Viewing and Manipulating the Registry
Author: Darren Mar-Elia
Published: July 2000
Copyright: 2000
Publisher: Windows IT Library
 


Regdmp
Regdmp is a Resource Kit utility that works hand-in-hand with Regini. As its name implies, it dumps the contents of the Registry. It works similarly to the Regedit export feature, but its output is in the format Regini scripts use, and it accepts the same subtree names as Regini to specify which Registry path you want to dump. Using Regdmp, you can create Regini input scripts based on actual Registry values; you then edit the dumped output to make whatever modifications you need and feed it back through Regini. Figure 10 shows an example of using Regdmp to export the contents of the HKEY_CURRENT_USER\Control Panel\Desktop key.

The command to generate this output and redirect it to a file is as follows:

regdmp "HKEY_CURRENT_USER\Control Panel\Desktop" >desktop.ini
Tip: Because there are spaces within the Registry path, I surround the whole key in quotes.

Notice that in Figure 10, the BorderWidth value is indented beneath WindowsMetrics. As you may remember from the discussion of Regini, this indicates that WindowsMetrics is actually a subkey of the main Desktop key, and that the values that follow belong to WindowsMetrics rather than to Desktop. The format of this output file is such that you can make changes directly to it and use Regini to re-import those changes into the Registry. Also note that while you can use the keyname User: within Regini to apply changes to HKEY_CURRENT_USER, Regdmp does not accept that form (although the documentation says it does!). Use HKEY_CURRENT_USER instead.

Reg
Reg is another Resource Kit utility for manipulating the Registry. However, unlike Regedit and Regini, which let you feed multiple changes to the Registry with a single input file, Reg is a multifunction command-line tool that manipulates the Registry one command at a time. Reg can add, delete, copy, query, save, restore, load, unload, export, import, and compare keys or values in the Registry, all within a single executable. The version of Reg that ships in the Win2K Resource Kit consolidates functions that were previously spread across several of the tools described earlier. Reg can also perform these actions against a remote machine simply by naming the machine on the command line (e.g., Reg query \\machinename HKLM\Software). Reg can be used in scripts that check Registry values before performing some action. For example, the batch script in Figure 11 uses the query option to test for the existence of a value and then bases an action on the result of that test.

In this simple example, I use Reg to query for the ProgID called Word.Document.6 within HKEY_CLASSES_ROOT. The ProgID should exist if Word 6 has been installed. If Reg cannot find the key, it exits with an errorlevel of 1. The statement "if errorlevel 1 goto install" therefore fires only when the key (or value) I query for is not found (remember that the batch test "if errorlevel 1" is true for any errorlevel of 1 or greater, so it also catches other Reg failures), and in that case I drop to the line that runs Word setup. Reg also supports recursion for queries. For example, the command Reg query HKLM\Software /s returns all of the keys and values under the Software key.
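
The same existence test and recursive query, written here as an added PowerShell example (not code from the chapter). It shells out to reg.exe, as the chapter describes, and keys off the process exit code instead of a batch errorlevel; the recursive query is parsed into objects so a script can act on individual values. The parser assumes the output layout of reg.exe in Windows XP and later (key lines start with the full HKEY_ name; value lines are indented, with name, type, and data separated by runs of spaces). Older versions of Reg may format their output differently, so check a line of your tool's output before relying on the regular expression. The ProgID and key paths used below are the ones from the text.

```powershell
# Added example: scripting reg.exe query from PowerShell (not the chapter's batch file).

function Test-RegKey {
    # $true if reg.exe can open the key. reg query exits 0 when the key is found and
    # 1 when it is not, which is the same exit code the batch-file errorlevel test uses.
    param([Parameter(Mandatory = $true)][string]$KeyPath)
    $null = & reg.exe query $KeyPath 2>&1      # discard output; only the exit code matters
    return ($LASTEXITCODE -eq 0)
}

function Find-RegValue {
    # Runs "reg query <key> /s" and turns the text into objects (Key, Name, Type, Data).
    # -Name is a wildcard filter on the value name; the default '*' returns every value.
    param(
        [Parameter(Mandatory = $true)][string]$KeyPath,
        [string]$Name = '*'
    )
    $lines = & reg.exe query $KeyPath /s 2>$null
    if ($LASTEXITCODE -ne 0) { return }          # key not found or not readable

    $currentKey = $null
    foreach ($line in $lines) {
        if ($line -match '^HKEY_[A-Z_]+(\\|$)') {
            # Key line, e.g. "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            $currentKey = $line.Trim()
        }
        elseif ($line -match '^\s+(?<name>\S.*?)\s{2,}(?<type>REG_[A-Z_]+)(?:\s{2,}(?<data>.*))?\s*$') {
            # Value line, e.g. "    ProductName    REG_SZ    Windows 2000"
            if ($matches['name'] -like $Name) {
                [pscustomobject]@{
                    Key  = $currentKey
                    Name = $matches['name']
                    Type = $matches['type']
                    Data = $matches['data']      # $null when the value has no data
                }
            }
        }
    }
}

# Usage: the chapter's Word 6 check, then a recursive search for one value name.
if (-not (Test-RegKey 'HKCR\Word.Document.6')) {
    Write-Host 'Word.Document.6 is not registered; this is where the batch file runs Word setup.'
}

Find-RegValue -KeyPath 'HKLM\Software\Microsoft\Windows NT\CurrentVersion' -Name 'ProductName' |
    Format-Table Key, Name, Type, Data -AutoSize
```

Because Test-RegKey passes the key path straight through, the remote form the chapter mentions (\\machinename\HKLM\...) works unchanged, subject to the HKLM/HKU-only restriction for remote machines noted below.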

Reg supports using abbreviations to represent each subtree as follows:

HKEY_LOCAL_MACHINE=HKLM 
HKEY_CLASSES_ROOT=HKCR 
HKEY_CURRENT_USER=HKCU 
HKEY_USERS=HKU 
HKEY_CURRENT_CONFIG=HKCC
Tip: If you don’t specify one of the abbreviated subtrees listed above, Reg assumes that you are performing the operation on HKEY_LOCAL_MACHINE.

In addition to simple queries, Reg performs a number of other operations (Table 4). All of the options listed can be performed on the machine running the command or on a remote machine. Note, however, that on a remote machine you can access only HKLM and HKU: the other subtrees (HKCR, HKCU, and HKCC) are aliases assembled from those two for the local logon session and are not exposed remotely.

Warning: Table 4 notes a number of Reg quirks you should be aware of. For example, the restore option requires that you pre-create the key that you want to restore before performing the actual operation. Suppose you have a key under HKLM\Software called SoftwareCo, which contains a number of subkeys and values you wish to save. You issue the Reg save command on the SoftwareCo key and save it to a binary file called SaveSoftCo. Then, the SoftwareCo key gets deleted at some point and you need to restore it. If you issue the command

reg restore savesoftco HKLM\Software

Reg assumes that you want to restore your saved key over the top of HKLM\Software, rather than as a subkey to it. This would, of course, be disastrous. You need to first recreate the key called SoftwareCo underneath HKLM\Software (you can use "reg add" to do this), then issue the command as

reg restore savesoftco HKLM\Software\Softwareco
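
An added PowerShell wrapper (not the chapter's code) around reg save and reg restore that guards against the mistake described above. Because a saved hive file does not record where it came from, the wrapper writes a sidecar text file with a .key extension beside the backup (my convention, not a reg.exe feature) and refuses to restore to any other path unless told to; it also recreates the exact target key with reg add when it has been deleted, so the restore lands on the subkey rather than its parent. Both reg save and reg restore need an elevated console. The key and file names are the chapter's SoftwareCo example.

```powershell
# Added example: safe reg save / reg restore wrapper (not from the chapter).

function Backup-RegKey {
    param(
        [Parameter(Mandatory = $true)][string]$KeyPath,   # e.g. HKLM\Software\SoftwareCo
        [Parameter(Mandatory = $true)][string]$FilePath   # binary hive file to create
    )
    if (Test-Path -LiteralPath $FilePath) {
        throw "$FilePath already exists; refusing to overwrite an earlier backup."
    }
    & reg.exe save $KeyPath $FilePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg save $KeyPath failed (exit code $LASTEXITCODE)" }
    # Sidecar (my convention): remember which key this file was saved from.
    Set-Content -LiteralPath "$FilePath.key" -Value $KeyPath
}

function Restore-RegKey {
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [string]$KeyPath,      # defaults to the path recorded at backup time
        [switch]$Force         # allow a target other than the recorded path
    )
    $recorded = (Get-Content -LiteralPath "$FilePath.key" -ErrorAction Stop | Select-Object -First 1).Trim()
    if (-not $KeyPath) { $KeyPath = $recorded }
    if ($KeyPath -ne $recorded -and -not $Force) {
        throw "Backup was taken from '$recorded' but the target is '$KeyPath'. reg restore replaces " +
              "the target key's contents, so pass -Force only if that is really what you want."
    }

    # reg restore does not create the target: restoring a saved subkey onto its parent
    # path overwrites the parent. If the key is gone, recreate the exact path first.
    $null = & reg.exe query $KeyPath 2>&1
    if ($LASTEXITCODE -ne 0) {
        & reg.exe add $KeyPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "could not recreate $KeyPath (exit code $LASTEXITCODE)" }
    }

    & reg.exe restore $KeyPath $FilePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg restore into $KeyPath failed (exit code $LASTEXITCODE)" }
}

# Usage (elevated console):
#   Backup-RegKey  -KeyPath 'HKLM\Software\SoftwareCo' -FilePath 'C:\Backup\SaveSoftCo.hiv'
#   ... SoftwareCo gets deleted ...
#   Restore-RegKey -FilePath 'C:\Backup\SaveSoftCo.hiv'      # goes back to HKLM\Software\SoftwareCo
```

The sidecar is what makes the guard possible; if you copy backups elsewhere, keep the .key file with the .hiv file, or the wrapper will refuse to restore.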

With respect to data types within a value, Reg supports all of the typical types (REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ, REG_BINARY, and REG_DWORD) as well as some atypical types we’ve discussed, such as REG_DWORD_BIG_ENDIAN and REG_DWORD_LITTLE_ENDIAN. REG_MULTI_SZ values must follow a particular syntax on the command line. For example, if you have a REG_MULTI_SZ value that contains three strings, string1, string2, and string3, you would enter them as follows:

reg add HKLM\Software\SoftwareCo /v Multival /t REG_MULTI_SZ /d string1\0string2\0string3
The \0 stands for the null character that terminates each string inside a REG_MULTI_SZ value: the data is stored as a sequence of null-terminated strings followed by one extra null, so it is not a carriage return or line break. You can use a different single-character delimiter on the command line, not just \0, by naming it with the /s parameter. For example, if I want a semicolon to delimit the array, I could have entered the above command as

reg add HKLM\Software\SoftwareCo /v Multival /t REG_MULTI_SZ /s ; /d string1;string2;string3
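
The two forms of the command above, followed by a look at what actually gets stored, as an added PowerShell example (not the chapter's code). It writes the value both ways, reads it back through the registry provider as a string array, then uses reg export to obtain the raw bytes and shows that the strings are separated by 16-bit null characters, with no carriage return anywhere. It assumes reg.exe from Windows XP or later (for /f, /s, and export) and PowerShell 3.0 or later (for Get-Content -Raw). The key is a scratch key under HKCU, so no elevation is needed; SoftwareCo is the chapter's fictional vendor name.

```powershell
# Added example: REG_MULTI_SZ via reg add, and its on-disk encoding (not from the chapter).

$key = 'HKCU\Software\SoftwareCo'      # scratch key; removed at the end

# Default separator (\0) and a custom one (/s ;). Both produce the same kind of value.
& reg.exe add $key /v Multival  /t REG_MULTI_SZ /d 'string1\0string2\0string3' /f | Out-Null
& reg.exe add $key /v Multival2 /t REG_MULTI_SZ /s ';' /d 'string1;string2;string3' /f | Out-Null

# The registry provider hands REG_MULTI_SZ back as a string array.
$p = Get-ItemProperty -Path 'HKCU:\Software\SoftwareCo'
$p.Multival    # string1, string2, string3
$p.Multival2   # the same three strings

function Get-RegExportBytes {
    # Exports $KeyPath to a .reg file and returns the raw bytes of REG_MULTI_SZ value
    # $ValueName. reg export writes such values as  "Name"=hex(7):73,00,74,...  and wraps
    # long lines with a trailing backslash, so the continuations are joined first.
    param([string]$KeyPath, [string]$ValueName)
    $tmp = Join-Path $env:TEMP ('regdump_{0}.reg' -f [guid]::NewGuid())
    & reg.exe export $KeyPath $tmp /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export $KeyPath failed (exit code $LASTEXITCODE)" }
    try   { $text = Get-Content -LiteralPath $tmp -Raw }     # reg export writes UTF-16 with a BOM
    finally { Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue }

    $joined  = $text -replace '\\\r?\n\s*', ''               # undo "...,\" line continuations
    $pattern = '(?m)^"' + [regex]::Escape($ValueName) + '"=hex\(7\):([0-9a-fA-F,]+)'
    if ($joined -match $pattern) {
        return [byte[]]($matches[1] -split ',' | ForEach-Object { [Convert]::ToByte($_, 16) })
    }
    throw "value $ValueName not found as REG_MULTI_SZ under $KeyPath"
}

$bytes = Get-RegExportBytes -KeyPath $key -ValueName 'Multival'

# 3 strings x (7 UTF-16 chars + 1 null terminator) x 2 bytes, plus the final 2-byte null = 50
$bytes.Length

# Decode, drop the trailing double null, split on the embedded nulls: string1, string2, string3
[Text.Encoding]::Unicode.GetString($bytes).TrimEnd("`0") -split "`0"

# No 0x0D (carriage return) bytes appear anywhere in the stored value.
($bytes | Where-Object { $_ -eq 0x0D }).Count

& reg.exe delete $key /f | Out-Null     # remove the scratch key
```

The same hex(7) encoding is what you see in a Regedit export or a Regclean undo file, which is why a REG_MULTI_SZ entry in a .reg file looks like a long run of hex pairs with 00,00 between the strings.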
Regfind
Regfind.exe is a command-line Registry search-and-replace utility that comes in the Resource Kit. It supports searches of keys and values on local and remote Registries, and even on Win95/98 Registries. Microsoft improved significantly on the quality of the Regfind utility compared to its NT 4.0 predecessor; there are better tools for Registry search and replace, but now that Regfind functions as advertised it is much more usable. The section on third-party tools later in this chapter lists some commercial alternatives to Regfind that are easier to use and more capable.

Regfind supports searching all data types, but when you search REG_BINARY values it does not (despite what the documentation says) support searching for the ANSI equivalent of binary data. That is, if you look for the binary equivalent of the string "mydata" within a REG_BINARY value, Regfind does not find it. If you do need to search for a REG_BINARY value, the syntax can be somewhat confusing. You must first specify the length of the data you’re searching for, in hexadecimal. Then you must specify the data itself, preceded by the hexadecimal designator (0x) and broken up into 4-byte DWORDs. For example, the command

regfind -p "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem" 0x8 0x80154D38 0xFF16BE01 -t REG_BINARY

searches for the 8-byte value 0x80154D38 0xFF16BE01 within a subkey of HKEY_CURRENT_USER.

Regfind uses the same syntax as Regini (in fact, it is based on the same set of conventions as Regini and Regdmp) to specify the subtree you want to manipulate. For example, HKEY_LOCAL_MACHINE searches can use either HKEY_LOCAL_MACHINE or \registry\machine to specify the search path. However, just as with Regini, you cannot specify HKEY_CLASSES_ROOT directly; you must use HKEY_LOCAL_MACHINE\Software\Classes instead.

OLEView
OLEView is not so much a general Registry manipulation tool as a tool to view and manipulate a single part of the Registry. Specifically, OLEView is designed to examine the contents of HKEY_CLASSES_ROOT, and even more specifically, the COM- and OLE-related registrations in HKEY_CLASSES_ROOT. Although OLEView is geared toward COM developers, letting them verify that components are properly registered, it can also be useful to administrators who understand how COM components use the Registry. OLEView is organized by the four main groups of COM/OLE registrations within HKEY_CLASSES_ROOT: Object Classes (CLSIDs), Application IDs (AppIDs), Type Libraries (TypeLib), and Interfaces (Interface). For example, Figure 12 shows how OLEView presents information about a COM component, in this case the DiskManagement Control, along with its associated Registry information and supported interfaces.

In the left-hand pane, you see enumerated all of the interfaces this component supports (prefixed by I). In the right-hand pane, you see all of the registrations related to this component, as well as tabs for modifying its details. For example, you use the Activation, Launch Permission, and Access Permission tabs to define the DCOM security parameters for this component within the HKCR\AppID subkey. You can also use OLEView to examine the methods, properties, and constants associated with a particular interface.

Although this tool is most useful for developers, you can learn a lot about how OLE/COM components use the Registry by working with OLEView. The information it provides can come in handy when you need to troubleshoot an application that is failing due to a missing COM-related registration. It can also come in handy if you’re using Windows Script Host (WSH) to create administrative scripts, since WSH supports COM object creation and manipulation. OLEView can tell you the methods and properties associated with a particular installed COM object, which can help you take advantage of the object as you’re writing your WSH scripts.


THIRD-PARTY TOOLS

Many third-party tools can help you manipulate and maintain the Registry. I highlight a few of those that I have found especially useful in previous versions of NT for performing basic Registry troubleshooting tasks.

Regclean
Regclean is a Microsoft utility that cleans up registrations within HKEY_CLASSES_ROOT that no longer represent installed components. It is available for free from Microsoft’s Web site, and you can also find it in the current version of the Visual Basic product. For example, suppose you install several applications that copy a number of files and make a number of Registry changes on your system. At some later date, you uninstall the applications, but the uninstall process does not clean up carefully after itself, leaving a collection of Registry entries in HKCR even though the associated components (.dlls or .exes) were deleted. Regclean is the tool for cleaning up those entries. Why is it important to keep the Registry clean? The Registry has a size limit, which on Win2K is a function of the amount of physical RAM installed on your system. Over time, unused entries enlarge the Registry, and tools like Regclean help keep its size under control by cleaning up HKEY_CLASSES_ROOT after you uninstall an application.
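
The check Regclean automates, and that OLEView lets you make by hand one CLSID at a time, is whether the server file a class registration points at still exists. The following added PowerShell example (not code from the chapter, and not Regclean's own logic) walks HKCR\CLSID, reads each InprocServer32 and LocalServer32 default value, and reports registrations whose file is missing. It is read-only: nothing is deleted, so it is safe to run before deciding whether a cleanup is warranted. It assumes PowerShell 3.0 or later and resolves %SystemRoot%-style variables itself; registrations that name a bare file (found through the search path rather than a full path) are reported as Unresolved rather than Missing to avoid false alarms. On 64-bit Windows a 64-bit PowerShell sees the 64-bit registrations; 32-bit servers are registered under HKCR\Wow6432Node\CLSID, which can be passed as -ClsidRoot. Run from an elevated console so that every key is readable.

```powershell
# Added example: report COM class registrations whose server file is gone (not from the chapter).

function Resolve-ComServerPath {
    # Turns a raw server string such as  "C:\Dir With Space\x.exe" /Automation ,
    # C:\Dir\x.exe -Embedding , or %SystemRoot%\system32\y.dll  into a file path.
    # Returns $null for an empty value; returns the first token when nothing matches
    # so the caller can tell a bare filename from a full path that no longer exists.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($Raw.Trim())

    if ($s.StartsWith('"')) {                       # quoted path, possibly followed by arguments
        $end = $s.IndexOf('"', 1)
        if ($end -gt 1) { return $s.Substring(1, $end - 1) }
        return $null
    }

    # Unquoted: the string may carry arguments. Try the whole string, then shorter prefixes.
    $parts = $s -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Get-ComServerStatus {
    # One object per InprocServer32 / LocalServer32 registration under $ClsidRoot with
    # Status = Ok, Missing (rooted path, file absent), Unresolved (bare name) or Empty.
    param([string]$ClsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID')

    foreach ($clsid in Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue) {
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            $sub = $clsid.OpenSubKey($serverType)      # Get-ChildItem yields RegistryKey objects
            if (-not $sub) { continue }
            try     { $raw = [string]$sub.GetValue('') }   # default value; REG_EXPAND_SZ is expanded
            finally { $sub.Close() }

            $path = Resolve-ComServerPath $raw
            $status = if (-not $path)                                      { 'Empty' }
                      elseif (-not [IO.Path]::IsPathRooted($path))         { 'Unresolved' }
                      elseif (Test-Path -LiteralPath $path -PathType Leaf) { 'Ok' }
                      else                                                 { 'Missing' }

            [pscustomobject]@{
                Clsid  = $clsid.PSChildName
                Server = $serverType
                Path   = $raw
                Status = $status
            }
        }
    }
}

# Usage: list only the registrations Regclean would consider orphaned.
Get-ComServerStatus |
    Where-Object { $_.Status -eq 'Missing' } |
    Sort-Object Clsid |
    Format-Table Clsid, Server, Path -AutoSize
```

As with Regclean, a Missing result for a file on a network or removable drive may only mean the drive is not currently mapped, so check the Path column before treating the entry as garbage.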

Before you run Regclean or any other utility that makes mass changes to the Registry, you should either make a backup of the affected hive file or save off the keys to be manipulated. In the case of Regclean, you can use the Save Key function in Regedt32 or Reg to save a copy of the HKEY_CLASSES_ROOT subtree in case you need to restore it from scratch.

You can run Regclean using several options. If you just type Regclean on a command line, the program starts up and proceeds to examine HKCR on your system. When it finishes, it gives you the option to "Fix Errors" or Cancel. If you let Regclean fix the errors it found, it removes or modifies registrations that don’t have corresponding .dlls or .exes. When Regclean fixes a set of errors, it also generates an undo .reg file that represents all of the changes it made. The name of the undo file includes the name of the machine on which it was run and the current date and time (e.g., "undo servera 101098 100135.reg"). Figure 13 shows a sample portion of a Regclean undo file.

You have several other options for using Regclean. If you type regclean /s, Regclean runs in a totally silent mode, checking for errors and correcting them without prompting you. The undo file is still created, however, giving you the opportunity to back out any changes. You can use the regclean /l <filename> parameter to tell Regclean to log all of its activities to <filename>. Note that the log file gets fairly big if you have a lot of entries in HKCR, because the log captures every key, subkey, and value that Regclean scans as it does its work. If you run Regclean with the /d option, it first performs a scan of HKCR, then brings up an interactive GUI that you can use to view HKCR. To view HKCR, toggle the desktop button (Figure 14).

Once you are ready to commit the fixes that Regclean has found, click on Save Corrections. This feature, the same as "Fix Errors" in the normal view of Regclean, makes the changes and generates an undo file.

If you want Regclean to be as effective as possible at cleaning up unused registrations, keep one thing in mind: if .dlls or .exes registered in HKCR physically reside on network or removable drives, make sure those drives are mapped while Regclean is running. In earlier versions of Regclean, if a referenced file was not reachable at scan time (for example, because its network drive was not mapped), Regclean simply removed the registration. In the current versions (4.1 and higher), Regclean does not delete such entries; if a referenced file sits on a drive that does not exist, it simply ignores the entry, leaving a potential area for cleanup unresolved.

ConfigSafe and RegSafe
ConfigSafe (www.imagine-lan.com) is a shareware utility that lets you store snapshots of your system configuration, including Registry keys and values. Whenever you install new or updated applications, you can re-snapshot your system using ConfigSafe. Then, if you need to roll back specific changes, you can use ConfigSafe to undo a set of changes back to the previous snapshot. Figure 15 shows an example of how ConfigSafe tracks Registry changes.

In this case, I added a key under HKLM\Software called Myapp, which also contained a value called "Default." ConfigSafe finds the change that occurred since the last snapshot and lets me undo it or restore my system to a previous snapshot.

You can also create different snapshot "profiles" with ConfigSafe if you wish to capture only Registry information rather than Registry, file system, and .ini file changes. The company also has a new tool called RegSafe. This tool, geared specifically toward managing the Registry, lets you view, edit, back up, and restore the Registry through its own UI.

DumpReg and DumpSec
Both DumpReg and DumpSec are Registry (and file system) reporting tools available for free from a company called SomarSoft (www.somarsoft.com). DumpReg is a GUI-based tool for dumping the contents of Registry subtrees. Perhaps most interestingly, DumpReg reports the date and time each Registry key was last modified, information that none of the Win2K Registry viewing tools normally exposes. (The timestamp is kept per key, not per value, so it tells you that something under a key changed, not which value.) In addition to simply dumping the contents of the Registry, you can filter on a given string and sort by either time last modified or key name. DumpReg also includes an option for dumping a remote computer’s Registry keys. Finally, it has a reporting option that lets you either print the dump or save it to a file for later review.

DumpSec (formerly called DumpAcl) is a GUI tool for dumping the Access Control Lists (ACLs) for various system resources. You can dump everything from file system permissions to Registry permissions and report or save the output to a file. DumpSec also supports dumping ACLs for remote computer resources. Figure 16 shows an example of DumpSec’s output for HKEY_CURRENT_USER.

Registry Search and Replace
The Registry Search and Replace tool (by Steven J. Hoek Software Development, http://www.iserv.net/~sjhswdev/) is a GUI-based shareware tool that does just what its name implies. It provides a slick interface for doing advanced search-and-replace operations against local and remote Registries.

RegAdmin
RegAdmin is a GUI-based shareware tool from Aelita software (http://www.aelita.com/products /AdminAssist.htm), and is part of Aelita’s Administrator Assistant Tool Kit. It lets you set Registry security on a local or remote computer in a more user-friendly way than other tools, such as Regedt32 or Regini. Most importantly, it also includes a logging function that lets you log any changes you make in Registry security for later review.


SUMMARY

In this chapter, I discussed the various tools that you can use to view and manipulate Registry keys and values — those available in Win2K (Regedit and Regedt32), in the Resource Kit (Reg and Regini), and from third-party sources.


