninstalling programs, swapping in different keyboards and mice, and so on — you end up with hundreds or even thousands of registry entries that are completely useless. Each one uses very little hard drive space, but the operating system still has to filter through all of them each time it refers to the registry, which slows down performance. By cleaning up the registry, you can get rid of those unwanted entries and make your system run a little bit faster. Moreover, sometimes it is necessary to fix registry errors, or repair the registry if a simple fix doesn’t work. For example, malware can mess up the registry to the point that a repair operation is required.

In this chapter, we will discuss how to clean your Windows registry, fix errors and
repair the registry if necessary.

Cleaning the Windows Registry with the Registry Editor

Let’s start with cleaning the registry. You can clean your registry manually using the Windows Registry Editor. Follow these simple steps:

1. Click the Start button and then select Run...

2. Type “regedit” in the text box and press Enter.

3. Locate any applications that have already been uninstalled and delete them:

a. Expand the HKEY_CURRENT_USER section and then expand the Software key.

b. Look for keys based on the name of the uninstalled application or the vendor and delete them.

4. Next, find and remove any duplicate keys that the uninstalled application might
have left behind:

a. Press Ctrl+F to open the Find dialog box.

b. Enter the name of the uninstalled application and click OK to search. Each
matching key or value will be highlighted.



c. Remove the highlighted key.

d. Press F3 to find the next match and delete it. Repeat this step until you have reviewed all highlighted items.

5. Remove unwanted start-up items from the registry:

a. Navigate to the following location: My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

b. Click Run to list shortcuts to all the executable files that run at startup.

c. Delete any applications that you don’t want to run at Windows startup. Do
an online search to investigate any that are unfamiliar.

d. Repeat the same task for the following key paths as well:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
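Before deleting anything in regedit, it helps to see every entry in the keys listed in step 5 at once, together with whether its executable still exists (the orphans uninstallers leave behind), and to keep a baseline so new startup entries stand out later. The script below is an added example, not part of the tutorial; the function names and the baseline file location are hypothetical, and HKCU\...\Run is included in addition to the keys listed above.

```powershell
# Added example (not from the Netwrix tutorial): enumerate the autostart keys named in
# the cleanup steps, flag entries whose target no longer exists, and diff against a
# saved baseline. Function names and the baseline path are hypothetical.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',      # added to the tutorial's list
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)

function Get-AutostartEntry {
    foreach ($keyPath in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        # Run keys hold one value per program; Active Setup holds one subkey per
        # component with the command line in its StubPath value. Normalise both shapes.
        $items = if ($keyPath -like '*\Run') {
            $key = Get-Item -LiteralPath $keyPath
            foreach ($n in $key.GetValueNames()) {
                [pscustomobject]@{ Key = $key.Name; Name = $n; Command = [string]$key.GetValue($n) }
            }
        } else {
            foreach ($sub in Get-ChildItem -LiteralPath $keyPath -ErrorAction SilentlyContinue) {
                $stub = $sub.GetValue('StubPath')
                if ($stub) { [pscustomobject]@{ Key = $sub.Name; Name = $sub.PSChildName; Command = [string]$stub } }
            }
        }
        foreach ($item in $items) {
            # Pull the executable out of  "C:\Program Files\Tool\tool.exe" /silent  or  C:\Tool\tool.exe -x
            $cmd = [Environment]::ExpandEnvironmentVariables($item.Command)
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            # Bare names such as rundll32.exe are resolved through PATH via Get-Command
            $exists = $exe -and ((Test-Path -LiteralPath $exe) -or
                                 [bool](Get-Command $exe -ErrorAction SilentlyContinue))
            $item | Add-Member -NotePropertyName TargetExists -NotePropertyValue $exists -PassThru
        }
    }
}

function Compare-AutostartBaseline {
    param([string] $BaselinePath = "$env:ProgramData\autostart-baseline.json")  # hypothetical location
    $current = @(Get-AutostartEntry)
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
        Write-Host "Baseline written to $BaselinePath; run again later to see changes."
        return
    }
    $baseline = @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)
    # Key + value name + command line identifies an entry; a changed command line
    # therefore shows up as one Removed and one Added line.
    $id = { "$($_.Key)|$($_.Name)|$($_.Command)" }
    Compare-Object -ReferenceObject @($baseline | ForEach-Object $id) `
                   -DifferenceObject @($current | ForEach-Object $id) |
        ForEach-Object {
            [pscustomobject]@{
                Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Entry  = $_.InputObject
            }
        }
}

# Review orphaned entries before deleting anything in regedit:
Get-AutostartEntry | Where-Object { -not $_.TargetExists } | Format-Table Key, Name, Command -AutoSize
# Record a baseline now and re-run periodically to catch startup entries added since:
Compare-AutostartBaseline
```

Entries whose target exists but is unfamiliar still deserve the online check step 5c recommends; the script only tells you which files are missing, not which programs are unwanted.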

Fixing Windows Registry Errors and Broken Items

Before moving on to the actual fixing of errors, let’s discuss why the errors occur.

Common Registry Errors

There are several common causes of registry errors. Some are worth worrying about, and others are not.

Orphaned entries. Orphaned entries occur when you uninstall software and small fragments of registry entries are left behind. Registry cleaner software will often claim these are an immediate issue, but in reality, they will just use up a few kilobytes of free space on your disk.

Duplicate keys. Duplicate keys are made when you reinstall, upgrade or update software on your machine, including the operating system. Registry cleaner software will state that your programs will be confused by the duplicate entries, slowing your machine's performance, but that is not true.

Fragmented registry. The registry can also fragment when software is uninstalled,
upgraded or updated.

System shutdown errors. Each time your computer shuts down, a copy of the
registry is saved to system memory. If your computer is turned off, crashes or dies
without going through the normal shutdown routine, it could cause an issue in the
future, but this is unlikely.



Malware. Many types of malware attack and modify the registry. In particular, malware is regularly designed to change the values of startup keys so it will be activated each time you restart the PC. Changes to the registry by malware require immediate attention.

Fixing Windows Registry Errors with System Restore

If a recent change to your system caused errors in your registry, you can revert your computer's registry settings using a Windows restore point. If your computer has System Restore enabled, restore points will be created automatically when major changes are made to the system, such as the installation of new drivers. You can also create restore points manually.

1. To open the System Restore window, click the Start menu and enter "restore" in the
search box.

2. Select System Restore from the list of results.

3. Select a restore point. Windows will select the most recent restore point. If the error has been around for a while, click Show more restore points to see previous ones. Each restore point will have a timestamp as well as a brief description of why the restore point was created.

4. Click Scan for affected programs to see all of the programs and drivers that will be
deleted from the computer and all programs that will likely not work correctly if you
proceed with the restore. A system restore will not affect any of your personal files.

5. Click Next and then Finish to start the restore process. This may take a few minutes.
Your computer will reboot after the restore is complete.

Fixing Broken Registry Items with System File Checker

Another way to fix a corrupted registry is to run the System File Checker:

1. Run cmd.exe with administrator rights.

2. In the command window, type “sfc /scannow” and press Enter.

3. Wait until the scan is complete and then reboot if needed.

Refreshing the Windows System

Windows 10 allows you to reset your computer and leave all your files untouched. This option completely refreshes your system files and may help you fix registry issues. Here are the steps to follow:

1. Go to Settings and click Update and Security.

2. Select Recovery.

3. In the Reset This PC section, click Get Started and then click Keep My Files.

4. Click Next twice and then click Finish.



Repairing the Windows Registry
Simply trying to fix the error might not always work. Sometimes you need to repair your registry to fix the issue.

Repairing the Registry with Automatic Repair

Newer versions of Microsoft Windows include an automatic repair feature. When you run Automatic Repair, it will attempt to fix corrupt registry keys and repair invalid keys. Take these steps:

1. Open the Settings panel.

2. Go to the General section.

3. On the Advanced Startup panel, click Restart now.

4. On the Choose an option screen, click Troubleshoot.

5. On the Advanced Options screen, click Automated Repair.

6. Choose an account and log in when prompted to do so.

7. Automatic repair will start and your computer may reboot during this process.

Repairing the Registry with the DISM Command

To repair the registry with the DISM command, follow these steps:

1. Run cmd.exe with administrator rights.

2. Run the following command: DISM /Online /Cleanup-Image /ScanHealth

3. Wait until the scan process completes.

If these methods didn’t fix your registry problems, then you probably will have to reinstall Windows from scratch.



III. Backing Up and Restoring the Windows Registry

You should back up your registry on a regular schedule and before any major change so you can restore it if the installation of a program or driver causes issues. The corruption of a registry file during the installation process can lead to poor performance or even the operating system crashing. With a backup of the registry, you can always revert unwanted changes and restore the performance of your operating system.

In this chapter, we will see how to make a backup of your Windows registry and
several methods for restoring it.

Backing up a Windows Registry


Back up your registry regularly, and also before you attempt to change, create or remove registry settings and hives or install new system drivers, so you can revert to the old version if something goes wrong. Follow these steps to create a backup:

1. Press the Windows button and the R button simultaneously to open the Run
window.

2. Type “regedit” to open the registry editor and press Enter.

3. Click File > Export.

4. In the dialogue box, enter a name for the backup file (for example “rgbkp2018”), select the location where you want to export the registry file and click Save to create and save the backup.

Figure 3.1. Backing up a Windows registry



You can also back up your registry automatically with third-party registry cleaning software like CCleaner Registry Cleaner.
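The File > Export backup above can also be scripted so that it runs on a schedule, which is what "back up regularly" needs in practice. The following is an added example, not part of the tutorial; the function name and the backup folder are hypothetical, and it relies on reg.exe, which the chapter mentions as an alternative to the Regedit interface.

```powershell
# Added example (not from the Netwrix tutorial): export the main hives to timestamped
# .reg files with reg.exe and verify each export. Function name and folder are hypothetical.
function Backup-RegistryHives {
    param(
        [string]   $Destination = "$env:SystemDrive\RegBackup",
        # HKLM\SOFTWARE and HKLM\SYSTEM require an elevated session; HKCU does not.
        [string[]] $Hives = @('HKLM\SOFTWARE', 'HKLM\SYSTEM', 'HKCU')
    )
    $folder = Join-Path $Destination (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    foreach ($hive in $Hives) {
        # HKLM\SOFTWARE -> HKLM_SOFTWARE.reg
        $file = Join-Path $folder (($hive -replace '[\\:]', '_') + '.reg')
        # /y overwrites an existing file without prompting; reg.exe prints a status line we discard
        & reg.exe export $hive $file /y | Out-Null
        $ok = ($LASTEXITCODE -eq 0) -and (Test-Path -LiteralPath $file) -and ((Get-Item -LiteralPath $file).Length -gt 0)
        [pscustomobject]@{
            Hive    = $hive
            File    = $file
            SizeMB  = if ($ok) { [math]::Round((Get-Item -LiteralPath $file).Length / 1MB, 1) } else { 0 }
            Success = $ok
        }
    }
}

$results = Backup-RegistryHives
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Success }) {
    Write-Warning "One or more hives failed to export; check the session is elevated and the destination is writable."
}
```

The resulting .reg files are the same format regedit's File > Import (or right-click > Merge) restores, as described in the next section; note that importing a .reg file merges its contents and does not remove keys or values created after the backup was taken.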

Restoring a Windows Registry


You can restore your registry in several different ways. Here are the most common methods:

From Safe Mode
From the command prompt
Using System Restore
Using Automatic Repair
Using System File Checker
By resetting the PC
Using the DISM command
By reinstalling Windows from scratch

Restoring the Registry Backup from Safe Mode

This is the most basic method. First, boot Windows in Safe Mode by pressing the F8 button while turning your computer on. When you boot in Safe Mode, Windows loads a minimal environment that helps ensure a stable system and protect vital files and drivers from corruption. Once you’ve booted into Safe Mode, perform the following commands:

1. Press the Windows button and the R button simultaneously to open the Run
window.

2. Type “regedit” and press Enter.

3. Click File > Import to import a registry file.

4. In the Import Registry dialogue box, browse to the location where you saved the
file of your backup and click Open.

Figure 3.2. Restoring a Windows registry from a backup file

Alternatively, a slightly quicker method is to browse to the location with the backup,
right-click the file and select Merge. The file will be automatically imported to your
registry.



Restoring the Registry from the Command Prompt

In some situations, the Windows system will not boot into Safe Mode, so you need to manually restore your registry from the command prompt. To do this, you’ll need your original Windows OS disk or an ISO image on the bootable flash drive with your Windows operating system.

Tap the F8 button before Windows starts and choose Repair My Computer. If F8 doesn’t work, boot from your CD or flash drive by selecting your CD-ROM or flash drive as a primary bootable device in the BIOS and enter the repair Windows mode from there. After booting the Windows OS setup, go to System Recovery and select the command prompt.

We’ll be assuming your Windows directory is located on the C drive. Enter these commands to change your working directory to the directory with your backup:

cd /d C:\windows\System32\config
xcopy *.* C:\RegBack\
cd RegBack
dir

Then replace the current registry settings with the ones from the backup using these
commands:

copy /y software ..
copy /y system ..
copy /y sam ..

Note that the two periods are part of the command.

After this process completes, restart your computer.

Restoring the Windows Registry with System Restore

You can also restore your computer's registry using a Windows system restore point. If your computer has System Restore enabled, restore points will be created automatically when major changes are made to the system, such as the installation of new drivers. You can also create restore points manually.
1. To open the System Restore window, click the Start menu and enter "restore" in the
search box.

2. Select System Restore from the list of results.

3. Select a restore point. Windows will select the most recent restore point. If the registry corruption has been around for a while, click Show more restore points to see earlier ones. Each restore point will have a timestamp as well as a brief description of why the restore point was created.



4. Click Scan for affected programs to see all of the programs and drivers that will be deleted from the computer and all programs that will likely not work correctly if you proceed with the restore. A system restore will not affect any of your personal files.

5. Click Next and then Finish to start the restore process. This may take a few minutes. Your computer will reboot after the restore is complete.

Restoring the Registry with Automatic Repair

Newer versions of Microsoft Windows, starting from Windows XP, include an automatic repair feature. When you run Automatic Repair, it will attempt to fix corrupt registry keys and repair invalid keys. In Windows 10, take these steps (note that in Windows XP, Windows Vista and Windows 7, the steps might be different):

1. Open the Settings panel.

2. Go to the Update & Security section and click Recovery.

3. On the Advanced Startup panel, click Restart now.

4. After the computer reboots, on the Choose an option screen, click Troubleshoot.

5. On the Advanced Options screen, click Automated Repair.

6. Choose an account and log in when prompted to do so.

7. Automatic repair will start. Your computer might reboot during this process.

Restoring the Registry with System File Checker

Another way to fix a corrupted registry is to run the System File Checker:

1. Run cmd.exe with administrator rights.

2. In the command window, type “sfc /scannow” and press Enter.

3. Wait until the scan is complete and then reboot if needed.

Restoring the Registry by Resetting the PC

Windows 10 allows you to reset your computer and leave all your files untouched. This option completely refreshes your system files and may help with restoring the registry after a system crash. Here are the steps to follow:

1. Go to Settings and click Update and Security.

2. Select Recovery.

3. In the Reset This PC section, click Get Started and then click Keep My Files.

4. Click Next twice and then click Finish.



Restoring the Registry with the DISM Command

To restore the registry with the DISM command, follow these steps:

1. Run cmd.exe with administrator rights.

2. Run the following command: DISM /Online /Cleanup-Image /ScanHealth

3. Wait until the scan process completes.

Reinstalling Windows

If these methods didn’t fix your registry problems, then you probably will have to reinstall Windows from scratch, which will reset the registry to factory settings.



Final Word

In this tutorial you’ve learned how to manage your registry using PowerShell and other tools. However, keep in mind that even one incorrect change to the registry can lead your operating system to the blue screen of death. Therefore, before you make any changes to your registry, be 100% sure of what you are changing, have current backups of your system and data, and track all the changes you make.

In fact, routinely tracking changes to your registry is a smart strategy. For example,
one of the first steps malware often takes is to change registry startup keys. If you spot
those changes quickly, you can take steps to block the malicious software before it
does real damage to your systems and data. To learn more about tracking changes to
your Windows registry, check out the following resources:

Webinar | Detecting Windows Registry Attacks

How-to | How to Detect Modifications to Startup Items in the Windows Registry

Useful References
If you want to master other Windows management skills, take a look at the following
resources:

Manage

Blog post | How to Add, Delete and Change Local Users and Groups with PowerShell

Blog post | Protecting Credentials in Windows Server 2016

How-to | How to List All User Accounts on a Windows System

How-to | How to Get a List of Local Administrators

How-to | How to List Local Groups

How-to | How to Get Local Group Members Report

How-to | How to Find Shared Folders

How-to | How to Get Server Inventory across Your Network

eBook | Windows PowerShell Scripting Tutorial for Beginners

Monitor

How-to | How to Detect Who Installed What Software on Your Windows Server

How-to | How to Detect Who Created a Scheduled Task on Windows Server

How-to | How to Detect Who Deleted a DHCP Reservation

How-to | How to Monitor Deletions of DNS Records

How-to | How to Enable Video Recording of Changes in Your Windows Server

eBook | Gaining Control over Windows Server Configurations

Blog post | Top 10 Best Windows Server Monitoring Software Tools

Quick Reference Guide | Windows Server Auditing

Secure

How-to | How to Detect Modifications to Startup Items in Windows Registry

Best Practices | Windows Server Hardening Checklist

SysAdmin magazine | Hardening Windows Server Security

eBook | Windows Server 2016 Security


Netwrix Auditor for Windows Server

Enable continuous monitoring of your Windows Server environment.

Promptly spot improper server configuration changes, whether accidental or deliberate, with complete details on all modifications.

Minimize costly system downtime and business disruptions by automating Windows Server auditing.

Spot and resolve issues faster and better with human-readable reports that eliminate the struggle to analyze mountains of cryptic log data.

Download Free 20-Day Trial
About Netwrix
Netwrix is a software company that enables information security and governance professionals to reclaim
control over sensitive, regulated and business-critical data, regardless of where it resides. Over 10,000
organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value
of enterprise content, pass compliance audits with less effort and expense, and increase the productivity
of IT teams and knowledge workers.

Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc.
5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

For more information, visit www.netwrix.com.

Next Steps
Free trial – Set up Netwrix in your own test environment: netwrix.com/freetrial

In-Browser Demo – Take an interactive product demo in your browser: netwrix.com/browser_demo

Live Demo – Take a product tour with a Netwrix expert: netwrix.com/livedemo

Request Quote – Receive pricing information: netwrix.com/buy

CORPORATE HEADQUARTERS:
300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
Phone: 1-949-407-5125
Toll-free (USA): 888-638-9749

OTHER LOCATIONS:
565 Metro Place S, Suite 400, Dublin, OH 43017 (1-201-490-8840)
5 New Street Square, London EC4A 3TW (+44 (0) 203 588 3023)
Spain: +34 911 982608
Netherlands: +31 858 887 804
Sweden: +46 8 525 03487
Switzerland: +41 43 508 3472
France: +33 9 75 18 11 19
Germany: +49 711 899 89 187
Hong Kong: +852 5808 1306
Italy: +39 02 947 53539

SOCIAL: netwrix.com/social