Registry entries use the following format in the Windows Registry Editor (regedit.exe) -
The <Key> is displayed as a folder tree in the left panel of the Windows Registry Editor. <Keys> in a registry hive can be viewed/accessed in a similar manner to that used when browsing a folder tree in the Windows Explorer file-manager - with an expandable/collapsible tree view. The currently selected <Key> is displayed in the form of a path in the bar at the bottom of the Registry Editor window.
<Value> is a value under the <Key> selected in the folder tree in the left panel. Each <Value> in a <Key> must have a unique name, including <Values> of different <Types>. Please note that a <Value> is displayed under the Name column in the Windows Registry Editor.
<Type> can be one of the data types listed in Table 1.
<Data> is the information contained in the selected <Key> <Value>.
Using an example from the HKLM\SYSTEM\ControlSet001\Control <Key>, the <Value> CurrentUser is a REG_SZ <Type> entry containing the <Data> USERNAME
Table 1.
Table displaying the different <Value> <Types> supported in OfflineReg. The first column displays the <Type> as displayed in the Windows Registry Editor, the second column displays the corresponding numeric identifier used in the OfflineReg setvalue command, and the third column lists a summary of each <Type> (the Descriptions below have been copied from here) -
Type | OfflineReg ID | Description |
---|---|---|
REG_SZ | 1 | A fixed-length text string. |
REG_MULTI_SZ | 7 | A multiple string. Values that contain lists or multiple values in a form that people can read are generally this type. Entries are separated by spaces, commas, or other marks. |
REG_EXPAND_SZ | 2 | A variable-length data string. This data type includes variables that are resolved when a program or service uses the data. |
REG_DWORD | 4 | Data represented by a number that is 4 bytes long (a 32-bit integer). Many parameters for device drivers and services are this type and are displayed in Registry Editor in binary, hexadecimal, or decimal format. Related values are DWORD_LITTLE_ENDIAN (least significant byte is at the lowest address) and REG_DWORD_BIG_ENDIAN (least significant byte is at the highest address). |
REG_QWORD | 11 | Data represented by a number that is a 64-bit integer. This data is displayed in Registry Editor as a Binary Value and was introduced in Windows 2000. |
REG_BINARY | 3 | Raw binary data. Most hardware component information is stored as binary data and is displayed in Registry Editor in hexadecimal format. |
OfflineReg has been developed by Erwan.l. It is a console program that provides a frontend for the Windows API functions in the off-line registry library (Offreg.dll), and can be used to access off-line registry hives. Please note the use of off-line - if a registry hive is already loaded/mounted then OfflineReg will not be able to access it. Offreg.dll is "...a binary redistributable dynamic-link library (DLL)....Offreg.dll is provided in the Windows Driver Kit (WDK)..." - it is included in the OfflineReg download package. Please refer to the Offline Registry Library web-page for more information about the Offreg.dll library.
The common method of accessing an off-line registry hive involves mounting/loading it to make any required changes and then unmounting/unloading it. Loading a registry hive requires elevated user privileges. OfflineReg provides a scriptable tool for editing off-line registry hives and can be executed from an account with standard user privileges.
It is also worth mentioning that certain registry keys have security and access rights/permissions, and these cannot be edited when an off-line hive is loaded. Security permissions are not an issue when using OfflineReg as it will bypass them.
The command syntax in OfflineReg varies depending on the command being executed. Table 2 contains a list of commands supported in OfflineReg version 0.9.9.
Table 2.
The following table displays a list of supported commands with a brief summary of each. Click on the Command to view the syntax and examples -
Command | Summary |
---|---|
create | Create a new (empty) registry <Hive>. |
createkey | Create a new <Key>. If this is a subkey, then any parent <Key> must already be present in the target registry hive or this command will fail. |
deletevalue | Delete a <Value> (and its <Data>) from the selected <Key>. |
deletekey | Delete the selected <Key>. If the <Key> contains subkeys this command will fail. Use the deletekeys command if a <Key> contains subkeys. |
deletekeys | Delete the selected <Key> and all subkeys it contains. |
enumkeys | List all subkeys contained in the selected <Key>. |
enumkeysr | List all subkeys contained in the selected <Key> and recursively loop through all subkeys to display the full <Key> structure. |
enumvalues | List all <Values> in the selected <Key>. |
enumallvalues | List all <Values> (including its corresponding <Type> and <Data>) in the selected <Key>. |
getvalue | Parse the <Value> <Type> and <Data> of the selected <Key> <Value>. |
getvaluebyteat | Retrieve a REG_BINARY byte at a given offset from the selected <Key> <Value> in the target <Hive>. |
import | Add settings from a registry file (.reg). |
run | Run (multiple) commands from a file. |
setvalue | Write <Value> and <Data> to the selected <Key>, or write the <Data> to the selected <Key> <Value>. |
setvaluebyteat | Write a byte at a given offset in the selected <Key> <Value> in the target <Hive> (supported <Value> <Type> is REG_BINARY). |
Create a new (empty) registry <Hive>. The <Key> specified in this command must be at the <Hive> root.
Syntax: -
Example 1: -
Create an empty <Hive> -
Output -
Example 2: -
Create a new <Hive> with <Key> ControlSet001 at its root -
Output -
Create a new <Key>.
NOTES - see Example 3 (below) for instructions on creating a <Key> at the root of the selected <Hive>.
Syntax: -
Example 1: -
The following command will create <Key> E and all parent <Keys> and subkeys in the chain.
Output -
A screenshot of the <Hive> is displayed below. The screenshot shows the <Hive> mounted as HKLM\_TEMPREG in the Windows Registry Editor, with all <Keys> and subkeys created after running the above command expanded in the tree view -
Example 2: -
The following command will achieve identical results to the command in Example 1, creating <Key> E and all parent <Keys> and subkeys in the chain. The only difference in the syntax is that the new key is appended to the existing <Key> parameter, rather than given as a separate parameter following the createkey command.
Example 3: -
To create a <Key> at the root of a <Hive>, use the following syntax -
E.g. -
Output -
Delete a <Value> (and its <Data>) from the selected <Key>.
Syntax: -
Attempting to delete a <Value> that does not exist will result in the following error message -
Attempting to delete a <Value> from a <Key> that does not exist will result in the following error message -
Example: -
Output -
Delete the selected <Key>.
NOTE - whilst this command can be used to delete a <Key>, it will not be able to delete a <Key> that contains any subkeys. If a <Key> contains subkeys, use the deletekeys command.
Syntax: -
The following error will be displayed if attempting to delete a <Key> containing subkeys -
The following error message will be displayed if attempting to delete a <Key> that does not exist in the target <Hive> -
The following error message will be displayed if attempting to delete a <Key> when the parent <Key> does not exist in the target <Hive> -
Example 1: -
Output -
Delete the selected <Key> and all subkeys it contains.
Syntax: -
The following error will be displayed if attempting to delete a <Key> that does not exist in the target <Hive> -
Example 1: -
Output -
Display a list of subkeys contained in the selected <Key>.
Syntax: -
The following error will be displayed if attempting to read a <Key> that does not exist in the target <Hive> -
Example: -
Output -
List all subkeys contained in the selected <Key> and recursively loop through all subkeys to display the full <Key> structure.
Syntax: -
Example:
Output -
Display a list of all <Values> contained in the selected <Key>.
Syntax: -
The following error will be displayed if the target <Key> does not contain any <Values> -
The following error will be displayed if the target <Key> does not exist -
Example: -
Output -
Display a list of all <Values> (including <Data> and <Type>) contained in the selected <Key>.
Syntax: -
The following error will be displayed if the target <Key> does not contain any <Values> -
The following error will be displayed if the target <Key> does not exist -
Example: -
Output -
Parse the <Value> <Type> and <Data> of the selected <Key> <Value>.
Syntax: -
Attempting to read a <Value> that does not exist will result in the following error messages -
Attempting to read a <Value> from a <Key> that does not exist will result in the following error message -
Example(s): -
Output -
Retrieve a byte at a given offset in the selected <Key> <Value> in the target <Hive>. Supported <Value> <Type> - REG_BINARY.
Syntax: -
Example 1:
Output -
Import the settings from a Registry File to the selected <Hive>.
NOTE - the import command is not fully implemented. Some <Types> in a .reg file may cause errors. Caution should also be used as .reg files may contain entries for multiple <Hives>.
Syntax: -
Example 1: -
Contents of D:\settings.reg -
Output -
OfflineReg version 1.0.1 improves the handling of .reg files and will create the required key structure. The following example will work even if any of the parent keys and subkeys are missing -
Output -
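As an added illustration of the value types in Table 1 and of the .reg format that the import command consumes, the Python below (example code written for this page, not part of OfflineReg or Offreg.dll) encodes and decodes each type the way a hive stores it, then parses a constructed .reg file into typed entries tagged with the OfflineReg setvalue identifiers from Table 1. It also lists the hive roots a file touches, which is the check the note above about files spanning multiple <Hives> calls for. The sample .reg text, key names and value names are constructed for the example.

```python
import re
import struct

# Windows type name -> OfflineReg setvalue numeric ID (Table 1 on this page)
OFFLINEREG_ID = {"REG_SZ": 1, "REG_EXPAND_SZ": 2, "REG_BINARY": 3,
                 "REG_DWORD": 4, "REG_MULTI_SZ": 7, "REG_QWORD": 11}
# Standard Windows REG_* type codes, which a .reg file writes as a hex(N) suffix
REG_CODE = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
            5: "REG_DWORD_BIG_ENDIAN", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
INT_FORMAT = {"REG_DWORD": "<I", "REG_DWORD_BIG_ENDIAN": ">I", "REG_QWORD": "<Q"}

def encode(type_name, value):
    """Serialise a Python value into the raw bytes a hive stores for that type."""
    if type_name in ("REG_SZ", "REG_EXPAND_SZ"):
        return (value + "\0").encode("utf-16-le")            # NUL-terminated UTF-16LE
    if type_name == "REG_MULTI_SZ":                           # each string NUL-terminated,
        return ("".join(s + "\0" for s in value) + "\0").encode("utf-16-le")  # extra NUL ends list
    if type_name in INT_FORMAT:                               # 4 or 8 bytes, LE unless BIG_ENDIAN
        return struct.pack(INT_FORMAT[type_name], value)
    if type_name == "REG_BINARY":
        return bytes(value)
    raise ValueError("unsupported type: %s" % type_name)

def decode(type_name, raw):
    """Inverse of encode(): raw hive bytes -> Python value."""
    if type_name in ("REG_SZ", "REG_EXPAND_SZ"):
        return raw.decode("utf-16-le").split("\0", 1)[0]     # stop at the first NUL
    if type_name == "REG_MULTI_SZ":
        strings = []
        for s in raw.decode("utf-16-le").split("\0"):
            if s == "":                                       # an empty string ends the list
                break
            strings.append(s)
        return strings
    if type_name in INT_FORMAT:
        return struct.unpack(INT_FORMAT[type_name], raw)[0]
    if type_name == "REG_BINARY":
        return bytes(raw)
    raise ValueError("unsupported type: %s" % type_name)

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')   # "name"=data  or  @=data

def _parse_data(data):
    """Decode the right-hand side of a .reg value line into (type_name, value)."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1])  # \\ -> \  and  \" -> "
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", data)
    if m:
        type_name = REG_CODE[int(m.group(1), 16) if m.group(1) else 3]  # bare hex: is REG_BINARY
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return type_name, decode(type_name, raw)
    raise ValueError("unparseable data: %r" % data)

def parse_reg(text):
    """Parse .reg text into (hive_root, key_path, value_name, type_name, value) tuples."""
    joined = []
    for line in text.splitlines():                            # join hex continuation lines
        line = line.strip()
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line
        else:
            joined.append(line)
    entries, key = [], None
    for line in joined:
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unparseable line: %r" % line)
        name = "" if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(1))  # @ is (Default)
        type_name, value = _parse_data(m.group(3).strip())
        root, _, path = key.partition("\\")
        entries.append((root, path, name, type_name, value))
    return entries

def hive_roots(entries):
    """Distinct hive roots a .reg file touches; more than one means it spans <Hives>."""
    return sorted({e[0] for e in entries})

# Constructed sample .reg file (not from the page); the hex lines show the on-disk encodings
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp]
@="default text"
"Name"="C:\\Program Files\\ExampleApp"
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  25,00,00,00
"Flags"=dword:0000000a
"List"=hex(7):61,00,62,00,00,00,63,00,00,00,00,00
"Big"=hex(b):ff,ff,ff,ff,00,00,00,00
"Blob"=hex:de,ad,be,ef
[HKEY_CURRENT_USER\Software\ExampleApp]
"Seen"=dword:00000001
'''
```

Calling `parse_reg(SAMPLE_REG)` returns one tuple per value line; `hive_roots()` on that result gives both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, which is the situation the note above warns about, since an off-line <Hive> opened with OfflineReg corresponds to only one of them. The `OFFLINEREG_ID` lookup on each entry's type name gives the numeric identifier the setvalue command expects.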
Execute a series of commands from a file to the selected <Hive>.
NOTE - the run command is similar to the import command in terms of syntax and execution. The target registry <Hive> will not be saved until after all commands in the <FILE> have been executed. Separate commands should be added line by line.
Syntax: -
Example 1: -
Contents of D:\commands.txt -
Output -
Write <Value> and <Data> to the selected <Key>, or write the <Data> to the selected <Key> <Value>.
NOTE(S) - To add a Default <Value> to a <Key> refer to example 4. Refer to Example 2 and/or the Handling Spaces in Keys/Paths section for examples on dealing with spaces in paths. Refer to the Escape Characters section for dealing with special characters (e.g. percentage (%)).
Syntax: -
<Type> must use a numeric identifier. These are shown in the table below - with the different <Types> mapped to the numeric identifier used in the setvalue command in OfflineReg -
Type | OfflineReg ID | Example |
---|---|---|
REG_SZ | 1 | see here |
REG_EXPAND_SZ | 2 | see here |
REG_BINARY | 3 | see here |
REG_DWORD | 4 | see here. NOTE - use decimal values in the <Data> field. |
REG_MULTI_SZ | 7 | see here. NOTE - enclose the contents of the <Data> field in quotes ("), with a space as a separator. |
REG_QWORD | 11 | |
Example 1: (REG_SZ)
The above example will add the following entry to the A\B\C\D\E\Test <Key> -
Example 2: (REG_SZ)
The above example is similar to Example 1, but will handle spaces in the <Value> and <Data> fields. This command will add the following entry to the A\B\C\D\E\Test <Key> -
Example 3: (REG_SZ)
The above example will add the following entry to the A\B\C\D\E\Test <Key> -
Example 4: (REG_EXPAND_SZ)
Use in a console -
The above example will add the following entry to the A\B\C\D\E\Test <Key> -
Example 5: (REG_EXPAND_SZ) -
Use in a batch file
The above example will add the following entry to the A\B\C\D\E\Test <Key> -
Example 6: (REG_BINARY) -
The above example will add the following entry to the A\B\C\D\E\Test <Key> -
Example 7: (REG_DWORD) -
The above example will add the following entry to the A\B\C\D\E\Test <Key> -
Example 8: (REG_MULTI_SZ) -
The above example will add the following entry to the A\B\C\D\E\Test <Key> -
Sample batch file containing all of the setvalue examples above (with the exception of example 4). The first command in the batch will create a new registry hive (see here).
A screenshot of the <Hive> created after running the above batch file is displayed below. The screenshot shows the <Hive> mounted as HKLM\_TempSystem in the Windows Registry Editor, with all <Keys> and subkeys created after running the above commands expanded in the tree view -
Write a byte at a given offset to the selected <Key> <Value> in the target <Hive>. Supported <Value> <Type> - REG_BINARY.
Syntax: -
Example:
The following example can be adapted and used to allow logging in to a Windows account without a password. Use caution! The <Key> name (000003e9 in the example below) may need to be edited to reflect the account <Key> in the target <Hive>. This example has been adapted from a post made by the OfflineReg developer Erwan on the reboot.pro forum (see here).
First, let's check for the available account <Key> names using the enumkeys command -
Output -
Now let's check the existing values at <Offsets> 160 and 172 using the getvaluebyteat command -
Output -
Changing the values at <Offsets> 160 and 172 to 0 (zero) will allow log on without a password.
Output -
Now let's recheck the values at <Offsets> 160 and 172 using the getvaluebyteat command -
Output -
Using the setvalue command syntax as an example -
The following elements can be wrapped in quotes (") to handle paths -
E.g. -
If the <Data> in a <Value> contains special characters then escape characters will need to be used (see here).
Standard escape characters can be used. Adjust as required if using a batch file or console.
Please note that if using paths with spaces then enclose them in quotation marks ("). If escaping a character within quotation marks then the quotes will also need to be escaped. E.g. to escape "%SystemRoot%\Some Path" use ^"^%SystemRoot^%\Some Path^" (applies to console only).
Commands with escape characters for use in a console -
Commands with escape characters for use in a batch file -
Screenshot of the results after executing the above commands (as displayed in the Windows Registry Editor) -
The OfflineReg version released on 28/1/2018 was used in this guide. The file has a Date modified timestamp of 28/01/2018 17:02 and the following checksums -
64-bit version
The following information is displayed if running offlinereg-win32.exe without any parameters -
Document date - 29th January 2018