How Do I Search the Registry for a Value in PowerShell?

The question came up recently in an internal discussion list: “How do I search the Registry for a value in PowerShell?”

In the FileSystem, we have the select-string cmdlet to do the hard work for you.  We don’t have the equivalent yet for other stores, so unfortunately the answer is to write ‘grep’ from scratch.  It’s manageable, though.

The key here is to think of registry key values like you would think of content in a file:

Directories have items, items have content.
Registry keys have properties, properties have values.

The way to get property values in PowerShell is the Get-ItemProperty cmdlet.

So:

cd HKCU:
Get-ChildItem . -rec -ea SilentlyContinue

This gets you all of the subkeys under the current registry location, just like you might get all of the files on your hard drive.  We then pass that into the “Get-ItemProperty” cmdlet to get the content of the properties:

| foreach { Get-ItemProperty -Path $_.PsPath }

To check for matches, we use the -match operator:

... (Get-ItemProperty -Path $_.PsPath) -match "evr.dll"

But that just outputs a bunch of “Yes” and “No” answers.  We in fact want to output the key name if this matches, so we wrap that in an If statement and output the path:

... if( (Get-ItemProperty -Path $_.PsPath) -match "evr.dll") { $_.PsPath }

That gives us a script-like representation of:

######################################################################
##
## Search-RegistryKeyValues.ps1
## Search the registry keys from the current location and down for a
## given key value.
##
######################################################################

param([string] $searchText = $(throw "Please specify text to search for."))

gci . -rec -ea SilentlyContinue | 
   % { 
      if((get-itemproperty -Path $_.PsPath) -match $searchText)
      { 
         $_.PsPath
      } 
   } 

 

Or, as a “one-liner”:

gci . -rec -ea SilentlyContinue | % { if((get-itemproperty -Path $_.PsPath) -match "<SomeText>") { $_.PsPath} }
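The script above reports only the key path, and -match treats the search text as a regular expression, so the "." in "evr.dll" matches any character. The following is an added example, not part of the original post, that escapes the text by default and reports which value matched; the function name Search-RegistryValue and its parameters are hypothetical.

```powershell
# Added example; Search-RegistryValue and its parameter names are hypothetical.
function Search-RegistryValue {
    param(
        [Parameter(Mandatory)] [string] $Text,
        [string] $Path = '.',
        [switch] $Regex          # treat $Text as a regular expression
    )

    # -match takes a regex, so "evr.dll" would also match "evrXdll".
    # Escape the text unless the caller asked for regex semantics.
    $pattern = if ($Regex) { $Text } else { [regex]::Escape($Text) }

    # Include the starting key itself, then every readable subkey.
    $keys = @(Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($key in $keys) {
        # Skip anything that is not a registry key (e.g. run from a file system drive).
        if ($key -isnot [Microsoft.Win32.RegistryKey]) { continue }
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            if ($kind -eq 'Binary') { continue }      # skip raw byte blobs
            # Read REG_EXPAND_SZ unexpanded so the stored text is what gets searched.
            $data = $key.GetValue($name, $null, $noExpand)
            $asText = @($data) -join "`n"             # flattens REG_MULTI_SZ
            # Match on either the value name or the value data.
            if ($asText -match $pattern -or $name -match $pattern) {
                [pscustomobject]@{
                    Path = $key.PSPath
                    Name = if ($name) { $name } else { '(Default)' }
                    Kind = $kind
                    Data = $data
                }
            }
        }
    }
}

# Usage: literal search for evr.dll under the current user's Software key.
Search-RegistryValue -Text 'evr.dll' -Path 'HKCU:\Software' |
    Format-Table Path, Name, Data -AutoSize
```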

7 Responses to “How Do I Search the Registry for a Value in PowerShell?”

  1. hector writes:

    How can I search a remote machine using a “one-liner”?
    How can I search a remote machine for more than one registry value in a “one-liner”?

  2. Richard writes:

    How do I search the entire registry and delete all the files that has “whateverword”? I’m asking because
    above command only searches HKCU. I want to search the entire registry. Is there a way?

  3. Marlon writes:

    How would I get the path to a key that contains a match for 2 values? This path is dynamic so I would need to find out the path to them before I try to manipulate them.

    The key is:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{c2065683-18a4-4dd8-a2a4-0ea43fcdafe6}\Properties

    It has Value name {b3f8fa53-0004-438e-9003-51a46e139bfc},6 With Value data “Realtek High Definition Audio”
    as well as Value name {a45c254e-df1c-4efd-8020-67d146a850e0},2 With Value data “Microphone”

  4. Kevin writes:

    Hi, first excuse me for my bad English, I am French 😀

    I want to thank you for this tip but I have one problem, I will appreciate if you can help me to resolve this..

    The problem is: I have a registry key (PEACY) that contains subkeys (0, 1, 101, 100…..) like this for example:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PEACY]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PEACY]
    “Name”=”Adobe Reader (0)”
    “Status”=”success”
    “Prev_Timestamp”=”2012/09/05 05:05:10”
    “Prev_UpdateVer”=”63”
    “Prev_SubfunctionPkey”=”{68DE7BC5-CCE7-40A9-A222-AB5B98A57895}”
    “LastInstallDate”=”2013-08-21 09:30:30”

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PEACY\1006]
    “Name”=”Microsoft Hotfix Rollout Status (1006)”
    “Status”=”success”
    “UpdateVer”=”3”

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PEACY\1008]
    “Name”=”PEACY Performance Monitor (1015)”
    “Status”=”unavailable”
    “install_never”=”1”

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PEACY\1009]
    “Name”=”PEACY Performance Monitor (1009)”
    “status”=”unavailable”
    “install_never”=”1”
    “hidden”=dword:00000001
    .
    .
    .
    .
    .

    ————————————————

    I want to retrieve on every subkeys keys from (SOFTWARE\Wow6432Node\PEACY\) the content of the “Name” keys, but only if the other keys “Status” contain the value “Success” like my example..and finally store the result on text file to get a list of software name :
    ————————–
    Adobe Reader (0)
    Microsoft Hotfix Rollout Status (1006)

    ————-

    I need your help because I am a beginner on PowerShell, thanks in advance 🙂

    Best Regards
    Kevin

  5. Searching windows registry (specifically) HKLM with powershell very slow – segmentfault writes:

    […] I’m using some powershell code from here […]

  6. Håkon Rødfjell writes:

    I used the information from this page to write a script that can search for key values in the registry.
    I had good help from Jan Egil Ring also 🙂


    $Server = "servername"

    Invoke-Command -Computername $Server -ScriptBlock {
        $SearchText = "filname.dll" # I'm using it to find DLLs

        New-PSDrive -Name HCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
        $HCRLib = Get-ChildItem -Path "HCR:\\TypeLib" -Recurse -ea SilentlyContinue

        ForEach($HCRItem in $HCRLib) {
            $HCRItem = Get-ItemProperty $HCRItem.PSPath | Select "(Default)"
            If ($HCRItem -imatch $SearchText){Write-Host "Found $HCRItem"}
        }
        Remove-PSDrive -Name HCR
    }

    I hope you can make this one work to suit your needs.

    Best regards
    Håkon

  7. js2010 writes:

    I made my own version of get-itemproperty that outputs path,name,value,type properties, that I can pipe to where-object.

    function get-itemproperty2 {
        param([parameter(ValueFromPipeline)]$key)
        process {
            $key.getvaluenames() | foreach-object {
                $value = $_
                [pscustomobject] @{
                    Path = $Key -replace 'HKEY_CURRENT_USER',
                        'HKCU:' -replace 'HKEY_LOCAL_MACHINE','HKLM:'
                    Name = $Value
                    Value = $Key.GetValue($Value)
                    Type = $Key.GetValueKind($Value)
                }
            }
        }
    }
