Editing Windows Registry (section)

== Editing ==

=== Registry editors ===

The registry contains important configuration information for the operating system, for installed applications as well as individual settings for each user and application. A careless change to the operating system configuration in the registry could cause irreversible damage, so it is usually only installer programs which perform changes to the registry database during installation/configuration and removal. If a user wants to edit the registry manually, Microsoft recommends that a backup of the registry be performed before the change.<ref>{{cite web
 | url=http://support.microsoft.com/kb/171325
 | title=Incorrect Icons Displayed for .ico Files
 | date=November 15, 2009
 | access-date=31 March 2012
}}</ref> When a program is removed from control panel, it may not be completely removed and, in case of errors or glitches caused by references to missing programs, the user might have to manually check inside directories such as program files. After this, the user might need to manually remove any reference to the uninstalled program in the registry. This is usually done by using RegEdit.exe.<ref>{{cite web|url=http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/|title=How to Completely Uninstall / Remove a Software Program in Windows without using 3rd Party Software? - AskVG|website=www.askvg.com|date=August 26, 2011 }}</ref> Editing the registry is sometimes necessary when working around Windows-specific issues e.g. problems when logging onto a domain can be resolved by editing the registry.<ref>{{cite web
 | url=http://support.microsoft.com/kb/906866
 | title=You may receive a "STOP 0x00000035 NO_MORE_IRP_STACK_LOCATIONS" error message when you try to log on to a domain
 | date=October 9, 2011
 | access-date=31 March 2012
}} This page tells the user to edit the registry when resolving the issue.</ref>

Windows Registry can be edited manually using programs such as RegEdit.exe, although these tools do not expose some of the registry's metadata such as the last modified date.

The registry editor for the 3.1/95 series of operating systems is RegEdit.exe and for Windows NT it is RegEdt32.exe; the functionalities are merged in Windows XP. Optional and third-party tools similar to RegEdit.exe are available for many Windows CE versions.

Registry Editor allows users to perform the following functions:
* Creating, manipulating, renaming<ref>key renaming is implemented as removal and add while retaining subkeys/values, as the underlying APIs do not support the rename function directly</ref> and deleting registry keys, subkeys, values and value data
* Importing and exporting .<code>REG</code> files, exporting data in the binary hive format
* Loading, manipulating and unloading registry hive format files (Windows NT systems only)
* Setting permissions based on [[Access control list|ACLs]] (Windows NT systems only)
* Bookmarking user-selected registry keys as Favorites
* Finding particular strings in key names, value names and value data
* Remotely editing the registry on another networked computer

=== <code>.REG</code> files ===
<code>.REG</code> files (also known as Registration entries) are text-based human-readable files for exporting and importing portions of the registry using an [[INI file|INI]]-based syntax. On Windows 2000 and later, they contain the string ''Windows Registry Editor Version 5.00'' at the beginning, while on [[Windows 9x]] and NT 4.0 systems, they contain the string ''REGEDIT4''.<ref name="Regfiles">{{Cite web|url=https://support.microsoft.com/en-us/help/310516/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg|title=How to add, modify, or delete registry subkeys and values by using a .reg file|website=support.microsoft.com}}</ref> Windows 2000 and later REG files are [[Unicode]]-based, while on [[Windows 9x]] and NT 4.0 systems, they are [[Windows code page|ANSI]]-based. {{citation needed| date=December 2023}} Windows 9x format <code>.REG</code> files are compatible with Windows 2000 and later.<ref name="Regfiles" /> The Registry Editor on Windows on these systems also supports exporting <code>.REG</code> files in Windows 9x/NT format.{{citation needed| date=December 2023}} Data is stored in <code>.REG</code> files using the following syntax:<ref name="Regfiles" />
<syntaxhighlight lang="registry">
[<Hive name>\<Key name>\<Subkey name>]
"Value name"=<Value type>:<Value data>
</syntaxhighlight>

The Default Value of a key can be edited by using {{code|@}} instead of "Value Name":
<syntaxhighlight lang="registry">
[<Hive name>\<Key name>\<Subkey name>]
@=<Value type>:<Value data>
</syntaxhighlight>

String values do not require a &lt;Value type&gt; (see example), but [[Escape (Programming)|backslashes]] ({{code|\}}) need to be written as a double-backslash ({{code|\\}}), and quotes ({{code|"}}) as backslash-quote ({{code|\"}}).

