Thursday, July 31, 2014

Powershell: Working With The Registry Part 2

In part one, we covered some of the primary functions of the Microsoft.Win32 registry API.

Now, it is time to share some more knowledge:

When you call RegistryKey.OpenBaseKey, you can choose among three registry views:

  1. [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Default)
  2. [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry32)
  3. [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)

There is a world of difference between what you see in the 32-bit view and in the 64-bit view. Test your selections to determine which will work best for you.
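To make that difference visible, here is an added example (my code, not from the original post) that opens the same key through both the Registry32 and Registry64 views and reports the subkey names that exist in only one of them. The function and parameter names are my own, and HKLM\SOFTWARE is only a sample path; on 64-bit Windows the 32-bit view of that key is redirected to SOFTWARE\WOW6432Node, so the two listings differ, while on 32-bit Windows the view argument is ignored and both lists match.

```powershell
# Added example (not from the original post): compare the Registry32 and
# Registry64 views of one key. Names below are assumptions; HKLM\SOFTWARE is
# a sample path chosen because the two views differ there on 64-bit Windows.
function Compare-RegistryView {
    param(
        [Microsoft.Win32.RegistryHive]$Hive = [Microsoft.Win32.RegistryHive]::LocalMachine,
        [string]$SubKeyPath = 'SOFTWARE'
    )

    $base32 = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, [Microsoft.Win32.RegistryView]::Registry32)
    $base64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, [Microsoft.Win32.RegistryView]::Registry64)
    $key32 = $null; $key64 = $null
    try {
        # OpenSubKey returns $null (no exception) when the path is absent in that view
        $key32 = $base32.OpenSubKey($SubKeyPath)
        $key64 = $base64.OpenSubKey($SubKeyPath)
        $names32 = if ($key32) { @($key32.GetSubKeyNames()) } else { @() }
        $names64 = if ($key64) { @($key64.GetSubKeyNames()) } else { @() }

        # Registry names are case-insensitive and so is -notcontains
        [PSCustomObject]@{
            Path    = "$Hive\$SubKeyPath"
            Count32 = $names32.Count
            Count64 = $names64.Count
            Only32  = @($names32 | Where-Object { $names64 -notcontains $_ })
            Only64  = @($names64 | Where-Object { $names32 -notcontains $_ })
        }
    }
    finally {
        # Each RegistryKey holds a handle; release all four even if something threw
        foreach ($k in @($key32, $key64, $base32, $base64)) { if ($k) { $k.Close() } }
    }
}

# Usage: on 64-bit Windows expect WOW6432Node to be listed under Only64
Compare-RegistryView | Format-List
Compare-RegistryView -SubKeyPath 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' | Format-List
```

The second call is the practical case: installed-software inventories that read only one view miss every 32-bit or 64-bit package registered in the other, so an audit script should query both views and merge the results.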

Also, notice that you still have one more choice to make with respect to the target hive. For each hive the call is:

HKEY_CLASSES_ROOT:

[Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::ClassesRoot, [Microsoft.Win32.RegistryView]::Registry32)

HKEY_CURRENT_CONFIG:

[Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::CurrentConfig, [Microsoft.Win32.RegistryView]::Registry32)

HKEY_CURRENT_USER:

[Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::CurrentUser, [Microsoft.Win32.RegistryView]::Registry32)

HKEY_LOCAL_MACHINE:

[Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry32)

HKEY_USERS:

[Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::Users, [Microsoft.Win32.RegistryView]::Registry32)

Past this, to enumerate the first level of subkeys (where $regkey is the RegistryKey returned by OpenBaseKey above):

$Names = $regkey.GetSubKeyNames()
foreach($Name in $Names)
{
        #Do something with the subkey name here
}

In order to open a subkey and then get its subkey names:

$Names = $regkey.OpenSubKey("Software\Microsoft").GetSubKeyNames()
foreach($Name in $Names)
{
        #Do something with the subkey name here
}

In order to get the value names of the key:

$Names = $regkey.GetValueNames()
foreach($Name in $Names)
{
        #Do something with the value name here
}

In order to open a subkey and then get the value names of that subkey:

$Names = $regkey.OpenSubKey("Software\Microsoft").GetValueNames()
foreach($Name in $Names)
{
        #Do something with the value name here
}
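Putting the four enumeration calls together, here is an added example (my code, not the post's) that walks a key recursively to a chosen depth, emits every value with its name, kind and data, and keeps going when a subkey is unreadable instead of aborting the whole walk. The function name, parameters and the sample Run key are my own choices; the Run key is used because reviewing autostart entries is a common reason to enumerate the registry in the first place.

```powershell
# Added example (not from the original post): recursive enumeration built on
# GetSubKeyNames / OpenSubKey / GetValueNames. Function and parameter names are
# assumptions; the sample path under HKLM is a common autostart location.
function Get-RegistryTree {
    param(
        [Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key,
        [int]$MaxDepth = 2,
        [int]$Depth = 0
    )

    # Values stored directly under this key; "" is the (Default) value
    foreach ($valueName in $Key.GetValueNames()) {
        [PSCustomObject]@{
            Key  = $Key.Name
            Name = if ($valueName -eq '') { '(Default)' } else { $valueName }
            Kind = $Key.GetValueKind($valueName)
            Data = $Key.GetValue($valueName)
        }
    }

    if ($Depth -ge $MaxDepth) { return }

    foreach ($subName in $Key.GetSubKeyNames()) {
        $sub = $null
        try {
            # Read-only open; returns $null if the key was deleted between calls
            $sub = $Key.OpenSubKey($subName)
            if ($sub) { Get-RegistryTree -Key $sub -MaxDepth $MaxDepth -Depth ($Depth + 1) }
        }
        catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
            # Some keys are unreadable to a normal user; record it and keep walking
            Write-Warning "Access denied: $($Key.Name)\$subName"
        }
        finally {
            if ($sub) { $sub.Close() }
        }
    }
}

# Usage: list autostart values registered under the 64-bit view of HKLM
$base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,
                                                   [Microsoft.Win32.RegistryView]::Registry64)
$run = $base.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
try {
    if ($run) { Get-RegistryTree -Key $run -MaxDepth 1 | Format-Table -AutoSize }
}
finally {
    if ($run) { $run.Close() }
    $base.Close()
}
```

Every opened subkey is closed in a finally block, because each RegistryKey wraps a kernel handle and a deep walk that leaks them is the usual cause of "too many open files" style failures in long-running inventory scripts.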

In order to get the value kind of a value:

$vkind = $regkey.OpenSubKey("ADODB.Connection\clsid").GetValueKind("")

Assuming you pointed the registry key to ClassesRoot, this will return
RegistryValueKind.String (the empty-string name selects the key's default value).

Of course, technically, the data held in that default value, although it is a string, is actually a GUID. That enables you to open CLSID\{00000514-0000-0010-8000-00AA006D2EA4}\InprocServer32, whose default value points you to the physical location of the file, which can then be checked for the correct physical file version and internal file version information.
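The lookup chain just described, as an added example that is not part of the original post: follow a ProgID to its CLSID default value, confirm the value kind and that the data really parses as a GUID before using it to build a second path, open the InprocServer32 key, and read the version information and Authenticode status of the DLL it names. The function and parameter names are mine; the ProgID ADODB.Connection and the CLSID above are the post's. The view parameter matters here because HKCR\CLSID is redirected to HKCR\WOW6432Node\CLSID for 32-bit callers, so the same ProgID can resolve to a different DLL in each view.

```powershell
# Added example (not from the original post): ProgID -> CLSID -> InprocServer32
# -> file version. Function and parameter names are assumptions; the ProgID and
# CLSID values used in the usage lines come from the post above.
function Get-ComServerInfo {
    param(
        [Parameter(Mandatory)][string]$ProgId,
        [Microsoft.Win32.RegistryView]$View = [Microsoft.Win32.RegistryView]::Registry64
    )

    $hkcr = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::ClassesRoot, $View)
    $clsidKey = $null; $serverKey = $null
    try {
        $clsidKey = $hkcr.OpenSubKey("$ProgId\CLSID")
        if (-not $clsidKey) { throw "ProgID '$ProgId' has no CLSID subkey in the $View view" }

        # The post's GetValueKind("") call: "" selects the key's (Default) value
        $kind = $clsidKey.GetValueKind('')
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
            throw "Unexpected value kind $kind for $ProgId\CLSID (Default)"
        }

        # The data is a string, but it must parse as a GUID before it is used as a key name
        $guid = [guid]::Empty
        if (-not [guid]::TryParse([string]$clsidKey.GetValue(''), [ref]$guid)) {
            throw "CLSID default value for $ProgId is not a GUID"
        }

        $serverKey = $hkcr.OpenSubKey("CLSID\{$guid}\InprocServer32")
        if (-not $serverKey) { throw "CLSID {$guid} has no InprocServer32 subkey (an EXE server uses LocalServer32)" }

        # InprocServer32 (Default) is frequently REG_EXPAND_SZ; expand explicitly and drop quotes
        $rawPath = [string]$serverKey.GetValue('')
        $path = [Environment]::ExpandEnvironmentVariables($rawPath).Trim('"')
        $exists = ($path -ne '') -and (Test-Path -LiteralPath $path -PathType Leaf)
        $info = if ($exists) { [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path) } else { $null }

        [PSCustomObject]@{
            ProgId          = $ProgId
            View            = $View
            Clsid           = "{$guid}".ToUpperInvariant()
            PathKind        = $serverKey.GetValueKind('')
            ServerPath      = $path
            FileExists      = $exists
            FileVersion     = if ($info) { $info.FileVersion } else { $null }
            ProductVersion  = if ($info) { $info.ProductVersion } else { $null }
            CompanyName     = if ($info) { $info.CompanyName } else { $null }
            SignatureStatus = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { $null }
        }
    }
    finally {
        foreach ($k in @($clsidKey, $serverKey, $hkcr)) { if ($k) { $k.Close() } }
    }
}

# Usage: resolve the post's example in both views and compare the DLLs they name
Get-ComServerInfo -ProgId 'ADODB.Connection' -View Registry64 | Format-List
Get-ComServerInfo -ProgId 'ADODB.Connection' -View Registry32 | Format-List
```

The two checks before the second OpenSubKey are the point of the example: the registry gives you back a string, and a script that splices that string straight into another key path trusts whatever was written there. Validating the kind and the GUID format, and then reporting whether the referenced file exists and who signed it, turns the lookup into a review of the COM registration rather than a blind dereference of it.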