<blockquote data-quote="TheAvatar" data-source="post: 700378" data-attributes="member: 68707"><p style="text-align: center"><span style="color: #949494"><strong><span style="color: #33ccff"><img src="https://i.imgur.com/SKffq1w.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /> </span></strong></span></p> <p style="text-align: center"><em>Presents...</em></p> <p style="text-align: center"><strong><span style="font-family: 'Verdana'"><span style="font-size: 26px"><span style="color: #a64dff">Discover the Windows Registry</span></span></span></strong></p><p><strong><span style="font-size: 26px"><span style="color: #00b359">Overview</span></span></strong></p><p>This guide will take you through some of the fundamentals of the Windows Registry.</p><p></p><p>Topics to be discussed are:</p><ul> <li data-xf-list-type="ul">What the registry is and its function.</li> <li data-xf-list-type="ul">The structure of the registry.</li> <li data-xf-list-type="ul">How to back up the registry.</li> <li data-xf-list-type="ul">How to restore the registry.</li> <li data-xf-list-type="ul">How to modify the registry.</li> </ul><p><strong><span style="font-size: 26px"><span style="color: #00b359">Introduction</span></span></strong></p><p>I have a passion for helping people with my skills and knowledge; malware removal and tech support are just another way I can do this. Hopefully you take something from this thread; it may be completely irrelevant to most members, but it is great for those wanting to learn more about the Windows OS.</p><p></p><p><strong><span style="font-size: 26px"><span style="color: #0000b3">What is the Registry?</span></span></strong></p><p>The Windows Registry (or Registry) is a hierarchical database that stores the settings and information related to software, user preferences, hardware, Windows settings and much more. 
An example of this: when a new program is installed, a new set of registry entries is created (most of the time; some software keeps its settings in XML or other files, and 'portable' software writes nothing to the registry) which acts as a set of instructions for that program and for any other software or feature that interacts with it. We can liken the registry to DNA within a cell: it is the core that influences the overall function.</p><p></p><p>Application settings used to be stored in text-based configuration files (and with some applications, still are), with a separate file for every application. The Windows Registry is meant to solve that problem by providing a single place for all settings across all applications. In addition to consolidating system settings, storing all of these settings in a single place and in a database format means that accessing values in the registry is much faster than parsing a text configuration file, so the registry can be used for more than just settings. In fact, the hives are loaded and cached in memory (the system hives at boot, each user's hive at logon), so accessing the registry is nearly instant.</p><p></p><p><strong><span style="color: #ff8000">Welcome to the Windows registry:</span></strong></p><p><img src="https://i.imgur.com/FxMS86S.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p style="text-align: center"><strong><span style="font-size: 26px"><span style="color: #b30059">==============================================</span></span></strong></p> <p style="text-align: center"></p> <p style="text-align: center"><span style="color: #949494"><span style="color: #ff3366"><strong><span style="font-size: 26px">WARNING</span></strong></span></span></p> <p style="text-align: center"><span style="color: #949494"><span style="color: #ff3366"><strong>Given the purpose of the registry, modifications to it can have disastrous consequences. Tread lightly in the registry. 
</strong></span></span></p> <p style="text-align: center"><span style="color: #949494"><span style="color: #ff3366"><strong>Look but don't touch - unless you know what you're doing.</strong></span></span></p><p></p><p style="text-align: center"><strong><span style="color: #b30059"><span style="font-size: 26px">==============================================</span></span></strong></p><p></p><p><strong><span style="color: #ff8000">How do we Access the Registry?</span></strong></p><p>To view the registry do the following:</p><ul> <li data-xf-list-type="ul"><span style="color: #000000">Click <strong>Start</strong>.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Type <strong>regedit</strong>.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Click <strong>Yes </strong>when prompted by UAC.</span></li> </ul><p><span style="color: #000000">Alternatively:</span></p><ul> <li data-xf-list-type="ul"><span style="color: #000000">On your keyboard hit the <strong>Windows Key</strong> and <strong>R </strong>at the same time.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Type <strong>regedit</strong></span></li> <li data-xf-list-type="ul"><span style="color: #000000">Hit <strong>Enter</strong></span></li> </ul><p></p><p><strong><span style="color: #ff8000">How is the Registry Structured?</span></strong></p><p>The data in the registry is structured in a tree format. Each node in the tree is called a key. Each key can contain both <em>subkeys </em>and data entries called <em>values</em>. Sometimes, the presence of a key is all the data that an application requires; other times, an application opens a key and uses the values associated with the key. 
A key can have any number of values, and the values can be in any form.</p><p></p><p><img src="https://i.imgur.com/vq1r3Kg.png?1" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><strong><span style="color: #ff0080">Hives</span></strong></p><p>In the registry, instead of drives, we have hives. Hives are the top of the hierarchy, the trunk of the tree, and each hive holds information related to a certain category. Strictly speaking, a hive is the file the data lives in (SAM, SECURITY, SOFTWARE and SYSTEM under %SystemRoot%\System32\config, and NTUSER.DAT in each user's profile); the HKEY_ roots that regedit shows are predefined handles onto those files, and three of them are just views or links onto the others.</p><p></p><p>These root keys are:</p><ul> <li data-xf-list-type="ul"><strong><span style="color: #ff3366">HKEY_CLASSES_ROOT (HKCR)</span></strong><br /> Describes file types, file extensions and OLE/COM class information. It is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes.<br /> <br /> </li> <li data-xf-list-type="ul"><strong><span style="color: #ff3366">HKEY_CURRENT_USER (HKCU)</span></strong><br /> Contains the settings of the user currently logged on. It is a link to that user's subkey under HKEY_USERS, so changes made here affect only that account.<br /> <br /> </li> <li data-xf-list-type="ul"><strong><span style="color: #ff3366">HKEY_LOCAL_MACHINE (HKLM)</span></strong><br /> Contains computer-specific information about the hardware installed, software settings, and other information. The information is used for all users who log on to that computer and is one of the more commonly accessed areas in the registry.<br /> <br /> </li> <li data-xf-list-type="ul"><strong><span style="color: #ff3366">HKEY_USERS (HKU)</span></strong><br /> Contains one subkey per loaded user profile (named after the account's SID) plus .DEFAULT; HKCU is simply the subkey of the user running regedit.<br /> <br /> </li> <li data-xf-list-type="ul"><strong><span style="color: #ff3366">HKEY_CURRENT_CONFIG (HKCC)</span></strong><br /> The details about the current configuration of hardware attached to the computer; a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.<br /> <br /> </li> <li data-xf-list-type="ul"><strong>HKEY_DYN_DATA (HKDD)</strong> - Windows 95, 98 and ME only; it does not exist on NT-based Windows, which includes every version in use today.</li> </ul><p><strong><span style="color: #ff9933">Keys</span></strong></p><p>Keys are those first large branches emerging from the trunk; they act as a further organisational unit within the registry. Within these keys we find either subkeys or values, depending on the entry. For any software to add something to the registry, it must create a key (or subkey) or write values under an existing one. The key selected in the example above is 'SOFTWARE', but SECURITY, HARDWARE, SAM etc. are also keys. (SAM and SECURITY are readable only by SYSTEM by default, which is why they look empty in regedit even as an administrator.)</p><p></p><p><strong><span style="color: #33cc33">SubKeys</span></strong></p><p>These are just keys within keys. Like you would call a folder within a folder a 'subfolder', these are the smaller branches off those main large branches of the tree.</p><p></p><p><strong><span style="color: #33ccff">Values</span></strong></p><p>Values are stored within keys; these could be compared to leaves on a tree. Within the registry, values come in a variety of types, the most common being strings (REG_SZ), binary data (REG_BINARY) and DWORD values (REG_DWORD). These values are the data within the keys that influence whatever part of the system they are associated with. 
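The hierarchy just described (hive, key, subkey, then value with its type and data) can be walked from PowerShell. The script below is an added example and is not part of the original guide; it uses the .NET Microsoft.Win32.Registry API rather than Get-ItemProperty because that API reports the value type next to the data, exactly as regedit's right-hand pane does. The key in the usage line exists on every installed copy of Windows; the function name and hive table are my own.

```powershell
# Added example, not part of the original guide: list one key the way the text describes
# the hierarchy (hive \ key \ subkey, then value -> type -> data). It uses the .NET
# Microsoft.Win32.Registry API rather than Get-ItemProperty because that API exposes the
# value type (REG_SZ, REG_DWORD, REG_BINARY, ...) next to the data, exactly as regedit does.
# The key in the usage line exists on every installed copy of Windows; any path can be used.

$Roots = @{
    'HKLM' = [Microsoft.Win32.Registry]::LocalMachine;  'HKEY_LOCAL_MACHINE'  = [Microsoft.Win32.Registry]::LocalMachine
    'HKCU' = [Microsoft.Win32.Registry]::CurrentUser;   'HKEY_CURRENT_USER'   = [Microsoft.Win32.Registry]::CurrentUser
    'HKU'  = [Microsoft.Win32.Registry]::Users;         'HKEY_USERS'          = [Microsoft.Win32.Registry]::Users
    'HKCR' = [Microsoft.Win32.Registry]::ClassesRoot;   'HKEY_CLASSES_ROOT'   = [Microsoft.Win32.Registry]::ClassesRoot
    'HKCC' = [Microsoft.Win32.Registry]::CurrentConfig; 'HKEY_CURRENT_CONFIG' = [Microsoft.Win32.Registry]::CurrentConfig
}

function Get-RegistryKeyValues {
    param(
        [Parameter(Mandatory)] [string] $Path,   # reg.exe style, e.g. 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [int] $Depth = 0                          # how many levels of subkeys to list as well
    )
    $hiveName, $subPath = $Path -split '\\', 2
    $root = $Roots[$hiveName.ToUpper()]
    if (-not $root) { throw "Unknown hive '$hiveName' in '$Path'" }
    if (-not $subPath) { $subPath = '' }

    # Read-only handle: looking is safe, and this handle cannot be used to change anything.
    # SAM and SECURITY are ACLed to SYSTEM only, so opening them as an administrator lands here.
    try { $key = $root.OpenSubKey($subPath, $false) }
    catch { Write-Warning "Cannot open ${Path}: $($_.Exception.Message)"; return }
    if (-not $key) { Write-Warning "Key not found: $Path"; return }

    try {
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)     # String = REG_SZ, DWord = REG_DWORD, Binary = REG_BINARY, ...
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($kind -eq 'Binary') {            # show raw bytes as hex, as regedit does
                $data = ($data | ForEach-Object { $_.ToString('x2') }) -join ' '
            }
            $label = if ($name -eq '') { '(Default)' } else { $name }
            [pscustomobject]@{ Key = $Path; Name = $label; Type = $kind; Data = $data }
        }
        if ($Depth -gt 0) {
            foreach ($sub in $key.GetSubKeyNames()) {
                Get-RegistryKeyValues -Path "$Path\$sub" -Depth ($Depth - 1)
            }
        }
    } finally {
        $key.Close()
    }
}

# Usage: HKLM is the hive, SOFTWARE the key, Microsoft\Windows NT\CurrentVersion the subkeys,
# and every row returned is one value with its type and data.
Get-RegistryKeyValues -Path 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Format-Table -AutoSize
```

Pass `-Depth 1` to include the subkeys one level down; pointing it at `HKLM\SECURITY` shows the access-denied warning rather than an empty key, which is the honest answer regedit's blank pane hides.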
</p><p></p><p>ComputerHope has summarised the value types nicely in this table:</p><p><img src="https://i.imgur.com/C7hcH4J.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p><strong>Reference:</strong> <a href="https://www.computerhope.com/jargon/r/registry.htm" target="_blank">What is the Windows Registry?</a></p><p></p><p><strong><span style="color: #9966ff">Data</span></strong></p><p>Values contain data, and this data comes in one of the types in the table above. You can see in the screenshot of regedit that each value has a 'type' and 'data' that varies according to that type. Microsoft have elaborated further on the data associated with each type here: <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx" target="_blank">Registry Value Types (Windows)</a>. This data could range from a single 0 or 1 to a hexadecimal byte such as 2c.</p><p><strong><span style="color: #000000"></span></strong></p><p><strong><span style="color: #000000"><em>Simplifying all of this...</em></span></strong></p><p>The layout of the registry can be compared to that of File Explorer. Understanding File Explorer can help you understand the structure of the registry. Let's take a look at the structure of File Explorer:</p><p></p><p><span style="color: #ffcc33"><span style="color: #333333"><img src="https://image.prntscr.com/image/zrwaly55Rp2VeJno9K32XA.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></span></span></p><p></p><p>The file path is C:\Windows\System32\aswBoot.exe and the file's properties contain its relevant data. 
Let's go ahead and deconstruct this information.</p><p></p><p><strong><span style="color: #ff3366">C:</span></strong>\<strong><span style="color: #ff9933">Windows</span></strong>\<strong><span style="color: #33cc33">System32</span></strong>\<strong><span style="color: #33ccff">aswBoot.exe </span>&lt;-- <span style="color: #9966ff">Data associated with aswBoot.exe shown in properties window</span></strong></p><p></p><p>Here we have:</p><ul> <li data-xf-list-type="ul"><strong><span style="color: #ff3366">The drive (C:)</span></strong></li> <li data-xf-list-type="ul"><strong><span style="color: #ff9933">The folder (Windows)</span></strong></li> <li data-xf-list-type="ul"><strong><span style="color: #33cc33">The subfolder (System32)</span></strong></li> <li data-xf-list-type="ul"><strong><span style="color: #33ccff">The file (aswBoot.exe)</span></strong></li> <li data-xf-list-type="ul"><strong><span style="color: #9966ff">The data contained in the file (the data shown in the properties window)</span></strong></li> </ul><p>Notice this is structured in a hierarchy, much like the registry is here:</p><p><img src="https://i.imgur.com/vq1r3Kg.png?1" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>The data I get when I export the InstallPath value is as follows:</p><p></p><p>This registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe Bridge\CS6\Installer with</p><p></p><p><strong><span style="color: #ff3366">HKEY_LOCAL_MACHINE</span></strong>\<strong><span style="color: #ff9933">SOFTWARE</span></strong>\<strong><span style="color: #33cc33">Adobe</span></strong>\Adobe Bridge\CS6\Installer</p><p><strong><span style="color: #33ccff">InstallPath</span></strong>="<span style="color: #9966ff"><strong>C:\Program Files\Adobe\Adobe Bridge CS6 (64 Bit)</strong></span>"</p><p></p><p>We have:</p><ul> <li data-xf-list-type="ul"><strong><span style="color: #ff3366">The hive. 
(HKLM)</span></strong></li> <li data-xf-list-type="ul"><strong><span style="color: #ff9933">The key (SOFTWARE)</span></strong></li> <li data-xf-list-type="ul"><strong><span style="color: #33cc33">The subkey (Adobe)</span></strong></li> <li data-xf-list-type="ul"><strong><span style="color: #33ccff">The value (InstallPath)</span></strong></li> <li data-xf-list-type="ul"><strong><span style="color: #9966ff">The data (C:\Program Files\Adobe\Adobe Bridge CS6 (64 Bit))</span></strong></li> </ul><p><span style="color: #ffffff"><strong><em>Even MORE Simply...</em></strong></span></p><p></p><p><img src="https://i.imgur.com/aLV5507.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><strong></strong></p><p><strong><span style="font-size: 26px"><span style="color: #0000b3">Backing up the Registry</span></span></strong></p><p>Prior to any modification of the registry it is essential that you make some form of backup, whether manually, as a new restore point or using software. Be aware of what each one covers: a .reg export, when re-imported, re-creates and overwrites the values it contains but does not remove keys or values added after the export was taken, and regedit cannot export (or re-import) keys that administrators have no access to, such as SAM and SECURITY. A system restore point is therefore the more reliable fallback when a change breaks more than the key you were editing. 
This will be the only thing that helps you if an error is made while modifying the registry.</p><p></p><p><strong><span style="color: #33ccff">MANUALLY - COMPLETE BACKUP</span></strong></p><p><strong><span style="color: #ff8000">Backup Your Registry Manually</span></strong></p><p>We need to backup your registry manually.</p><p></p><p><strong><span style="color: #ff3366">WARNING: entering the registry is dangerous, only perform the following instructions precisely.</span></strong></p><p></p><ul> <li data-xf-list-type="ul">Click Start</li> <li data-xf-list-type="ul">Type regedit</li> <li data-xf-list-type="ul">Click yes on the UAC form.</li> <li data-xf-list-type="ul">Select Computer, so it is highlighted and the bar below 'File' reads 'Computer' ONLY (no \ HKEY)<br /> <br /> <img src="https://i.imgur.com/ocHXprY.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /><br /> </li> <li data-xf-list-type="ul">Click File</li> <li data-xf-list-type="ul">Click Export</li> <li data-xf-list-type="ul">Name the file 'RegistryBackup'</li> <li data-xf-list-type="ul">Ensure the 'Save as Type' is 'Registration Files (*.reg)'</li> <li data-xf-list-type="ul">Click 'Save'</li> <li data-xf-list-type="ul">Allow registry editor to run and make the backup, it may take a minute or two.</li> </ul><p>[CODE][b][color=orange]Backup Your Registry Manually[/color][/b]</p><p>We need to backup your registry manually.</p><p></p><p>[b][color=#ff3366]WARNING: entering the registry is dangerous, only perform the following instructions precisely.[/color][/b]</p><p></p><p>[list]</p><p>[*]Click Start</p><p>[*]Type regedit</p><p>[*]Click yes on the UAC form.</p><p>[*]Select Computer, so it is highlighted and the bar below 'File' reads 'Computer' ONLY (no \ HKEY)</p><p></p><p>[img]https://i.imgur.com/ocHXprY.png[/img]</p><p></p><p>[*]Click File</p><p>[*]Click Export</p><p>[*]Name the file 'RegistryBackup'</p><p>[*]Ensure the 'Save as Type' is 'Registration Files (*.reg)'</p><p>[*]Click 
'Save'</p><p>[*]Allow registry editor to run and make the backup, it may take a minute or two.</p><p>[/list][/CODE]</p><p></p><p></p><p><strong><span style="color: #33ccff">MANUALLY - SELECT BACKUP</span></strong></p><p><strong><span style="color: #ff8000">Backup Your Registry Manually</span></strong></p><p>We need to backup your registry manually.</p><p></p><p><span style="color: #33ccff"><strong><span style="color: #ff3366">WARNING: entering the registry is dangerous, only perform the following instructions precisely.</span></strong></span></p><p></p><ul> <li data-xf-list-type="ul">Click Start</li> <li data-xf-list-type="ul">Type regedit</li> <li data-xf-list-type="ul">Click yes on the UAC form.</li> <li data-xf-list-type="ul">Navigate to: INSERT HIVE/KEY/SUBKEY value here.</li> <li data-xf-list-type="ul">Ensure the 'key' (the folder-like entry) is highlighted like Computer is in this image below.</li> <li data-xf-list-type="ul">Ensure the bar below 'File', 'Edit' etc. reads: INSERT HIVE/KEY/SUBKEY value here.<br /> <br /> <img src="https://i.imgur.com/ocHXprY.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /><br /> </li> <li data-xf-list-type="ul">Click File</li> <li data-xf-list-type="ul">Click Export</li> <li data-xf-list-type="ul">Name the file 'RegistryBackup'</li> <li data-xf-list-type="ul">Ensure the 'Save as Type' is 'Registration Files (*.reg)'</li> <li data-xf-list-type="ul">Click 'Save'</li> <li data-xf-list-type="ul">Allow registry editor to run and make the backup, it may take a minute or two.</li> </ul><p>[code][b][color=#33ffff]Backup Your Registry Manually</p><p>[/color][/b]We need to backup your registry manually.</p><p></p><p>[color=#33ccff][b][b][color=#ff3366]WARNING: entering the registry is dangerous, only perform the following instructions precisely.[/color][/b]</p><p>[/b][/color]</p><p>[list]</p><p>[*]Click Start</p><p>[*]Type regedit</p><p>[*]Click yes on the UAC form.</p><p>[*]Navigate to: INSERT HIVE/KEY/SUBKEY value here.</p><p>[*]Ensure the 'key' (the folder-like entry) is highlighted like Computer is in this image below.</p><p>[*]Ensure the bar below 'File', 'Edit' etc. reads: INSERT HIVE/KEY/SUBKEY value here.</p><p></p><p>[img]https://i.imgur.com/ocHXprY.png[/img]</p><p></p><p>[*]Click File</p><p>[*]Click Export</p><p>[*]Name the file 'RegistryBackup'</p><p>[*]Ensure the 'Save as Type' is 'Registration Files (*.reg)'</p><p>[*]Click 'Save'</p><p>[*]Allow registry editor to run and make the backup, it may take a minute or two.</p><p>[/list]</p><p>[/code]</p><p></p><p><span style="color: #33ccff"><strong><span style="color: #33ccff">MANUALLY - COMMAND PROMPT</span></strong></span></p><p>We need to backup a part of the registry using the command prompt:</p><ul> <li data-xf-list-type="ul"><span style="color: #000000">Click <strong>Start</strong></span></li> <li data-xf-list-type="ul"><span style="color: #000000">Type '<strong>cmd</strong>'</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Right click Command Prompt and select <strong>Run as Administrator</strong></span></li> <li data-xf-list-type="ul"><span style="color: #000000">A black window should appear. Type the following, replacing each <strong><SPACE></strong> with a single space (put the key path in double quotes if it contains spaces; add /y at the end to overwrite an existing file without being asked):</span><br /> <br /> <strong><span style="color: #ff3399">REG EXPORT</span><span style="color: #000000"><SPACE></span><span style="color: #ffcc33">HIVE\KEY\SUBKEY</span><span style="color: #000000"><SPACE></span><span style="color: #66cc33">C:\RegKeyBackup.reg</span></strong></li> <li data-xf-list-type="ul">You should get a confirm<span style="color: #000000">ation "<strong>The Operation Completed Successfully</strong>"</span></li> </ul><p>[code][color=#33ccff][b][color=#33ccff]MANUALLY - COMMAND PROMPT[/color][/b][/color]</p><p>We need to backup a part of the registry using the command prompt:</p><p>[list]</p><p>[*]Click [b][color=#ffffff]Start[/color][/b]</p><p>[*]Type 
'[b][color=#ffffff]cmd[/color][/b]'</p><p>[*]Right click Command Prompt and select [b][color=#ffffff]Run as Administrator[/color][/b]</p><p>[*]A black window should appear, type the following without the [b][color=#ffffff]<SPACE>[/color][/b] this indicates where there should be a space:</p><p></p><p>[b][font=-apple-system, BlinkMacSystemFont,][color=#ff3399]REG EXPORT[/color][color=#ffffff]<SPACE>[/color][color=#ffcc33]HIVE\KEY\SUBKEY[/color][color=#ffffff]<SPACE>[/color][color=#66cc33]C:\RegKeyBackup.reg</p><p>[/color][/font][/b]</p><p>[*]You should get a confirmation "[b][color=#ffffff]The Operation Completed Successfully[/color][/b]"</p><p>[/list][/code]</p><p></p><p><strong><span style="color: #33ccff">MANUALLY - SET SYSTEM RESTORE POINT</span></strong></p><p><strong><span style="color: #ff8000">System Restore Point</span></strong></p><p>We need a system restore point:</p><ol> <li data-xf-list-type="ol"><span style="color: #000000">From the <strong>Start menu</strong>, type create a restore point.</span></li> <li data-xf-list-type="ol"><span style="color: #000000">Select <strong>Create a restore point</strong> from the search results.</span></li> <li data-xf-list-type="ol"><span style="color: #000000">Choose <strong>Create</strong>, and then foll</span>ow the steps to create a restore point.</li> </ol><p>[code][b][color=#33ffff]System Restore Point[/color][/b]</p><p>We need a system restore point:</p><p></p><p>[list=1]</p><p>[*]From the [b][color=#ffffff]Start menu[/color][/b], type create a restore point.</p><p>[*]Select [b][color=#ffffff]Create a restore point[/color][/b] from the search results.</p><p>[*]Choose [b][color=#ffffff]Create[/color][/b], and then follow the steps to create a restore point.</p><p>[/list][/code]</p><p></p><p><span style="color: #33ccff"><strong>SOFTWARE - COMPLETE BACKUP</strong></span></p><p><strong><span style="color: #ff8000">Registry Backup</span></strong></p><p>Please download the Portable version of <a 
href="https://www.bleepingcomputer.com/download/registry-backup/" target="_blank"><strong><span style="color: #ffcc33">Registry Backup</span></strong></a> by Tweaking.com</p><p></p><p><strong><span style="color: #ff3366">NOTE: </span></strong>ensure you're using an administrator account, if you aren't or are unsure STOP NOW and notify me. [If you aren't the whole registry won't be backed up]</p><p></p><ul> <li data-xf-list-type="ul">Right click the zipped file and select Extract All.</li> <li data-xf-list-type="ul">Open the folder and double click TweakingRegistryBackup.</li> <li data-xf-list-type="ul">Select yes on the UAC window.</li> <li data-xf-list-type="ul">Click Backup Now.</li> <li data-xf-list-type="ul">Allow the program to run.</li> <li data-xf-list-type="ul">Click View Logs.</li> <li data-xf-list-type="ul">Open Log_backup.txt</li> <li data-xf-list-type="ul">Copy/paste the contents into your next reply.</li> </ul><p>[code]</p><p>[color=#33ffff][b]Registry Backup[/b]</p><p>[/color]Please download the Portable version of [url=https://www.bleepingcomputer.com/download/registry-backup/][b][color=#ffcc33]Registry Backup[/color][/b][/url] by Tweaking.com</p><p></p><p>[b][color=#ff3366]NOTE: [/color][/b]ensure you're using an administrator account, if you aren't or are unsure STOP NOW and notify me. 
[If you aren't the whole registry won't be backed up]</p><p>[list]</p><p>[*]Right click the zipped file and select Extract All.</p><p>[*]Open the folder and double click TweakingRegistryBackup.</p><p>[*]Select yes on the UAC window.</p><p>[*]Click Backup Now.</p><p>[*]Allow the program to run.</p><p>[*]Click View Logs.</p><p>[*]Open Log_backup.txt</p><p>[*]Copy/paste the contents into your next reply.</p><p>[/list][/code]</p><p></p><p><span style="color: #33ccff"><strong>OTHER SOFTWARE</strong></span></p><p>Trained helpers can use other tools to back up, modify or restore the registry:</p><ul> <li data-xf-list-type="ul">OTL.</li> <li data-xf-list-type="ul">Farbar Recovery Scan Tool.</li> <li data-xf-list-type="ul">Combofix</li> <li data-xf-list-type="ul">ERUNT in older versions of Windows</li> </ul><p><strong><span style="color: red">NOTE: DO NOT USE THESE TOOLS UNSUPERVISED</span></strong></p><p></p><p><span style="font-size: 26px"><span style="color: #0000b3"><strong>Restoring the Registry</strong></span></span></p><p><img src="https://i.imgur.com/89S7lr1.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p>Backing up the registry is oh-so-worth-it the moment you need to restore from a backup. 
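The REG EXPORT and REG IMPORT procedures above are the two halves of one habit: back up, change, verify, and roll back if the verification fails. The script below is an added example, not part of the original guide, that wires them together in PowerShell around the same reg.exe commands. It assumes reg.exe is on the PATH (it always is on Windows) and that you run elevated when the key is under HKLM; the key name, value name and backup folder are illustrative, and the function names are mine.

```powershell
# Added example, not part of the original guide: the "REG EXPORT" and "REG IMPORT"
# procedures above, wrapped so that a value is changed only after a backup of its key
# exists and the key is rolled back automatically if the change cannot be read back.
# Assumptions: reg.exe is on the PATH (it always is on Windows); run elevated when the
# key is under HKLM. The key, value and backup folder are illustrative.

$HiveNames = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKCU = 'HKEY_CURRENT_USER'; HKU = 'HKEY_USERS'
                HKCR = 'HKEY_CLASSES_ROOT';  HKCC = 'HKEY_CURRENT_CONFIG' }

function Get-ProviderPath {
    # 'HKLM\SOFTWARE\X' (reg.exe style) -> 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\X' (provider style)
    param([Parameter(Mandatory)][string] $Key)
    $hive, $rest = $Key -split '\\', 2
    $full = if ($HiveNames.ContainsKey($hive.ToUpper())) { $HiveNames[$hive.ToUpper()] } else { $hive }
    if ($rest) { return "Registry::$full\$rest" } else { return "Registry::$full" }
}

function Backup-RegistryKey {
    param([Parameter(Mandatory)][string] $Key,
          [string] $Folder = (Join-Path $env:USERPROFILE 'RegBackups'))
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # One file per key and timestamp, so a second run never overwrites the first backup.
    $file = Join-Path $Folder ('{0}_{1:yyyyMMdd_HHmmss}.reg' -f ($Key -replace '[\\:]', '_'), (Get-Date))
    & reg.exe export $Key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of $Key failed (exit code $LASTEXITCODE)" }
    return $file
}

function Restore-RegistryKey {
    param([Parameter(Mandatory)][string] $File)
    # 'reg import' merges: it re-creates the exported keys and values but deletes nothing
    # that was added after the export was taken.
    & reg.exe import $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import of $File failed (exit code $LASTEXITCODE)" }
}

function Set-RegistryValueSafely {
    param([Parameter(Mandatory)][string] $Key,
          [Parameter(Mandatory)][string] $Name,
          [Parameter(Mandatory)] $Value,
          [ValidateSet('String', 'DWord', 'QWord')] [string] $Type = 'String')

    $psPath  = Get-ProviderPath -Key $Key
    $existed = Test-Path -Path $psPath
    # A key that does not exist yet cannot be exported; the rollback for that case is deletion.
    $backup = if ($existed) { Backup-RegistryKey -Key $Key } else { $null }
    if ($backup) { Write-Host "Backup written to $backup" }

    try {
        if (-not $existed) { New-Item -Path $psPath -Force | Out-Null }
        New-ItemProperty -Path $psPath -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
        # Verify by reading the value back; any mismatch counts as failure.
        $readBack = (Get-ItemProperty -Path $psPath -Name $Name -ErrorAction Stop).$Name
        if ("$readBack" -ne "$Value") { throw "read-back mismatch: expected '$Value', got '$readBack'" }
        Write-Host "Set $Key\$Name = $Value ($Type)"
    } catch {
        Write-Warning "Change failed ($($_.Exception.Message)); rolling back"
        if ($backup) { Restore-RegistryKey -File $backup }
        else         { Remove-Item -Path $psPath -Recurse -Force }
        throw
    }
}

# Usage (hypothetical key and value; HKCU needs no elevation, so this runs as a normal user):
Set-RegistryValueSafely -Key 'HKCU\SOFTWARE\ExampleVendor\ExampleApp' -Name 'LogLevel' -Value 2 -Type DWord
```

The backup file is kept after success on purpose, matching the "DO NOT DELETE the .reg file" advice below; running `reg.exe import` on it by hand is the same rollback the script performs automatically.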
Restoring is <em>usually</em> quite simple.</p><p></p><p><strong><span style="color: #ffcc33"><span style="color: #33ccff">MANUALLY - FROM SELECT BACKUP</span></span></strong></p><p>If you manually exported a .reg file, you just need to find that .reg file and run it. Before double-clicking any .reg file, open it in Notepad and check that the paths in it are the ones you exported: running a .reg file merges whatever it contains into the registry, and the confirmation prompt shows only the file name, not what it will change.</p><p></p><p><strong><span style="color: #ff8000">Restoring Registry from Backup</span></strong></p><p>We need to restore some registry entries from our backup.</p><ul> <li data-xf-list-type="ul">Navigate to the location where you saved your backup .reg file and double click on it.<br /> <br /> A .reg file looks like this:<br /> <img src="https://i.imgur.com/WbQHAr0.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /> <br /> <br /> </li> <li data-xf-list-type="ul">Click yes when prompted by the UAC window.</li> <li data-xf-list-type="ul">Click yes when prompted by Windows.</li> <li data-xf-list-type="ul">Allow it to run.</li> </ul><p>Let me know how it goes; it's important that you DO NOT DELETE the .reg file until we are sure we have fixed the issue.</p><p></p><p>[code][b][color=#33ffff]Restoring Registry from Backup[/color][/b]</p><p>We need to restore some registry entries from our backup.</p><p>[list]</p><p>[*]Navigate to the location where you saved your backup .reg file and double click on it.</p><p></p><p>A .reg file looks like this:</p><p>[img=64x72]https://i.imgur.com/WbQHAr0.png[/img]</p><p></p><p>[*]Click [b][color=#ffffff]yes [/color][/b]when prompted by the UAC window.</p><p>[*]Click [b][color=#ffffff]yes [/color][/b]when prompted by Windows.</p><p>[*]Allow it to run.</p><p>[/list]Let me know how it goes; it's important that you [b][color=#ff3366]DO NOT DELETE[/color][/b] the .reg file until we are sure we have fixed the issue.[/code]</p><p></p><p><strong><span style="color: #ffcc33"><span style="color: #33ccff"><span style="color: #ffcc33"><span style="color: #33ccff">MANUALLY - USING COMMAND PROMPT</span></span></span></span></strong></p><p><span style="color: #000000">We need to restore from the 
backup we made:</span></p><ul> <li data-xf-list-type="ul"><span style="color: #000000">Click Start</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Type 'cmd'</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Right click Command Prompt and select Run as Administrator</span></li> <li data-xf-list-type="ul"><span style="color: #000000">A black window should appear, type the following without the <SPACE> this indicates where there should be a space:</span><br /> <br /> <span style="color: #ff3399"><strong>REG IMPORT</strong></span><strong><span style="color: #000000"><SPACE></span><span style="color: #66cc33">C:\RegKeyBackup.reg</span></strong></li> <li data-xf-list-type="ul">You should get a confirmation "<span style="color: #000000">The Operation Completed Successfully"</span></li> </ul><p>[code]We need to restore from the backup we made:</p><p>[list]</p><p>[*]Click [color=white]Start[/color]</p><p>[*]Type '[color=white]cmd[/color]'</p><p>[*]Right click Command Prompt and select [color=white]Run as Administrator[/color]</p><p>[*]A black window should appear, type the following without the [color=white]<SPACE>[/color] this indicates where there should be a space:</p><p></p><p>[color=#ff3399][b]REG IMPORT[/b][/color][b][color=#ffffff]<SPACE>[/color][color=#66cc33]C:\RegKeyBackup.reg[/color]</p><p>[/b]</p><p>[*]You should get a confirmation "[color=white]The Operation Completed Successfully[/color]"</p><p>[/list][/code]</p><p></p><p><strong><span style="color: #ffcc33"><span style="color: #33ccff">COMPLETE RESTORE - WINDOWS FUNCTIONALITY</span></span></strong></p><p><strong><span style="color: #ff8000">Roll Back with System Restore</span></strong></p><p>We need to do a roll back with System Restore.</p><ul> <li data-xf-list-type="ul">Clic<span style="color: #000000">k <strong>Start</strong></span></li> <li data-xf-list-type="ul"><span style="color: #000000">Type '<strong>System Restore</strong>'</span></li> <li 
data-xf-list-type="ul"><span style="color: #000000">Click '<strong>Create a System Restore Point</strong>' in the start menu.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">The System Properties box should open.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Under the System Protection tab click <strong>System Restore...</strong></span></li> <li data-xf-list-type="ul"><span style="color: #000000">The System Restore tool will open.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Select '<strong>Choose a Different Restore Point</strong>'</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Click <strong>Next</strong>.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Select a date when things were running fine (or at least better than now) on your machine.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Click <strong>Next</strong>.</span></li> <li data-xf-list-type="ul">Allow System Restore to run, following any prompts.</li> </ul><p>[code][b][color=#33ffff]Roll Back with System Restore[/color][/b]</p><p>We need to do a roll back with System Restore.</p><p>[list]</p><p>[*]Click [b][color=#ffffff]Start[/color][/b]</p><p>[*]Type '[b][color=#ffffff]System Restore[/color][/b]'</p><p>[*]Click '[b][color=#ffffff]Create a System Restore Point[/color][/b]' in the start menu.</p><p>[*]The System Properties box should open.</p><p>[*]Under the System Protection tab click [b][color=#ffffff]System Restore...[/color][/b]</p><p>[*]The System Restore tool will open.</p><p>[*]Select '[b][color=#ffffff]Choose a Different Restore Point[/color][/b]'</p><p>[*]Click [b][color=#ffffff]Next[/color][/b].</p><p>[*]Select a date when things were running fine (or at least better than now) on your machine.</p><p>[*]Click [b][color=#ffffff]Next[/color][/b].</p><p>[*]Allow System Restore to run, following any prompts.</p><p>[/list][/code]</p><p></p><p><span style="color: 
#33ffff"><strong><span style="color: #ffcc33"><span style="color: #33ccff">COMPLETE RESTORE - THIRD PARTY SOFTWARE</span></span></strong></span></p><p><strong><span style="color: #ff8000">Roll Back with Tweaking Registry Backup</span></strong></p><p>Launch TweakingRegistryBackup by Tweaking.com</p><p></p><p><strong><span style="color: #ff3366">NOTE: </span></strong>ensure yo<span style="color: #000000">u're using an administrator account, if you aren't or are unsure STOP NOW and notify me. [If you aren't the whole registry won't be backed up]</span></p><p><span style="color: #000000"></span></p><ul> <li data-xf-list-type="ul"><span style="color: #000000">Click the <strong>Restore Registry</strong> tab.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Click the down arrow next to '<strong>Select Backup To Restore</strong>' and select the backup we made previously.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Place a check next to '<strong>Restart/Shutdown System When Finished</strong>'</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Click <strong>Restore Now</strong></span></li> <li data-xf-list-type="ul"><span style="color: #000000">Allow the computer to reboot. </span></li> </ul><p></p><p>[code][b][color=#33ffff]Roll Back with Tweaking Registry Backup[/color][/b]</p><p>Launch TweakingRegistryBackup by Tweaking.com</p><p></p><p>[b][color=#ff3366]NOTE: [/color][/b]ensure you're using an administrator account, if you aren't or are unsure STOP NOW and notify me. 
[If you aren't the whole registry won't be backed up]</p><p></p><p>[list]</p><p>[*]Click the [b][color=#ffffff]Restore Registry[/color][/b] tab.</p><p>[*]Click the down arrow next to '[b][color=#ffffff]Select Backup To Restore[/color][/b]' and select the backup we made previously.</p><p>[*]Place a check next to '[b][color=#ffffff]Restart/Shutdown System When Finished[/color][/b]'</p><p>[*]Click [b][color=#ffffff]Restore Now[/color][/b]</p><p>[*]Allow the computer to reboot.</p><p>[/list]</p><p>[/code]</p><p></p><p><strong><span style="font-size: 26px"><span style="color: #0000b3">Modifying the Registry</span></span></strong></p><p>There are several ways to modify the registry; doing so brings together all of our previous knowledge.</p><p></p><p style="text-align: center"><strong><span style="font-size: 26px"><span style="color: rgb(179, 0, 89)">==============================================</span></span></strong></p> <p style="text-align: center"></p> <p style="text-align: center"><span style="color: rgb(148, 148, 148)"><span style="color: rgb(255, 51, 102)"><strong><span style="font-size: 26px">WARNING</span></strong></span></span></p> <p style="text-align: center"><span style="color: rgb(148, 148, 148)"><span style="color: rgb(255, 51, 102)"><strong>Given the purpose of the registry, modifications to it can have disastrous consequences. Tread lightly in the registry. 
</strong></span></span></p> <p style="text-align: center"><span style="color: rgb(148, 148, 148)"><span style="color: rgb(255, 51, 102)"><strong>Look but don't touch - unless you know what you're doing.</strong></span></span></p><p></p><p style="text-align: center"><strong><span style="color: rgb(179, 0, 89)"><span style="font-size: 26px">==============================================</span></span></strong></p><p><strong><span style="color: #ffffff">From Microsoft themselves:</span></strong></p><p></p><p></p><p><strong><span style="color: #33ccff">MANUALLY IN REGEDIT</span></strong></p><p>I do not encourage this.</p><p>Of course, you can go into the registry itself and make modifications. Modify values, delete things, add things, you name it; this is probably the simplest (yet most dangerous) way to do it.</p><ul> <li data-xf-list-type="ul">Click start</li> <li data-xf-list-type="ul">Type regedit</li> <li data-xf-list-type="ul">Click yes on the UAC window</li> <li data-xf-list-type="ul">Go through the registry and make modifications like you would to any file.</li> </ul><p><strong><span style="color: #33ccff">SCRIPTS: .reg FILES</span></strong></p><p><strong><span style="color: #ff8000">Creating a .reg File</span></strong></p><p>Creating .reg files is simple.</p><ul> <li data-xf-list-type="ul">O<span style="color: #000000">pen <strong>Notepad</strong></span></li> <li data-xf-list-type="ul"><span style="color: #000000">Type the desired script.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Click <strong>File</strong></span></li> <li data-xf-list-type="ul"><strong><span style="color: #000000">Save</span></strong></li> <li data-xf-list-type="ul"><span style="color: #000000">Name the file: <strong>RegistryFix.reg</strong></span></li> <li data-xf-list-type="ul"><span style="color: #000000">Under file type, select <strong>all types</strong>.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Click 
<strong>save</strong>.</span></li> </ul><p><strong><span style="color: #ff8000">Executing a .reg File</span></strong></p><ul> <li data-xf-list-type="ul">N<span style="color: #000000">avigate to the .reg file.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Double click it.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Click <strong>yes </strong>in the UAC window.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Click <strong>yes </strong>when prompted by regedit.</span></li> <li data-xf-list-type="ul"><span style="color: #000000">Allow the file to run.</span></li> </ul><p><strong><span style="color: #ff8000">Syntax of .reg Files</span></strong></p><p>A .reg file has the following syntax:</p><p></p><p></p><p></p><p>where:</p><p></p><p><strong><span style="color: #ff3366">RegistryEditorVersion</span></strong> is either "Windows Registry Editor Version 5.00" for Windows 2000, Windows XP, and Windows Server 2003, or "REGEDIT4" for Windows 98 and Windows NT 4.0. The "REGEDIT4" header also works on Windows 2000-based, Windows XP-based, and Windows Server 2003-based computers.</p><p></p><p><strong><span style="color: #ff9933">Blank line</span></strong> is a blank line. This identifies the start of a new registry path. Each key or subkey is a new registry path. If you have several keys in your .reg file, blank lines can help you to examine and to troubleshoot the contents.</p><p></p><p><strong><span style="color: #ffcc33">RegistryPathx</span></strong> is the path of the subkey that holds the first value you are importing. Enclose the path in square brackets, and separate each level of the hierarchy by a backslash. For example: <strong><span style="color: #ffffff">[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]</span></strong></p><p>A .reg file can contain several registry paths. If the bottom of the hierarchy in the path statement does not exist in the registry, a new subkey is created. 
The contents of the registry files are sent to the registry in the order you enter them. Therefore, if you want to create a new subkey with another subkey below it, you must enter the lines in the correct order.</p><p></p><p><strong><span style="color: #33cc33">DataItemNamex</span></strong> is the name of the data item that you want to import. If a data item in your file does not exist in the registry, the .reg file adds it (with the value of the data item). If a data item does exist, the value in your .reg file overwrites the existing value. Quotation marks enclose the name of the data item. An equal sign (=) immediately follows the name of the data item.</p><p></p><p><strong><span style="color: #33ccff">DataTypex</span></strong> is the data type for the registry value and immediately follows the equal sign. For all the data types other than REG_SZ (a string value), a colon immediately follows the data type. If the data type is REG_SZ, do not include the data type value or colon. In this case, Regedit.exe assumes REG_SZ for the data type. The following table lists the typical registry data types:</p><p><img src="https://image.prntscr.com/image/sl3TonquTXmFtTYDfQoDkg.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p>More info about registry data types: <a href="https://support.microsoft.com/en-us/help/256986" target="_blank">https://support.microsoft.com/en-us/help/256986</a></p><p></p><p><strong><span style="color: #9966ff">DataValuex</span></strong> immediately follows the colon (or the equal sign with REG_SZ) and must be in the appropriate format (for example, string or hexadecimal). Use hexadecimal format for binary data items.</p><p></p><p><strong><span style="color: #ff3366">NOTE:</span></strong> You can enter several data item lines for the same registry path. 
The registry file should contain a blank line at the bottom of the file.</p><p></p><p><strong><span style="color: #ff8000">Creating a .reg File</span></strong></p><p>Let's take a step back to basics; we'll worry about the correct syntax, spacing, punctuation etc. later. Let's just look at how to make a .reg file.</p><p></p><ol> <li data-xf-list-type="ol">Open Notepad.</li> <li data-xf-list-type="ol">Click File > Save</li> <li data-xf-list-type="ol">Save the file to the Desktop.</li> <li data-xf-list-type="ol">In the File Name field enter FILENAME<strong><span style="color: #ff3366">.reg</span></strong></li> <li data-xf-list-type="ol">In the Save as Type option select 'All Files'.</li> <li data-xf-list-type="ol">Hit save.</li> </ol><p>Done! There should be a .reg file named FILENAME with the .reg icon.</p><p></p><p><strong><span style="color: #ff8000">Formatting a .reg File</span></strong></p><p>When it comes to writing .reg files, there are a couple of rules we must follow.</p><p></p><ul> <li data-xf-list-type="ul"><strong><span style="color: #ff3366">RULE 1:</span></strong> the file should always start with the following line:<br /> <br /> <strong><span style="color: #ffffff">Windows Registry Editor Version 5.00</span></strong></li> <li data-xf-list-type="ul"><span style="color: #ff3366"><strong>RULE 2:</strong> </span>we must separate 'commands' relating to different keys/subkeys by a single blank line. 
This means:<br /> <br /> <img src="https://image.prntscr.com/image/P1GforohRlid-P66Kz0zVg.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></li> <li data-xf-list-type="ul">Explaining my point further:<br /> <br /> <img src="https://image.prntscr.com/image/6tiA9KlaSjel0lOjHAhs7Q.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /><br /> </li> <li data-xf-list-type="ul"><strong><span style="color: #ff3366">RULE 3: <u>NEVER</u></span></strong> modify a registry that hasn't been backed up!</li> </ul><p>When it comes to the general format of a .reg file, it follows a registry backup as I described earlier.</p><p><span style="color: #cc66ff"><strong>[REGISTRYHIVE\KEY\SUBKEY\SUBSUBKEY]</strong></span></p><p><strong><span style="color: #cc66ff">"VALUE"="Some Data Here"</span></strong></p><p></p><p>What we want to do determines how we structure the lines above. The specific <em>syntax</em> depends on which of the following we want to do:</p><ol> <li data-xf-list-type="ol">Delete a Key/Subkey</li> <li data-xf-list-type="ol">Delete a Value</li> <li data-xf-list-type="ol">Add a value with specific data.</li> <li data-xf-list-type="ol">Add a key/subkey</li> <li data-xf-list-type="ol">Modify the DATA of a Value.</li> </ol><p>Let's work through each one. I'm going to use a single example, exported from my own registry, for each of these.</p><p></p><p>Let's work with this:</p><p><strong><span style="color: #cc66ff">[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]</span></strong></p><p><strong><span style="color: #cc66ff">"ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"</span></strong></p><p></p><p><strong><span style="color: #ff8000">Delete a Key/Subkey</span></strong></p><p>Hopefully by now you can identify the key/subkey (and hive, value and data for that matter!) in this line. If not, give it a go. 
I'll put the answer in a spoiler below.</p><p></p><p>[spoiler=ANSWER]</p><p><strong>HIVE:</strong> HKEY_LOCAL_MACHINE</p><p><strong>KEY:</strong> SOFTWARE</p><p><strong>SUBKEY:</strong> Google</p><p><strong>VALUE:</strong> ExampleString</p><p><strong>DATA:</strong> C:\\ProgramFiles\\Google\\Chrome\\Example.exe[/spoiler]</p><p></p><p>The syntax for deleting a key/subkey is pretty simple: just a<span style="color: #000000">dd a minus ( <strong><span style="font-size: 26px">- </span></strong>) sy</span>mbol before the path you want to delete.</p><p></p><p>Let's delete the Chrome subkey:</p><p>[code][-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome][/code]</p><p></p><p>Now, let's delete the Google subkey:</p><p>[code][-HKEY_LOCAL_MACHINE\SOFTWARE\Google][/code]</p><p></p><p><strong><span style="color: #ff3366">NOTE:</span></strong> removing the Google subkey will remove all subkeys below it! (I don't know if I have to say this, but I will). Just like if you deleted the Program Files folder all the folders below would get deleted!</p><p>Simple, right?</p><p></p><p>So, if we wanted to make a .reg file to remove the Google subkey, the whole file would read:</p><p></p><p>[code]Windows Registry Editor Version 5.00</p><p></p><p>[-HKEY_LOCAL_MACHINE\SOFTWARE\Google][/code]</p><p></p><p>We would then:</p><ul> <li data-xf-list-type="ul">Click File > Save</li> <li data-xf-list-type="ul">Rename the file to FILENAME<strong><span style="color: #ff3366">.reg</span></strong></li> <li data-xf-list-type="ul">Change the 'Save as Type' to 'All Files'</li> <li data-xf-list-type="ul">Ensure you save the file on your Desktop.</li> <li data-xf-list-type="ul">Click Save.</li> </ul><p>We can then go to the saved file, double click it to execute it (clicking yes to the prompts). Let's move on.</p><p></p><p><strong><span style="color: #ff8000">Delete a Value</span></strong></p><p>Remember the structure of our export and where the values are in it? 
Let me remind you:</p><p><strong><span style="color: #000000">[REGISTRYHIVE\KEY\SUBKEY\SUBSUBKEY]</span></strong></p><p><strong><span style="color: #000000">"VALUE"="Some Data Here"</span></strong></p><p><span style="color: #000000"></span></p><p><span style="color: #000000">This means our format in our .reg file has to be a little different (yet still simple). To delete a value we add a minus </span>( <strong><span style="font-size: 26px">-</span></strong> )<span style="color: #000000"> after the = sign</span> that immediately follows the " from the value ("VALUE"<strong><span style="color: #ffffff">=</span></strong>).</p><p></p><p>Here's our example:</p><p><strong><span style="color: #cc66ff">[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]</span></strong></p><p><strong><span style="color: #cc66ff">"ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"</span></strong></p><p></p><p>Let's remove the value "ExampleString" from the Chrome subkey.</p><p></p><p>[code][HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]</p><p>"ExampleString"=-[/code]</p><p></p><p>So, if we wanted to make a .reg file to remove the ExampleString value, the whole file would read:</p><p></p><p>[code]Windows Registry Editor Version 5.00</p><p></p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]</p><p>"ExampleString"=-[/code]</p><p></p><p><strong><span style="color: #ff8000">Add a value with specific data.</span></strong></p><p>This one may be a bit trickier, but I can't see a reason why you might do this. When you restore from a backup, this is what you are inadvertently doing. To do this, you must know the correct data that is assigned to that value. To create this script, we just mirror our export from the registry. 
When we have specific values listed, the .reg file will create the key/subkey if it does not exist already.</p><p></p><p>[code][HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]</p><p>"ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"[/code]</p><p></p><p>So, if we wanted to make a .reg file to add the ExampleString value, the whole file would read:</p><p></p><p>[code]Windows Registry Editor Version 5.00</p><p></p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]</p><p>"ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"[/code]</p><p></p><p><strong><span style="color: #ff8000">Add a Key/Subkey</span></strong></p><p>I can't see why you would do this alone for any good reason; if you are creating keys/subkeys you more than likely should have values within them.</p><p> </p><p>Regardless, this would be the script:</p><p><img src="https://image.prntscr.com/image/ltoGZvXBTGywx29G9nVMyQ.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p><strong><span style="color: #ff8000"></span></strong></p><p><strong><span style="color: #ff8000">Modify the DATA of a Value</span></strong></p><p>This is the more fun/thinking part: I'm going to show you how to modify the data of a value. This method is often what malware will use to disable certain features (particularly security features) on a user's system. How we modify the data particularly relates to the type of data that is stored in the value.</p><p> </p><ul> <li data-xf-list-type="ul">Is it a string?</li> <li data-xf-list-type="ul">Is it a binary value?</li> <li data-xf-list-type="ul">Is it a DWORD value? etc</li> </ul><p>Regardless, the structure of your script is essentially the same. 
Let's take our example again...</p><p></p><p><img src="https://i.imgur.com/rZWBUlm.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p> </p><p>Let's change the string associated with ExampleString to the path C:\Windows\Example.exe. The trick here is to remember the "" and to use a double backslash (\\) where you would usually put one.</p><p> </p><p><img src="https://image.prntscr.com/image/ekHep6GxQJCcWX-u7vIM0A.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>Another example, this time of a DWORD (Hexadecimal Base). I just quickly exported this from a random part of my registry:</p><p> </p><p><img src="https://image.prntscr.com/image/yaFT6r7KQxuwoJmDMCpS8g.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>In a DWORD you get a string of numbers: 00000000 or 00000001 or 00040000 etc. Each number represents a different state for the value. Simply put (and what I'm most commonly involved in): 1 = enabled, 0 = disabled.</p><p> </p><p>So in this entry:</p><p></p><p></p><p></p><p> </p><p>The value authenticodeenabled is disabled (I know this by dword:0000000<strong><span style="color: #ff99ff">0</span></strong>)</p><p>If authenticodeenabled was enabled it would be dword:0000000<strong><span style="color: #ff99ff">1</span></strong></p><p> </p><p>This is applicable particularly when malware has disabled the ability to access regedit. In the example below, DisableRegistryTools is enabled.</p><p> </p><p></p><p></p><p></p><p> </p><p>We, however, are able to construct a .reg file to disable "DisableRegistryTools". 
It is as follows:</p><p> </p><p><img src="https://i.imgur.com/ytz1ejp.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>You can also find entries like this for:</p><ul> <li data-xf-list-type="ul">Task manager</li> <li data-xf-list-type="ul">Command Prompt</li> <li data-xf-list-type="ul">Config</li> <li data-xf-list-type="ul">System Restore</li> <li data-xf-list-type="ul">The list continues...</li> </ul><p>This will cover most modifications you might ever want to do in the registry using a .reg file.</p><p></p><p></p><p><span style="color: #949494"><strong><span style="color: #33ccff">COMMAND PROMPT (CMD) [.bat (BATCH) Files]</span></strong></span></p><p>For those new to the game, batch files are just scripted command prompt commands that you can double click and execute (like .reg files kinda - but more versatile). I'm going to go over the commands you will type into command prompt; I will then show you how to adapt these to a simple .bat file.</p><p></p><p>Reference: <a href="https://www.windowscentral.com/how-edit-registry-using-command-prompt-windows-10" target="_blank">How to edit the Registry using Command Prompt on Windows 10</a></p><p></p><p><strong><span style="color: #ff8000">How to Open Command Prompt</span></strong></p><p>To open command prompt:</p><ul> <li data-xf-list-type="ul">Click Start</li> <li data-xf-list-type="ul">Search Command Prompt</li> <li data-xf-list-type="ul">Right Click and click Run as Administrator</li> </ul><p><strong><span style="color: #ff8000">Commands</span></strong></p><p>In command prompt (CMD) you can type <strong>reg /? 
</strong>to bring up a list of available commands.</p><p>These include:</p><ul> <li data-xf-list-type="ul">REG Query</li> <li data-xf-list-type="ul">REG Add</li> <li data-xf-list-type="ul">REG Delete</li> <li data-xf-list-type="ul">REG Copy</li> <li data-xf-list-type="ul">REG Save</li> <li data-xf-list-type="ul">REG Load</li> <li data-xf-list-type="ul">REG Unload</li> <li data-xf-list-type="ul">REG Restore</li> <li data-xf-list-type="ul">REG Compare</li> <li data-xf-list-type="ul">REG Export</li> <li data-xf-list-type="ul">REG Import</li> <li data-xf-list-type="ul">REG Flags</li> </ul><p><img src="https://i.imgur.com/tOaA7QG.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /> </p><p></p><p>CMD Syntax</p><ul> <li data-xf-list-type="ul">ADD: REG ADD KeyName [{/v ValueName | /ve}] [/t Type] [/f]</li> <li data-xf-list-type="ul">Delete: REG DELETE KeyName [{/v ValueName | /ve | /va}] [/f]</li> </ul><p>Command Description</p><ul> <li data-xf-list-type="ul">KeyName: Defines the path to the subkey or entry. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to edit the registry on a remote computer, you can only use these shortcuts: HKLM and HKU.</li> <li data-xf-list-type="ul">/v ValueName: Specifies the name for the registry key to be added or deleted.</li> <li data-xf-list-type="ul">/ve: Defines if you're adding or deleting an entry that has a null value.</li> <li data-xf-list-type="ul">/t Type: Specifies the type of registry entries. 
Here's the list of valid types:<ul> <li data-xf-list-type="ul">REG_SZ</li> <li data-xf-list-type="ul">REG_MULTI_SZ</li> <li data-xf-list-type="ul">REG_DWORD_BIG_ENDIAN</li> <li data-xf-list-type="ul">REG_DWORD</li> <li data-xf-list-type="ul">REG_BINARY</li> <li data-xf-list-type="ul">REG_DWORD_LITTLE_ENDIAN</li> <li data-xf-list-type="ul">REG_LINK</li> <li data-xf-list-type="ul">REG_FULL_RESOURCE_DESCRIPTOR</li> <li data-xf-list-type="ul">REG_EXPAND_SZ</li> </ul></li> <li data-xf-list-type="ul">/f: Adds or deletes registry content without prompting for confirmation.</li> <li data-xf-list-type="ul">/s Separator: Defines the character you use to separate multiple instances of data when the REG_MULTI_SZ data type is specified and you need to add more than one entry. The default separator is \0 if it is not specified.</li> <li data-xf-list-type="ul">/d Data: Specifies the data for the new entry in the registry.</li> </ul><p>REG ADD</p><p>To add a subkey named MySubkey under HKEY_LOCAL_MACHINE\Software, use the following example:</p><p></p><p>REG ADD HKLM\Software\MySubkey</p><p></p><p>To add a new DWORD (32-bit) value entry named AppInfo with the value of 1, use the following example:</p><p></p><p></p><p></p><p>To add a new Binary Value entry named Data with data of fe340ead, use the following example:</p><p></p><p></p><p></p><p>To add a registry entry with multiple values to MySubkey with a value name of MRU of type REG_MULTI_SZ and data of fax\0mail\2\1, use the following example:</p><p></p><p></p><p></p><p>REG DELETE</p><p>To delete the subkey named MySubkey, use the following example:</p><p></p><p></p><p></p><p>To delete the registry entry named AppInfo within the MySubkey subkey, use the following example:</p><p></p><p></p><p></p><p>To delete all the registry entries from the MySubkey subkey, use the following example:</p><p></p><p></p><p></p><p>REG COPY</p><p>Syntax:</p><p>REG COPY KeyName1 KeyName2 [/s] [/f]</p><p></p><ul> <li data-xf-list-type="ul">KeyName1: 
Defines the path to the subkey you want to copy. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to copy the registry on a remote computer, you can only use these shortcuts: HKLM and HKU.</li> <li data-xf-list-type="ul">KeyName2: Defines the path to the subkey destination. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to copy the registry on a remote computer, you can only use these shortcuts: HKLM and HKU.</li> <li data-xf-list-type="ul">/s: Copies all subkeys and entries of a particular subkey.</li> <li data-xf-list-type="ul">/f: Executes the copy command without prompting for confirmation.</li> </ul><p>To copy all subkeys and values under the key MySubkey1 to the key MySubkey2, use the following example:</p><p></p><p></p><p></p><p>Create .bat (batch) File</p><p>We need to create a batch file to run some commands.</p><ul> <li data-xf-list-type="ul">Open Notepad.</li> <li data-xf-list-type="ul">Copy/Paste the following code into Notepad:<br /> <br /> @echo off<br /> <br /> CODE</li> <li data-xf-list-type="ul">Click Save</li> <li data-xf-list-type="ul">Name the file Fix.bat</li> <li data-xf-list-type="ul">Under Save as Type select All Files</li> <li data-xf-list-type="ul">Save the batch file to your desktop; it will look like this:<br /> <br /> <img src="https://image.prntscr.com/image/2s1dEc1NSZ_Xq8EUAvjyDg.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></li> <li data-xf-list-type="ul">Navigate to the file and Right Click then Run as Administrator</li> <li data-xf-list-type="ul">Allow it to run.</li> </ul><p>[code][b][color=#33ffff]Create .bat (batch) File[/color][/b]</p><p>We need to create a batch file to run some commands.</p><p>[list]</p><p>[*]Open Notepad.</p><p>[*]Copy/Paste the following code into Notepad:</p><p></p><p>[quote]@echo off</p><p></p><p>CODE[/quote]</p><p></p><p></p><p>[*]Click Save</p><p>[*]Name the file 
Fix[b][color=#ff3366].bat[/color][/b]</p><p>[*]Under Save as Type select All Files</p><p>[*]Save the batch file to your desktop, it will look like this:</p><p></p><p>[img=64x53]https://image.prntscr.com/image/2s1dEc1NSZ_Xq8EUAvjyDg.png[/img]</p><p></p><p></p><p>[*]Navigate to the file and Right Click then Run as Administrator</p><p>[*]Allow it to run.</p><p>[/list][/code]</p><p></p><p><strong><span style="font-size: 26px"><span style="color: #0000b3">Conclusion</span></span></strong></p><p>Hopefully you found this guide somewhat helpful. I've linked a bunch of websites that were the inspiration for this thread. Please leave all comments, suggestions and possible improvements as a reply rather than PMing me so the community can benefit! And please tell me:</p><ul> <li data-xf-list-type="ul">Was this thread helpful?</li> <li data-xf-list-type="ul">Was it easy to follow?</li> <li data-xf-list-type="ul">What would you like to hear from me next?<br /> </li> </ul><p>All the best.</p><p></p><p><strong><span style="color: #ff8000">References</span></strong></p><p>Registry Value Types: <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx" target="_blank">https://msdn.microsoft.com/en-us/library...s.85).aspx</a></p><p>Computer Hope Registry Talk: <a href="https://www.computerhope.com/jargon/r/registry.htm" target="_blank">What is the Windows Registry?</a></p><p>Inspiration for this thread: <a href="https://www.bleepingcomputer.com/tutorials/demystifying-the-windows-registry/" target="_blank">https://www.bleepingcomputer.com/tutoria...-registry/</a></p><p>Starting Point: <a href="https://en.wikipedia.org/wiki/Windows_Registry" target="_blank">Windows Registry - Wikipedia</a></p><p>Microsoft Library on the Registry: <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms724871(v=vs.85).aspx" target="_blank">https://msdn.microsoft.com/en-us/library...s.85).aspx</a></p><p>CMD: <a 
href="https://www.windowscentral.com/how-edit-registry-using-command-prompt-windows-10" target="_blank">How to edit the Registry using Command Prompt on Windows 10</a></p></blockquote><p></p>
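<p>As an added example covering both the .reg file syntax section and the DWORD / DisableRegistryTools discussion in the post above (this is not code from the original post): a small Python parser that reads a .reg file, records what each line would add or delete, classifies DWORD policy values with the guide's 1 = enabled / 0 = disabled rule, and renders each change as the equivalent reg.exe command from the CMD section. The .reg text in SAMPLE is constructed; the HKCU Policies\System path used for DisableRegistryTools is the standard per-user policy location, and data types other than REG_SZ, dword and plain hex are rejected rather than guessed.</p>

```python
"""Parse the .reg syntax explained above and show the reg.exe commands it maps to.
Added example, not code from the original post; the sample .reg text is constructed."""
import re
from dataclasses import dataclass
from typing import Optional
HIVE_SHORT = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR",
              "HKEY_USERS": "HKU", "HKEY_CURRENT_CONFIG": "HKCC"}

@dataclass
class RegEntry:
    key: str
    name: Optional[str] = None   # None = the key itself, "@" = the (Default) value
    action: str = "add"          # "add" or "delete"
    vtype: Optional[str] = None  # REG_SZ, REG_DWORD or REG_BINARY
    data: object = None

def _join_continuations(lines):
    """regedit wraps long hex: data with a trailing backslash; rejoin those lines."""
    out, buf = [], ""
    for s in (line.strip() for line in lines):
        if s.endswith(",\\"):
            buf += s[:-1]
        else:
            out.append(buf + s)
            buf = ""
    return out

def _parse_data(raw):
    raw = raw.strip()
    if raw == "-":                                   # "Name"=-  deletes the value
        return "delete", None, None
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':   # REG_SZ; \\ and \" are escapes
        return "add", "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):                     # eight hex digits, e.g. dword:00000001
        return "add", "REG_DWORD", int(raw[6:], 16)
    if raw.startswith("hex:"):                       # comma-separated bytes, e.g. hex:fe,34,0e,ad
        return "add", "REG_BINARY", bytes.fromhex(raw[4:].replace(",", ""))
    raise ValueError(f"unsupported data (hex(2), hex(7) etc. not handled here): {raw!r}")

def parse_reg(text):
    lines = _join_continuations(text.lstrip("\ufeff").splitlines())
    if not lines or lines[0] not in ("Windows Registry Editor Version 5.00", "REGEDIT4"):
        raise ValueError("missing RegistryEditorVersion header")
    entries, key = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):   # blank line = a new path follows; ';' = comment
            continue
        m = re.fullmatch(r"\[(-?)(.+)\]", line)
        if m:                                  # [-Path] deletes the key and every subkey below it
            key = None if m.group(1) else m.group(2)
            entries.append(RegEntry(m.group(2), action="delete" if m.group(1) else "add"))
            continue
        if key is None:
            raise ValueError(f"value line outside a key: {line!r}")
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")\s*=\s*(.+)', line)
        if not m:
            raise ValueError(f"malformed value line: {line!r}")
        name = "@" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
        entries.append(RegEntry(key, name, *_parse_data(m.group(2))))
    return entries

def dword_state(e):
    """The guide's rule of thumb for policy DWORDs: 1 = enabled, 0 = disabled."""
    if e.vtype != "REG_DWORD":
        raise ValueError(f"{e.name} is {e.vtype}, not REG_DWORD")
    return {0: "disabled", 1: "enabled"}.get(e.data, f"other (0x{e.data:08x})")

def to_reg_commands(entries):
    """Render each entry in the reg.exe command form used in the CMD section of the guide."""
    cmds = []
    for e in entries:
        hive, sep, rest = e.key.partition("\\")
        key = f'"{HIVE_SHORT.get(hive, hive)}{sep}{rest}"'
        value = "/ve" if e.name == "@" else f'/v "{e.name}"'
        if e.action == "delete":
            cmds.append(f"REG DELETE {key} /f" if e.name is None else f"REG DELETE {key} {value} /f")
        elif e.name is None:
            cmds.append(f"REG ADD {key}")
        else:
            data = (str(e.data) if e.vtype == "REG_DWORD"        # reg.exe takes decimal DWORDs
                    else e.data.hex() if e.vtype == "REG_BINARY"  # and bare hex bytes
                    else f'"{e.data}"')
            cmds.append(f"REG ADD {key} {value} /t {e.vtype} /d {data} /f")
    return cmds

# Constructed sample: re-enable regedit (the DisableRegistryTools case), edit the example key, drop an old one.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
@="Chrome"
"ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"
"Data"=hex:fe,34,0e,ad
"OldValue"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Old]
"""
```

Calling parse_reg(SAMPLE) lists what the file would do before you double-click it, and to_reg_commands(...) gives the same changes in reg.exe form for a .bat file.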
[QUOTE="TheAvatar, post: 700378, member: 68707"] [CENTER][COLOR=#949494][B][COLOR=#33ccff][IMG]https://i.imgur.com/SKffq1w.png[/IMG] [/COLOR][/B][/COLOR] [I]Presents...[/I] [B][FONT=Verdana][SIZE=7][COLOR=#a64dff]Discover the Windows Registry[/COLOR][/SIZE][/FONT][/B][/CENTER] [B][SIZE=7][COLOR=#00b359]Overview[/COLOR][/SIZE][/B] This guide will take you through some of the fundamentals of the Windows Registry. Topics to be discussed are: [LIST] [*]What the registry is and it's function. [*]The structure of the registry. [*]How to backup the registry. [*]How to restore the registry. [*]How to modify the registry. [/LIST] [B][SIZE=7][COLOR=#00b359]Introduction[/COLOR][/SIZE][/B] I have a passion for helping people with my skills and knowledge, malware removal and tech support is just another way I can do this. Hopefully you take something from this thread, it may be completely irrelevant to most members but this is great for those wanting to learn more about the Windows OS. [B][SIZE=7][COLOR=#0000b3]What is the Registry?[/COLOR][/SIZE][/B] The Windows Registry (or Registry) is a database sorted in a hierarchy that stores the settings and information related to software, user preferences, hardware, windows settings and much more. An example of this is when a new program is installed, a new set of registry entries are created (most of the time - some software use XML, some software are 'portable') which act as a set of instructions for the specific program and any other software or feature that interacts with it. We can liken the registry as DNA within a cell. It's the core that influences the overall function. Application settings used to be stored in text-based configuration files (and with some applications, still are), with a separate file for every application. 
The Windows Registry is meant to solve that problem by providing a single place for all settings across all applications.In addition to consolidating system settings, storing all of these settings in a single place and in a database format means that accessing values in the registry is much faster than parsing a text configuration file — so the registry can be used for more than just settings. In fact, most or all of the registry is read into memory each time the system boots, so accessing the registry is nearly instant. [B][COLOR=#ff8000]Welcome to the windows registry:[/COLOR][/B] [IMG]https://i.imgur.com/FxMS86S.png[/IMG] [CENTER][B][SIZE=7][COLOR=#b30059]==============================================[/COLOR][/SIZE][/B] [COLOR=#949494][COLOR=#ff3366][B][SIZE=7]WARNING[/SIZE][/B][/COLOR][/COLOR] [COLOR=#949494][COLOR=#ff3366][B]Given the purpose of the registry, modifications to it can have disastrous consequences. Tread lightly in the registry. [/B][/COLOR][/COLOR] [COLOR=#949494][COLOR=#ff3366][B]Look but don't touch - unless you know what you're doing.[/B][/COLOR][/COLOR][/CENTER] [CENTER][B][COLOR=#b30059][SIZE=7]==============================================[/SIZE][/COLOR][/B][/CENTER] [B][COLOR=#ff8000]How do we Access the Registry?[/COLOR][/B] To view the registry do the following: [LIST] [*]Cl[COLOR=#000000]ick [B]start[/B].[/COLOR] [*][COLOR=#000000]Type [B]regedit[/B].[/COLOR] [*][COLOR=#000000]Click [B]Yes [/B]when prompted by UAC.[/COLOR] [/LIST] [COLOR=#000000]Alternatively:[/COLOR] [LIST] [*][COLOR=#000000]On your keyboard hit the [B]Windows Key[/B] and [B]R [/B]at the same time.[/COLOR] [*][COLOR=#000000]Type [B]regedit[/B][/COLOR] [*][COLOR=#000000]Hit [B]enter[/B][/COLOR] [/LIST] [B][COLOR=#ff8000]How is the Registry Structured?[/COLOR][/B] [The data in the registry is structured in a tree format. Each node in the tree is called a key. Each key can contain both [I]subkeys [/I]and data entries called [I]values[/I]. 
Sometimes, the presence of a key is all the data that an application requires; other times, an application opens a key and uses the values associated with the key. A key can have any number of values, and the values can be in any form. [IMG]https://i.imgur.com/vq1r3Kg.png?1[/IMG] [B][COLOR=#ff0080]Hives[/COLOR][/B] In the registry instead of drives, we have hives. Hives are the top of the hierarchy, the trunk of the tree, with each hive containing a certain information related to a certain category.[/align] These hives are: [LIST] [*][B][COLOR=#ff3366]HKEY_CLASSES_ROOT (HKCR)[/COLOR][/B] Describes file type, file extension, and OLE information. [*][B][COLOR=#ff3366]HKEY_CURRENT_USER (HKCU)[/COLOR][/B] Contains user who is currently logged into Windows and their settings. [*][B][COLOR=#ff3366]HKEY_LOCAL_MACHINE (HKLM)[/COLOR][/B] Contains computer-specific information about the hardware installed, software settings, and other information. The information is used for all users who log on to that computer and is one of the more commonly accessed areas in the registry. [*][B][COLOR=#ff3366]HKEY_USERS (HKU)[/COLOR][/B] Contains information about all the users who log on to the computer, including both generic and user-specific information. [*][B][COLOR=#ff3366]HKEY_CURRENT_CONFIG (HKCC)[/COLOR][/B] The details about the current configuration of hardware attached to the computer. [*][B]HKEY_DYN_DATA (HKDD)[/B] - Windows 95, 98, NT [/LIST] [B][COLOR=#ff9933]Keys[/COLOR][/B] Keys are the those first large branches emerging from the trunk, they act as a further organisational unit within the registry. Within these keys we can find either subkeys or values, depending on the entry. In-order for any software to make an addition to the registry, it must generate one of these keys (or subkeys). The key selected in the example above is 'SOFTWARE', but SECURITY, HARDWARE, SAM etc are also keys. [B][COLOR=#33cc33]SubKeys[/COLOR][/B] These are just keys, within keys. 
Like you would call a folder within a folder a 'subfolder', these are the smaller branches off those main large branches on a tree. [B][COLOR=#33ccff]Values[/COLOR][/B] Values are stored within keys, these could be compared to leaves on a tree. Within the registry, these values come in a variety of types with the most common being strings, binaries and DWORD values. These values are the data within the keys that are influencing whatever part of the system they are associated to. [/align] ComputerHope has summarised the values nicely in this table: [IMG]https://i.imgur.com/C7hcH4J.png[/IMG] [B]Reference:[/B] [URL="https://www.computerhope.com/jargon/r/registry.htm"]What is the Windows Registry?[/URL] [B][COLOR=#9966ff]Data[/COLOR][/B] Values contain data, this data comes in the form of the types in the table above. You can see in the screen shot of regedit that each value has a 'type' and their 'data' that varies according to their type. Microsoft have elaborated further on the type of data that is associated with values here: [URL="https://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx"]Registry Value Types (Windows)[/URL] This data could range from simply either a 0 or a 1, or a hexidecimal code like 2c. [B][COLOR=#000000] [I]Simplifying all of this...[/I][/COLOR][/B] The layout of the registry can be compared to that of file explorer. Understanding file explorer can help you understand the structure of the registry. Let's take a look at the structure of file explorer: [COLOR=#ffcc33][COLOR=#333333][IMG]https://image.prntscr.com/image/zrwaly55Rp2VeJno9K32XA.png[/IMG][/COLOR][/COLOR] The file path is C:\Windows\System32\aswBoot.exe and the files properties contain it's relevant data. Let's go ahead and deconstruct this information. 
[B][COLOR=#ff3366]C:[/COLOR][/B]\[B][COLOR=#ff9933]Windows[/COLOR][/B]\[B][COLOR=#33cc33]System32[/COLOR][/B]\[B][COLOR=#33ccff]aswBoot.exe[/COLOR] <-- [COLOR=#9966ff]Data associated with aswBoot.exe shown in the properties window[/COLOR][/B]

Here we have:
[LIST]
[*][B][COLOR=#ff3366]The drive (C:)[/COLOR][/B]
[*][B][COLOR=#ff9933]The folder (Windows)[/COLOR][/B]
[*][B][COLOR=#33cc33]The subfolder (System32)[/COLOR][/B]
[*][B][COLOR=#33ccff]The file (aswBoot.exe)[/COLOR][/B]
[*][B][COLOR=#9966ff]The data contained in the file (the data shown in the properties window)[/COLOR][/B]
[/LIST]

Notice this is structured in a hierarchy, much like the registry is here:
[IMG]https://i.imgur.com/vq1r3Kg.png?1[/IMG]

The data I get when I export the InstallPath value is as follows:

[B][COLOR=#ff3366]HKEY_LOCAL_MACHINE[/COLOR][/B]\[B][COLOR=#ff9933]SOFTWARE[/COLOR][/B]\[B][COLOR=#33cc33]Adobe[/COLOR][/B]\Adobe Bridge\CS6\Installer
[B][COLOR=#33ccff]InstallPath[/COLOR][/B]="[B][COLOR=#9966ff]C:\Program Files\Adobe\Adobe Bridge CS6 (64 Bit)[/COLOR][/B]"

This registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe Bridge\CS6\Installer. We have:
[LIST]
[*][B][COLOR=#ff3366]The hive (HKLM)[/COLOR][/B]
[*][B][COLOR=#ff9933]The key (SOFTWARE)[/COLOR][/B]
[*][B][COLOR=#33cc33]The subkey (Adobe)[/COLOR][/B]
[*][B][COLOR=#33ccff]The value (InstallPath)[/COLOR][/B]
[*][B][COLOR=#9966ff]The data (C:\Program Files\Adobe\Adobe Bridge CS6 (64 Bit))[/COLOR][/B]
[/LIST]

[COLOR=#ffffff][B][I][SIZE=large]Even MORE simply...[/SIZE][/I][/B][/COLOR]
[IMG]https://i.imgur.com/aLV5507.jpg[/IMG]

[B][SIZE=7][COLOR=#0000b3]Backing up the Registry[/COLOR][/SIZE][/B]
Prior to any modification of the registry it is essential that you make some form of backup, whether manually, as a new restore point or using software. This will be the only thing that helps you if an error is made while modifying the registry.
[B][COLOR=#33ccff]MANUALLY - COMPLETE BACKUP[/COLOR][/B]

[B][COLOR=#ff8000]Backup Your Registry Manually[/COLOR][/B]
We need to back up your registry manually.
[B][COLOR=#ff3366]WARNING: entering the registry is dangerous, only perform the following instructions precisely.[/COLOR][/B]
[LIST]
[*]Click Start
[*]Type regedit
[*]Click yes on the UAC form.
[*]Select Computer, so it is highlighted and the bar below 'File' reads 'Computer' ONLY (no \ HKEY)
[IMG]https://i.imgur.com/ocHXprY.png[/IMG]
[*]Click File
[*]Click Export
[*]Name the file 'RegistryBackup'
[*]Ensure the 'Save as Type' is 'Registration Files (*.reg)'
[*]Click 'Save'
[*]Allow Registry Editor to run and make the backup; it may take a minute or two.
[/LIST]
[CODE][b][color=orange]Backup Your Registry Manually[/color][/b]
We need to back up your registry manually.
[b][color=#ff3366]WARNING: entering the registry is dangerous, only perform the following instructions precisely.[/color][/b]
[list]
[*]Click Start
[*]Type regedit
[*]Click yes on the UAC form.
[*]Select Computer, so it is highlighted and the bar below 'File' reads 'Computer' ONLY (no \ HKEY)
[img]https://i.imgur.com/ocHXprY.png[/img]
[*]Click File
[*]Click Export
[*]Name the file 'RegistryBackup'
[*]Ensure the 'Save as Type' is 'Registration Files (*.reg)'
[*]Click 'Save'
[*]Allow Registry Editor to run and make the backup; it may take a minute or two.
[/list][/CODE]

[B][COLOR=#33ccff]MANUALLY - SELECT BACKUP[/COLOR][/B]

[B][COLOR=#ff8000]Backup Your Registry Manually[/COLOR][/B]
We need to back up part of your registry manually.
[B][COLOR=#ff3366]WARNING: entering the registry is dangerous, only perform the following instructions precisely.[/COLOR][/B]
[LIST]
[*]Click Start
[*]Type regedit
[*]Click yes on the UAC form.
[*]Navigate to: INSERT HIVE/KEY/SUBKEY value here.
[*]Ensure the 'key' (the subfolder-like entry) is highlighted, like Computer is in the image below.
[*]Ensure the bar below 'File', 'Edit' etc. reads: INSERT HIVE/KEY/SUBKEY value here.
[IMG]https://i.imgur.com/ocHXprY.png[/IMG]
[*]Click File
[*]Click Export
[*]Name the file 'RegistryBackup'
[*]Ensure the 'Save as Type' is 'Registration Files (*.reg)'
[*]Click 'Save'
[*]Allow Registry Editor to run and make the backup; it may take a minute or two.
[/LIST]
[CODE][b][color=#33ffff]Backup Your Registry Manually[/color][/b]
We need to back up part of your registry manually.
[b][color=#ff3366]WARNING: entering the registry is dangerous, only perform the following instructions precisely.[/color][/b]
[list]
[*]Click Start
[*]Type regedit
[*]Click yes on the UAC form.
[*]Navigate to: INSERT HIVE/KEY/SUBKEY value here.
[*]Ensure the 'key' (the subfolder-like entry) is highlighted, like Computer is in the image below.
[*]Ensure the bar below 'File', 'Edit' etc. reads: INSERT HIVE/KEY/SUBKEY value here.
[img]https://i.imgur.com/ocHXprY.png[/img]
[*]Click File
[*]Click Export
[*]Name the file 'RegistryBackup'
[*]Ensure the 'Save as Type' is 'Registration Files (*.reg)'
[*]Click 'Save'
[*]Allow Registry Editor to run and make the backup; it may take a minute or two.
[/list][/CODE]

[B][COLOR=#33ccff]MANUALLY - COMMAND PROMPT[/COLOR][/B]
We need to back up a part of the registry using Command Prompt:
[LIST]
[*]Click [B]Start[/B]
[*]Type '[B]cmd[/B]'
[*]Right click Command Prompt and select [B]Run as Administrator[/B]
[*]A black window should appear. Type the following without the [B]<SPACE>[/B]; it indicates where there should be a space:
[B][COLOR=#ff3399]REG EXPORT[/COLOR]<SPACE>[COLOR=#ffcc33]HIVE\KEY\SUBKEY[/COLOR]<SPACE>[COLOR=#66cc33]C:\RegKeyBackup.reg[/COLOR][/B]
[*]You should get a confirmation "[B]The Operation Completed Successfully[/B]"
[/LIST]
[CODE][b][color=#33ccff]MANUALLY - COMMAND PROMPT[/color][/b]
We need to back up a part of the registry using Command Prompt:
[list]
[*]Click [b][color=#ffffff]Start[/color][/b]
[*]Type '[b][color=#ffffff]cmd[/color][/b]'
[*]Right click Command Prompt and select [b][color=#ffffff]Run as Administrator[/color][/b]
[*]A black window should appear. Type the following without the [b][color=#ffffff]<SPACE>[/color][/b]; it indicates where there should be a space:
[b][color=#ff3399]REG EXPORT[/color][color=#ffffff]<SPACE>[/color][color=#ffcc33]HIVE\KEY\SUBKEY[/color][color=#ffffff]<SPACE>[/color][color=#66cc33]C:\RegKeyBackup.reg[/color][/b]
[*]You should get a confirmation "[b][color=#ffffff]The Operation Completed Successfully[/color][/b]"
[/list][/CODE]

[B][COLOR=#33ccff]MANUALLY - SET SYSTEM RESTORE POINT[/COLOR][/B]

[B][COLOR=#ff8000]System Restore Point[/COLOR][/B]
We need a system restore point:
[LIST=1]
[*]From the [B]Start menu[/B], type create a restore point.
[*]Select [B]Create a restore point[/B] from the search results.
[*][COLOR=#000000]Choose [B]Create[/B], and then 
follow[/COLOR] the steps to create a restore point.
[/LIST]
[CODE][b][color=#33ffff]System Restore Point[/color][/b]
We need a system restore point:
[list=1]
[*]From the [b][color=#ffffff]Start menu[/color][/b], type create a restore point.
[*]Select [b][color=#ffffff]Create a restore point[/color][/b] from the search results.
[*]Choose [b][color=#ffffff]Create[/color][/b], and then follow the steps to create a restore point.
[/list][/CODE]

[B][COLOR=#33ccff]SOFTWARE - COMPLETE BACKUP[/COLOR][/B]

[B][COLOR=#ff8000]Registry Backup[/COLOR][/B]
Please download the Portable version of [URL='https://www.bleepingcomputer.com/download/registry-backup/'][B][COLOR=#ffcc33]Registry Backup[/COLOR][/B][/URL] by Tweaking.com
[B][COLOR=#ff3366]NOTE: [/COLOR][/B]ensure you're using an administrator account; if you aren't, or are unsure, STOP NOW and notify me. [If you aren't, the whole registry won't be backed up]
[LIST]
[*]Right click the zipped file and select Extract All.
[*]Open the folder and double click TweakingRegistryBackup.
[*]Select yes on the UAC window.
[*]Click Backup Now.
[*]Allow the program to run.
[*]Click View Logs.
[*]Open Log_backup.txt
[*]Copy/paste the contents into your next reply.
[/LIST]
[CODE][color=#33ffff][b]Registry Backup[/b][/color]
Please download the Portable version of [url=https://www.bleepingcomputer.com/download/registry-backup/][b][color=#ffcc33]Registry Backup[/color][/b][/url] by Tweaking.com
[b][color=#ff3366]NOTE: [/color][/b]ensure you're using an administrator account; if you aren't, or are unsure, STOP NOW and notify me. [If you aren't, the whole registry won't be backed up]
[list]
[*]Right click the zipped file and select Extract All.
[*]Open the folder and double click TweakingRegistryBackup.
[*]Select yes on the UAC window.
[*]Click Backup Now.
[*]Allow the program to run.
[*]Click View Logs.
[*]Open Log_backup.txt
[*]Copy/paste the contents into your next reply.
[/list][/CODE]

[B][COLOR=#33ccff]OTHER SOFTWARE[/COLOR][/B]
Trained helpers can use other tools to back up, modify and restore the registry:
[LIST]
[*]OTL.
[*]Farbar Recovery Scan Tool.
[*]Combofix
[*]ERUNT in older versions of Windows
[/LIST]
[B][COLOR=red]NOTE: DO NOT USE THESE TOOLS UNSUPERVISED[/COLOR][/B]

[B][SIZE=7][COLOR=#0000b3]Restoring the Registry[/COLOR][/SIZE][/B]
[IMG]https://i.imgur.com/89S7lr1.jpg[/IMG]
Backing up the registry is oh-so-worth-it the moment you need to restore from a backup. Restoring is [I]usually[/I] quite simple.

[B][COLOR=#33ccff]MANUALLY - FROM SELECT BACKUP[/COLOR][/B]
If you manually exported a .reg file, you just need to find that .reg file.

[B][COLOR=#ff8000]Restoring Registry from Backup[/COLOR][/B]
We need to restore some registry entries from our backup.
[LIST]
[*]Navigate to the location where you saved your backup .reg file and double click on it. A .reg file looks like this:
[IMG]https://i.imgur.com/WbQHAr0.png[/IMG]
[*]Click yes when prompted by the UAC window.
[*]Click yes when prompted by Windows.
[*]Allow it to run.
[/LIST]
Let me know how it goes; it's important that you DO NOT DELETE the .reg file until we are sure we have fixed the issue.
[CODE][b][color=#33ffff]Restoring Registry from Backup[/color][/b]
We need to restore some registry entries from our backup.
[list]
[*]Navigate to the location where you saved your backup .reg file and double click on it. A .reg file looks like this:
[img=64x72]https://i.imgur.com/WbQHAr0.png[/img]
[*]Click [b][color=#ffffff]yes[/color][/b] when prompted by the UAC window.
[*]Click [b][color=#ffffff]yes[/color][/b] when prompted by Windows.
[*]Allow it to run.
[/list]
Let me know how it goes; it's important that you [b][color=#ff3366]DO NOT DELETE[/color][/b] the .reg file until we are sure we have fixed the issue.[/CODE]

[B][COLOR=#33ccff]MANUALLY - USING COMMAND PROMPT[/COLOR][/B]
We need to restore from the backup we made:
[LIST]
[*]Click Start
[*]Type 'cmd'
[*]Right click Command Prompt and select Run as Administrator
[*]A black window should appear. Type the following without the <SPACE>; it indicates where there should be a space:
[B][COLOR=#ff3399]REG IMPORT[/COLOR]<SPACE>[COLOR=#66cc33]C:\RegKeyBackup.reg[/COLOR][/B]
[*]You should get a confirmation "The Operation Completed Successfully"
[/LIST]
[CODE]We need to restore from the backup we made:
[list]
[*]Click [color=white]Start[/color]
[*]Type '[color=white]cmd[/color]'
[*]Right click Command Prompt and select [color=white]Run as Administrator[/color]
[*]A black window should appear. Type the following without the [color=white]<SPACE>[/color]; it indicates where there should be a space:
[color=#ff3399][b]REG IMPORT[/b][/color][b][color=#ffffff]<SPACE>[/color][color=#66cc33]C:\RegKeyBackup.reg[/color][/b]
[*]You should get a confirmation "[color=white]The Operation Completed Successfully[/color]"
[/list][/CODE]

[B][COLOR=#33ccff]COMPLETE RESTORE - WINDOWS FUNCTIONALITY[/COLOR][/B]

[B][COLOR=#ff8000]Roll Back with System Restore[/COLOR][/B]
We need to do a roll back with System Restore.
[LIST]
[*]Click [B]Start[/B]
[*]Type '[B]System Restore[/B]'
[*]Click '[B]Create a System Restore Point[/B]' in the Start menu.
[*]The System Properties box should open.
[*]Under the System Protection tab click [B]System Restore...[/B]
[*]The System Restore tool will open.
[*]Select '[B]Choose a Different Restore Point[/B]'
[*]Click [B]Next[/B].
[*]Select a date when things were running fine (or at least better than now) on your machine.
[*]Click [B]Next[/B].
[*]Allow System Restore to run, following any prompts.
[/LIST]
[CODE][b][color=#33ffff]Roll Back with System Restore[/color][/b]
We need to do a roll back with System Restore.
[list]
[*]Click [b][color=#ffffff]Start[/color][/b]
[*]Type '[b][color=#ffffff]System Restore[/color][/b]'
[*]Click '[b][color=#ffffff]Create a System Restore Point[/color][/b]' in the Start menu.
[*]The System Properties box should open.
[*]Under the System Protection tab click [b][color=#ffffff]System Restore...[/color][/b]
[*]The System Restore tool will open.
[*]Select '[b][color=#ffffff]Choose a Different Restore Point[/color][/b]'
[*]Click [b][color=#ffffff]Next[/color][/b].
[*]Select a date when things were running fine (or at least better than now) on your machine.
[*]Click [b][color=#ffffff]Next[/color][/b].
[*]Allow System Restore to run, following any prompts.
[/list][/CODE]

[B][COLOR=#33ccff]COMPLETE RESTORE - THIRD PARTY SOFTWARE[/COLOR][/B]

[B][COLOR=#ff8000]Roll Back with Tweaking Registry Backup[/COLOR][/B]
Launch TweakingRegistryBackup by Tweaking.com
[B][COLOR=#ff3366]NOTE: [/COLOR][/B]ensure you're using an administrator account; if you aren't, or are unsure, STOP NOW and notify me. [If you aren't, the whole registry won't be backed up]
[LIST]
[*]Click the [B]Restore Registry[/B] tab.
[*]Click the down arrow next to '[B]Select Backup To Restore[/B]' and select the backup we made previously.
[*]Place a check next to '[B]Restart/Shutdown System When Finished[/B]'
[*]Click [B]Restore Now[/B]
[*]Allow the computer to reboot.
[/LIST]
[CODE][b][color=#33ffff]Roll Back with Tweaking Registry Backup[/color][/b]
Launch TweakingRegistryBackup by Tweaking.com
[b][color=#ff3366]NOTE: [/color][/b]ensure you're using an administrator account; if you aren't, or are unsure, STOP NOW and notify me. [If you aren't, the whole registry won't be backed up]
[list]
[*]Click the [b][color=#ffffff]Restore Registry[/color][/b] tab.
[*]Click the down arrow next to '[b][color=#ffffff]Select Backup To Restore[/color][/b]' and select the backup we made previously.
[*]Place a check next to '[b][color=#ffffff]Restart/Shutdown System When Finished[/color][/b]'
[*]Click [b][color=#ffffff]Restore Now[/color][/b]
[*]Allow the computer to reboot.
[/list][/CODE]

[B][SIZE=7][COLOR=#0000b3]Modifying the Registry[/COLOR][/SIZE][/B]
There are several ways we can modify the registry; modifying it brings together all our previous knowledge.
[CENTER][B][SIZE=7][COLOR=rgb(179, 0, 89)]==============================================[/COLOR][/SIZE][/B]
[COLOR=rgb(255, 51, 102)][B][SIZE=7]WARNING[/SIZE][/B][/COLOR]
[COLOR=rgb(255, 51, 102)][B]Given the purpose of the registry, modifications to it can have disastrous consequences. Tread lightly in the registry.
Look but don't touch - unless you know what you're doing.[/B][/COLOR]
[B][COLOR=rgb(179, 0, 89)][SIZE=7]==============================================[/SIZE][/COLOR][/B][/CENTER]

[B][COLOR=#ffffff]From Microsoft themselves:[/COLOR][/B]

[B][COLOR=#33ccff]MANUALLY IN REGEDIT[/COLOR][/B]
I do not encourage this. Of course, you can go into the registry itself and make modifications: modify values, delete things, add things, you name it. This is probably the most simple (yet most dangerous) way to do it.
[LIST]
[*]Click Start
[*]Type regedit
[*]Click yes on the UAC window
[*]Go through the registry and make modifications like you would to any file.
[/LIST]

[B][COLOR=#33ccff]SCRIPTS: .reg FILES[/COLOR][/B]

[B][COLOR=#ff8000]Creating a .reg File[/COLOR][/B]
Creating .reg files is simple.
[LIST]
[*]Open [B]Notepad[/B]
[*]Type the desired script.
[*]Click [B]File[/B]
[*][B]Save[/B]
[*]Name the file [B]RegistryFix.reg[/B]
[*]Under file type, select [B]all types[/B].
[*]Click [B]Save[/B].
[/LIST]

[B][COLOR=#ff8000]Executing a .reg File[/COLOR][/B]
[LIST]
[*]Navigate to the .reg file.
[*]Double click it.
[*]Click [B]yes[/B] in the UAC window.
[*]Click [B]yes[/B] when prompted by regedit.
[*]Allow the file to run.
[/LIST]

[B][COLOR=#ff8000]Syntax of .reg Files[/COLOR][/B]
A .reg file has the following syntax, where:

[B][COLOR=#ff3366]RegistryEditorVersion[/COLOR][/B] is either "Windows Registry Editor Version 5.00" for Windows 2000, Windows XP, and Windows Server 2003, or "REGEDIT4" for Windows 98 and Windows NT 4.0.
The "REGEDIT4" header also works on Windows 2000-based, Windows XP-based, and Windows Server 2003-based computers.

[B][COLOR=#ff9933]Blank line[/COLOR][/B] is a blank line. This identifies the start of a new registry path. Each key or subkey is a new registry path. If you have several keys in your .reg file, blank lines can help you to examine and to troubleshoot the contents.

[B][COLOR=#ffcc33]RegistryPathx[/COLOR][/B] is the path of the subkey that holds the first value you are importing. Enclose the path in square brackets, and separate each level of the hierarchy by a backslash. For example:
[B][COLOR=#ffffff][HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System][/COLOR][/B]
A .reg file can contain several registry paths. If the bottom of the hierarchy in the path statement does not exist in the registry, a new subkey is created. The contents of the registry files are sent to the registry in the order you enter them. Therefore, if you want to create a new subkey with another subkey below it, you must enter the lines in the correct order.

[B][COLOR=#33cc33]DataItemNamex[/COLOR][/B] is the name of the data item that you want to import. If a data item in your file does not exist in the registry, the .reg file adds it (with the value of the data item). If a data item does exist, the value in your .reg file overwrites the existing value. Quotation marks enclose the name of the data item. An equal sign (=) immediately follows the name of the data item.

[B][COLOR=#33ccff]DataTypex[/COLOR][/B] is the data type for the registry value and immediately follows the equal sign. For all the data types other than REG_SZ (a string value), a colon immediately follows the data type. If the data type is REG_SZ, do not include the data type value or colon. In this case, Regedit.exe assumes REG_SZ for the data type.
The following table lists the typical registry data types:
[IMG]https://image.prntscr.com/image/sl3TonquTXmFtTYDfQoDkg.png[/IMG]
More info about registry data types: [URL]https://support.microsoft.com/en-us/help/256986[/URL]

[B][COLOR=#9966ff]DataValuex[/COLOR][/B] immediately follows the colon (or the equal sign with REG_SZ) and must be in the appropriate format (for example, string or hexadecimal). Use hexadecimal format for binary data items.

[B][COLOR=#ff3366]NOTE:[/COLOR][/B] You can enter several data item lines for the same registry path. The registry file should contain a blank line at the bottom of the file.

[B][COLOR=#ff8000]Creating a .reg File[/COLOR][/B]
Let's take a step back to the basics; we'll worry about the correct syntax, spacing, punctuation etc. later. Let's just look at how to make a .reg file.
[LIST=1]
[*]Open Notepad.
[*]Click File > Save
[*]Save the file to the Desktop.
[*]In the File Name field enter FILENAME[B][COLOR=#ff3366].reg[/COLOR][/B]
[*]In the Save as Type option select 'All Files'.
[*]Hit Save.
[/LIST]
Done! There should be a .reg file named FILENAME with the .reg icon.

[B][COLOR=#ff8000]Formatting a .reg File[/COLOR][/B]
When it comes to writing .reg files, there are a couple of rules we must follow.
[LIST]
[*][B][COLOR=#ff3366]RULE 1:[/COLOR][/B] the file should always start with the following line: [B][COLOR=#ffffff]Windows Registry Editor Version 5.00[/COLOR][/B]
[*][B][COLOR=#ff3366]RULE 2:[/COLOR][/B] we must separate 'commands' relating to different keys/subkeys by a single blank line. This means:
[IMG]https://image.prntscr.com/image/P1GforohRlid-P66Kz0zVg.png[/IMG]
Explaining my point further:
[IMG]https://image.prntscr.com/image/6tiA9KlaSjel0lOjHAhs7Q.png[/IMG]
[*][B][COLOR=#ff3366]RULE 3: [U]NEVER[/U][/COLOR][/B] modify a registry that hasn't been backed up!
[/LIST]
When it comes to the general format of a .reg file, it follows a registry backup as I described earlier.
[B][COLOR=#cc66ff][REGISTRYHIVE\KEY\SUBKEY\SUBSUBKEY]
"VALUE"="Some Data Here"[/COLOR][/B]

What we want to do determines how we structure the above lines. The specific [I]syntax[/I] will be determined by whether we want to do any of the following:
[LIST=1]
[*]Delete a key/subkey
[*]Delete a value
[*]Add a value with specific data
[*]Add a key/subkey
[*]Modify the DATA of a value
[/LIST]
Let's work through each one. I'm going to use a single example, exported from my own registry, throughout. Let's work with this:
[B][COLOR=#cc66ff][HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
"ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"[/COLOR][/B]

[B][COLOR=#ff8000]Delete a Key/Subkey[/COLOR][/B]
Hopefully by now you can identify the key/subkey (and hive, value and data for that matter!) in this line. If not, give it a go. I'll put the answer in a spoiler below.
[spoiler=ANSWER]
[B]HIVE:[/B] HKEY_LOCAL_MACHINE
[B]KEY:[/B] SOFTWARE
[B]SUBKEY:[/B] Google
[B]VALUE:[/B] ExampleString
[B]DATA:[/B] C:\\ProgramFiles\\Google\\Chrome\\Example.exe
[/spoiler]
The syntax for deleting a key/subkey is pretty simple: just add a minus ( [B][SIZE=7]-[/SIZE][/B] ) symbol before the path you want to delete. Let's delete the Chrome subkey:
[code][-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome][/code]
Now, let's delete the Google subkey:
[code][-HKEY_LOCAL_MACHINE\SOFTWARE\Google][/code]
[B][COLOR=#ff3366]NOTE:[/COLOR][/B] removing the Google subkey will remove all subkeys below it! (I don't know if I have to say this, but I will.) Just like if you deleted the Program Files folder, all the folders below it would get deleted! Simple, right?
So, if we wanted to make a .reg file to remove the Google subkey, the whole file would read:
[code]Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Google][/code]
We would then:
[LIST]
[*]Click File > Save
[*]Rename the file to FILENAME[B][COLOR=#ff3366].reg[/COLOR][/B]
[*]Change the 'Save as Type' to 'All Files'
[*]Ensure you save the file on your Desktop.
[*]Click Save.
[/LIST]
We can then go to the saved file and double click it to execute it (clicking yes to the prompts). Let's move on.

[B][COLOR=#ff8000]Delete a Value[/COLOR][/B]
Remember the structure of our export and where the values are in it? Let me remind you:
[B][REGISTRYHIVE\KEY\SUBKEY\SUBSUBKEY]
"VALUE"="Some Data Here"[/B]
This means our format in our .reg file has to be a little different (yet still simple). To delete a value we add a minus ( [B][SIZE=7]-[/SIZE][/B] ) after the = sign that immediately follows the closing " of the value name ("VALUE"[B]=[/B]). Here's our example:
[B][COLOR=#cc66ff][HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
"ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"[/COLOR][/B]
Let's remove the value "ExampleString" from the Chrome subkey:
[code][HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
"ExampleString"=-[/code]
So, if we wanted to make a .reg file to remove the ExampleString value, the whole file would read:
[code]Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
"ExampleString"=-[/code]

[B][COLOR=#ff8000]Add a Value with Specific Data[/COLOR][/B]
This one may be a bit trickier, but I can't see a reason why you might do this. When you restore from a backup, this is what you are inadvertently doing. To do this, you must know the correct data that is assigned to that value. To create this script, we just mirror our export from the registry.
When we have specific values listed, the .reg file will create the key/subkey if it does not exist already.
[code][HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
"ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"[/code]
So, if we wanted to make a .reg file to add the ExampleString value, the whole file would read:
[code]Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
"ExampleString"="C:\\ProgramFiles\\Google\\Chrome\\Example.exe"[/code]

[B][COLOR=#ff8000]Add a Key/Subkey[/COLOR][/B]
I can't see why you would do this alone for any good reason; if you are creating keys/subkeys you more than likely should have values within them. Regardless, this would be the script:
[IMG]https://image.prntscr.com/image/ltoGZvXBTGywx29G9nVMyQ.png[/IMG]

[B][COLOR=#ff8000]Modify the DATA of a Value[/COLOR][/B]
This is the more fun/thinking part: I'm going to show you how to modify the data of a value. This method is often what malware will use to disable certain features (particularly security features) on a user's system. How we modify the data depends on the type of data that is stored in the value.
[LIST]
[*]Is it a string?
[*]Is it a binary value?
[*]Is it a DWORD value? etc.
[/LIST]
Regardless, the structure of your script is essentially the same. Let's take our example again...
[IMG]https://i.imgur.com/rZWBUlm.png[/IMG]
Let's change the string associated with ExampleString to the directory C:\Windows\Example.exe. The trick here is to be sure to remember the "" and a double backslash (\\) where you would usually put one.
[IMG]https://image.prntscr.com/image/ekHep6GxQJCcWX-u7vIM0A.png[/IMG]
Another example, this time of a DWORD (hexadecimal base). I just quickly exported this from a random part of my registry:
[IMG]https://image.prntscr.com/image/yaFT6r7KQxuwoJmDMCpS8g.png[/IMG]
In a DWORD you get a string of numbers: 00000000 or 00000001 or 00040000 etc. Each number represents a different state for the value.
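The five .reg operations covered so far (delete a key, delete a value, add a value, add a key, modify data) can be generated rather than typed, which avoids the escaping and blank-line mistakes that RULE 1 and RULE 2 warn about. The following Python script is an added example, not code from this guide or from Microsoft: it builds the Google/Chrome examples above and the DisableRegistryTools fix. The value names ExampleFlag and ExampleBlob and the Empty subkey are constructed for the demonstration; the DisableRegistryTools path is the usual HKCU policy location.

```python
"""Build .reg scripts that obey the rules above. Added example, not code from the guide."""
from collections import OrderedDict

HEADER = "Windows Registry Editor Version 5.00"   # RULE 1: always the first line


def escape_sz(text):
    # Inside a quoted REG_SZ every backslash is doubled and every double quote is escaped.
    return text.replace("\\", "\\\\").replace('"', '\\"')


class RegFileWriter:
    """Collects operations per key and renders them in the order they were added."""

    def __init__(self):
        # key path -> list of value lines, or None when the whole key is to be deleted
        self._keys = OrderedDict()

    def _lines(self, key):
        # A delete_key followed by a value write on the same key turns back into a write.
        if self._keys.get(key) is None:
            self._keys[key] = []
        return self._keys[key]

    def add_key(self, key):
        # A key/subkey with no values is just a bare [path] line.
        self._lines(key)

    def delete_key(self, key):
        # [-path] deletes the key and everything below it.
        self._keys[key] = None

    def delete_value(self, key, name):
        # "name"=- deletes a single value.
        self._lines(key).append('"%s"=-' % name)

    def set_string(self, key, name, data):
        # REG_SZ: no type tag, data in quotes, backslashes doubled.
        self._lines(key).append('"%s"="%s"' % (name, escape_sz(data)))

    def set_dword(self, key, name, data):
        # REG_DWORD: 'dword:' followed by exactly eight hex digits.
        if not 0 <= data <= 0xFFFFFFFF:
            raise ValueError("DWORD out of range: %r" % (data,))
        self._lines(key).append('"%s"=dword:%08x' % (name, data))

    def set_binary(self, key, name, data):
        # REG_BINARY: 'hex:' followed by comma-separated bytes.
        self._lines(key).append('"%s"=hex:%s' % (name, ",".join("%02x" % b for b in data)))

    def render(self):
        # RULE 2: one blank line between key blocks, and a blank line at the bottom.
        out = [HEADER, ""]
        for key, lines in self._keys.items():
            if lines is None:
                out.append("[-%s]" % key)
            else:
                out.append("[%s]" % key)
                out.extend(lines)
            out.append("")
        return "\n".join(out) + "\n"

    def save(self, path):
        # regedit itself writes version 5.00 files as UTF-16 with a BOM and CRLF line endings.
        with open(path, "w", encoding="utf-16", newline="\r\n") as fh:
            fh.write(self.render())


def remove_google_subkey():
    # The guide's 'Delete a Key/Subkey' example.
    w = RegFileWriter()
    w.delete_key(r"HKEY_LOCAL_MACHINE\SOFTWARE\Google")
    return w.render()


def chrome_example():
    # Modify ExampleString, then add a DWORD, a binary value and an empty subkey
    # (ExampleFlag, ExampleBlob and Empty are constructed names).
    key = r"HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome"
    w = RegFileWriter()
    w.set_string(key, "ExampleString", r"C:\Windows\Example.exe")
    w.set_dword(key, "ExampleFlag", 1)
    w.set_binary(key, "ExampleBlob", bytes.fromhex("fe340ead"))
    w.add_key(r"HKEY_LOCAL_MACHINE\SOFTWARE\Google\Empty")
    return w.render()


def reenable_regedit():
    # Set DisableRegistryTools back to 0 under the usual HKCU policy key.
    w = RegFileWriter()
    w.set_dword(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
                "DisableRegistryTools", 0)
    return w.render()


if __name__ == "__main__":
    print(remove_google_subkey())
    print(chrome_example())
```

Calling render() gives you the text to paste into Notepad; save() writes it the way regedit does. Because set_string escapes for you, you pass the real path (one backslash) and the doubled backslashes appear in the output, which is exactly the detail the screenshot above warns about.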
Put simply (and this is the case I'm most commonly involved in), 1 = enabled, 0 = disabled. So in this entry:
The value authenticodeenabled is disabled (I know this by dword:0000000[B][COLOR=#ff99ff]0[/COLOR][/B])
If authenticodeenabled were enabled it would be dword:0000000[B][COLOR=#ff99ff]1[/COLOR][/B]
This is applicable particularly when malware has disabled the ability to access regedit. In the example below, DisableRegistryTools is enabled. We, however, are able to construct a .reg file to disable "DisableRegistryTools". It is as follows:
[IMG]https://i.imgur.com/ytz1ejp.png[/IMG]
You can also find entries like this for:
[LIST]
[*]Task Manager
[*]Command Prompt
[*]Config
[*]System Restore
[*]The list continues...
[/LIST]
This will cover most modifications you might ever want to do in the registry using a .reg file.

[B][COLOR=#33ccff]COMMAND PROMPT (CMD) [.bat (BATCH) Files][/COLOR][/B]
For those new to the game, batch files are just scripted Command Prompt commands that you can double click and execute (a bit like .reg files, but more versatile). I'm going to go over the commands you will type into Command Prompt, and then show you how to adapt these to a simple .bat file.
Reference: [URL="https://www.windowscentral.com/how-edit-registry-using-command-prompt-windows-10"]How to edit the Registry using Command Prompt on Windows 10[/URL]

[B][COLOR=#ff8000]How to Open Command Prompt[/COLOR][/B]
To open Command Prompt:
[LIST]
[*]Click Start
[*]Search Command Prompt
[*]Right click and click Run as Administrator
[/LIST]

[B][COLOR=#ff8000]Commands[/COLOR][/B]
In Command Prompt (CMD) you can type [B]reg /?[/B] to bring up a list of available commands.
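Before going through the individual reg commands, it helps to see how a .reg export maps onto them, and how a helper can check an unknown .reg file before importing it. The following Python script is an added example, not code from this guide, from Microsoft or from reg.exe: it parses a .reg file of the kind REG EXPORT produces, flags policy DWORDs such as DisableRegistryTools that a malware-written file would switch on, and emits the equivalent reg add / reg delete argument vectors in the syntax described in the next section. The sample file contents, the LOCKOUT_VALUES set and the value names Data and Wallpaper are constructed for the demonstration; DisableTaskMgr and DisableCMD are the real policy value names behind the Task Manager and Command Prompt lockouts listed above.

```python
"""Parse a .reg export, flag lockout policy values and map entries to reg.exe commands.
Added example, not code from the guide."""
import re

# Constructed sample of what REG EXPORT might produce for a locked-down policy key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
"Wallpaper"="C:\\Users\\Public\\wall.jpg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome]
"ExampleString"=-
"Data"=hex:fe,34,0e,ad

[-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Stale]
'''

# Policy DWORDs where a non-zero value locks the user out of a tool (constructed watch list).
LOCKOUT_VALUES = {"DisableRegistryTools", "DisableTaskMgr", "DisableCMD"}

# "name"=rest  -- the name may contain escaped quotes or backslashes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape_sz(text):
    # Reverse the .reg quoting of backslashes and double quotes.
    return re.sub(r'\\(["\\])', r'\1', text)


def parse_reg(text):
    """Return a list of (kind, key, name, type, data) tuples in file order."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or not lines[0].startswith(("Windows Registry Editor Version 5.00", "REGEDIT4")):
        raise ValueError("not a .reg file: header missing")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank separator or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):                # [-path] deletes the whole key
                key = None
                ops.append(("delete_key", path[1:], None, None, None))
            else:
                key = path
                ops.append(("add_key", key, None, None, None))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError("unexpected line: %r" % raw)
        name, rhs = unescape_sz(m.group(1)), m.group(2)
        if rhs == "-":                              # "name"=- deletes the value
            ops.append(("delete_value", key, name, None, None))
        elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            ops.append(("set", key, name, "REG_SZ", unescape_sz(rhs[1:-1])))
        elif rhs.startswith("dword:"):
            ops.append(("set", key, name, "REG_DWORD", int(rhs[6:], 16)))
        elif rhs.startswith("hex:"):
            ops.append(("set", key, name, "REG_BINARY", bytes.fromhex(rhs[4:].replace(",", ""))))
        else:
            # default values (@=), hex(n) types and continuation lines are out of scope here
            raise ValueError("unsupported data: %r" % raw)
    return ops


def find_lockouts(ops):
    """Names of lockout policy values that importing this file would switch on."""
    return sorted(name for kind, _key, name, typ, data in ops
                  if kind == "set" and typ == "REG_DWORD" and name in LOCKOUT_VALUES and data != 0)


def to_reg_commands(ops):
    """Equivalent reg.exe argument vectors; /f suppresses the confirmation prompt."""
    keys_with_entries = {op[1] for op in ops if op[0] in ("set", "delete_value")}
    cmds = []
    for kind, key, name, typ, data in ops:
        if kind == "delete_key":
            cmds.append(["reg", "delete", key, "/f"])
        elif kind == "delete_value":
            cmds.append(["reg", "delete", key, "/v", name, "/f"])
        elif kind == "add_key":
            if key not in keys_with_entries:        # bare key: create it, as regedit would
                cmds.append(["reg", "add", key, "/f"])
        else:
            if typ == "REG_DWORD":
                value = str(data)
            elif typ == "REG_BINARY":
                value = data.hex()
            else:
                value = data
            cmds.append(["reg", "add", key, "/v", name, "/t", typ, "/d", value, "/f"])
    return cmds


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("lockout values switched on:", find_lockouts(parsed))
    for cmd in to_reg_commands(parsed):
        print(" ".join(cmd))
```

Run against the sample, find_lockouts reports DisableRegistryTools and DisableTaskMgr, which is the check you want before double-clicking a .reg file someone sent you. The argument vectors are what you would hand to subprocess.run on Windows (or paste into a .bat file, one per line); keeping them as lists rather than a single string means the REG_SZ data with spaces and backslashes is passed through without any quoting mistakes.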
These include: [LIST] [*]REG Query [*]REG Add [*]REG Delete [*]REG Copy [*]REG Save [*]REG Load [*]REG Unload [*]REG Restore [*]REG Compare [*]REG Export [*]REG Import [*]REG Flags [/LIST] [IMG]https://i.imgur.com/tOaA7QG.jpg[/IMG] CMD Syntax [LIST] [*]ADD: REG ADD KeyName [{/v ValueName | /ve}] [/t Type] [/f] [*]Delete: REG DELETE KeyName [{/v ValueName | /ve | /va}] [/f] [/LIST] Command Description [LIST] [*]KeyName: Defines the path to the subkey or entry. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to edit the registry on a remote computer, you can only use these shortcuts: HKLM and HKU. [*]/v ValueName: Specifies the name for the registry key to be added or deleted. [*]/ve: Defines if you're adding or deleting an entry that has a null value. [*]/t Type: Specifies the type of registry entries. Here's the list of valid types: [LIST] [*]REG_SZ [*]REG_MULTI_SZ [*]REG_DWORD_BIG_ENDIAN [*]REG_DWORD [*]REG_BINARY [*]REG_DWORD_LITTLE_ENDIAN [*]REG_LINK [*]REG_FULL_RESOURCE_DESCRIPTOR [*]REG_EXPAND_SZ [/LIST] [*]/f: Adds or deletes registry content without prompting for confirmation. [*]/s Separator: Defines the character you use to separate multiple instances of data when the REG_MULTI_SZ data type is specified and you need to add more than one entry. The default separator is \0 if it is not specified. [*]/d Data: Specifies the data for the new entry in the registry. 
[/LIST] REG ADD To add a subkey named MySubkey under HKEY_LOCAL_MACHINE\Software, use the following example: REG ADD HKLM\Software\MySubkey To add a new DWORD (32-bit) value entry named AppInfo with the value of 1, use the following example: To add a new Binary Value entry named Data with data of fe340ead, use the following example: To add a registry entry with multiple values to MySubkey with a value name of MRU of type REG_MULTI_SZ and data of fax\0mail\2\1, use the following example: REG DELETE To delete the subkey named MySubkey, use the following example: To delete the registry entry named AppInfo within the MySubkey subkey, use the following example: To delete all the registry entries from the MySubkey subkey, use the following example: REG COPY Syntax: REG COPY KeyName1 KeyName2 [/s] [/f] [LIST] [*]KeyName1: Defines the path to the subkey you want to copy. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to copy the registry on a remote computer, you can only use these shortcuts: HKLM and HKU. [*]KeyName2: Defines the path to the subkey destination. Valid registry key shortcuts include HKLM, HKCU, HKCR, HKU, and HKCC. If you're trying to copy the registry on a remote computer, you can only use these shortcuts: HKLM and HKU. [*]/s: Copies all subkeys and entries of a particular subkey. [*]/f: Executes the copy command without prompting for confirmation. [/LIST] To copy all subkeys and values under the key MySubkey1 to the key MySubkey2, use the following example: Create .bat (batch) File We need to create a batch file to run some commands. [LIST] [*]Open Notepad. 
[*]Copy/Paste the following code into Notepad (CODE stands for the REG commands you want the batch file to run):
@echo off
CODE
[*]Click Save
[*]Name the file Fix.bat
[*]Under Save as Type select All Files
[*]Save the batch file to your desktop, it will look like this: [img=64x53]https://image.prntscr.com/image/2s1dEc1NSZ_Xq8EUAvjyDg.png[/img]
[*]Navigate to the file, right-click it and choose Run as Administrator
[*]Allow it to run.
[/LIST]
The BBCode for the steps above, for anyone who wants to reuse them in a reply:
[code][b][color=#33ffff]Create .bat (batch) File[/color][/b]
We need to create a batch file to run some commands.
[list]
[*]Open Notepad.
[*]Copy/Paste the following code into Notepad:
[quote]@echo off
CODE[/quote]
[*]Click Save
[*]Name the file Fix[b][color=#ff3366].bat[/color][/b]
[*]Under Save as Type select All Files
[*]Save the batch file to your desktop, it will look like this: [img=64x53]https://image.prntscr.com/image/2s1dEc1NSZ_Xq8EUAvjyDg.png[/img]
[*]Navigate to the file, right-click it and choose Run as Administrator
[*]Allow it to run.
[/list][/code]
[B][SIZE=7][COLOR=#0000b3]Conclusion[/COLOR][/SIZE][/B]
Hopefully you found this guide somewhat helpful. I've linked a bunch of websites that were the inspiration for this thread. Please leave all comments, suggestions and possible improvements as a reply rather than PMing me so the community can benefit! And please tell me:
[LIST]
[*]Was this thread helpful?
[*]Was it easy to follow?
[*]What would you like to hear from me next?
[/LIST]
All the best.
[B][COLOR=#ff8000]References[/COLOR][/B]
Registry Value Types: [URL='https://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx']Registry Value Types (MSDN)[/URL]
Computer Hope Registry Talk: [URL='https://www.computerhope.com/jargon/r/registry.htm']What is the Windows Registry?[/URL]
Inspiration for this thread: [URL='https://www.bleepingcomputer.com/tutorials/demystifying-the-windows-registry/']Demystifying the Windows Registry (BleepingComputer)[/URL]
Starting Point: [URL='https://en.wikipedia.org/wiki/Windows_Registry']Windows Registry - Wikipedia[/URL]
Microsoft Library on the Registry: [URL='https://msdn.microsoft.com/en-us/library/windows/desktop/ms724871(v=vs.85).aspx']Registry (MSDN)[/URL]
CMD: [URL='https://www.windowscentral.com/how-edit-registry-using-command-prompt-windows-10']How to edit the Registry using Command Prompt on Windows 10[/URL]
[/QUOTE]
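The following is an added worked example, not part of TheAvatar's post, that ties together the REG ADD / DELETE / COPY examples and the Fix.bat procedure above. The batch file backs up the target key with REG EXPORT before touching it, runs the guide's commands, checks the exit code of every REG call, and restores from the backup at the end. It assumes HKCU\Software\MySubkey rather than the guide's HKLM path so it can be run without elevation; the key name, value names and data are the guide's own, while the MySubkey2 copy target, the backup file under %TEMP% and the REG_MULTI_SZ data fax\0mail are assumptions made for this example. A version that writes to HKLM must be run as administrator, exactly as the procedure above says.

```batch
@echo off
REM Added example (not from the original post): a Fix.bat that backs up a key,
REM applies the guide's REG ADD / COPY / DELETE examples, verifies each step
REM and restores the backup afterwards.
REM Assumption: HKCU is used instead of the guide's HKLM so no elevation is needed.
setlocal EnableExtensions

set "KEY=HKCU\Software\MySubkey"
set "COPY_KEY=HKCU\Software\MySubkey2"
set "BACKUP=%TEMP%\MySubkey-backup.reg"
set "HAVE_BACKUP=0"

REM 1. Back up the target key first. REG EXPORT writes a .reg file (/y overwrites silently).
REM    If the key does not exist yet there is nothing to back up.
reg query "%KEY%" >nul 2>&1
if %errorlevel% equ 0 (
    reg export "%KEY%" "%BACKUP%" /y >nul || goto :fail
    set "HAVE_BACKUP=1"
    echo Backup written to %BACKUP%
) else (
    echo %KEY% does not exist yet; no backup needed.
)

REM 2. REG ADD examples from the guide. /f suppresses the overwrite prompt.
reg add "%KEY%" /f >nul || goto :fail
reg add "%KEY%" /v AppInfo /t REG_DWORD /d 1 /f >nul || goto :fail
reg add "%KEY%" /v Data /t REG_BINARY /d fe340ead /f >nul || goto :fail
REM \0 is the default REG_MULTI_SZ separator, so this stores two strings: fax and mail.
reg add "%KEY%" /v MRU /t REG_MULTI_SZ /d fax\0mail /f >nul || goto :fail

REM 3. Verify. REG QUERY exits non-zero when the value is missing; the final
REM    call prints name, type and data so the stored types can be checked.
for %%V in (AppInfo Data MRU) do (
    reg query "%KEY%" /v %%V >nul 2>&1 || (
        echo Value %%V was not created & goto :fail
    )
)
reg query "%KEY%"

REM 4. REG COPY example: /s copies subkeys and values recursively, /f skips the prompt.
reg copy "%KEY%" "%COPY_KEY%" /s /f >nul || goto :fail
reg query "%COPY_KEY%" /v AppInfo >nul 2>&1 || goto :fail

REM 5. REG DELETE examples: a single value, then every value (/va), then a whole subkey.
reg delete "%KEY%" /v AppInfo /f >nul || goto :fail
reg delete "%KEY%" /va /f >nul || goto :fail
reg delete "%COPY_KEY%" /f >nul || goto :fail

REM 6. Put the key back the way it was. REG IMPORT merges the .reg file back in;
REM    if the key did not exist before, remove it entirely.
if "%HAVE_BACKUP%"=="1" (
    reg import "%BACKUP%" >nul 2>&1 || goto :fail
    echo Restored %KEY% from %BACKUP%
) else (
    reg delete "%KEY%" /f >nul
)
echo Done.
endlocal
exit /b 0

:fail
echo A REG command failed with exit code %errorlevel%.
echo Earlier steps were not rolled back; re-import %BACKUP% with REG IMPORT if a backup was taken.
endlocal
exit /b 1
```

Save it as Fix.bat following the steps above and run it from a Command Prompt so the output stays visible. The REG QUERY listing in step 3 shows each value with its type; the REG_MULTI_SZ entry is displayed as fax\0mail, with \0 marking the boundary between the two stored strings. Taking the export before the first REG ADD is the habit worth copying into any registry fix: it is the only undo you have once /f has been used.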