For example, to add the values "Value A", "Value B", "Value C", "Value D", "Value E", "Value F", "Value G", "Value H", "Value I", "Value J", "Value K", "Value L", and "Value M" to the {{code|HKLM\SOFTWARE\Foobar}} key:
<syntaxhighlight lang="registry">
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Foobar]
"Value A"="<String value data with escape characters>"
"Value B"=hex:<Binary data (as comma-delimited list of hexadecimal values)>
"Value C"=dword:<DWORD value integer>
"Value D"=hex(0):<REG_NONE (as comma-delimited list of hexadecimal values)>
"Value E"=hex(1):<REG_SZ (as comma-delimited list of hexadecimal values representing a UTF-16LE NUL-terminated string)>
"Value F"=hex(2):<Expandable string value data (as comma-delimited list of hexadecimal values representing a UTF-16LE NUL-terminated string)>
"Value G"=hex(3):<Binary data (as comma-delimited list of hexadecimal values)> ; equal to "Value B"
"Value H"=hex(4):<DWORD value (as comma-delimited list of 4 hexadecimal values, in little endian byte order)>
"Value I"=hex(5):<DWORD value (as comma-delimited list of 4 hexadecimal values, in big endian byte order)>
"Value J"=hex(7):<Multi-string value data (as comma-delimited list of hexadecimal values representing UTF-16LE NUL-terminated strings)>
"Value K"=hex(8):<REG_RESOURCE_LIST (as comma-delimited list of hexadecimal values)>
"Value L"=hex(a):<REG_RESOURCE_REQUIREMENTS_LIST (as comma-delimited list of hexadecimal values)>
"Value M"=hex(b):<QWORD value (as comma-delimited list of 8 hexadecimal values, in little endian byte order)>
</syntaxhighlight>
Data from <code>.REG</code> files can be added/merged with the registry by double-clicking these files or using the /s switch in the command line. <code>REG</code> files can also be used to remove registry data.

To remove a key (and all subkeys, values and data), the key name must be preceded by a minus sign ({{code|-}}).<ref name="Regfiles" />

For example, to remove the {{code|HKLM\SOFTWARE\Foobar}} key (and all subkeys, values and data),
<syntaxhighlight lang="registry">
[-HKEY_LOCAL_MACHINE\SOFTWARE\Foobar]
</syntaxhighlight>

To remove a value (and its data), the values to be removed must have a minus sign ({{code|-}}) after the equal sign (<code>=</code>).<ref name="Regfiles" />

For example, to remove only the "Value A" and "Value B" values (and their data) from the {{code|HKLM\SOFTWARE\Foobar}} key:
<syntaxhighlight lang="registry">
[HKEY_LOCAL_MACHINE\SOFTWARE\Foobar]
"Value A"=-
"Value B"=-
</syntaxhighlight>

To remove only the Default value of the key {{code|HKLM\SOFTWARE\Foobar}} (and its data):
<syntaxhighlight lang="registry">
[HKEY_LOCAL_MACHINE\SOFTWARE\Foobar]
@=-
</syntaxhighlight>

Lines beginning with a semicolon are considered comments:
<syntaxhighlight lang="registry">
; This is a comment. This can be placed in any part of a .reg file
[HKEY_LOCAL_MACHINE\SOFTWARE\Foobar]
"Value"="Example string"
</syntaxhighlight>

=== Group policies ===
{{Main|Group Policy}}
Windows [[Group Policy|group policies]] can change registry keys for a number of machines or individual users based on policies. When a policy first takes effect for a machine or for an individual user of a machine, the registry settings specified as part of the policy are applied to the machine or user settings.

Windows will also look for updated policies and apply them periodically, typically every 90 minutes.<ref>{{cite web|title=Applying Group Policy|url=https://msdn.microsoft.com/en-us/library/windows/desktop/aa373481(v=vs.85).aspx|publisher=Microsoft}}</ref>

Through its ''scope'' a policy defines to which machines and users the policy is to be applied. Whether a machine or user is within the scope of a policy or not is defined by a set of rules which can filter on the location of the machine or user account in organizational directory, specific users or machine accounts or security groups. More advanced rules can be set up using [[Windows Management Instrumentation]] expressions. Such rules can filter on properties such as computer vendor name, CPU architecture, installed software, or networks connected to.

