Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Registry snapshots

Some antispyware tools (for example HijackThis) can provide a snapshot of important parts of the registry and as such are useful in a wider context. Unfortunately HijackThis cannot be used in batch mode (or at least I do not know how to use it in batch mode).

For monitoring, periodic snapshots are generally enough (it is good practice to dump the contents of important parts of the registry in the morning or at the end of the day; this can be a scheduled job), but there are specialized tools too.

The simplest way to snapshot the registry is to use the Registry Editor provided with Windows. First navigate either to the top of the branch that you wish to watch, or to the "My Computer" icon for the entire registry. Right-click and choose Export. Under "Save as type", select "Win9x/NT4 Registration Files (*.reg)" and pick somewhere to save the initial version. This exports a text file with the current contents of that part of the registry.

After that you can compare a new export with the existing snapshot using the diff command from Cygwin or any other file comparison tool, for example:

diff -u5 old.reg new.reg

Windows XP has the REG command-line utility, which can be used in scripts to take periodic snapshots of the registry:

Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001.  All rights reserved


REG Operation [Parameter List]

  Operation  [ QUERY   | ADD    | DELETE  | COPY    |
               SAVE    | LOAD   | UNLOAD  | RESTORE |
               COMPARE | EXPORT | IMPORT ]

Return Code: (Except of REG COMPARE)

  0 - Succussful
  1 - Failed

For help on a specific operation type:

  REG Operation /?

Examples:

  REG QUERY /?
  REG ADD /?
-- More  --
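The export-and-diff procedure above (regedit export, then diff against the previous snapshot) and the REG utility's EXPORT/COMPARE operations both come down to comparing two .reg text files. A plain textual diff works, but it reports every moved line; a diff that understands the file's structure tells you directly which keys appeared, which values vanished and which data changed, which is what a reviewer of a daily snapshot job actually wants. The following parser and comparer is an added example for this page, not code from Softpanorama or from Microsoft's REG tool. It assumes REGEDIT4-style text exports (the "Win9x/NT4 Registration Files" format chosen above; REG EXPORT output parses the same way once decoded), and the two snapshots embedded in it are constructed sample data, not real registry content:

```python
"""Diff two Registry export (.reg) snapshots: added/removed keys, added/removed/changed values.

Added example for this page; not code from Softpanorama or Microsoft's REG utility.
Assumes REGEDIT4-style text exports. The snapshots below are constructed sample data.
"""
import re

KEY_RE = re.compile(r'^\[(.+)\]$')                      # [HKEY_...\Path]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "Name"=data  or  @=data (default value)


def unescape_name(quoted):
    """Turn a quoted .reg value name into its plain form; '@' is the key's default value."""
    if quoted == '@':
        return '(Default)'
    return re.sub(r'\\(.)', r'\1', quoted[1:-1])


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}.

    Data is kept in its exported textual form ("string", dword:..., hex:...), which is
    all change detection needs; hex data wrapped over several lines (trailing '\\') is
    joined back into one string.
    """
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(';') or line.startswith('REGEDIT4') \
                or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2)
            while data.endswith('\\') and i < len(lines):   # continuation lines of hex data
                data = data[:-1] + lines[i].strip()
                i += 1
            keys[current][unescape_name(m.group(1))] = data
    return keys


def diff_snapshots(old, new):
    """Compare two parsed snapshots. Names are compared exactly as exported (same machine,
    same hive, so the exporter's casing is consistent between runs)."""
    report = {'added_keys': [], 'removed_keys': [],
              'added_values': [], 'removed_values': [], 'changed_values': []}
    for key in sorted(set(old) | set(new)):
        if key not in old:
            report['added_keys'].append(key)
            continue
        if key not in new:
            report['removed_keys'].append(key)
            continue
        ov, nv = old[key], new[key]
        for name in sorted(set(ov) | set(nv)):
            if name not in ov:
                report['added_values'].append((key, name, nv[name]))
            elif name not in nv:
                report['removed_values'].append((key, name, ov[name]))
            elif ov[name] != nv[name]:
                report['changed_values'].append((key, name, ov[name], nv[name]))
    return report


def format_report(report):
    """One line per change, with diff-style markers (+ added, - removed, ~ changed)."""
    out = [f'+ key   [{k}]' for k in report['added_keys']]
    out += [f'- key   [{k}]' for k in report['removed_keys']]
    out += [f'+ value [{k}] {n} = {d}' for k, n, d in report['added_values']]
    out += [f'- value [{k}] {n} = {d}' for k, n, d in report['removed_values']]
    out += [f'~ value [{k}] {n}: {o} -> {d}' for k, n, o, d in report['changed_values']]
    return out


def compare_reg_text(old_text, new_text):
    """Parse both snapshots and return the report lines."""
    return format_report(diff_snapshots(parse_reg(old_text), parse_reg(new_text)))


# Constructed sample snapshots (not real registry content): a morning and an evening
# export of the same two keys. Note the new entry under the Run key, the dropped
# "Flags" value, the changed "Version" and the new subkey.
OLD_SNAPSHOT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\Audio\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
"Version"="1.0"
"Flags"=dword:00000001
"Blob"=hex:00,01,02,\
  03,04
"""

NEW_SNAPSHOT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\Audio\\tray.exe"
"Helper"="C:\\Users\\Public\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
"Version"="1.1"
"Blob"=hex:00,01,02,\
  03,04

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings]
@="default"
"""

if __name__ == '__main__':
    for line in compare_reg_text(OLD_SNAPSHOT, NEW_SNAPSHOT):
        print(line)
```

To use it on real exports, read each file as bytes first: REGEDIT4 exports are ANSI text, while "Windows Registry Editor Version 5.00" exports (the default on Windows 2000 and later, and what REG EXPORT writes) are UTF-16LE with a byte-order mark, so decode with utf-16 when the file starts with FF FE and with the system code page otherwise, then pass the decoded text to compare_reg_text. The report's "+ value ... Run" line is the kind of finding a daily snapshot job exists for: a new autostart entry that nobody installed deliberately deserves a look.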

Several tools from the Microsoft Resource Kits for Windows can take snapshots of the registry:

Windows 2000 Resource Kit Tools

RegSafe Home Page

RegSafe Professional Edition 2.0 is a suite of tools designed to provide Network Administrators, IS/IT professionals and Power Users with the ability to perform advanced Registry management on 32-bit Windows PCs.   RegSafe provides comprehensive Registry editing and management capabilities not found in other professional level Registry editing tools, all from within a protected environment.

Top 5 Reasons For Using RegSafe®

  1. Protected Environment
    RegSafe automatically saves a copy of the Registry before you edit and has "Undo" functions available while editing the Registry. Unlike other Registry editing tools, a mistake made while editing with RegSafe won't trash your system.
     
  2. Registry Comparison
    RegSafe goes beyond simple Registry Editing with its powerful Comparison features. Compare Current or Snapshot Registries, compare keys/values within the same Registry, compare access control lists (ACL) on Windows NT/2000 systems. You name it, RegSafe compares it!
     
  3. Powerful Export Features
    Administrators and other advanced users will appreciate RegSafe's export feature, which allows portions of a Registry or Registry comparison results tree to be exported to a .reg file (Regedit4 format).
     
  4. Partial or Full Registry Restoration
    If an unwanted change to the Registry was made, or a problem with the Registry is detected, RegSafe can perform a partial or full restoration of a Registry snapshot to the current ("live") Registry.
     
  5. Registry Restoration for Non-booting Systems
    RegSafe's Command Prompt SOS technology can restore the Registry even when your system will not boot into Windows. SOS restores the Registry on Windows 9x, ME, NT, 2000 systems with FAT, FAT32 and NTFS-formatted drives. In addition, RegSafe provides Recovery Console restoration on Windows 2000.

Old News

REG Command in Windows XP

Querying keys

REG query allows you to query a single key for a single value, or a range of keys for all their values. This provides you with a quick way to check whether a key has the value you think it does, or in fact whether it has any values associated with it at all:

REG QUERY KeyName [/v ValueName | /ve] [/s]

Example:

C:\WINDOWS>reg query \\srv1\hklm\software\symantec ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\software\symantec
HKEY_LOCAL_MACHINE\software\symantec\InstalledApps
HKEY_LOCAL_MACHINE\software\symantec\LiveUpdate
HKEY_LOCAL_MACHINE\software\symantec\NAVMSE
HKEY_LOCAL_MACHINE\software\symantec\Norton AntiVirus
HKEY_LOCAL_MACHINE\software\symantec\Norton AntiVirus NT
HKEY_LOCAL_MACHINE\software\symantec\Shared Technology
HKEY_LOCAL_MACHINE\software\symantec\SharedDefs
HKEY_LOCAL_MACHINE\software\symantec\SharedUsage
HKEY_LOCAL_MACHINE\software\symantec\Symevent

Managing the Windows Registry from the Command Prompt with Reg.exe

The command-line utility reg.exe is a powerful and versatile way to manage the Windows XP Registry. This article discusses its features and application.

Many will be familiar with the graphical interface tool regedit.exe that is available for editing the Windows Registry. Less familiar, however, is the command-line utility reg.exe that also comes with Windows XP. This accessory will do anything that regedit.exe can do and has the additional facility of being directly usable in scripts. It is a common tool for system administrators with many computers to manage but can also be useful to the more experienced home PC user. I will discuss some aspects that may be of interest to this latter group. More details can be found at this Microsoft site. There is also information in the Windows XP Help and Support Center.

Registry editing is not for everybody but it is not as fearsome an operation as it is sometimes made out to be. Just be sure to follow the iron-clad rule to back up the Registry first before editing. There are many useful tweaks that involve a simple Registry edit and reg.exe provides a way that is simpler and safer in some ways than Regedit. It also provides a way to back up keys or entire hives of the Registry into files that can be stored off the main drive.

Like some other command-line utilities, the reg command is a shell or console that has its own set of sub-commands. A complete command has the form reg subcommand variables. Table I lists these subcommands and some are discussed in more detail in sections that follow. The commands can be carried out on remote networked computers as well as the local computer but I will confine the discussion to operations involving just the local computer.

Table I. Subcommands for reg.exe

  Subcommand   Function
  add          Adds a new subkey or entry to the registry
  delete       Deletes a subkey or entries from the registry
  query        Displays the data in a subkey or a value
  compare      Compares specified registry subkeys or entries
  copy         Copies a subkey to another subkey
  save         Saves a copy of specified subkeys, entries, and values of the registry in hive (binary) format
  restore      Writes saved subkeys and entries in hive format back to the registry
  load         Writes saved subkeys and entries in hive format back to a different subkey
  unload       Removes a section of the registry that was loaded using reg load
  export       Creates a copy of specified subkeys, entries, and values into a file in REG (text) format
  import       Merges a REG file containing exported registry subkeys, entries, and values into the registry

Reg add

This command is used to add keys and values to the Registry. The syntax is

  REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]

Table II explains the entries.

Table II. Parameters in REG ADD command

  Parameter      Description
  KeyName        Complete Registry key name. Uses abbreviations HKCR, HKCU, HKLM, and HKU for root keys
  /v ValueName   Adds or changes a value
  /ve            Changes a key's default value
  /t Type        The type of value: REG_BINARY, REG_DWORD, REG_SZ, REG_MULTI_SZ, etc. The default is REG_SZ
  /s Separator   Specifies the character used to separate strings in REG_MULTI_SZ entries. The default is \0
  /d Data        The data to assign to a value
  /f             Forces overwriting of existing values with prompting

REG ADD provides a quick and simple method for adding new keys to the Registry or modifying old ones. As an example, let's look at how to add the subkey "HackersAreUs" to the Local Machine Software key. The command would be

  REG ADD HKLM\Software\HackersAreUs

Now let's add a value named "Stuff" and make it a binary entry with data "0001". The command would be

  REG ADD HKLM\Software\HackersAreUs /v Stuff /t REG_BINARY /d 0001

The two commands could have been executed as a single command but I have split them to make the process clearer. I have used upper case for REG ADD but that is for clarity and is not required.

Reg delete

Keys and values can be deleted in a similar but somewhat simpler fashion. The syntax is

  REG DELETE KeyName [/v ValueName | /ve | /va] [/f]

Table III describes the parameters.

Table III. Parameters in REG DELETE command

  Parameter      Description
  KeyName        Complete Registry key name. Uses abbreviations HKCR, HKCU, HKLM, and HKU for root keys
  /v ValueName   Deletes a value
  /ve            Deletes a key's default value
  /va            Deletes all values from a key
  /f             Forces deletion with prompting

Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Last modified: January 17, 2010