Wednesday, January 17, 2007

Using The Registry with PowerShell

Providers, in PowerShell, are a way of exposing data to PowerShell's native cmdlets, such as Get-ChildItem, Get-ItemProperty, etc., in a consistent and predictable way. PowerShell ships with 7 providers.

The provider obtains data from some underlying data store such as the registry, DNS, the file system, etc., and exposes this information in a consistent way. PowerShell native cmdlets act on the provider interface to enable you to access data from any provider in a consistent manner.

One provider shipped with PowerShell is a Windows Registry provider that allows you to read and write to the Windows registry. The registry provider is installed by default, along with two Registry "drives", HKCU: (the current user) and HKLM: (local machine). You can see these two drives by typing:

PS C:\> Get-PSDrive | where {$_.name -match "hk"}

This command displays the two default drives, which you can use like other drives in PowerShell. You can also go to the root of the registry by specifying "Registry::".

To see all the service entries in your registry, you could do the following:

PS C:\> cd hklm:
PS HKLM:\> cd HKLM:\SYSTEM\CurrentControlSet\Services
PS HKLM:\SYSTEM\CurrentControlSet\Services> ls

Hive: Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

SKC VC Name Property
--- -- ---- --------
2 0 .NET CLR Data {}
2 0 .NET CLR Networking {}
2 0 .NET Data Provider for SqlS... {}
1 0 .NETFramework {}
0 5 Abiosdsk {ErrorControl, Group, Start, Tag...}
1 7 abp480n5 {ErrorControl, Group, Start, Tag...}
2 7 ACPI {ErrorControl, Group, Start, Tag...}
... {snipped for brevity}

As you can see, you can quickly get to the service definitions inside the registry.

With the Registry provider, each registry key maps to a child item (which can in turn have additional child items). The registry provider enables you to use Get-ChildItem (i.e. ls, dir) to retrieve children, aka individual registry keys. You can also use Set-Location (cd) to point to a specific hive or registry key. This means you can use the cd command to move up and down the registry and type dir or ls, in much the same way you would navigate the filestore using CMD.exe (or PowerShell).

Each registry key in the Windows registry can have registry value entries - where each entry has a name and an associated value. The registry provider exposes a registry value entry as an item property which you can manipulate using the Get-ItemProperty and Set-ItemProperty cmdlets.

To get the service startup type for, say, the TCP/IP service, you could do the following:

PS C:\> cd hklm:
PS HKLM:\> cd HKLM:\SYSTEM\CurrentControlSet\Services\tcpip
PS HKLM:\SYSTEM\CurrentControlSet\Services\tcpip> (Get-ItemProperty . ).start
1

The Set-ItemProperty cmdlet allows you to select a value entry and set a value. If, for example, you wanted to set the service startup type for the TCP/IP service to 999, you could do the following:

PS C:\> Set-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\tcpip" -name "Start" -value 999
PS C:\> (Get-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\tcpip").start
999

If you try this at home, be very careful and ensure you reset the startup type carefully!!!

Finally, to print out the startup type of each service (for those services that have a startup value set):

PS C:\> $shive= "HKLM:\SYSTEM\currentcontrolset\Services\"
PS C:\> $Services=ls -path $shive
PS C:\> foreach ($s in $services) {
>> $sername=($s.name.split("\"))[($s.name.split("\").count-1)]
>> $ss= get-ItemProperty -path registry::$s -erroraction silentlycontinue
>> if ($ss) {"Service: $sername, Start= $($ss.start)"}
>> }
>>
Service: Abiosdsk, Start= 4
Service: abp480n5, Start= 4
... {snipped for brevity}
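An added example (not part of the original post) that combines the read and write steps above: it lists each service's Start value with its documented meaning, flags out-of-range values such as the 999 used earlier, and wraps Set-ItemProperty so that invalid values are rejected and -WhatIf is supported. The function names Get-ServiceStartValue and Set-ServiceStartValue and the variable names are hypothetical; the code assumes PowerShell 3.0 or later on Windows.

```powershell
# Added example; function names are hypothetical. Needs PowerShell 3.0+ on Windows.
# Documented meanings of a service's Start value.
$StartTypes   = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceStartValue {
    param([string]$Root = $ServicesRoot)
    foreach ($key in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        # PSPath is provider-qualified, so no Registry:: prefix or string splitting is needed.
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.Start) { continue }  # key has no Start value
        $start = $props.Start -as [int]      # $null if the stored value is not numeric
        $known = ($null -ne $start) -and $StartTypes.ContainsKey($start)
        $type  = if ($known) { $StartTypes[$start] } else { 'INVALID' }
        [pscustomobject]@{
            Service = $key.PSChildName; Start = $props.Start; StartType = $type; Valid = $known
        }
    }
}

function Set-ServiceStartValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Service,
        # ValidateRange rejects values outside 0..4 before the registry is touched.
        [Parameter(Mandatory = $true)][ValidateRange(0, 4)][int]$Start,
        [string]$Root = $ServicesRoot
    )
    $path = "$Root\$Service"
    # Read the current value first; fail if the key or value does not exist.
    $old = (Get-ItemProperty -LiteralPath $path -Name Start -ErrorAction Stop).Start
    if ($PSCmdlet.ShouldProcess($path, "Set Start from $old to $Start")) {
        Set-ItemProperty -LiteralPath $path -Name Start -Value $Start
    }
    $old   # returned so the caller can restore the previous value
}

# Show only entries whose Start value is not one of the documented types.
Get-ServiceStartValue | Where-Object { -not $_.Valid } | Format-Table -AutoSize

# Preview a change without writing anything (-WhatIf); the old value is still returned.
Set-ServiceStartValue -Service tcpip -Start 1 -WhatIf
```

Writing under HKLM: requires an elevated session; the audit function only reads.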


 

Enjoy playing with the registry!

 

3 comments:

PReetamZ said...

Everything sounds great except for the fact that similar properties and methods can't be used remotely; you will have to do a lot of work with your code.

Anonymous said...

I need to know if I have access to PowerShell, WMI, and other script applications when I start a 'Repair Console'? Thanks in advance. Tom J

Thomas Lee said...

Tom: I have not tried it, but I would very much doubt the repair console (RC) supports PowerShell/WMI, etc. The RC is the bare minimum you need to repair your system and nothing more.