Microsoft Windows Registry Guide, Second Edition

Searching for Data

You're going to spend a lot of time searching the registry. I promise. This is particularly true if you're an IT professional responsible for helping users, deploying Windows, and so on. This is even true if you're a power user trying to figure out why a program is doing something that you don't particularly like. For instance, you might want to figure out why a program runs every time you start Windows. If you don't already know about the registry's Run key, you'd have to search the registry for the program's file name. I spend a lot of time locating programs' settings in the registry and I do that by searching for their names and file names.

You can search key names, value names, and string data in the registry. You can also search for partial matches (searching for Windows matches both C:\Windows and Windows XP) or require full matches. The first hit can take a long time to show up, so be patient. It takes even longer if you're searching a remote computer's registry. After Regedit finds a hit, it selects the key or value it found. If Regedit searches to the end of the registry without a match, it displays a message that says, “Finished searching through the registry.” Here's how to search using Registry Editor:

  1. On the Edit menu, click Find.

  2. In the Find dialog box, shown in Figure 2-2, type the text you want to find in the Find What box.

  3. To find keys whose names contain the text, select the Keys check box. To find values whose names contain the text, select the Values check box. To find REG_SZ values whose data contains the text, select the Data check box.

  4. Click Find Next.

  5. Press F3 to repeat your search if necessary.

Figure 2-2 Use fewer characters and partial matches to get more hits. Use more characters or require full matches to get fewer hits.

You can significantly cut down the time it takes to search the registry by narrowing the focus to keys, values, or data. For example, if you know that you want to search only for values that contain certain characters in their names, limit your search to value names. If you know that you're searching for data, limit your search to value data. In the Find dialog box, shown in Figure 2-2, clear the Keys, Values, or Data check boxes to prevent Regedit from searching those areas. Selecting the Match Whole String Only check box won't improve turnaround time, but it will reduce the number of hits you receive and, because you don't have to look at as many hits, make searching quicker. Select this check box only if you're 100 percent certain about the name or data for which you're searching; otherwise, you won't find it.

Searching Incrementally

Incremental searching makes finding subkeys and values in long lists much faster. It's a timesaver when you're trying to find a subkey in HKCR, because searching takes too long and paging down the long list is boring. Here's how it works: select in either pane the first item in a long list, and then start typing the item you want to find. Regedit selects the first item that matches what you've typed so far. So if you click the first subkey under HKCR and then type wm, Regedit selects wmafile. Type d (without delaying too long or the incremental search will restart), and Regedit selects WMDFile. You get the idea. Keep in mind that it won't find keys or values that are collapsed. That is, incremental searching only finds keys that you can see by scrolling the key pane up or down.

Searching in Binary Values

Regedit can't search for REG_DWORD or binary values. It searches only for key names, value names, or string values. This means that you can't use Regedit to find numeric values in REG_DWORD or REG_BINARY values, and you certainly can't find text that Windows stores as REG_BINARY values, which is very common.

The solution is straightforward, though. Export the branch that you want to search to a REG file (for example, Text.reg). (See “Exporting Settings to Files,” later in this chapter, to learn how to create a REG file.) Then open the REG file in Notepad, and search for the number or binary string you want to find. You have to know how Regedit formats values in REG files in order to find them, however. Chapter 11, “Scripting Registry Changes,” describes the format of REG files in detail. For now, you need to know what the different types of values look like in a REG file, which is what Table 2-3 describes. For example, if you want to find the word Jerry in a REG_BINARY value, you'd convert its letters to their Unicode values, a task that's easy if you know that a capital A has a hex value of 0x0041, a lowercase a has a hex value of 0x0061, and the number 0 has a hex value of 0x0030. Thus, Jerry as a binary string is 0x4A 0x00 0x65 0x00 0x72 0x00 0x72 0x00 0x79 0x00. (If you're not familiar with reverse byte notation and Unicode, see Chapter 1, “Learning the Basics.”) To find binary strings that contain the word Jerry in a REG file, search for 4a,00,65,00,72,00,72,00,79.

Table 2-3 REG File Data Formats

Type         In Regedit                            In REG files
REG_SZ       Microsoft Windows XP                  "Microsoft Windows XP"
REG_DWORD    0x00000009                            dword:00000009
REG_BINARY   0xC2 0x00 0x02 0x9E 0x00 0x00 0x3D    hex:c2,00,02,9e,00,00,3d

Table 2-3 contains only REG_SZ, REG_DWORD, and REG_BINARY examples. That's because Regedit uses a variation of REG_BINARY to represent all other value types. In a REG file, for instance, a REG_MULTI_SZ looks like hex(7):4a,00,65,00,72,00,72,00,79,00,00,00. Chapter 11 describes the format of every value type and what they look like in REG files.
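The search described above can be scripted. The following is an added example, not code from the book: it looks for a word in REG_SZ data and in every hex-encoded value type, and it rejoins the lines that Regedit wraps with a trailing backslash, which a plain Notepad search would miss. The sample export and the function names are constructed for illustration.

```python
import re

# Constructed sample export (not from the book). Version 5.00 exports are
# UTF-16 files, so read real ones with open(path, encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example\Owner]
"Name"="Jerry"
"Count"=dword:00000009
"Blob"=hex:c2,00,02,9e,4a,00,65,00,72,\
  00,72,00,79,00,00,3d
"List"=hex(7):4a,00,65,00,72,00,72,00,79,00,00,00,00,00
'''

def to_reg_hex(text):
    """Encode text as the comma-separated UTF-16LE bytes a REG file shows."""
    return ",".join(f"{b:02x}" for b in text.encode("utf-16-le"))

def iter_values(reg_text):
    """Yield (key, value_name, data) with wrapped hex lines rejoined."""
    # Regedit wraps long hex data as ',\' + newline + indent; undo that first.
    joined = re.sub(r",\\\r?\n[ \t]*", ",", reg_text)
    key = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key and m:
            yield key, m.group(1).strip('"'), m.group(2)

def find_text(reg_text, needle):
    """Return (key, value_name, kind) for every value whose data holds needle."""
    pattern = "," + to_reg_hex(needle)   # leading comma keeps byte alignment
    hits = []
    for key, name, data in iter_values(reg_text):
        kind, _, body = data.partition(":")
        if kind.startswith("hex"):
            if pattern in "," + body.lower():   # exact bytes, so case-sensitive
                hits.append((key, name, kind))
        elif data.startswith('"') and needle.lower() in data.lower():
            hits.append((key, name, "string"))
    return hits

if __name__ == "__main__":
    for hit in find_text(SAMPLE_REG, "Jerry"):
        print(*hit, sep=" | ")
```

In the sample, a line-by-line text search for the hex pattern finds only the hex(7) value; the wrapped REG_BINARY value turns up only after the continuation lines are joined.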

Bookmarking Favorite Keys

Regedit adopts one of Microsoft Internet Explorer's most useful features: Favorites. This enables you to bookmark the subkeys that you edit most frequently and to return to them quickly. Clicking a subkey on the Favorites menu is certainly a better alternative to clicking your way through the key pane or, worse yet, trying to remember where Windows stores the Run key in the registry. Adding a key to Favorites is easy, and after you add it, you can click its name on the Favorites menu (as shown in Figure 2-3) and go straight to that key.

Figure 2-3 Bookmark your most-used keys to return to them quickly.

To add a key to Favorites, click it, and then click Favorites, Add To Favorites. In the Add To Favorites dialog box, type a descriptive name for your shortcut. I typically name shortcuts with the root key and last couple of subkeys, such as HKCU\…\Windows\CurrentVersion, so that I can quickly tell whether the shortcut is in HKCU or HKLM (as they have similar structures). Using the full name, such as HKCU\Software\Microsoft\Windows\CurrentVersion, isn't practical, because it makes the menu too wide.

You might like to have some help starting your Favorites list. Thus, the following list shows you what I typically put on mine:

Removing a key from Favorites is also easy. On the Favorites menu, click Remove Favorite, and then click the names of the keys you want to remove. If you want to rename keys in Favorites, you can edit the key HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites and rename shortcuts or change their targets.

TIP

Regedit displays keys in the order that you added them; it doesn't sort them alphabetically. If you want this list to be in alphabetical order, export HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites to a REG file. Edit the REG file to sort the keys in alphabetical order or any other order that you prefer, and then import the REG file back into the registry after removing the Favorites key. The Favorites menu is resorted. Save this REG file, too, so you can use your favorites elsewhere.

Using Better Techniques

After a while, you'll know enough about the registry in Windows to search much more quickly. You'll know where to begin and end your searches so that you don't waste your time searching parts of the registry where you're not going to find what you want. To limit your search, click a subkey near where you want to begin, and then search. As you repeat your search by pressing F3, keep an eye on the status bar and notice the key that contains the current hit. After you've gone past the branch that you think should contain the value, quit searching.

Here's an example of focusing a search. When you build a default user profile, which is covered in Chapter 12, “Deploying User Profiles,” you'll check it for references to the current user profile folder, which you don't want to deploy to desktops throughout the organization. To narrow your search to that profile, you'll select its first key in the registry and then search for the path, deciding along the way what to do with any references to your search that you find. After you're out of that profile, though, quit searching so that you don't waste your time and accidentally change values you don't intend to change.

Other examples of focusing searches to find data faster are:

Shareware Search Tools

A variety of shareware tools are available for searching the registry. They are far more advanced than Regedit and designed specifically to make digging around the registry easier and quicker. You can download evaluation versions of these tools at any shareware site. Try http://www.zdnet.com/downloads or http://www.tucows.com. Here are some of the most popular:

Registry Crawler is my personal favorite, but the other tools also get good results. Registry Crawler not only searches the registry faster than Regedit does but also has features that make the task easier. You can access the tool quickly from the system tray. It presents a list of matches that you see all at once, rather than bouncing around from hit to hit, and you can export the results to a REG file. It also enables you to search the registries of multiple computers at one time if you have access to them over a network. Its most powerful feature is its search-and-replace capability, however, which enables you to replace all instances of a value with another.
