Working with registry keys
This sample only applies to Windows platforms.
Because registry keys are items on PowerShell drives, working with them is very similar to working with files and folders. One critical difference is that every item on a registry-based PowerShell drive is a container, just like a folder on a file system drive. However, registry entries and their associated values are properties of the items, not distinct items.
Listing all subkeys of a registry key
You can show all items directly within a registry key using Get-ChildItem. Add the optional
Force parameter to display hidden or system items. For example, this command displays the items
directly within PowerShell drive HKCU:, which corresponds to the HKEY_CURRENT_USER registry
hive:
Get-ChildItem -Path HKCU:\ | Select-Object Name
Hive: Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER
Name
----
HKEY_CURRENT_USER\AppEvents
HKEY_CURRENT_USER\Console
HKEY_CURRENT_USER\Control Panel
HKEY_CURRENT_USER\DirectShow
HKEY_CURRENT_USER\dummy
HKEY_CURRENT_USER\Environment
HKEY_CURRENT_USER\EUDC
HKEY_CURRENT_USER\Keyboard Layout
HKEY_CURRENT_USER\MediaFoundation
HKEY_CURRENT_USER\Microsoft
HKEY_CURRENT_USER\Network
HKEY_CURRENT_USER\Printers
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\System
HKEY_CURRENT_USER\Uninstall
HKEY_CURRENT_USER\WXP
HKEY_CURRENT_USER\Volatile Environment
These are the top-level keys visible under HKEY_CURRENT_USER in the Registry Editor
(regedit.exe).
You can also specify this registry path by specifying the registry provider's name, followed by
::. The registry provider's full name is Microsoft.PowerShell.Core\Registry, but this can be
shortened to just Registry. Any of the following commands will list the contents directly under
HKCU:.
Get-ChildItem -Path Registry::HKEY_CURRENT_USER
Get-ChildItem -Path Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER
Get-ChildItem -Path Registry::HKCU
Get-ChildItem -Path Microsoft.PowerShell.Core\Registry::HKCU
Get-ChildItem HKCU:
These commands list only the directly contained items, much like using DIR in cmd.exe or ls
in a UNIX shell. To show contained items, you need to specify the Recurse parameter. To list all
registry keys in HKCU:, use the following command.
Get-ChildItem -Path HKCU:\ -Recurse
Get-ChildItem can perform complex filtering capabilities through its Path, Filter,
Include, and Exclude parameters, but those parameters are typically based only on name. You
can perform complex filtering based on other properties of items using the Where-Object cmdlet.
The following command finds all keys within HKCU:\Software that have no more than one subkey and
also have exactly four values:
Get-ChildItem -Path HKCU:\Software -Recurse |
Where-Object {($_.SubKeyCount -le 1) -and ($_.ValueCount -eq 4) }
Copying keys
Copying is done with Copy-Item. The following example copies the CurrentVersion subkey of
HKLM:\SOFTWARE\Microsoft\Windows\ and all of its properties to HKCU:\.
Copy-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' -Destination HKCU:
If you examine this new key in the registry editor or using Get-ChildItem, you notice that you
don't have copies of the contained subkeys in the new location. In order to copy all of the contents
of a container, you need to specify the Recurse parameter. To make the preceding copy command
recursive, you would use this command:
Copy-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' -Destination HKCU: -Recurse
You can still use other tools you already have available to perform filesystem copies. Any registry
editing tools—including reg.exe, regini.exe, regedit.exe, and COM objects that support
registry editing, such as WScript.Shell and WMI's StdRegProv class can be used from within
PowerShell.
Creating keys
Creating new keys in the registry is simpler than creating a new item in a file system. Because all registry keys are containers, you don't need to specify the item type. Just provide an explicit path, such as:
New-Item -Path HKCU:\Software_DeleteMe
You can also use a provider-based path to specify a key:
New-Item -Path Registry::HKCU\Software_DeleteMe
Deleting keys
Deleting items is essentially the same for all providers. The following commands silently remove items:
Remove-Item -Path HKCU:\Software_DeleteMe
Remove-Item -Path 'HKCU:\key with spaces in the name'
Removing all keys under a specific key
You can remove contained items using Remove-Item, but you will be prompted to confirm the removal
if the item contains anything else. For example, if we attempt to delete the HKCU:\CurrentVersion
subkey we created, we see this:
Remove-Item -Path HKCU:\CurrentVersion
Confirm
The item at HKCU:\CurrentVersion\AdminDebug has children and the -recurse
parameter was not specified. If you continue, all children will be removed with
the item. Are you sure you want to continue?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
To delete contained items without prompting, specify the Recurse parameter:
Remove-Item -Path HKCU:\CurrentVersion -Recurse
If you wanted to remove all items within HKCU:\CurrentVersion but not HKCU:\CurrentVersion
itself, you could instead use:
Remove-Item -Path HKCU:\CurrentVersion\* -Recurse
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for