The old REG QUERY command lets us search the Windows registry and use its output to check system integrity and look for signs of malware infection.
REG QUERY is one operation of the built-in REG command, which performs operations on the registry.
The help command shows us:
```
reg query /?

REG QUERY KeyName [/v [ValueName] | /ve] [/s]
          [/f Data [/k] [/d] [/c] [/e]] [/t Type] [/z] [/se Separator]
          [/reg:32 | /reg:64]

  KeyName  [\\Machine\]FullKey
           Machine - Name of remote machine, omitting defaults to the
                     current machine. Only HKLM and HKU are available on
                     remote machines
           FullKey - in the form of ROOTKEY\SubKey name
               ROOTKEY - [ HKLM | HKCU | HKCR | HKU | HKCC ]
               SubKey  - The full name of a registry key under the
                         selected ROOTKEY

  /v       Queries for a specific registry key values.
           If omitted, all values for the key are queried.
           Argument to this switch can be optional only when specified
           along with /f switch. This specifies to search in valuenames only.

  /ve      Queries for the default value or empty value name (Default).

  /s       Queries all subkeys and values recursively (like dir /s).

  /se      Specifies the separator (length of 1 character only) in
           data string for REG_MULTI_SZ. Defaults to "\0" as the separator.

  /f       Specifies the data or pattern to search for.
           Use double quotes if a string contains spaces. Default is "*".

  /k       Specifies to search in key names only.

  /d       Specifies the search in data only.

  /c       Specifies that the search is case sensitive.
           The default search is case insensitive.

  /e       Specifies to return only exact matches.
           By default all the matches are returned.

  /t       Specifies registry value data type.
           Valid types are:
             REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ,
             REG_DWORD, REG_QWORD, REG_BINARY, REG_NONE
           Defaults to all types.

  /z       Verbose: Shows the numeric equivalent for the type of
           the valuename.

  /reg:32  Specifies the key should be accessed using the 32-bit
           registry view.

  /reg:64  Specifies the key should be accessed using the 64-bit
           registry view.

Examples:

  REG QUERY HKLM\Software\Microsoft\ResKit /v Version
    Displays the value of the registry value Version

  REG QUERY \\ABC\HKLM\Software\Microsoft\ResKit\Nt\Setup /s
    Displays all subkeys and values under the registry key Setup
    on remote machine ABC

  REG QUERY HKLM\Software\Microsoft\ResKit\Nt\Setup /se #
    Displays all the subkeys and values with "#" as the seperator
    for all valuenames whose type is REG_MULTI_SZ.

  REG QUERY HKLM /f SYSTEM /t REG_SZ /c /e
    Displays Key, Value and Data with case sensitive and exact
    occurrences of "SYSTEM" under HKLM root for the data type REG_SZ

  REG QUERY HKCU /f 0F /d /t REG_BINARY
    Displays Key, Value and Data for the occurrences of "0F" in data
    under HKCU root for the data type REG_BINARY

  REG QUERY HKLM\SOFTWARE /ve
    Displays Value and Data for the empty value (Default) under HKLM\SOFTWARE
```
First, you need to know how the root keys of the registry database are abbreviated:
```
ROOTKEY is abbreviated when using reg query as follows:
HKEY_CLASSES_ROOT   is abbreviated to HKCR
HKEY_CURRENT_USER   is abbreviated to HKCU
HKEY_LOCAL_MACHINE  is abbreviated to HKLM
HKEY_USERS          is abbreviated to HKU
HKEY_CURRENT_CONFIG is abbreviated to HKCC
```
When you build a query, combine the key name with the switches shown in the help examples.
How can this command be used? Let's try some examples:
1. Show the integrity of Windows at boot (the Winlogon and Run/RunOnce autostart keys):
```
C:\Windows\system32> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
C:\Windows\system32> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
C:\Windows\system32> reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
C:\Windows\system32> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
```
2. Test for malware (the rundll32.exe javascript: infection):
– list all rundll32.exe values found under the Run keys:
```
REG Query HKLM\Software /F "Run" /S | findstr "rundll32.exe"
```
– if the next command produces any output, the operating system may be infected with a rundll32.exe javascript:… script:
```
REG Query HKLM\Software /F "Run" /S | findstr "rundll32.exe" | findstr "javascript"
```
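As an added example that is not part of the original post, the following Python script parses the text that `reg query ... /s` prints (a constructed sample is embedded so it runs offline) and flags every value whose data pairs rundll32 with a javascript: URL. Unlike the findstr pipeline above, which is case-sensitive unless /I is given, the match is case-insensitive so a "RunDll32.exe" spelling is not missed; the `query_run_keys` helper, which runs the page's reg query command on a live Windows host, is an assumed way of feeding it real output.

```python
import re
import subprocess
from typing import Iterator, List, Tuple

# Constructed sample of what "reg query HKLM\Software /f Run /s" prints; not a real capture.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    RunDll32.exe javascript:"\..\mshtml,RunHTMLApplication"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Cleanup    REG_SZ    rundll32.exe shell32.dll,Control_RunDLL

End of search: 3 match(es) found.
"""

# reg query prints each key on its own line and each value indented by four spaces,
# with name, type and data separated by four-space runs.
KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")
VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")
# rundll32 followed by a javascript: URL anywhere in the value data; IGNORECASE so that
# "RunDll32.exe" is caught too (findstr without /I would miss it).
SUSPICIOUS_RE = re.compile(r"rundll32(\.exe)?\b.*\bjavascript:", re.IGNORECASE)


def parse_reg_query(output: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (key, value_name, value_type, data) for every value line in reg query output."""
    key = None
    for line in output.splitlines():
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2), m.group(3)


def find_rundll32_javascript(output: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every value matching the rundll32/javascript: pattern."""
    return [(k, n, d) for k, n, _t, d in parse_reg_query(output) if SUSPICIOUS_RE.search(d)]


def query_run_keys() -> str:
    """Assumed helper: run the page's search on a live Windows host and return its text output."""
    proc = subprocess.run(["reg", "query", r"HKLM\Software", "/f", "Run", "/s"],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    for key, name, data in find_rundll32_javascript(SAMPLE_OUTPUT):
        print(f"SUSPICIOUS: {key} -> {name} = {data}")
```

On a Windows host, replace `SAMPLE_OUTPUT` with `query_run_keys()` to scan the real registry.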