For instance, the administrator can create a policy with one set of registry settings for machines in the accounting department and policy with another (lock-down) set of registry settings for kiosk terminals in the visitors area. When a machine is moved from one scope to another (e.g., changing its name or moving it to another organizational unit), the correct policy is automatically applied. When a policy is changed it is automatically re-applied to all machines currently in its scope.

The policy is edited through a number of administrative templates which provides a user interface for picking and changing settings. The set of administrative templates is extensible and software packages which support such remote administration can register their own templates.

=== Command line editing ===
{{Infobox software
| name = reg
| logo = 
| screenshot = 
| screenshot size = 
| caption = 
| developer = [[Microsoft]]
| released = 
| latest release version = 
| latest release date = 
| operating system = [[Microsoft Windows]]
| genre = [[Command (computing)|Command]]
| license = [[Proprietary software|Proprietary]] [[commercial software]]
| website = {{URL|https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg}}
}}
{{Infobox software
| name                   = regini
| logo                   = 
| screenshot             = 
| screenshot size        = 
| caption                = 
| developer              = [[Microsoft]]
| released               = 
| latest release version = 
| latest release date    = 
| operating system       = [[Microsoft Windows]]
| genre                  = [[Command (computing)|Command]]
| license                = [[Proprietary software|Proprietary]] [[commercial software]]
| website                = {{URL|https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini}}
}}
The registry can be manipulated in a number of ways from the [[command line interface|command line]]. The <code>Reg.exe</code> and <code>RegIni.exe</code> utility tools are included in Windows XP and later versions of Windows. Alternative locations for legacy versions of Windows include the Resource Kit CDs or the original Installation CD of Windows.

Also, a <code>.REG</code> file can be imported from the command line with the following command:

 RegEdit.exe /s ''file''

The /s means the file will be ''silent merged'' to the registry. If the <code>/s</code> parameter is omitted the user will be asked to confirm the operation. In Windows 98, Windows 95 and at least some configurations of Windows XP the <code>/s</code> switch also causes <code>RegEdit.exe</code> to ignore the setting in the registry that allows administrators to disable it. When using the <code>/s</code> switch <code>RegEdit.exe</code> does not return an appropriate return code if the operation fails, unlike <code>Reg.exe</code> which does.

 RegEdit.exe /e ''file''

exports the whole registry in V5 format to a UNICODE <code>.REG</code> file, while any of

 RegEdit.exe /e ''file'' HKEY_CLASSES_ROOT[\&lt;key&gt;]
 RegEdit.exe /e ''file'' HKEY_CURRENT_CONFIG[\&lt;key&gt;]
 RegEdit.exe /e ''file'' HKEY_CURRENT_USER[\&lt;key&gt;]
 RegEdit.exe /e ''file'' HKEY_LOCAL_MACHINE[\&lt;key&gt;]
 RegEdit.exe /e ''file'' HKEY_USERS[\&lt;key&gt;]

export the specified (sub)key (which has to be enclosed in quotes if it contains spaces) only.

 RegEdit.exe /a ''file''

exports the whole registry in V4 format to an ANSI <code>.REG</code> file.

 RegEdit.exe /a ''file'' ''&lt;key&gt;''

exports the specified (sub)key (which has to be enclosed in quotes if it contains spaces) only.

It is also possible to use <code>Reg.exe</code>. Here is a sample to display the value of the registry value Version:
<syntaxhighlight lang="text">
Reg.exe QUERY HKLM\Software\Microsoft\ResKit /v Version
</syntaxhighlight>
Other command line options include a [[VBScript]] or [[JScript]] together with [[Windows Script Host|CScript]], [[Windows Management Instrumentation|WMI]] or <code>WMIC.exe</code> and [[Windows PowerShell]].

