OfflineReg

Registry Basics

Registry entries use the following format in the Windows Registry Editor (regedit.exe) -

The <Key> is displayed as a folder tree in the left panel of the Windows Registry Editor. <Keys> in a registry hive can be viewed/accessed in the same way as a folder tree in the Windows Explorer file manager, with an expandable/collapsible tree view. The currently selected <Key> is displayed as a path in the bar at the bottom of the Registry Editor window.

<Value> is a value under the <Key> selected in the folder tree in the left panel. Each <Value> in a <Key> must have a unique name, including <Values> of different <Types>. Please note that a <Value> is displayed under the Name column in the Windows Registry Editor.

<Type> can be one of the data types listed in Table 1.

<Data> is the information contained in the selected <Key> <Value>.

Using an example from the HKLM\SYSTEM\ControlSet001\Control <Key>, the <Value> CurrentUser is a REG_SZ <Type> entry containing the <Data> USERNAME.

Table 1.
Table displaying the different <Value> <Types> supported in OfflineReg. The first column displays the <Type> as displayed in the Windows Registry Editor, the second column displays the corresponding numeric identifier used in the OfflineReg setvalue command, and the third column lists a summary of each <Type> (the Descriptions below have been copied from here) -

Type | OfflineReg ID | Description
REG_SZ | 1 | A fixed-length text string.
REG_MULTI_SZ | 7 | A multiple string. Values that contain lists or multiple values in a form that people can read are generally this type. Entries are separated by spaces, commas, or other marks.
REG_EXPAND_SZ | 2 | A variable-length data string. This data type includes variables that are resolved when a program or service uses the data.
REG_DWORD | 4 | Data represented by a number that is 4 bytes long (a 32-bit integer). Many parameters for device drivers and services are this type and are displayed in Registry Editor in binary, hexadecimal, or decimal format. Related values are REG_DWORD_LITTLE_ENDIAN (least significant byte is at the lowest address) and REG_DWORD_BIG_ENDIAN (least significant byte is at the highest address).
REG_QWORD | 11 | Data represented by a number that is a 64-bit integer. This data is displayed in Registry Editor as a Binary Value and was introduced in Windows 2000.
REG_BINARY | 3 | Raw binary data. Most hardware component information is stored as binary data and is displayed in Registry Editor in hexadecimal format.

OfflineReg

OfflineReg has been developed by Erwan.l. It is a console program that provides a frontend for the Windows API functions in the off-line registry library (Offreg.dll), and can be used to access off-line registry hives. Please note the emphasis on off-line: if a registry hive is already loaded/mounted then OfflineReg will not be able to access it. Offreg.dll is "...a binary redistributable dynamic-link library (DLL)....Offreg.dll is provided in the Windows Driver Kit (WDK)..." and is included in the OfflineReg download package. Please refer to the Offline Registry Library web page for more information about the Offreg.dll library.

The common method of accessing an off-line registry hive involves mounting/loading it to make any required changes and then unmounting/unloading it. Loading a registry hive requires elevated user privileges. OfflineReg provides a scriptable tool for editing off-line registry hives and can be executed from an account with standard user privileges.

It is also worth mentioning that certain registry keys carry security/access permissions, and these <Keys> cannot be edited even when the off-line hive is loaded. Security permissions are not an issue when using OfflineReg, as it bypasses them.

OfflineReg Commands

The command syntax in OfflineReg varies depending on the command being executed. Table 2 contains a list of the commands supported in OfflineReg version 0.9.9.

Table 2.
The following table displays a list of supported commands with a brief summary of each. Click on the Command to view the syntax and examples -

Command | Summary
create | Create a new (empty) registry <Hive>.
createkey | Create a new <Key>. If this is a subkey, then any parent <Key> must already be present in the target registry hive or this command will fail.
deletevalue | Delete a <Value> (and its <Data>) from the selected <Key>.
deletekey | Delete the selected <Key>. If the <Key> contains subkeys this command will fail. Use the deletekeys command if a <Key> contains subkeys.
deletekeys | Delete the selected <Key> and all subkeys it contains.
enumkeys | List all subkeys contained in the selected <Key>.
enumkeysr | List all subkeys contained in the selected <Key> and recursively loop through all subkeys to display the full <Key> structure.
enumvalues | List all <Values> in the selected <Key>.
enumallvalues | List all <Values> (including their corresponding <Type> and <Data>) in the selected <Key>.
getvalue | Parse the <Value> <Type> and <Data> of the selected <Key> <Value>.
getvaluebyteat | Retrieve a REG_BINARY byte at a given offset from the selected <Key> <Value> in the target <Hive>.
import | Add settings from a registry file (.reg).
run | Run (multiple) commands from a file.
setvalue | Write <Value> and <Data> to the selected <Key>, or write the <Data> to the selected <Key> <Value>.
setvaluebyteat | Write a byte at a given offset in the selected <Key> <Value> in the target <Hive> (supported <Value> <Type> is REG_BINARY).

create

Create a new (empty) registry <Hive>. The <Key> specified in this command must be at the <Hive> root.

Syntax: -

Or

Example 1: -
Create an empty <Hive> -

Output -

Example 2: -
Create a new <Hive> with <Key> ControlSet001 at its root -

Output -

createkey

Create a new <Key>.

NOTES - see example 2 (below) for instructions on creating a <Key> at the root of the selected <Hive>.

Syntax: -

Or (see Example 2)

Or (see Example 3)

Example 1: -
The following command will create <Key> E and all parent <Keys> and subkeys in the chain.

Output -

A screenshot of the <Hive> is displayed below. The screenshot shows the <Hive> mounted as HKLM\_TEMPREG in the Windows Registry Editor, with all <Keys> and subkeys created after running the above command expanded in the tree view -

Example 2: -
The following command will achieve identical results to the command in Example 1, creating <Key> E and all parent <Keys> and subkeys in the chain. The only difference in the syntax is that the new key is appended to the existing <Key> parameter, rather than given as a separate parameter following the createkey command.

Example 3: -
To create a <Key> at the root of a <Hive>, use the following syntax -

E.g. -

Output -

deletevalue

Delete a <Value> (and its <Data>) from the selected <Key>.

Syntax: -

Attempting to delete a <Value> that does not exist will result in the following error message -

Attempting to delete a <Value> from a <Key> that does not exist will result in the following error message -

Example: -

Output -

deletekey

Delete the selected <Key>.

NOTE - whilst this command can be used to delete a <Key>, it will not be able to delete a <Key> that contains any subkeys. If a <Key> contains subkeys, use the deletekeys command.

Syntax: -

The following error will be displayed if attempting to delete a <Key> containing subkeys -

The following error message will be displayed if attempting to delete a <Key> that does not exist in the target <Hive> -

The following error message will be displayed if attempting to delete a <Key> when the parent <Key> does not exist in the target <Hive> -

Example 1: -

Output -

deletekeys

Delete the selected <Key> and all subkeys it contains.

Syntax: -

The following error will be displayed if attempting to delete a <Key> that does not exist in the target <Hive> -

Example 1: -

Output -

enumkeys

Display a list of subkeys contained in the selected <Key>.

Syntax: -

The following error will be displayed if attempting to read a <Key> that does not exist in the target <Hive> -

Example: -

Output -

enumkeysr

List all subkeys contained in the selected <Key> and recursively loop through all subkeys to display the full <Key> structure.

Syntax: -

Example:

Output -

enumvalues

Display a list of all <Values> contained in the selected <Key>.

Syntax: -

The following error will be displayed if the target <Key> does not contain any <Values> -

The following error will be displayed if the target <Key> does not exist -

Example: -

Output -

enumallvalues

Display a list of all <Values> (including <Data> and <Type>) contained in the selected <Key>.

Syntax: -

The following error will be displayed if the target <Key> does not contain any <Values> -

The following error will be displayed if the target <Key> does not exist -

Example: -

Output -

getvalue

Parse the <Value> <Type> and <Data> of the selected <Key> <Value>.

Syntax: -

Attempting to read a <Value> that does not exist will result in the following error messages -

Attempting to read a <Value> from a <Key> that does not exist will result in the following error message -

Example(s): -

Output -

getvaluebyteat

Retrieve a byte at a given offset in the selected <Key><Value> in the target <Hive>. Supported <Value> <Type> - REG_BINARY.

Syntax: -

Example 1:

Output -

import

Import the settings from a Registry File to the selected <Hive>.

NOTE - the import command is not fully implemented. Some <Types> in a .reg file may cause an error. Caution should also be used as .reg files may contain entries for multiple <Hives>.
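Because of the two cautions above, a practitioner would want to inspect a .reg file before handing it to import: which hives it touches, and whether every value type is one that Table 1 lists. The following script is an added example for this page and is not part of OfflineReg or the author's code. It parses the .reg format (the REGEDIT4 / "Windows Registry Editor Version 5.00" header, [key] sections, "name"=data lines with string, dword:, hex: and hex(N): data, trailing-backslash continuation lines, and the "-" deletion syntax) and reports anything the cautions apply to. It relies on the fact that the numeric identifiers in Table 1 are the standard Windows REG_* type numbers, which is also what a .reg file places inside hex(N). SAMPLE_REG is a constructed file, and the report layout is this example's own.

```python
import re

# Windows registry value type numbers. OfflineReg's setvalue identifiers (Table 1)
# are these same numbers, and a .reg file writes them inside "hex(N):" as well.
REG_TYPE_NAMES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
                  4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK",
                  7: "REG_MULTI_SZ", 11: "REG_QWORD"}
OFFLINEREG_SUPPORTED = {1, 2, 3, 4, 7, 11}  # the <Types> listed in Table 1

_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)(?:\\(.*))?\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:", re.IGNORECASE)

# Constructed sample: it touches two hives and uses one type (REG_LINK) that
# Table 1 does not list, so the check below must reject it.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control]
"CurrentUser"="USERNAME"
"SystemPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,\
  6f,00,6f,00,74,00,25,00,00,00
"Blob"=hex:de,ad,be,ef
"Names"=hex(7):61,00,00,00,62,00,00,00,00,00
"Counter"=hex(b):01,00,00,00,00,00,00,00
"Shortcut"=hex(6):00,00
@="default"

[HKEY_CURRENT_USER\Software\ConstructedExample]
"Stale"=-
"Flag"=dword:00000001
"""


def _logical_lines(text):
    """Yield stripped lines, joining hex data continued with a trailing backslash."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        yield line


def _data_type(data):
    """Map the right-hand side of a value line to a REG_* type number (None = delete)."""
    data = data.strip()
    if data == "-":
        return None
    if data.startswith('"'):
        return 1
    if data.lower().startswith("dword:"):
        return 4
    m = _HEX_RE.match(data)
    if m:
        return int(m.group(1), 16) if m.group(1) else 3
    raise ValueError(f"unrecognised value data: {data!r}")


def parse_reg(text):
    """Return one dict (hive, key, name, type, action) per value line or key deletion."""
    lines = list(_logical_lines(text))
    if not lines or lines[0] not in _HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / Version 5.00 header")
    entries, hive, key = [], None, None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        km = _KEY_RE.match(line)
        if km:
            hive, key = km.group(2), km.group(3) or ""
            if km.group(1) == "-":  # [-HKEY_...\Key] deletes the whole key
                entries.append(dict(hive=hive, key=key, name=None, type=None, action="delete_key"))
            continue
        vm = _VALUE_RE.match(line)
        if not vm or hive is None:
            raise ValueError(f"malformed line or value outside a [key] header: {line!r}")
        name = "" if vm.group(2) else re.sub(r"\\(.)", r"\1", vm.group(1))  # @ is the Default value
        type_id = _data_type(vm.group(3))
        entries.append(dict(hive=hive, key=key, name=name, type=type_id,
                            action="set" if type_id is not None else "delete_value"))
    return entries


def check_reg(text, expected_hive):
    """Report the hives the file touches and the values OfflineReg cannot import."""
    entries = parse_reg(text)
    hives = sorted({e["hive"] for e in entries})
    unsupported = [
        (e["hive"] + "\\" + e["key"], e["name"],
         REG_TYPE_NAMES.get(e["type"], f"type {e['type']}"))
        for e in entries
        if e["action"] == "set" and e["type"] not in OFFLINEREG_SUPPORTED
    ]
    return {
        "hives": hives,
        "foreign_entries": sum(1 for e in entries if e["hive"] != expected_hive),
        "deletions": sum(1 for e in entries if e["action"] != "set"),
        "unsupported": unsupported,
        # Import only when every entry targets the hive you opened and every type is in Table 1.
        "ok": not unsupported and hives == [expected_hive],
    }
```

Run check_reg(open("settings.reg", encoding="utf-16").read(), "HKEY_LOCAL_MACHINE") on a real file (Version 5.00 files exported by regedit are UTF-16; REGEDIT4 files are ANSI) and refuse to import unless "ok" is true. The "foreign_entries" and "deletions" counts are the two things most worth a second look before an off-line edit: OfflineReg works on one hive file at a time, so entries for another hive would silently not apply, and deletions in a .reg file are easy to overlook.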

Syntax: -

Example 1: -

Contents of D:\settings.reg -

Output -


OfflineReg version 1.0.1 improves the handling of .reg files and will create the required key structure. The following example will work even if any of the parent keys and subkeys are missing -

Output -

run

Execute a series of commands from a file to the selected <Hive>.

NOTE - the run command is similar to the import command in terms of syntax and execution. The target registry <Hive> will not be saved until after all commands in the <FILE> have been executed. Separate commands should be added one per line.

Syntax: -

Example 1: -

Contents of D:\commands.txt -

Output -

setvalue

Write <Value> and <Data> to the selected <Key>, or write the <Data> to the selected <Key> <Value>.

NOTE(S) - To add a Default <Value> to a <Key>, refer to Example 4. Refer to Example 2 and/or the Handling Spaces in Keys/Paths section for examples of dealing with spaces in paths. Refer to the Escape Characters section for dealing with special characters (e.g. the percent sign (%)).

Syntax: -

<Type> must use a numeric identifier. These are shown in the table below, with the different <Types> mapped to the numeric identifier used in the setvalue command in OfflineReg -

Type | OfflineReg ID | Example
REG_SZ | 1 | see here
REG_EXPAND_SZ | 2 | see here
REG_BINARY | 3 | see here
REG_DWORD | 4 | see here. NOTE - use decimal values in the <Data> field.
REG_MULTI_SZ | 7 | see here. NOTE - enclose the contents of the <Data> field in quotes ("), with a space as the separator.
REG_QWORD | 11 |

Example 1: (REG_SZ)

The above example will add the following entry to the A\B\C\D\E\Test <Key> -

Example 2: (REG_SZ)

The above example is similar to Example 1, but will handle spaces in the <Value> and <Data> fields. This command will add the following entry to the A\B\C\D\E\Test <Key> -

Example 3: (REG_SZ)

The above example will add the following entry to the A\B\C\D\E\Test <Key> -

Example 4: (REG_EXPAND_SZ)
Use in a console -

The above example will add the following entry to the A\B\C\D\E\Test <Key> -

Example 5: (REG_EXPAND_SZ) -
Use in a batch file

The above example will add the following entry to the A\B\C\D\E\Test <Key> -

Example 6: (REG_BINARY) -

The above example will add the following entry to the A\B\C\D\E\Test <Key> -

Example 7: (REG_DWORD) -

The above example will add the following entry to the A\B\C\D\E\Test <Key> -

Example 8: (REG_MULTI_SZ) -

The above example will add the following entry to the A\B\C\D\E\Test <Key> -

Sample batch file containing all of the setvalue examples above (with the exception of example 4). The first command in the batch will create a new registry hive (see here).

A screenshot of the <Hive> created after running the above batch file is displayed below. The screenshot shows the <Hive> mounted as HKLM\_TempSystem in the Windows Registry Editor, with all <Keys> and subkeys created after running the above commands expanded in the tree view -

setvaluebyteat

Write a byte at a given offset to the selected <Key><Value> in the target <Hive>. Supported <Value> <Type> - REG_BINARY.

Syntax: -

Example:
The following example can be adapted and used to allow logging in to a Windows account without a password. Use caution! The <Key> name (000003e9 in the example below) may need to be edited to reflect the account <Key> in the target <Hive>. This example has been adapted from a post made by the OfflineReg developer Erwan on the reboot.pro forum (see here).

First, let's check the available account <Key> names using the enumkeys command -

Output -

Now let's check the existing values at <Offsets> 160 and 172 using the getvaluebyteat command -

Output -

Changing the values at <Offsets> 160 and 172 to 0 (zero) will allow logon without a password.

Output -

Now let's recheck the values at <Offsets> 160 and 172 using the getvaluebyteat command -

Output -

Handling Spaces in Keys/Paths

Using the setvalue command syntax as an example -

The following elements can be wrapped in quotes (") to handle paths -

E.g. -

If the <Data> in a <Value> contains special characters then escape characters will need to be used (see here).

Escape Characters

Standard escape characters can be used. Adjust as required if using a batch file or console.

Please note that if using paths with spaces then enclose them in quotation marks ("). If escaping a character within quotation marks then the quotes will also need to be escaped, e.g. to escape "%SystemRoot%\Some Path" use ^"^%SystemRoot^%\Some Path^" (applies to the console only).

Commands with escape characters for use in a console -

Commands with escape characters for use in a batch file -

Screenshot of the results after executing the above commands (as displayed in the Windows Registry Editor) -

Help and Links

The OfflineReg version released on 28/1/2018 was used in this guide. The file has a Date modified timestamp of 28/01/2018 17:02 and the following checksums -

64-bit version

The following information is displayed if running offlinereg-win32.exe without any parameters -

Document date - 29th January 2018