How-to Guide Discover the Windows Registry

Discussion in 'Tutorials & Guides' started by TheAvatar, Dec 28, 2017.

  1. TheAvatar

    Presents...
    Discover the Windows Registry
    Overview
    This guide will take you through some of the fundamentals of the Windows Registry.

    Topics to be discussed are:
    • What the registry is and its function.
    • The structure of the registry.
    • How to backup the registry.
    • How to restore the registry.
    • How to modify the registry.
    Introduction
    I have a passion for helping people with my skills and knowledge; malware removal and tech support are just another way I can do this. Hopefully you take something from this thread. It may be completely irrelevant to most members, but it is great for those wanting to learn more about the Windows OS.

    What is the Registry?
    The Windows Registry (or Registry) is a database sorted in a hierarchy that stores the settings and information related to software, user preferences, hardware, Windows settings and much more. An example of this is when a new program is installed: a new set of registry entries is created (most of the time - some software uses XML, some software is 'portable') which acts as a set of instructions for the specific program and any other software or feature that interacts with it. We can liken the registry to DNA within a cell. It's the core that influences the overall function.

    Application settings used to be stored in text-based configuration files (and with some applications, still are), with a separate file for every application. The Windows Registry is meant to solve that problem by providing a single place for all settings across all applications. In addition to consolidating system settings, storing all of these settings in a single place and in a database format means that accessing values in the registry is much faster than parsing a text configuration file — so the registry can be used for more than just settings. In fact, most or all of the registry is read into memory each time the system boots, so accessing the registry is nearly instant.

    Welcome to the Windows Registry:
    [​IMG]

    ==============================================

    WARNING
    Given the purpose of the registry, modifications to it can have disastrous consequences. Tread lightly in the registry.
    Look but don't touch - unless you know what you're doing.

    ==============================================

    How do we Access the Registry?
    To view the registry do the following:
    • Click start.
    • Type regedit.
    • Click Yes when prompted by UAC.
    Alternatively:
    • On your keyboard hit the Windows Key and R at the same time.
    • Type regedit
    • Hit enter

    How is the Registry Structured?
    The data in the registry is structured in a tree format. Each node in the tree is called a key. Each key can contain both subkeys and data entries called values. Sometimes, the presence of a key is all the data that an application requires; other times, an application opens a key and uses the values associated with the key. A key can have any number of values, and the values can be in any form.


    Hives
    In the registry, instead of drives, we have hives. Hives are the top of the hierarchy, the trunk of the tree, with each hive containing information related to a certain category.

    These hives are:
    • HKEY_CLASSES_ROOT (HKCR)
      Describes file type, file extension, and OLE information.

    • HKEY_CURRENT_USER (HKCU)
      Contains user who is currently logged into Windows and their settings.

    • HKEY_LOCAL_MACHINE (HKLM)
      Contains computer-specific information about the hardware installed, software settings, and other information. The information is used for all users who log on to that computer and is one of the more commonly accessed areas in the registry.

    • HKEY_USERS (HKU)
      Contains information about all the users who log on to the computer, including both generic and user-specific information.

    • HKEY_CURRENT_CONFIG (HKCC)
      The details about the current configuration of hardware attached to the computer.

    • HKEY_DYN_DATA (HKDD) - Windows 95, 98, NT
    Keys
    Keys are those first large branches emerging from the trunk; they act as a further organisational unit within the registry. Within these keys we can find either subkeys or values, depending on the entry. In order for any software to make an addition to the registry, it must generate one of these keys (or subkeys). The key selected in the example above is 'SOFTWARE', but SECURITY, HARDWARE, SAM etc. are also keys.

    SubKeys
    These are just keys, within keys. Like you would call a folder within a folder a 'subfolder', these are the smaller branches off those main large branches on a tree.

    Values
    Values are stored within keys; these could be compared to leaves on a tree. Within the registry, these values come in a variety of types, with the most common being strings, binaries and DWORD values. These values are the data within the keys that are influencing whatever part of the system they are associated with.

    ComputerHope has summarised the values nicely in this table:
    [​IMG]
    Reference: What is the Windows Registry?

    Data
    Values contain data; this data comes in the form of the types in the table above. You can see in the screenshot of regedit that each value has a 'type' and 'data' that varies according to its type. Microsoft have elaborated further on the type of data that is associated with values here: Registry Value Types (Windows). This data could range from simply either a 0 or a 1, to a hexadecimal code like 2c.

    Simplifying all of this...

    The layout of the registry can be compared to that of file explorer. Understanding file explorer can help you understand the structure of the registry. Let's take a look at the structure of file explorer:

    [​IMG]

    The file path is C:\Windows\System32\aswBoot.exe and the file's properties contain its relevant data. Let's go ahead and deconstruct this information.

    C:\Windows\System32\aswBoot.exe <-- Data associated with aswBoot.exe shown in properties window

    Here we have:
    • The drive. (C)
    • The folder (Windows)
    • The subfolder (System32)
    • The file (aswBoot.exe)
    • The data contained in the file. (data associated in properties window)
    Notice this is structured in a hierarchy, much like the registry is here:
    [​IMG]

    The data I get when I export the InstallPath value is as follows:

    This registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe Bridge\CS6\Installer with

    HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe Bridge\CS6\Installer
    InstallPath="C:\Program Files\Adobe\Adobe Bridge CS6 (64 Bit)"

    We have:
    • The hive. (HKLM)
    • The key (SOFTWARE)
    • The subkey (Adobe)
    • The value (InstallPath)
    • The data (C:\Program Files\Adobe\Adobe Bridge CS6 (64 Bit))
    Even MORE Simply...

    [​IMG]


    Backing up the Registry

    Prior to any modifications of the registry it is essential that you make some form of backup, whether it is manually, a new restore point or using software. This will be the only thing that helps you if an error is made while modifying the registry.

    MANUALLY - COMPLETE BACKUP
    Backup Your Registry Manually

    We need to backup your registry manually.

    WARNING: entering the registry is dangerous, only perform the following instructions precisely.

    • Click Start
    • Type regedit
    • Click yes on the UAC form.
    • Select Computer, so it is highlighted and the bar below 'File' reads 'Computer' ONLY (no \ HKEY)

      [​IMG]
    • Click File
    • Click Export
    • Name the file 'RegistryBackup'
    • Ensure the 'Save as Type' is 'Registration Files (*.reg)'
    • Click 'Save'
    • Allow registry editor to run and make the backup, it may take a minute or two.
    Code:
    [b][color=orange]Backup Your Registry Manually[/color][/b]
    We need to backup your registry manually.
    
    [b][color=#ff3366]WARNING: entering the registry is dangerous, only perform the following instructions precisely.[/color][/b]
    
    [list]
    [*]Click Start
    [*]Type regedit
    [*]Click yes on the UAC form.
    [*]Select Computer, so it is highlighted and the bar below 'File' reads 'Computer' ONLY (no \ HKEY)
    
    [img]https://i.imgur.com/ocHXprY.png[/img]
    
    [*]Click File
    [*]Click Export
    [*]Name the file 'RegistryBackup'
    [*]Ensure the 'Save as Type' is 'Registration Files (*.reg)'
    [*]Click 'Save'
    [*]Allow registry editor to run and make the backup, it may take a minute or two.
    [/list]

    MANUALLY - SELECT BACKUP
    Backup Your Registry Manually

    We need to backup your registry manually.

    WARNING: entering the registry is dangerous, only perform the following instructions precisely.

    • Click Start
    • Type regedit
    • Click yes on the UAC form.
    • Navigate to: INSERT HIVE/KEY/SUBKEY value here.
    • Ensure the 'key' (subfolder type thing) is highlighted like Computer is in this image below.
    • Ensure the bar below 'File', 'Edit' etc. reads: INSERT HIVE/KEY/SUBKEY value here.

      [​IMG]
    • Click File
    • Click Export
    • Name the file 'RegistryBackup'
    • Ensure the 'Save as Type' is 'Registration Files (*.reg)'
    • Click 'Save'
    • Allow registry editor to run and make the backup, it may take a minute or two.
    Code:
    [b][color=#33ffff]Backup Your Registry Manually
    [/color][/b]We need to backup your registry manually.
    
    [color=#33ccff][b][b][color=#ff3366]WARNING: entering the registry is dangerous, only perform the following instructions precisely.[/color][/b]
    [/b][/color]
    [list]
    [*]Click Start
    [*]Type regedit
    [*]Click yes on the UAC form.
    [*]Navigate to: INSERT HIVE/KEY/SUBKEY value here.
    [*]Ensure the 'key' (subfolder type thing) is highlighted like Computer is in this image below.
    [*]Ensure the bar below 'File', 'Edit' etc. reads: INSERT HIVE/KEY/SUBKEY value here.
    
    [img]https://i.imgur.com/ocHXprY.png[/img]
    
    [*]Click File
    [*]Click Export
    [*]Name the file 'RegistryBackup'
    [*]Ensure the 'Save as Type' is 'Registration Files (*.reg)'
    [*]Click 'Save'
    [*]Allow registry editor to run and make the backup, it may take a minute or two.
    [/list]
    
    MANUALLY - COMMAND PROMPT
    We need to backup a part of the registry using command prompt:
    • Click Start
    • Type 'cmd'
    • Right click Command Prompt and select Run as Administrator
    • A black window should appear; type the following without the <SPACE>, which indicates where there should be a space:

      REG EXPORT<SPACE>HIVE\KEY\SUBKEY<SPACE>C:\RegKeyBackup.reg
    • You should get a confirmation "The Operation Completed Successfully"
    Code:
    [color=#33ccff][b][color=#33ccff]MANUALLY - COMMAND PROMPT[/color][/b][/color]
    We need to backup a part of the registry using command prompt:
    [list]
    [*]Click [b][color=#ffffff]Start[/color][/b]
    [*]Type '[b][color=#ffffff]cmd[/color][/b]'
    [*]Right click Command Prompt and select [b][color=#ffffff]Run as Administrator[/color][/b]
    [*]A black window should appear, type the following without the [b][color=#ffffff]<SPACE>[/color][/b] this indicates where there should be a space:
    
    [b][font=-apple-system, BlinkMacSystemFont,][color=#ff3399]REG EXPORT[/color][color=#ffffff]<SPACE>[/color][color=#ffcc33]HIVE\KEY\SUBKEY[/color][color=#ffffff]<SPACE>[/color][color=#66cc33]C:\RegKeyBackup.reg
    [/color][/font][/b]
    [*]You should get a confirmation "[b][color=#ffffff]The Operation Completed Successfully[/color][/b]"
    [/list]
    MANUALLY - SET SYSTEM RESTORE POINT
    System Restore Point

    We need a system restore point:
    1. From the Start menu, type create a restore point.
    2. Select Create a restore point from the search results.
    3. Choose Create, and then follow the steps to create a restore point.
    Code:
    [b][color=#33ffff]System Restore Point[/color][/b]
    We need a system restore point:
    
    [list=1]
    [*]From the [b][color=#ffffff]Start menu[/color][/b], type create a restore point.
    [*]Select [b][color=#ffffff]Create a restore point[/color][/b] from the search results.
    [*]Choose [b][color=#ffffff]Create[/color][/b], and then follow the steps to create a restore point.
    [/list]
    SOFTWARE - COMPLETE BACKUP
    Registry Backup
    Please download the Portable version of Registry Backup by Tweaking.com

    NOTE: ensure you're using an administrator account, if you aren't or are unsure STOP NOW and notify me. [If you aren't the whole registry won't be backed up]

    • Right click the zipped file and select Extract All.
    • Open the folder and double click TweakingRegistryBackup.
    • Select yes on the UAC window.
    • Click Backup Now.
    • Allow the program to run.
    • Click View Logs.
    • Open Log_backup.txt
    • Copy/paste the contents into your next reply.
    Code:
    [color=#33ffff][b]Registry Backup[/b]
    [/color]Please download the Portable version of [url=https://www.bleepingcomputer.com/download/registry-backup/][b][color=#ffcc33]Registry Backup[/color][/b][/url] by Tweaking.com
    
    [b][color=#ff3366]NOTE: [/color][/b]ensure you're using an administrator account, if you aren't or are unsure STOP NOW and notify me. [If you aren't the whole registry won't be backed up]
    [list]
    [*]Right click the zipped file and select Extract All.
    [*]Open the folder and double click TweakingRegistryBackup.
    [*]Select yes on the UAC window.
    [*]Click Backup Now.
    [*]Allow the program to run.
    [*]Click View Logs.
    [*]Open Log_backup.txt
    [*]Copy/paste the contents into your next reply.
    [/list]
    OTHER SOFTWARE
    Trained helpers can use other tools to backup/modify/restore the registry:
    • OTL.
    • Farbar Recovery Scan Tool.
    • Combofix
    • ERUNT in older versions of windows
    NOTE: DO NOT USE THESE TOOLS UNSUPERVISED

    Restoring the Registry
    Backing up the registry is oh-so-worth-it the moment you need to restore from a backup. Restoring is usually quite simple.

    MANUALLY - FROM SELECT BACKUP
    If you manually exported a .reg file, you just need to find that .reg file.

    Restoring Registry from Backup
    We need to restore some registry entries from our backup.
    • Navigate to the location where you saved your backup .reg file and double click on it.

      A .reg file looks like this:
      [​IMG]

    • Click yes when prompted by the UAC window.
    • Click yes when prompted by Windows.
    • Allow it to run.
    Let me know how it goes, it's important that you DO NOT DELETE the .reg file until we are sure we have fixed the issue.

    Code:
    [b][color=#33ffff]Restoring Registry from Backup[/color][/b]
    We need to restore some registry entries from our backup.
    [list]
    [*]Navigate to the location where you saved your backup .reg file and double click on it.
    
    A .reg file looks like this:
    [img=64x72]https://i.imgur.com/WbQHAr0.png[/img]
    
    [*]Click [b][color=#ffffff]yes [/color][/b]when prompted by the UAC window.
    [*]Click [b][color=#ffffff]yes [/color][/b]when prompted by Windows.
    [*]Allow it to run.
    [/list]Let me know how it goes, it's important that you [b][color=#ff3366]DO NOT DELETE[/color][/b] the .reg file until we are sure we have fixed the issue.
    MANUALLY - USING COMMAND PROMPT
    We need to restore from the backup we made:
    • Click Start
    • Type 'cmd'
    • Right click Command Prompt and select Run as Administrator
    • A black window should appear; type the following without the <SPACE>, which indicates where there should be a space:

      REG IMPORT<SPACE>C:\RegKeyBackup.reg
    • You should get a confirmation "The Operation Completed Successfully"
    Code:
    We need to restore from the backup we made:
    [list]
    [*]Click [color=white]Start[/color]
    [*]Type '[color=white]cmd[/color]'
    [*]Right click Command Prompt and select [color=white]Run as Administrator[/color]
    [*]A black window should appear, type the following without the [color=white]<SPACE>[/color] this indicates where there should be a space:
    
    [color=#ff3399][b]REG IMPORT[/b][/color][b][color=#ffffff]<SPACE>[/color][color=#66cc33]C:\RegKeyBackup.reg[/color]
    [/b]
    [*]You should get a confirmation "[color=white]The Operation Completed Successfully[/color]"
    [/list]
    COMPLETE RESTORE - WINDOWS FUNCTIONALITY
    Roll Back with System Restore

    We need to do a roll back with System Restore.
    • Click Start
    • Type 'System Restore'
    • Click 'Create a System Restore Point' in the start menu.
    • The System Properties box should open.
    • Under the System Protection tab click System Restore...
    • The System Restore tool will open.
    • Select 'Choose a Different Restore Point'
    • Click Next.
    • Select a date where things were running fine (or at least better than now) on your machine.
    • Click Next.
    • Allow System Restore to run, following any prompts.
    Code:
    [b][color=#33ffff]Roll Back with System Restore[/color][/b]
    We need to do a roll back with System Restore.
    [list]
    [*]Click [b][color=#ffffff]Start[/color][/b]
    [*]Type '[b][color=#ffffff]System Restore[/color][/b]'
    [*]Click '[b][color=#ffffff]Create a System Restore Point[/color][/b]' in the start menu.
    [*]The System Properties box should open.
    [*]Under the System Protection tab click [b][color=#ffffff]System Restore...[/color][/b]
    [*]The System Restore tool will open.
    [*]Select '[b][color=#ffffff]Choose a Different Restore Point[/color][/b]'
    [*]Click [b][color=#ffffff]Next[/color][/b].
    [*]Select a date where things were running fine (or at least better than now) on your machine.
    [*]Click [b][color=#ffffff]Next[/color][/b].
    [*]Allow System Restore to run, following any prompts.
    [/list]
    COMPLETE RESTORE - THIRD PARTY SOFTWARE
    Roll Back with Tweaking Registry Backup
    Launch TweakingRegistryBackup by Tweaking.com

    NOTE: ensure you're using an administrator account, if you aren't or are unsure STOP NOW and notify me. [If you aren't the whole registry won't be backed up]

    • Click the Restore Registry tab.
    • Click the down arrow next to 'Select Backup To Restore' and select the backup we made previously.
    • Place a check next to 'Restart/Shutdown System When Finished'
    • Click Restore Now
    • Allow the computer to reboot.

    Code:
    [b][color=#33ffff]Roll Back with Tweaking Registry Backup[/color][/b]
    Launch TweakingRegistryBackup by Tweaking.com
    
    [b][color=#ff3366]NOTE: [/color][/b]ensure you're using an administrator account, if you aren't or are unsure STOP NOW and notify me. [If you aren't the whole registry won't be backed up]
    
    [list]
    [*]Click the [b][color=#ffffff]Restore Registry[/color][/b] tab.
    [*]Click the down arrow next to '[b][color=#ffffff]Select Backup To Restore[/color][/b]' and select the backup we made previously.
    [*]Place a check next to '[b][color=#ffffff]Restart/Shutdown System When Finished[/color][/b]'
    [*]Click [b][color=#ffffff]Restore Now[/color][/b]
    [*]Allow the computer to reboot.
    [/list]
    
    Modifying the Registry
    There are several methods by which we can modify the registry; modifying the registry brings together all our previous knowledge.

    ==============================================

    WARNING
    Given the purpose of the registry, modifications to it can have disastrous consequences. Tread lightly in the registry.
    Look but don't touch - unless you know what you're doing.

    ==============================================
    From Microsoft themselves:
    MANUALLY IN REGEDIT
    I do not encourage this.
    Of course, you can go into the registry itself and make modifications. Modify values, delete things, add things, you name it and this is probably the most simple (yet most dangerous) way to do this.
    • Click start
    • Type regedit
    • Click yes on the UAC window
    • Go through the registry and make modifications like you would to any file.
    SCRIPTS: .reg FILES
    Creating a .reg File

    Creating .reg files is simple.
    • Open Notepad
    • Type the desired script.
    • Click File
    • Save
    • Name the file: RegistryFix.reg
    • Under file type, select all types.
    • Click save.
    Executing a .reg File
    • Navigate to the .reg file.
    • Double click it.
    • Click yes in the UAC window.
    • Click yes when prompted by regedit.
    • Allow the file to run.
    Syntax of .Reg Files
    A .reg file has the following syntax:

    where:

    RegistryEditorVersion is either "Windows Registry Editor Version 5.00" for Windows 2000, Windows XP, and Windows Server 2003, or "REGEDIT4" for Windows 98 and Windows NT 4.0. The "REGEDIT4" header also works on Windows 2000-based, Windows XP-based, and Windows Server 2003-based computers.

    Blank line is a blank line. This identifies the start of a new registry path. Each key or subkey is a new registry path. If you have several keys in your .reg file, blank lines can help you to examine and to troubleshoot the contents.

    RegistryPathx is the path of the subkey that holds the first value you are importing. Enclose the path in square brackets, and separate each level of the hierarchy by a backslash. For example: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    A .reg file can contain several registry paths. If the bottom of the hierarchy in the path statement does not exist in the registry, a new subkey is created. The contents of the registry files are sent to the registry in the order you enter them. Therefore, if you want to create a new subkey with another subkey below it, you must enter the lines in the correct order.

    DataItemNamex is the name of the data item that you want to import. If a data item in your file does not exist in the registry, the .reg file adds it (with the value of the data item). If a data item does exist, the value in your .reg file overwrites the existing value. Quotation marks enclose the name of the data item. An equal sign (=) immediately follows the name of the data item.

    DataTypex is the data type for the registry value and immediately follows the equal sign. For all the data types other than REG_SZ (a string value), a colon immediately follows the data type. If the data type is REG_SZ, do not include the data type value or colon. In this case, Regedit.exe assumes REG_SZ for the data type. The following table lists the typical registry data types:
    [​IMG]
    More info about registry data types: https://support.microsoft.com/en-us/help/256986

    DataValuex immediately follows the colon (or the equal sign with REG_SZ) and must be in the appropriate format (for example, string or hexadecimal). Use hexadecimal format for binary data items.

    NOTE: You can enter several data item lines for the same registry path. The registry file should contain a blank line at the bottom of the file.

    Creating a .reg File
    Let's take a step back to the basics; we'll worry about the correct syntax, spacing, punctuation etc. later. Let's just look at how to make a .reg file.

    1. Open Notepad.
    2. Click File > Save
    3. Save the file to the Desktop.
    4. In the File Name field enter FILENAME.reg
    5. In the Save as Type option select 'All Files'.
    6. Hit save.
    Done! There should be a .reg file named FILENAME with the .reg icon.

    Formatting a .reg File
    When it comes to writing .reg files, there are a couple of rules we must follow.

    • RULE 1: the file should always start with the following line:

      Windows Registry Editor Version 5.00
    • RULE 2: we must separate 'commands' relating to different keys/subkeys by a single line. This means:

      [​IMG]
    • Explaining my point further:

      [​IMG]
    • RULE 3: NEVER modify a registry that hasn't been backed up!
    When it comes to the general format of a .reg file, it follows a registry backup as I described earlier.
    [REGISTRYHIVE\KEY\SUBKEY\SUBSUBKEY]
    "VALUE"="Some Data Here"

    What we want to do will determine how we structure the above lines. The specific syntax depends on whether we want to do any of the following:
    1. Delete a Key/Subkey
    2. Delete a Value
    3. Add a value with specific data.
    4. Add a key/subkey
    5. Modify the DATA of a Value.
    Let's work through each one. I'm going to use a single example through each of these, exported from my own registry.

    Let's work with this:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
    "ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"


    Delete a Key/Subkey
    Hopefully by now you can identify the key/subkey (and hive, value and data for that matter!) in this line. If not give it a go. I'll put the answer in a spoiler below.

    HIVE: HKEY_LOCAL_MACHINE
    KEY: SOFTWARE
    SUBKEY: Google
    VALUE: ExampleString
    DATA: C:\\ProgramFiles\\Google\\Chrome\\Example.exe

    The syntax for deleting a key/subkey is pretty simple, just add a minus ( - ) symbol before the path you want to delete.

    Let's delete the Chrome subkey:
    Code:
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
    Now, let's delete the Google subkey:
    Code:
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Google]
    NOTE: removing the Google subkey will remove all subkeys below it! (I don't know if I have to say this, but I will). Just like if you deleted the Program Files folder, all the folders below would get deleted!
    Simple, right?

    So, if we wanted to make a .reg file to remove the Google subkey, the whole file would read:

    Code:
    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Google]
    We would then:
    • Click File > Save
    • Rename the file to FILENAME.reg
    • Change the 'Save as Type' to 'All Files'
    • Ensure you save the file on your Desktop.
    • Click Save.
    We can then go to the saved file, double click it to execute it (clicking yes to the prompts). Let's move on.

    Delete a Value
    Remember the structure of our export and where the values are in it? Let me remind you:
    [REGISTRYHIVE\KEY\SUBKEY\SUBSUBKEY]
    "VALUE"="Some Data Here"


    This means our format in our .reg file has to be a little different (yet still simple). To delete a value we add a minus ( - ) after the = sign that immediately follows the " from the value ("VALUE"=).

    Here's our example:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
    "ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"


    Let's remove the value "ExampleString" from the Chrome subkey.

    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
    "ExampleString"=-
    So, if we wanted to make a .reg file to remove the ExampleString value, the whole file would read:

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
    "ExampleString"=-
    Add a value with specific data.
    This one may be a bit trickier, but I can't see a reason why you might do this. When you restore from a backup, this is what you are inadvertently doing. To do this, you must know the correct data that is assigned to that value. To create this script, we just mirror our export from the registry. When we have specific values listed, the .reg file will create the key/subkey if it does not exist already.

    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
    "ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"
    So, if we wanted to make a .reg file to add the ExampleString value, the whole file would read:

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
    "ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"
    Add a Key/Subkey
    I can't see why you would do this alone for any good reason, if you are creating keys/subkeys you more than likely should have values within them.

    Regardless, this would be the script:
    [​IMG]

    Modify the DATA of a Value

    This is the more fun/thinking part: I'm going to show you how to modify the data of a value. This method is often what malware will use to disable certain features (particularly security features) on a user's system. How we modify the data particularly relates to the type of data that is stored in the value.

    • Is it a string?
    • Is it a binary value?
    • Is it a DWORD value? etc
    Regardless, the structure of your script is essentially the same. Let's take our example again...

    [​IMG]

    Let's change the string associated with ExampleString to the directory C:\Windows\Example.exe - the trick to this function is to be sure to remember the "" and a double \ (\\) where usually you would put 1.

    [​IMG]

    Another example, this time of a DWORD (Hexadecimal Base). I just quickly exported this from a random part of my registry:

    [​IMG]

    In a DWORD you get a string of numbers: 00000000 or 00000001 or 00040000 etc. Each number represents a different state for the value. Simply (and what most commonly I'm involved in) 1 = enabled, 0 = disabled.

    So in this entry:

    The value authenticodeenabled is disabled (I know this by dword:00000000)
    If authenticodeenabled was enabled it would be dword:00000001

    This is applicable particularly when malware has disabled the ability to access regedit. In this example below, disable registry tools is enabled.

    We, however, are able to construct a .reg file to disable "DisableRegistryTools". It is as follows:

    [​IMG]

    You can also find entries like this for:
    • Task manager
    • Command Prompt
    • Config
    • System Restore
    • The list continues...
    This will cover most modifications you might ever want to do in the registry using a .reg file.
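    The .reg syntax rules above (the header line, [path] blocks, [-path] key deletion, "name"=- value deletion, quoted strings with doubled backslashes, dword: and hex: data) and the five operations walked through from 'Delete a Key/Subkey' to 'Modify the DATA of a Value', as an added Python example that is not code from the original post: it parses a constructed .reg script, replays it against a dict standing in for the registry, and flags any script that switches on a DisableRegistryTools-style lockout policy. The HKCU policy key path and the DisableTaskMgr value name are assumed from Windows policy conventions, not taken from the post.

```python
"""Parse a .reg script and replay it against an in-memory model of the registry.
Added example, not code from the original post: the model is a plain dict
{key_path: {value_name: (type, data)}}, so it never touches a real registry."""
import re

HEADERS = {"Windows Registry Editor Version 5.00", "REGEDIT4"}   # RegistryEditorVersion
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')              # "name"=<data or ->
# Assumed: the well-known HKCU policy key that holds DisableRegistryTools (1 = enabled).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
LOCKOUT_VALUES = {"disableregistrytools", "disabletaskmgr"}        # compared lower-cased

# Constructed fix script: change a string, delete a value, add binary data, delete a key (and its subkeys), re-enable regedit.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
"ExampleString"="C:\\Windows\\Example.exe"
"OldValue"=-
"Data"=hex:fe,34,0e,ad

[-HKEY_LOCAL_MACHINE\SOFTWARE\Obsolete]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
'''
# Constructed script of the kind the guide says malware applies to lock users out of regedit.
LOCKOUT_REG = "Windows Registry Editor Version 5.00\n\n[" + POLICY_KEY + ']\n"DisableRegistryTools"=dword:00000001\n'

def parse_data(rhs):
    """Decode the right-hand side of a value line into (type, data)."""
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':         # REG_SZ: quoted text
        return ("REG_SZ", re.sub(r"\\(.)", r"\1", rhs[1:-1]))      # undo the \\ and \" escapes
    if rhs.startswith("dword:"):                                     # REG_DWORD: 8 hex digits
        return ("REG_DWORD", int(rhs[6:], 16))
    if rhs.startswith("hex:"):                                       # REG_BINARY, single line only
        return ("REG_BINARY", bytes.fromhex(rhs[4:].replace(",", "")))
    raise ValueError("unsupported data syntax: " + rhs)

def parse_reg(text):
    """Return ops in file order: ('del_key', p), ('add_key', p), ('del_val', p, name), ('set', p, name, (type, data))."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("first line must be the RegistryEditorVersion header")
    ops, path = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):          # blank separator lines and comments
            continue
        if line[0] == "[" and line[-1] == "]":         # a new registry path
            if line[1] == "-":                         # [-path] deletes the key
                ops.append(("del_key", line[2:-1]))
                path = None
            else:                                      # [path] is created if it does not exist
                path = line[1:-1]
                ops.append(("add_key", path))
            continue
        m = VALUE_RE.match(line)
        if path is None or not m:
            raise ValueError("malformed line: " + line)
        if m.group(2) == "-":                          # "name"=- deletes the value
            ops.append(("del_val", path, m.group(1)))
        else:                                          # "name"=data adds or overwrites it
            ops.append(("set", path, m.group(1), parse_data(m.group(2))))
    return ops

def apply_ops(registry, ops):
    """Replay ops in order; Windows names are case-insensitive, so the returned model is lower-cased."""
    registry = {k.lower(): {n.lower(): v for n, v in vs.items()} for k, vs in registry.items()}
    for op in ops:
        kind, path = op[0], op[1].lower()
        if kind == "del_key":                          # a key takes its whole subtree with it
            for k in list(registry):
                if k == path or k.startswith(path + "\\"):
                    del registry[k]
        elif kind == "add_key":
            registry.setdefault(path, {})
        elif kind == "del_val":
            registry.setdefault(path, {}).pop(op[2].lower(), None)
        else:
            registry.setdefault(path, {})[op[2].lower()] = op[3]
    return registry

def find_lockouts(ops):
    """Flag 'set' ops that switch on a policy DWORD locking the user out of regedit or Task Manager (non-zero = enabled)."""
    return [(op[1], op[2], op[3][1]) for op in ops
            if op[0] == "set" and op[2].lower() in LOCKOUT_VALUES
            and op[3][0] == "REG_DWORD" and op[3][1] != 0]

def starting_registry():
    """Constructed starting state (not a real export), with regedit locked out."""
    chrome = {"ExampleString": ("REG_SZ", r"C:\ProgramFiles\Google\Chrome\Example.exe"),
              "OldValue": ("REG_SZ", "to be removed")}
    return {r"HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome": chrome,
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Obsolete": {},
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Obsolete\Child": {"Flag": ("REG_DWORD", 1)},
            POLICY_KEY: {"DisableRegistryTools": ("REG_DWORD", 1)}}
```

    To try it, call apply_ops(starting_registry(), parse_reg(FIX_REG)) and find_lockouts(parse_reg(LOCKOUT_REG)); the first returns the model with the Obsolete subtree gone and DisableRegistryTools at 0, the second flags the constructed lockout script.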


    COMMAND PROMPT (CMD) [.bat (BATCH) Files]
    For those new to the game, batch files are just scripted command prompt commands that you can double click and execute (like .reg files kinda - but more versatile). I'm going to go over the commands you will type into command prompt, I will then show you how to adapt these to a simple .bat file.

    Reference: How to edit the Registry using Command Prompt on Windows 10

    How to Open Command Prompt
    To open command prompt:
    • Click Start
    • Search Command Prompt
    • Right Click and click Run as Administrator
    Commands
    In command prompt (CMD) you can type reg /? to bring up a list of available commands.
    These include:
    • REG Query
    • REG Add
    • REG Delete
    • REG Copy
    • REG Save
    • REG Load
    • REG Unload
    • REG Restore
    • REG Compare
    • REG Export
    • REG Import
    • REG Flags

    CMD Syntax
    • ADD: REG ADD KeyName [{/v ValueName | /ve}] [/t Type] [/s Separator] [/d Data] [/f]
    • DELETE: REG DELETE KeyName [{/v ValueName | /ve | /va}] [/f]
    Command Description
    • KeyName: Defines the path to the subkey or entry. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to edit the registry on a remote computer, you can only use these shortcuts: HKLM and HKU.
    • /v ValueName: Specifies the name for the registry key to be added or deleted.
    • /ve: Defines if you're adding or deleting an entry that has a null value.
    • /t Type: Specifies the type of registry entries. Here's the list of valid types:
      • REG_SZ
      • REG_MULTI_SZ
      • REG_DWORD_BIG_ENDIAN
      • REG_DWORD
      • REG_BINARY
      • REG_DWORD_LITTLE_ENDIAN
      • REG_LINK
      • REG_FULL_RESOURCE_DESCRIPTOR
      • REG_EXPAND_SZ
    • /f: Adds or deletes registry content without prompting for confirmation.
    • /s Separator: Defines the character you use to separate multiple instances of data when the REG_MULTI_SZ data type is specified and you need to add more than one entry. The default separator is \0 if it is not specified.
    • /d Data: Specifies the data for the new entry in the registry.
REG ADD
To add a subkey named MySubkey under HKEY_LOCAL_MACHINE\Software, use the following example:

REG ADD HKLM\Software\MySubkey

To add a new DWORD (32-bit) value entry named AppInfo with the value of 1, use the following example:

REG ADD HKLM\Software\MySubkey /v AppInfo /t REG_DWORD /d 1

To add a new Binary Value entry named Data with data of fe340ead, use the following example:

REG ADD HKLM\Software\MySubkey /v Data /t REG_BINARY /d fe340ead

To add a registry entry with multiple values to MySubkey with a value name of MRU of type REG_MULTI_SZ and data of fax\0mail\0\0 (the \0 is the default separator between strings), use the following example:

REG ADD HKLM\Software\MySubkey /v MRU /t REG_MULTI_SZ /d fax\0mail\0\0

REG DELETE
To delete the subkey named MySubkey (and everything beneath it), use the following example:

REG DELETE HKLM\Software\MySubkey /f

To delete the registry entry named AppInfo within the MySubkey subkey, use the following example:

REG DELETE HKLM\Software\MySubkey /v AppInfo /f

To delete all the registry entries from the MySubkey subkey while keeping the subkey itself, use the following example:

REG DELETE HKLM\Software\MySubkey /va /f

    REG COPY
    Syntax:
    REG COPY KeyName1 KeyName2 [/s] [/f]

    • KeyName1: Defines the path to the subkey you want to copy. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to copy the registry on a remote computer, you can only use these shortcuts: HKLM and HKU.
    • KeyName2: Defines the path to the subkey destination. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to copy the registry on a remote computer, you can only use these shortcuts: HKLM and HKU.
    • /s: Copies all subkeys and entries of a particular subkey.
    • /f: Executes the copy command without prompting for confirmation.
To copy all subkeys and values under the key MySubkey1 to the key MySubkey2, use the following example:

REG COPY HKLM\Software\MySubkey1 HKLM\Software\MySubkey2 /s

Create .bat (batch) File
We need to create a batch file to run some commands.
• Open Notepad.
• Copy/Paste the following code into Notepad, replacing CODE with the REG commands you want to run (one per line, each with /f so the script never stops to ask for confirmation):

  @echo off
  CODE
• Click Save
• Name the file Fix.bat
• Under Save as Type select All Files
• Save the batch file to your desktop, it will look like this:

  [IMG]
• Navigate to the file, Right Click, then Run as Administrator
• Allow it to run.
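Putting the pieces together, here is a complete Fix.bat for the DisableRegistryTools case from earlier, as an added example (my own script, not the original post's file; the backup file name and its Desktop location are this example's choices). It backs up the policy key with REG EXPORT before touching it, clears the value with REG ADD, reads it back with REG QUERY, and stops at the first step that fails so a bad state is never left behind silently.

```batch
@echo off
REM Fix.bat - added example, not the original post's file.
REM Re-enables regedit for the current user with reg.exe, which is not
REM governed by the DisableRegistryTools policy, taking a backup first.
setlocal
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
REM Backup location is this example's choice; change it if you like.
set "BACKUP=%USERPROFILE%\Desktop\PoliciesSystem-backup.reg"

REM Nothing to do if the policy key itself does not exist.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 goto nokey

echo Current value (an error here just means the value is not set):
reg query "%KEY%" /v DisableRegistryTools 2>nul

REM 1. Back up the whole key. /y overwrites an older backup without asking.
reg export "%KEY%" "%BACKUP%" /y
if errorlevel 1 goto backupfail

REM 2. Clear the policy. /f suppresses the overwrite prompt so the script never hangs.
reg add "%KEY%" /v DisableRegistryTools /t REG_DWORD /d 0 /f
if errorlevel 1 goto addfail

REM 3. Verify: reg query shows DWORDs as 0x0, 0x1, ... so 0x0 only matches zero.
reg query "%KEY%" /v DisableRegistryTools | findstr /c:"0x0" >nul
if errorlevel 1 goto verifyfail

echo Done. Backup saved to "%BACKUP%".
exit /b 0

:nokey
echo The Policies\System key does not exist, so regedit is not disabled here.
exit /b 0

:backupfail
echo Backup failed, nothing was changed.
exit /b 1

:addfail
echo reg add failed. To roll back, run: reg import "%BACKUP%"
exit /b 1

:verifyfail
echo The value did not read back as 0. To roll back, run: reg import "%BACKUP%"
exit /b 1
```

Two things to keep in mind when running it. HKCU edits need no elevation, but they apply to whichever account the script runs as; if "Run as Administrator" prompts you for a different admin account, the script fixes that account's hive, not the one you are logged in to. To clear the machine-wide copy of the policy instead, change KEY to the same path under HKLM and then the script must run elevated.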
    Conclusion
    Hopefully you found this guide somewhat helpful. I've linked a bunch of websites that were the inspiration for this thread. Please leave all comments, suggestions and possible improvements as a reply rather than PMing me so the community can benefit! And please tell me:
    • Was this thread helpful?
    • Was it easy to follow?
    • What would you like to hear from me next?
    All the best.

    References
    Registry Value Types: https://msdn.microsoft.com/en-us/library...s.85).aspx
    Computer Hope Registry Talk: What is the Windows Registry?
    Inspiration for this thread: https://www.bleepingcomputer.com/tutoria...-registry/
    Starting Point: Windows Registry - Wikipedia
    Microsoft Library on the Registry: https://msdn.microsoft.com/en-us/library...s.85).aspx
    CMD: How to edit the Registry using Command Prompt on Windows 10
     