Registry permissions can be manipulated through the command line using <code>RegIni.exe</code> and the <code>[http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&DisplayLang=en SubInACL.exe]</code> tool. For example, the permissions on the {{code|HKEY_LOCAL_MACHINE\SOFTWARE}} key can be displayed using:

<syntaxhighlight lang="text">
SubInACL.exe /keyreg HKEY_LOCAL_MACHINE\SOFTWARE /display
</syntaxhighlight>

=== PowerShell commands and scripts ===
[[File:PowerShell registry provider.png|thumb|Using PowerShell to navigate the registry]]

[[Windows PowerShell]] comes with a registry provider which presents the registry as a location type similar to the file system. The same commands used to manipulate files and directories in the file system can be used to manipulate keys and values of the registry.<ref name=Payette-Siddaway-2018>{{cite book|url=https://books.google.com/books?id=jDszEAAAQBAJ|title=Windows PowerShell in Action|last1=Payette|first1=Bruce|last2=Siddaway|first2=Richard|publisher=[[Manning Publications]]|date=2018|access-date=August 28, 2021|pages=7–8, 24, 608, 708–710|edition=Third|isbn=9781633430297}}</ref>

Also like the file system, PowerShell uses the concept of a ''current location'' which defines the context on which commands by default operate. The <code>Get-ChildItem</code> (also available through the aliases <code>ls</code>, <code>dir</code> or <code>gci</code>) retrieves the child keys of the current location. By using the <code>Set-Location</code> (or the alias <code>cd</code>) command the user can change the current location to another key of the registry.<ref name=Payette-Siddaway-2018/> Commands which rename items, remove items, create new items or set content of items or properties can be used to rename keys, remove keys or entire sub-trees or change values.

Through PowerShell scripts files, an administrator can prepare scripts which, when executed, make changes to the registry. Such scripts can be distributed to administrators who can execute them on individual machines. The PowerShell Registry provider supports transactions, i.e. multiple changes to the registry can be bundled into a single atomic transaction. An atomic transaction ensures that either all of the changes are committed to the database, or if the script fails, none of the changes are committed to the database.<ref name=Payette-Siddaway-2018/><ref>{{cite book|url=https://books.google.com/books?id=apztCAAAQBAJ|title=Windows PowerShell in 24 Hours, Sams Teach Yourself|last=Warner|first=Timothy L.|publisher=[[Sams Publishing]]|date=May 2015|access-date=August 28, 2021|page=[https://books.google.com/books?id=apztCAAAQBAJ&pg=PT49 19], [https://books.google.com/books?id=apztCAAAQBAJ&pg=PT241 211]|isbn=9780134049359}}</ref>

=== Programs or scripts ===
The registry can be edited through the APIs of the Advanced Windows 32 Base API Library (advapi32.dll).<ref>{{cite web | url = http://www.windowsdevcenter.com/lpt/a/5016 | title = Reading and Writing Registry Values with Visual Basic | access-date = 2007-07-19}}</ref> List of registry API functions:
{{div col|colwidth=15em}}
* {{tt|RegCloseKey}}
* {{tt|RegConnectRegistry}}
* {{tt|RegCreateKey}}
* {{tt|RegCreateKeyEx}}
* {{tt|RegDeleteKey}}
* {{tt|RegDeleteValue}}
* {{tt|RegEnumKey}}
* {{tt|RegEnumKeyEx}}
* {{tt|RegEnumValue}}
* {{tt|RegFlushKey}}
* {{tt|RegGetKeySecurity}}
* {{tt|RegLoadKey}}
* {{tt|RegNotifyChangeKeyValue}}
* {{tt|RegOpenKey}}
* {{tt|RegOpenKeyEx}}
* {{tt|RegQueryInfoKey}}
* {{tt|RegQueryMultipleValues}}
* {{tt|RegQueryValue}}
* {{tt|RegQueryValueEx}}
* {{tt|RegReplaceKey}}
* {{tt|RegRestoreKey}}
* {{tt|RegSaveKey}}
* {{tt|RegSetKeySecurity}}
* {{tt|RegSetValue}}
* {{tt|RegSetValueEx}}
* {{tt|RegUnLoadKey}}
{{div col end}}

Many [[programming language]]s offer built-in [[runtime library]] functions or [[class (computer science)|classes]] that wrap the underlying Windows APIs and thereby enable programs to store settings in the registry (e.g. <code>Microsoft.Win32.Registry</code> in [[Visual Basic .NET|VB.NET]] and [[C Sharp (programming language)|C#]], or <code>TRegistry</code> in [[Delphi (programming language)|Delphi]] and [[Free Pascal]]). [[Component Object Model|COM]]-enabled applications like [[Visual Basic 6]] can use the [[Windows Scripting Host|WSH]] <code>WScript.Shell</code> object. Another way is to use the Windows Resource Kit Tool, <code>Reg.exe</code> by executing it from code,<ref>{{cite web | url = http://www.petri.co.il/reg_command_in_windows_xp.htm | title = REG command in Windows XP | access-date = 2007-07-19}}</ref> although this is considered poor programming practice.

