• HKEY_LOCAL_MACHINE, or the short version HKLM
• HKEY_CURRENT_USER, or HKCU
• HKEY_CLASSES_ROOT, or HKCR
• HKEY_USERS, or HKU
• HKEY_CURRENT_CONFIG, or HKCC

This commands queries the given keys and subkeys. It will list all values and their data under the key. In contrast to Microsoft SWReg will also list the decimal equivalent of the hexadecimal values that REG shows.

You can add numeric data in two ways, the familiar decimal way, or as a hexadecimal value. To enter a hexadecimal value you have to enter the data starting with 0x. So to add 64 to the Registry in hexadecimal you enter 0x40 as Data.

On top of what REG implements you can also add four extra types of Registrydata with SWREG. These are shown in bold above. To add data to these 4 types (and to REG_BINARY and REG_NONE) enter the data in binary. For use with REG_NONE data there is a switch (/B) that will make the program use an interpreted binary version of the supplied data. Omission of this switch results in the same addition as reg.exe does.

As an example... Suppose that the supplied data was deadbeef. Without /B this will be entered as 64006500610064006200650065006600, with the /B switch as deadbeef

To use environment variables in REG_EXPAND_SZ values you have to play a bit with the data. The problem is that it depends on the Operating System that you are using. In Windows 95, 98 and ME you will always have to enter the variable with double quotes (") surrounded. If you don't, then Windows will substitute the variable with the actual value of the variable. So to enter the text %SystemRoot% in a REG_EXPAND_SZ value you will have to supply %"SystemRoot"% as data, otherwise you'll end up with C:\WINDOWS (most probably) in the Registry. On the other hand with Windows 2000 and XP it depends on how you use SWReg. If it is used in a batchfile you have to use two percentage signs to denote an environment variable. Straight on the command line itself, act as if it were Windows 98 and use ". To enter %SystemRoot% from a batchfile use %%SystemRoot%%, from the command line %"SystemRoot"%.

As doublequotes are used to keep parameters with spaces as one, this rises the question how to add a doublequote on the commandline itself. The solution is to use the backslash character as an escape sign, so simply prepend the doublequote with a backslash and everything should go. An example is: "He said: \"Hi!\""

This deletes the given value under the the specified key. Unlike Microsoft I operate under the assumption that you know what you are doing. There are no questions, it simply deletes!

Just as with REG SWreg copies the contents of SourceKeyName to DestKeyName. REG sets default permissions to the new key in Windows versions that support Permissions on the Registry. SWReg does not! You asked it to copy, this would logically include permissions as well. To mimic the behavior of REG and set default permissions include the /noacls switch to the command.

This will save a key to a hive file. To save as a text file (a Regfile or Regscript) use EXPORT.

This will restore a hive file to a key. The command will overwrite all the values and subkeys stored in the key if the already exists. To import a Regfile use IMPORT.

This command will load a hive file into the Registry. The key you want to load the file in has to be either in HKEY_LOCAL_MACHINE or in HKEY_USERS because the other keys are shortcuts (pointers) to other parts in the Registry.

This command will unload a key in the Registry.

This will compare two keys in the Registry and report the differences. Optionally this command can check two values, and report only the differences, only the matches, both or nothing. If Valuename is not given it will compare all the values under the given key.

This will export a key to a "regscript" or "Regfile". A textual representation of the contents of the key in question.

When run under Windows 95, Windows 98, or Windows ME the output will be in ASCII coding. Under Windows 2000 and Windows XP the result will be a file in Unicode. If you want an ASCII file on these platforms you will have to add the /nt4-parameter to the command.

This command will incorporate the changes in the file into the Registry. Before it will be imported, a test of the file in question will be performed, and if found that it cannot import the file it will show a message what is wrong.

In effect this is the same as copy. It will only delete the SourceKeyName afterwards (provided permissions are granted to do that).

This command will manipulate the permissions to a Registry key. Since the manipulation of permissions is the same as with files I refer to the documentation of SWXCACLS to find the deeper meaning of the various switches. The differences between these two programs I will explain now.

• The GUI permissions are simplified to just 2. Full Control (F) and Read (R). Other permissions are not granted to Registry keys.
• Since Registry keys are slightly different in behavior to files and folders. The Specific rights that can be granted are the following:
  • E  Synchronize
  • D  Take Ownership
  • C  Change Permissions
  • B  Read Permissions
  • A  Delete
  • 6  Create Link
  • 5  Notify
  • 4  Enumerate Subkeys
  • 3  Create Subkeys
  • 2  Set Value
  • 1  Query Value
  As you can see I've omitted a few that are defined with SWXCACLS. I have done this so the permissions are sort of transparent.
• One predefined group has been added to the possible groups you can assign permissions to: (R) Restricted.
• The SPEC switch has been augmented with the minus sign switch to indicate that given permissions are only to this key and the direct Subkeys. The permissions will not be propagated to the lower Subkeys
• Another difference with SWXCACLS is that Registry keys can include NULL characters (see NULL command). To facilitate the permission manipulation of these keys I've added an optional NULL sequence. This will not work with the /RESET parameter as that will automatically handle these keys when encountered

This command will output the number of subkeys and value that are present in the key. It will be only that specific key, not for its subkeys. It will also show the last date and time that the Registry key was written to.

See the documentation for the various subcommands to find the meaning of the parameters.

A simple trick to hide the contents of a Registry key is to insert a NULL character somewhere in it. The technical explanation behing this is that in programming languages a string ends with a NULL terminator. Some functions in a programming language allow the programmer to input more memory than needed. As long as the called function knows how much memory there is to work with, the called function is happy. By using these functions programmers create Registry keys that cannot be opened by programs that use the "normal" functions to manipulate the Registry. End effect... The key cannot be opened and thus can be used to store secret data.

As is to be expected ADD will add one of these keys (and optionally a value), DELETE will get rid of it and QUERY gives you a way to check for the existence of these keys. You can also use these functions to add, delete and query keys that do not have NULL characters embedded in them though.

By default, the NULL sequence is \0. Unfortunately this would mean that you will not be able to use these functions to manipulate a NULL embedded Registrykey that contains the sequence of its own. To overcome this problem all the subcommands have an extra parameter (/n) with which you can specify an alternative NULL sequence, for example *.

The subcommand QUERY has been augmented with the /f parameter. This parameter will filter the output to only contain the NULL embedded keys and their contents, all according to the other provided command line switches.

Registry shortcuts (or officially SymLinks) are shortcuts to other keys in the Registry. One of the most familiar shortcuts to users is the HKEY_CURRENT_USER key that points to a key under the HKEY_USERS key. With the subcommands in LINK you can ADD and DELETE these links.

Be careful with this command because it will do just as you ask... And leave you with the mess after execution. If you delete a vital SymLink in the Registry you may end up in a Blue Screen and an unbootable computer. Enjoy the hours of reinstalling afterward!