Search notes:

Windows registry: reg query

reg.exe query allows to query the registry for specific keys, values and/or data from a console application such as cmd.exe or PowerShell.

Command lines options

/v Queries for a specific key value. Can be omitted to search all values.
/ve Queries the default value.
/s Queries subkeys and values recursively. (Similar to the /s option in cmd.exe's dir command).
/se Specifies the separator (length of 1 character only) in values whose data type is REG_MULTI_SZ. (Default is "\0")
/f What to search for. * is a wildcard. Values with spaces need to be enclosed in double quotes. Default is *.
/k Search in key names only.
/d Search in data only.
/c Search case sensitively (default is case insensitive)
/e Return exact matches only.
/t Limit search to data type of value, can be: REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ, REG_DWORD, REG_QWORD, REG_BINARY, REG_NONE. Default is all data types.
/z Also show numeric equivalent
/reg:32, /reg:64 Search 32-bit or 64-bit registry view, respectively

The possibly most useful combination of options

The most useful combination of options is probably /s with /f: it recursively searches for everything that matches a given value (also as substring). 
C:\> reg query HKLM /s /f someData

Examples with test data

The following batch files attempt to demonstrate a few flags and usages of reg query.

insert-values.bat

insert-values.bat simply inserts some test data (a handful of keys and values) under HKEY_CURRENT_USER\Software\tq84. 
@echo off
rem
rem     Creating keys
rem     =============
rem     A key can be created by specifying
rem     it's path after "reg add".

        reg  add HKCU\Software\tq84                                               > nul

rem
rem     It's not necessary to add path componenents
rem     one by one. reg is clever enough to create
rem     all needed keys (here: apple and banana) before
rem     creating the last one (cherry)

       reg add HKCU\Software\tq84\apple\banana\cherry                             > nul


rem
rem    Add a few values
rem      /v  specifies the name of the value
rem      /d  specifies its value
rem      /t  specifies the values data type
rem      /ve is used to write a key's default value
rem
rem
       reg add HKCU\Software\tq84\apple               /v  valOne   /t REG_SZ /d foo      > nul
       reg add HKCU\Software\tq84\apple\banana        /v  valTwo   /t REG_SZ /d bar      > nul
       reg add HKCU\Software\tq84\apple               /v  valThree /t REG_SZ /d baz      > nul
       reg add HKCU\Software\tq84\apple\banana        /ve          /t REG_SZ /d apple    > nul
       reg add HKCU\Software\tq84\apple\banana\cherry /v  apple    /t REG_SZ /d fruit    > nul

rem
rem    Wait for the user to check the newly created keys
rem    with regedit:
rem
Github repository about-Windows-Registry, path: /tools/reg/query/insert-values.bat

show.bat

show.bat demonstrates a few queries below the newly inserted HKEY_CURRENT_USER\Software\tq84 key. 
@echo  off


rem
echo   ** Show the values and keys of a given key
rem
@      reg query HKCU\Software\tq84\apple
rem
rem    HKEY_CURRENT_USER\Software\tq84\apple
rem        valOne    REG_SZ    foo
rem        valThree    REG_SZ    baz
rem    
rem    HKEY_CURRENT_USER\Software\tq84\apple\banana


rem
echo   ** Show a key and all its subkeys and values recursively
rem
@      reg query HKCU\Software\tq84       /s
rem
rem    HKEY_CURRENT_USER\Software\tq84
rem        (Default)    REG_SZ
rem    
rem    HKEY_CURRENT_USER\Software\tq84\apple
rem        valOne    REG_SZ    foo
rem        valThree    REG_SZ    baz
rem    
rem    HKEY_CURRENT_USER\Software\tq84\apple\banana
rem        valTwo    REG_SZ    bar
rem        (Default)    REG_SZ    apple
rem    
rem    HKEY_CURRENT_USER\Software\tq84\apple\banana\cherry
rem        (Default)    REG_SZ
rem        apple    REG_SZ    fruit

rem
echo   ** Find values whose name is apple **
rem
@      reg query HKCU\Software\tq84        /s   /v apple
rem
rem    HKEY_CURRENT_USER\Software\tq84\apple\banana\cherry
rem        apple    REG_SZ    fruit
rem