Similarly, [[scripting language]]s such as [[Perl]] (with <code> Win32::TieRegistry</code>), [[Python (programming language)|Python]] (with winreg), [[Tcl|TCL]] (which comes bundled with the registry package),<ref>{{Cite web|url=http://www.tcl.tk/man/tcl8.6/TclCmd/registry.htm|title=registry manual page – Tcl Bundled Packages|website=www.tcl.tk|access-date=2017-12-14}}</ref> [[Windows Powershell]] and [[Windows Scripting Host]] also enable registry editing from scripts.

=== Offline editing ===
The offreg.dll<ref>{{cite web | url = https://msdn.microsoft.com/en-us/library/ee210757.aspx | title = Offline Registry Library | access-date = 2014-06-04}}</ref> available from the [[Windows Driver Kit]] offers a set of APIs for the creation and manipulation of currently not loaded registry hives similar to those provided by advapi32.dll.

It is also possible to edit the registry (hives) of an offline system from [[Windows PE]] or [[Linux]] (in the latter case using [[open source]] tools).

=== COM self-registration ===
Prior to the introduction of registration-free [[Component Object Model|COM]], developers were encouraged to add initialization code to in-process and out-of-process binaries to perform the registry configuration required for that object to work. For in-process binaries such as .DLL and .OCX files, the modules typically exported a function called DllInstall()<ref>{{cite web|url=https://msdn.microsoft.com/en-us/library/windows/desktop/bb759846(v=vs.85).aspx|title=DllInstall Function|publisher=[[Microsoft]]|access-date=2012-03-22|date=2012-03-07}}</ref> that could be called by installation programs or invoked manually with utilities like Regsvr32.exe;<ref>{{cite web|url=https://msdn.microsoft.com/en-us/library/ms859484.aspx|title=Regsvr32|publisher=[[Microsoft]]|access-date=2012-03-22}}</ref> out-of-process binaries typically support the commandline arguments /Regserver and /Unregserver that created or deleted the required registry settings.<ref>{{cite web|url=https://msdn.microsoft.com/en-us/library/05c9yccf(v=vs.80).aspx|title=How to: Register Automation Servers|access-date=2012-03-22|publisher=[[Microsoft]]}}</ref>  COM applications that break because of [[DLL Hell]] issues can commonly be repaired with RegSvr32.exe or the /RegServer switch without having to re-invoke installation programs.<ref>{{cite web|url=http://support.microsoft.com/kb/291893|title=How to re-register PowerPoint 2000, PowerPoint 2003, PowerPoint 2007 and PowerPoint 2010|publisher=[[Microsoft]]|access-date=2012-03-22|date= January 2012}}</ref>

=== Advanced functionality ===
Windows exposes APIs that allows user-mode applications to register to receive a notification event if a particular registry key is changed.<ref>{{cite web|url=https://msdn.microsoft.com/en-us/library/windows/desktop/ms724892(v=vs.85).aspx|title=RegNotifyChangeKeyValue function|publisher=Microsoft}}</ref>  APIs are also available to allow kernel-mode applications to filter and modify registry calls made by other applications.<ref>{{cite web|url=https://msdn.microsoft.com/en-us/library/windows/hardware/ff560895(v=vs.85).aspx|title=Registering for Notifications|publisher=Microsoft}}</ref>

Windows also supports remote access to the registry of another computer via the <code>RegConnectRegistry</code> function<ref>{{cite web|url=https://msdn.microsoft.com/en-us/library/windows/desktop/ms724840(v=vs.85).aspx|title=RegConnectRegistry function|publisher=Microsoft}}</ref> if the Remote Registry service is running, correctly configured and its network traffic is not firewalled.<ref>{{cite web|url=http://support.microsoft.com/kb/314837|title=How to Manage Remote Access to the Registry|publisher=Microsoft}}</ref>