How Do I Search the Registry for a Value in PowerShell?
Wednesday, 12 July 2006
The question came up recently in an internal discussion list, “How do I search the Registry for a value in PowerShell?”
In the FileSystem, we have the select-string cmdlet to do the hard work for you. We don’t have the equivalent yet for other stores, so unfortunately the answer is to write ‘grep’ from scratch. It’s manageable, though.
The key here is to think of registry key values like you would think of content in a file:
Directories have items, items have content.
Registry keys have properties, properties have values.
The way to get property values in PowerShell is the Get-ItemProperty cmdlet.
So:
cd HKCU:
Get-ChildItem . –rec –ea SilentlyContinue
Gets you all of the subkeys in the registry, just like you might get all of the files on your hard drive. We then pass that into the “Get-ItemPropery” cmdlet, to get the content of the properties:
| foreach { Get-ItemProperty –Path $_.PsPath }
To check for matches, we use the –match operator:
... (Get-ItemProperty -Path $_.PsPath) -match "evr.dll"
But that just outputs a bunch of “Yes” and “No” answers. We in fact want to output the key name if this matches, so we wrap that in an If statement and output the path:
... if( (Get-ItemProperty -Path $_.PsPath) -match "evr.dll") { $_.PsPath }
That gives us a script-like representation of:
######################################################################
##
## Search-RegistryKeyValues.ps1
## Search the registry keys from the current location and down for a
## given key value.
##
######################################################################param([string] $searchText = $(throw "Please specify text to search for."))
gci . -rec -ea SilentlyContinue |
% {
if((get-itemproperty -Path $_.PsPath) -match $searchText)
{
$_.PsPath
}
}
Or a “one-liner of”:
gci . -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match "<SomeText>") { $_.PsPath} }
No. 1 — September 12th, 2011 at 6:32 am
How can i search a remote machine using a “one Liner” ?
How can i search a remote machine for more that one registry value in a “one liner”
No. 2 — April 11th, 2013 at 2:16 pm
how do I search the entire registry and delete all the files that has “whateverword”? I”m asking because
above command only searches HKCU. I want to search the entire registry. Is there a way?
No. 3 — October 17th, 2013 at 4:21 pm
How would I get the path to a key that contains a match for 2 values. This path is dynamic so I would need to find out the path to them before I try to manupulate them.
The key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{c2065683-18a4-4dd8-a2a4-0ea43fcdafe6}\Properties
It has Value name {b3f8fa53-0004-438e-9003-51a46e139bfc},6 With Value data “Realtek High Definition Audio”
as well as Value name {a45c254e-df1c-4efd-8020-67d146a850e0},2 With Value data “Microphone”
No. 4 — January 14th, 2014 at 7:32 am
Hi, first excuse me for my bad english i am french 😀
I want to thank you for this tips but i have one problem, i will appreciate if you can help me to resolve this..
The problem is: i have a key registry (PEACY) that contain subkeys (0, 1 , 101, 100…..) like this for example:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PEACY]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PEACY]
“Name”=”Adobe Reader (0)”
“Status”=”success”
“Prev_Timestamp”=”2012/09/05 05:05:10”
“Prev_UpdateVer”=”63”
“Prev_SubfunctionPkey”=”{68DE7BC5-CCE7-40A9-A222-AB5B98A57895}”
“LastInstallDate”=”2013-08-21 09:30:30”
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PEACY\1006]
“Name”=”Microsoft Hotfix Rollout Status (1006)”
“Status”=”success”
“UpdateVer”=”3”
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PEACY\1008]
“Name”=”PEACY Performance Monitor (1015)”
“Status”=”unavailable”
“install_never”=”1”
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PEACY\1009]
“Name”=”PEACY Performance Monitor (1009)”
“status”=”unavailable”
“install_never”=”1”
“hidden”=dword:00000001
.
.
.
.
.
————————————————
I want to retrieve on every subkeys keys from (SOFTWARE\Wow6432Node\PEACY\) the content of the “Name” keys, but only if the other keys “Status” contain the value “Success” like my example..and finally store the result on text file to get a list of software name :
————————–
Adobe Reader (0)
Microsoft Hotfix Rollout Status (1006)
————-
i need you’r help because i am beginner on powershell, thanks for advance 🙂
Best Regards
Kevin
No. 5 — November 12th, 2015 at 1:21 am
[…] I’m using some powershell code from here […]
No. 6 — January 19th, 2018 at 11:58 am
I used the information from this page to write a script that can search for key values in the registry.
I had good help from Jan Egil Ring also 🙂
—
—
$Server = “servername”
Invoke-Command -Computername $Server -ScriptBlock {
$SearchText = “filname.dll” #I’m using it to find DLL’s
New-PSDrive -Name HCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
$HCRLib = Get-ChildItem -Path “HCR:\\TypeLib” -Recurse -ea SilentlyContinue
ForEach($HCRItem in $HCRLib) {
$HCRItem = Get-ItemProperty $HCRItem.PSPath | Select “(Default)”
If ($HCRItem -imatch $SearchText){Write-Host “Found $HCRItem”}
}
Remove-PSDrive -Name HCR
}
—
—
I hope you can make this one work to suite your needs.
Best regards
Håkon
No. 7 — February 13th, 2019 at 3:08 pm
I made my own version of get-itemproperty that outputs path,name,value,type properties, that I can pipe to where-object.
function get-itemproperty2 {
param([parameter(ValueFromPipeline)]$key)
process {
$key.getvaluenames() | foreach-object {
$value = $_
[pscustomobject] @{
Path = $Key -replace ‘HKEY_CURRENT_USER’,
‘HKCU:’ -replace ‘HKEY_LOCAL_MACHINE’,’HKLM:’
Name = $Value
Value = $Key.GetValue($Value)
Type = $Key.GetValueKind($Value)
}
}
}
}