Searching the Registry

I have been searching the internet most of the morning for this and I find multiple hits, with very similar code, though they miss the mark for me.

I have been tasked to find specific values (specifically an email address) and do a find and replace.

The basics. Yes, I have used get-childitem to riffle through the keys, then for each hive key (foreach) I use get-itemproperty based on $_.PsPath and match a specific string (the email address).

This finds the keys that have a subkey with this value, but it returns them all, not just the one subkey. I am having issues singling out the subkey with the value. Because of this, I am being very cautious. I would like to output the path (got that, $_.name), but I cannot get it to single out the subkey with the search value. $_.Property lists all the subkeys. As a last test I would like to output the value of that subkey (as a double check before I implement this sucker).

Thanks.

Please show your code. We are much faster when we can tweak existing code. :wink:

OK, this is kind of where I am at. I was using a known value and subkey (HKCU:\Console - FaceName : DefaultTTFont) to do my search (that way it was found quickly and I could test the subkey and values against something known).

$searchString = "DefaultTTFont"

cd HKCU:
Get-ChildItem . -rec -ea SilentlyContinue | foreach {
    if ((Get-ItemProperty -Path $_.PsPath) -match $searchString)
    {
        Write-Host "--------------------------------" -ForegroundColor Yellow
        $subList = Get-ItemProperty -Path $_.PsPath

        Write-Host $_.name -NoNewline
        Write-Host "" -NoNewline
        Write-Host $_.Property -ForegroundColor Cyan -NoNewline
        Write-Host " : " -NoNewline
        Get-ItemProperty -Path $_.PSPath -Name "Default"
        Write-Host -ForegroundColor Green

        Write-Host "--------------------------------" -ForegroundColor Yellow
    }
}

Does this help?

# get-itemproperty2.ps1

# get-childitem skips top level key properties, use get-item for that

# example pipe to set-itemproperty:
# ls -r hkcu:\key1 | get-itemproperty2 | where value -match value | 
#   set-itemproperty -value myvalue -whatif
 
param([parameter(ValueFromPipeline)]$key)

process { 
  $valuenames = $key.getvaluenames() 

  if ($valuenames) { 
    $valuenames | foreach {
      $value = $_
      [pscustomobject] @{
        Path = $key -replace 'HKEY_CURRENT_USER',
          'HKCU:' -replace 'HKEY_LOCAL_MACHINE','HKLM:'
        Name = $Value
        Value = $Key.GetValue($Value)
        Type = $Key.GetValueKind($Value)
      }
    }
  } else {
    [pscustomobject] @{
      Path = $key -replace 'HKEY_CURRENT_USER',
        'HKCU:' -replace 'HKEY_LOCAL_MACHINE','HKLM:'
      Name = ''
      Value = ''
      Type = ''
    }
  }
}
get-childitem -recurse hkcu: | .\get-itemproperty2 | select -first 5

Path                      Name                     Value Type
----                      ----                     ----- ----
HKCU:\AppEvents
HKCU:\ApplicationDefaults
HKCU:\Console             CtrlKeyShortcutsDisabled 0     DWord
HKCU:\Console             CursorSize               25    DWord
HKCU:\Console             EnableColorSelection     0     DWord

Sorry for the late reply. I found something that worked and the team threw me heavy into the project to get those pieces working. Here is what I found to work:

####################################
# Collect the Registry data
####################################
# Assumes an HKU: drive exists (e.g. New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS)
# and that $jEmail and $RegSID are set earlier in the script.
Write-Host "**************************************************" -ForegroundColor Yellow
Write-Host "Scanning Registry for " -NoNewline
Write-Host $jEmail -ForegroundColor Cyan
# Grab the registry based on the hive you need.
$keys =@(Get-Item HKU:\$RegSID\software -ErrorAction SilentlyContinue) + @(Get-ChildItem -Recurse HKU:\$RegSID\software -ErrorAction SilentlyContinue);

###################################
# Search (and replace)
###################################
$results = @()
foreach ($key in $keys){
    foreach ($vname in $key.GetValueNames()){
        $val = $key.GetValue($vname)
        if ($val -like $jEmail){
            $r = @{}
            $r.Key = $key.ToString() -replace "HKEY_USERS", "HKU:"
            $r.SubName = $vname.ToString()
            $r.Val = $val.ToString()
            $results += $r
        }
    }
}

This is a specific use of the search and find, but hopefully others who are looking for this can get what they need from it. Basically it was the "$keys =@(Get-Item HKU:\$RegSID\software -ErrorAction SilentlyContinue) + @(Get-ChildItem -Recurse HKU:\$RegSID\software -ErrorAction SilentlyContinue);" piece that I needed.

Thanks for the response.
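
Added example, not code from any post in this thread: one way to get exactly one object per matching value (key path, value name, type and data) and preview the replacement with -WhatIf before committing it. It goes beyond the thread by handling multi-string values and preserving each value's type; the function name, root path and both addresses are assumptions chosen for illustration.

```powershell
# Added example. Find-RegistryValueData, the root path and both addresses are hypothetical.
function Find-RegistryValueData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,   # e.g. 'HKCU:\Software'
        [Parameter(Mandatory)][string]$Text    # literal text to look for in value data
    )
    $pattern = [regex]::Escape($Text)
    # Get-ChildItem skips the root key's own values, so add the root with Get-Item.
    $keys = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            # Only text types can hold an address; DWord, Binary etc. are skipped.
            if ($kind -notin 'String', 'ExpandString', 'MultiString') { continue }
            # Read raw data so %VAR% in ExpandString values is not expanded and written back.
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if (@($data) -match $pattern) {
                [pscustomobject]@{
                    Path = $key.PSPath   # provider-qualified path, works for any hive
                    Name = $name         # empty string means the key's (default) value
                    Kind = $kind
                    Data = $data
                }
            }
        }
    }
}

$old = 'old.user@example.com'   # constructed sample values
$new = 'new.user@example.com'
$hits = @(Find-RegistryValueData -Root 'HKCU:\Software' -Text $old)
$hits | Format-Table Path, Name, Kind, Data -AutoSize -Wrap   # one row per matching value

foreach ($hit in $hits) {
    $fixed = $hit.Data -replace [regex]::Escape($old), $new   # case-insensitive replace
    if ($hit.Kind -eq 'MultiString') { $fixed = [string[]]$fixed }
    $name = if ($hit.Name) { $hit.Name } else { '(default)' }
    # -WhatIf only reports what would be written; remove it after reviewing the table above.
    Set-ItemProperty -LiteralPath $hit.Path -Name $name -Value $fixed -Type $hit.Kind -WhatIf
}
```

Exporting the affected keys with reg export before removing -WhatIf gives a rollback point.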