Obtaining registry data
You can obtain or modify registry data by using the WMI StdRegProv class and its methods. While you can use the Regedit utility to view and change registry values on the local computer, StdRegProv allows you to use a script or application to automate such activities on the local computer and on remote computers.
StdRegProv contains methods to do the following:
- Verify the access permissions for a user
- Create, enumerate, and delete registry keys
- Create, enumerate, and delete subkeys or named values
- Read, write, and delete data values
Registry data is organized by subtrees, keys, and subkeys nested under a top-level key. The actual data values are called entries or named values.
The subtrees include the following:
- HKEY_CLASSES_ROOT (abbreviated as HKCR)
- HKEY_CURRENT_USER (HKCU)
- HKEY_LOCAL_MACHINE (HKLM)
- HKEY_USERS
- HKEY_CURRENT_CONFIG
For example, in the registry entry HKEY\SOFTWARE\Microsoft\DirectX\InstalledVersion, the HKEY subtree is SOFTWARE; the subkeys are Microsoft and DirectX; and the named value entry is InstalledVersion.
A RegistryKeyChangeEvent occurs when a specific key changes, but the event does not identify how the values changed, nor is it raised by changes below the specified key. To identify changes anywhere in a hierarchical key structure, use the RegistryTreeChangeEvent, which likewise does not report which specific values or keys changed. To detect a change to a specific entry value, use the RegistryValueChangeEvent, and read the entry beforehand to obtain a baseline value to compare against.
StdRegProv only has methods that can be called from C++ or script, which is different from the Win32 class structure.
The following code example shows how to use the StdRegProv.EnumKey method to list all of the Microsoft software subkeys under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.

```vb
' HKEY_LOCAL_MACHINE expressed as the uint32 hDefKey value StdRegProv expects
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."   ' "." is the local computer; use a host name for a remote one
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft"
' EnumKey returns the subkey names through the out parameter arrSubKeys
objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
For Each subkey In arrSubKeys
    Wscript.Echo subkey
Next
```
Note
VBScript is deprecated. For details, see the blog post VBScript deprecation: Timelines and next steps.
```powershell
# The signature for EnumKey method of StdRegProv class:
#
# uint32 EnumKey(
#   [in]  uint32 hDefKey = HKEY_LOCAL_MACHINE,
#   [in]  string sSubKeyName,
#   [out] string sNames[]
# );
$arguments = @{
    hDefKey = [uint32]2147483650 # HKEY_LOCAL_MACHINE
    sSubKeyName = 'SOFTWARE\Microsoft'
}
$subkeys = Invoke-CimMethod -ClassName StdRegProv -MethodName EnumKey -Arguments $arguments
# The subkey names come back in the out parameter sNames
$subkeys.sNames
```
StdRegProv has a different method for reading each registry value data type. If you do not know which named values a key contains, call StdRegProv.EnumValues to list them together with their types. The following table lists the correspondence between StdRegProv methods and the data types.
| Method | Data Type |
|---|---|
| GetBinaryValue | REG_BINARY |
| GetDWORDValue | REG_DWORD |
| GetExpandedStringValue | REG_EXPAND_SZ |
| GetMultiStringValue | REG_MULTI_SZ |
| GetStringValue | REG_SZ |
The following table lists the corresponding methods for creating new keys or values, or changing existing ones.
| Method | Data Type |
|---|---|
| SetBinaryValue | REG_BINARY |
| SetDWORDValue | REG_DWORD |
| SetExpandedStringValue | REG_EXPAND_SZ |
| SetMultiStringValue | REG_MULTI_SZ |
| SetStringValue | REG_SZ |
The following example shows how to read the list of sources for the system event log from the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System. Note that the items in the multistring value are treated as a collection or array.
```vb
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Services\Eventlog\System"
strValueName = "Sources"   ' the REG_MULTI_SZ value that lists the log's event sources
' GetMultiStringValue returns the strings as an array through arrValues
objReg.GetMultiStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrValues
For Each strValue In arrValues
    Wscript.Echo strValue
Next
```
Note
VBScript is deprecated. For details, see the blog post VBScript deprecation: Timelines and next steps.
```powershell
# The signature for GetMultiStringValue method of StdRegProv class:
#
# uint32 GetMultiStringValue(
#   [in]  uint32 hDefKey = HKEY_LOCAL_MACHINE,
#   [in]  string sSubKeyName,
#   [in]  string sValueName,
#   [out] string sValue[]
# );
$arguments = @{
    hDefKey = [uint32]2147483650 # HKEY_LOCAL_MACHINE
    sSubKeyName = 'SYSTEM\CurrentControlSet\Services\Eventlog\System'
    sValueName = 'Sources'       # the REG_MULTI_SZ value that lists the log's event sources
}
$values = Invoke-CimMethod -ClassName StdRegProv -MethodName GetMultiStringValue -Arguments $arguments
# Each string in the REG_MULTI_SZ value comes back as one element of the sValue array
$values.sValue
```
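The registry event classes described earlier report that a key changed but not which value, and the Get*Value methods in the tables are selected by data type. The following added example, which is not from the original page, combines both points: it snapshots the named values under a key with EnumValues and the per-type Get*Value methods, subscribes to RegistryKeyChangeEvent, and diffs the snapshot on each event to report which value was added, removed or changed. The watched key (the HKLM Run key, a common persistence location worth monitoring) and the root\default namespace are my choices, and the script assumes local read access to that key.

```powershell
# Added example (not from the original page): turn a RegistryKeyChangeEvent, which only says
# that a key changed, into a report of which named value changed, by keeping a baseline
# snapshot of the key and diffing it after each event. Assumes local read access to the key.
$Hive    = [uint32]2147483650                               # HKEY_LOCAL_MACHINE
$KeyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'  # chosen for illustration

function Invoke-StdRegProv([string]$Method, [hashtable]$Params) {
    # StdRegProv is defined in root\default; the page's examples rely on the root\cimv2 copy.
    Invoke-CimMethod -Namespace root\default -ClassName StdRegProv -MethodName $Method -Arguments $Params
}

function Get-KeySnapshot([uint32]$Hive, [string]$KeyPath) {
    # EnumValues returns two parallel arrays: sNames[] and Types[] (REG_* type codes).
    $enum = Invoke-StdRegProv EnumValues @{ hDefKey = $Hive; sSubKeyName = $KeyPath }
    $snap = @{}
    for ($i = 0; $i -lt $enum.sNames.Count; $i++) {
        $p = @{ hDefKey = $Hive; sSubKeyName = $KeyPath; sValueName = $enum.sNames[$i] }
        # Dispatch on the type code to the matching Get*Value method from the table above
        $snap[$enum.sNames[$i]] = switch ($enum.Types[$i]) {
            1 { (Invoke-StdRegProv GetStringValue $p).sValue }                 # REG_SZ
            2 { (Invoke-StdRegProv GetExpandedStringValue $p).sValue }         # REG_EXPAND_SZ
            4 { (Invoke-StdRegProv GetDWORDValue $p).uValue }                  # REG_DWORD
            7 { (Invoke-StdRegProv GetMultiStringValue $p).sValue -join ';' }  # REG_MULTI_SZ
            default { "<unhandled type $_>" }                                  # e.g. REG_BINARY (3)
        }
    }
    return $snap
}

$baseline = Get-KeySnapshot $Hive $KeyPath
# WQL string literals need the backslashes in the key path doubled
$query = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
         "AND KeyPath='$($KeyPath.Replace('\', '\\'))'"
Register-CimIndicationEvent -Namespace root\default -Query $query -SourceIdentifier RegWatch
Write-Host "Watching HKLM\$KeyPath (Ctrl+C to stop)"
try {
    while ($true) {
        $evt = Wait-Event -SourceIdentifier RegWatch
        Remove-Event -EventIdentifier $evt.EventIdentifier
        $current = Get-KeySnapshot $Hive $KeyPath
        foreach ($name in (@($baseline.Keys) + @($current.Keys) | Sort-Object -Unique)) {
            if (-not $current.ContainsKey($name))      { Write-Host "REMOVED  $name" }
            elseif (-not $baseline.ContainsKey($name)) { Write-Host "ADDED    $name = $($current[$name])" }
            elseif ("$($baseline[$name])" -ne "$($current[$name])") {
                Write-Host "CHANGED  $name : $($baseline[$name]) -> $($current[$name])"
            }
        }
        $baseline = $current   # the new snapshot becomes the baseline for the next event
    }
} finally {
    Unregister-Event -SourceIdentifier RegWatch
}
```

Because the event itself carries no value data, a burst of changes between two snapshots collapses into one diff; for per-value granularity, subscribe to RegistryValueChangeEvent with an explicit ValueName instead.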
The registry provider is hosted in LocalService, not LocalSystem. Therefore, obtaining information remotely from the subtree HKEY_CURRENT_USER is not possible. However, scripts run on the local computer can still access HKEY_CURRENT_USER. You can set the hosting model to LocalSystem on a remote machine, but that is a security risk because the registry on the remote machine then becomes vulnerable to hostile access. For more information, see Provider Hosting and Security.