Prof. Powershell

Riding the Registry

Mini-series on PowerShell tricks for working with registry starts now.

• By Jeffery Hicks
• 09/01/2009

In past columns I've discussed PSDrives and PowerShell providers that abstract access to different storage systems, like the registry. These providers translate file system commands like DIR into something the underlying storage system understands. I want to talk specifically about the registry for the next few lessons.

PowerShell starts up with two default PSDrives:

PS C:\> get-psdrive -PSProvider registry

Name   Provider   Root
----   --------   ----
HKCU   Registry   HKEY_CURRENT_USER
HKLM   Registry   HKEY_LOCAL_MACHINE

You can change "directories" just as you would any other file system folder:

PS C:\> cd hklm:
PS HKLM:\>

Notice the prompt change? Run the DIR command:

PS HKLM:\> dir

  Hive: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE

SKC  VC   Name           Property
---  --   ----           --------
  4   0   HARDWARE       {}
  1   0   SAM            {}
Get-ChildItem : Requested registry access is not allowed.
At line:1 char:3
+ dir <<<<
 58   2   SOFTWARE       {Exitkey, (default)}
  9   0   SYSTEM         {}

Access errors are to be expected as some parts of the registry are typically off-limits. But we can navigate just as we would any other file system:

PS HKLM:\> cd software\microsoft\windows\currentversion
PS HKLM:\software\microsoft\windows\currentversion>

You can recursively list registry items:

PS HKLM:\software\microsoft\windows\currentversion> dir -rec

However not all providers are equal. While this may be a legitimate expression in the file system, it fails in the registry:

PS HKLM:\software\microsoft\windows\currentversion> dir -rec -filter windows*
Get-ChildItem : Cannot call method. The provider does not support the use of filters.
At line:1 char:4
+ dir <<<< -rec -filter windows*

There are other ways to accomplish this task that will work:

PS HKLM:\software\microsoft\windows\currentversion> dir windows* -recurse

There's also no reason not to use other PowerShell cmdlets here. I'm going to build a text list with all of the registry key names under the Uninstall key:

PS HKLM:\software\microsoft\windows\currentversion> dir uninstall | select PSChildname | out-file c:\uninstallapps.txt

By the way, the registry provider only works for the local machine, although with PowerShell 2.0 you could establish a remote session and then navigate through the registry as I've done here. As you work through the registry you'll quickly realize that registry values aren't handled as leaf objects, like files are in a folder so it takes a little extra work to extract that information Next time I'll show you how.