Edit

Share via

!dreg

  • Article

The !dreg extension displays registry information.

!dreg [-d|-w] KeyPath[!Value] 
!dreg

Parameters

-d
Causes binary values to be displayed as DWORDs.

-w
Causes binary values to be displayed as WORDs.

KeyPath
Specifies the registry key path. It can begin with any of the following abbreviations:

hklm
HKEY_LOCAL_MACHINE

hkcu
HKEY_CURRENT_USER

hkcr
HKEY_CLASSES_ROOT

hku
HKEY_USERS

If no abbreviation is used, HKEY_LOCAL_MACHINE is assumed.

Value
Specifies the name of the registry value to be displayed. If an asterisk (*) is used, all values are displayed. If Value is omitted, all subkeys are displayed.

DLL

Ntsdexts.dll

Additional Information

For information about the registry, see the Windows Driver Kit (WDK) documentation and Microsoft Windows Internals by Mark Russinovich and David Solomon.

Remarks

The !dreg extension can be used to display the registry during user-mode debugging.

It is most useful during remote debugging, as it allows you to browse the registry of the remote machine. It is also useful when controlling the user-mode debugger from the kernel debugger, because you cannot run a standard registry editor on the target machine when it is frozen. (You can use the .sleep command for this purpose as well. See Controlling the User-Mode Debugger from the Kernel Debugger for details.)

It is also useful when debugging locally, as the information is presented in an easily readable format.

If !dreg is used during kernel-mode debugging, the results shown will be for the host computer, and not the target computer. To display raw registry information for the target computer, use the !reg extension instead.

Here are some examples. The following will display all subkeys of the specified registry key:

!dreg hkcu\Software\Microsoft

The following will display all values in the specified registry key:

!dreg System\CurrentControlSet\Services\Tcpip!*

The following will display the value Start in the specified registry key:

!dreg System\CurrentControlSet\Services\Tcpip!Start

Typing !dreg without any arguments will display some brief Help text for this extension in the Debugger Command window.