rem
echo   ** Find everything with apple: keys, value-names and values.
rem    /v  specifically searches for values, /f searches for
rem    everything.
rem
@      reg query HKCU\Software\tq84        /s   /f apple

rem
echo   ** Restrict previous query to key names only by adding the /k flag
rem
@      reg query HKCU\Software\tq84        /s   /f apple    /k
rem
rem    HKEY_CURRENT_USER\Software\tq84\apple
rem

rem
echo   ** Restrict previous query to searching in data using the /d flag:
rem
@      reg query HKCU\Software\tq84        /s   /f apple    /d
rem
rem HKEY_CURRENT_USER\Software\tq84\apple\banana
rem     (Default)    REG_SZ    apple
rem

rem
echo   ** Searching with a substring (part) of the searched item
rem
@      reg query HKCU\Software\tq84 /s /f ppl
rem
rem    HKEY_CURRENT_USER\Software\tq84\apple
rem    
rem    HKEY_CURRENT_USER\Software\tq84\apple\banana
rem        (Default)    REG_SZ    apple
rem    
rem    HKEY_CURRENT_USER\Software\tq84\apple\banana\cherry
rem        apple    REG_SZ    fruit
Github repository about-Windows-Registry, path: /tools/reg/query/show.bat

cleanup.bat

Finally, cleanup.bat removes the HKEY_CURRENT_USER\Software\tq84 key entirely. 
@echo  off


rem
echo   ** Show the values and keys of a given key
rem
@      reg query HKCU\Software\tq84\apple
rem
rem    HKEY_CURRENT_USER\Software\tq84\apple
rem        valOne    REG_SZ    foo
rem        valThree    REG_SZ    baz
rem    
rem    HKEY_CURRENT_USER\Software\tq84\apple\banana


rem
echo   ** Show a key and all its subkeys and values recursively
rem
@      reg query HKCU\Software\tq84       /s
rem
rem    HKEY_CURRENT_USER\Software\tq84
rem        (Default)    REG_SZ
rem    
rem    HKEY_CURRENT_USER\Software\tq84\apple
rem        valOne    REG_SZ    foo
rem        valThree    REG_SZ    baz
rem    
rem    HKEY_CURRENT_USER\Software\tq84\apple\banana
rem        valTwo    REG_SZ    bar
rem        (Default)    REG_SZ    apple
rem    
rem    HKEY_CURRENT_USER\Software\tq84\apple\banana\cherry
rem        (Default)    REG_SZ
rem        apple    REG_SZ    fruit

rem
echo   ** Find values whose name is apple **
rem
@      reg query HKCU\Software\tq84        /s   /v apple
rem
rem    HKEY_CURRENT_USER\Software\tq84\apple\banana\cherry
rem        apple    REG_SZ    fruit
rem

rem
echo   ** Find everything with apple: keys, value-names and values.
rem    /v  specifically searches for values, /f searches for
rem    everything.
rem
@      reg query HKCU\Software\tq84        /s   /f apple

rem
echo   ** Restrict previous query to key names only by adding the /k flag
rem
@      reg query HKCU\Software\tq84        /s   /f apple    /k
rem
rem    HKEY_CURRENT_USER\Software\tq84\apple
rem

rem
echo   ** Restrict previous query to searching in data using the /d flag:
rem
@      reg query HKCU\Software\tq84        /s   /f apple    /d
rem
rem HKEY_CURRENT_USER\Software\tq84\apple\banana
rem     (Default)    REG_SZ    apple
rem

rem
echo   ** Searching with a substring (part) of the searched item
rem
@      reg query HKCU\Software\tq84 /s /f ppl
rem
rem    HKEY_CURRENT_USER\Software\tq84\apple
rem    
rem    HKEY_CURRENT_USER\Software\tq84\apple\banana
rem        (Default)    REG_SZ    apple
rem    
rem    HKEY_CURRENT_USER\Software\tq84\apple\banana\cherry
rem        apple    REG_SZ    fruit
Github repository about-Windows-Registry, path: /tools/reg/query/show.bat

Index