How to use Registry Keys in a Batch File

Version 9

    Verified Product Versions

    Endpoint Manager 9.6
    Endpoint Manager 2016.x
    Endpoint Manager 2017.x



    There are many options for deploying a Registry key:


    • Batch Files (the topic of this article)
    • Package Builder Executable
    • Custom Vulnerability
    • VBScript


    Before modifying or querying a registry key, it is important to understand the options available to you for doing so.


    This document focuses on working with Registry keys in a batch file.


    Accessing Registry Keys


    All registry keys are accessible at all times through the following two hives:

    HKEY_LOCAL_MACHINE
    HKEY_USERS

    While there appear to be other hives, these are actually just reference locations that already exist under the above two hives.


    What does it mean to reference another hive?  It means that if hive X references hive Y, then both are the exact same hive with two different names pointing to the same place.  Making a change to either hive X or hive Y modifies the same hive, since both names are just references to it.


    Accessing the User's hive (HKEY_CURRENT_USER)


    There is the misconception that the only way to modify a user's registry key is to modify HKEY_CURRENT_USER, which is not the case.  Each user's registry hive is available under HKEY_USERS.  HKEY_CURRENT_USER actually references the hive under HKEY_USERS.


    If the process is run by Local System, the HKEY_CURRENT_USER hive references the HKEY_USERS\.DEFAULT user hive, which is a reference to the HKEY_USERS\S-1-5-18 hive.


    If the process is run by a logged-in local or domain user, then the HKEY_CURRENT_USER hive references that of the currently logged-in user.  The HKEY_USERS equivalent would be something like the following:

    HKEY_USERS\S-1-5-21-1715567821-879983540-682003330-36408

    The long string is a Security ID or SID.


    Matching Security IDs (SIDs) with Usernames


    Microsoft explains that the easiest way to determine which SID belongs to which username is to do the following:


    1. Open Regedit.

    2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

    3. Under the ProfileList key, you will see the SIDs. By selecting each one individually, you can look at the value of the ProfileImagePath string and see what user name is associated with that particular SID by looking at the folder that is used in Documents and Settings.


    Sometimes you will see different folders for a user as follows:

    Username
    Username.DomainName
    Username.ComputerName

    If a username has a .ComputerName or .DomainName suffix, the suffix is not part of the username; it is used to differentiate a local user and a domain user that have the same name.  The first user to log in gets the name without a .DomainName or .ComputerName suffix.  If a domain user with the same name then logs in second, a .DomainName suffix is added.  If a local user with the same name logs in second, a .ComputerName suffix is added.  This is important to note when parsing user names with a batch file, VBScript, or other coding tool.


    The _Classes keys can be ignored.  There will be a similar registry key that looks as follows:

    HKEY_USERS\S-1-5-21-1715567821-879983540-682003330-36408_Classes

    Notice it ends in _Classes.  This registry key is not a user hive, but is just another reference to a key inside the same user hive:

    HKEY_USERS\S-1-5-21-1715567821-879983540-682003330-36408\Software\Classes

    Modifying the Registry within a Batch File



    Now that you know that all registry keys can be accessed from HKEY_LOCAL_MACHINE and HKEY_USERS, and how to find out which user key is which, it is time to determine the best method for updating a registry key.


    Accessing the Registry with a Batch File


    The way a batch file is written to deploy as a Distribution Package is different from the way it would be written to be run by a user who double-clicks on it.  In fact, a batch file that works when double-clicked is probably not going to work in a Distribution Package.  Before writing a batch file to deploy as a Distribution Package in Ivanti EPM, it is beneficial to read the following document to avoid common errors.


    Understanding Batch File Distribution Packages


    Batch files deployed with Ivanti EPM run as Local System when a Push Delivery Method is used.  When a Policy Delivery Method is used and the user is not a local administrator on their workstation, the batch file also runs as Local System.  When a Policy Delivery Method is used and the user is a local administrator on their workstation, the batch file runs as that user.  A tool called StartAsUser.exe can be called in the script to run commands as the user even when using a Push Delivery Method, or a Policy Delivery Method targeting a user who is not a local administrator.  However, the user must be logged in and must have permission to perform the command for it to succeed.


    Using Regedit to Add, Change, or Remove a Registry Key


    Regedit.exe can add, change, or remove registry keys; however, it cannot query them.  It also cannot alter registry key permissions.


    This example uses Regedit.exe to add a simple registry key.  It requires one additional file.  When creating the Ivanti EPM Batch File Distribution Package, make the batch file the primary package and make sure to add the .reg file as an additional file.


    REM Add a registry key and values with Regedit.exe
    REM and a .reg file
    REM
    REM /s is used to avoid an "Are you sure" prompt
    regedit.exe /s somefile.reg


    The somefile.reg would look something like this.  For more information on the syntax of a .reg file, including the syntax for deleting a registry key or registry value, see this site:


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\SomeRegKey]
    "SomeDWORD"=dword:00000001
    "SomeString"="Hello, World!"


    The additional file can be avoided by having the batch file create the additional file when it runs, like this:


    REM Add a registry key and values with Regedit.exe
    REM and a .reg file

    REM Create the .reg file in the temp directory
    > "%temp%\somefile.reg" ECHO Windows Registry Editor Version 5.00
    >> "%temp%\somefile.reg" ECHO.
    >> "%temp%\somefile.reg" ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\SomeRegKey]
    >> "%temp%\somefile.reg" ECHO "SomeDWORD"=dword:00000001
    >> "%temp%\somefile.reg" ECHO "SomeString"="Hello, World!"

    REM /s is used to avoid an "Are you sure" prompt
    regedit.exe /s "%temp%\somefile.reg"


    Using Reg.exe

    Reg.exe is another tool that can access the registry.  As well as adding, modifying, or deleting registry values, it can query, copy, compare, import, export, and more.  It cannot alter registry key permissions.  Reg.exe is included by default in Windows XP and later operating systems, but it is not included by default in Windows 2000 or earlier and had to be added from the Windows 2000 Resource Kit.


    More information on Reg.exe can be found by searching for "REG command" on Microsoft's website or by going to this TechNet site:


    The options for Reg.exe can be seen by running Reg.exe /? at a command prompt.


    C:\>reg /?

    Console Registry Tool for Windows - version 3.0
    Copyright (C) Microsoft Corp. 1981-2001.  All rights reserved


    REG Operation [Parameter List]

      Operation  [ QUERY | ADD | DELETE | COPY |
                   SAVE | LOAD | UNLOAD | RESTORE |
                   COMPARE | EXPORT | IMPORT ]

    Return Code: (Except of REG COMPARE)

      0 - Successful
      1 - Failed

    For help on a specific operation type:

      REG Operation /?

    Examples:

      REG QUERY /?
      REG ADD /?
      REG DELETE /?
      REG COPY /?
      REG SAVE /?
      REG RESTORE /?
      REG LOAD /?
      REG UNLOAD /?
      REG COMPARE /?
      REG EXPORT /?
      REG IMPORT /?

    C:\>


    Using Reg.exe to Add Registry Keys and Values


    To add the same Registry keys as shown in the Regedit example, the following batch file could be used.


    REM Add a registry key and values with Reg.exe
    REG ADD HKLM\Software\SomeRegKey
    REG ADD HKLM\Software\SomeRegKey /v SomeDWORD /t REG_DWORD /d 1
    REG ADD HKLM\Software\SomeRegKey /v SomeString /t REG_SZ /d "Hello, World"


    Create a Batch File Distribution Package and deploy the batch file with any Delivery Method.
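    The following is an added example, not code from the original article, showing the same three REG ADD commands written so they run unattended in a Distribution Package: Reg.exe's /f switch suppresses the "overwrite?" prompt that would otherwise stall a package running as Local System, and the value is read back with the tokens pattern used later in this article.  The KEY variable, the :fail label and the exit codes are assumptions.

```batch
@ECHO OFF
REM Added example (not from the original article): the same REG ADD commands
REM written for an unattended Distribution Package. Key and value names come
REM from the article; the structure, labels and variable names are assumed.
SETLOCAL
SET "KEY=HKLM\Software\SomeRegKey"

REM /f overwrites silently. Without it, REG ADD prompts "overwrite? (Yes/No)"
REM when the value already exists, and a package running as Local System
REM has nobody to answer the prompt, so the batch file stalls.
REG ADD "%KEY%" /f >NUL || GOTO fail
REG ADD "%KEY%" /v SomeDWORD /t REG_DWORD /d 1 /f >NUL || GOTO fail
REG ADD "%KEY%" /v SomeString /t REG_SZ /d "Hello, World" /f >NUL || GOTO fail

REM Read the value back. The REG QUERY line is "SomeDWORD  REG_DWORD  0x1",
REM so token 3 is the data; compare it instead of trusting the return code.
SET "actual="
FOR /F "tokens=3" %%v IN ('REG QUERY "%KEY%" /v SomeDWORD ^| FINDSTR /C:"SomeDWORD"') DO SET "actual=%%v"
IF /I NOT "%actual%"=="0x1" GOTO fail

ECHO %KEY% written and verified.
EXIT /B 0

:fail
REM A non-zero exit code is returned to whatever launched the batch file.
ECHO Failed to write or verify %KEY%.
EXIT /B 1
```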


    Using Reg.exe to Query Registry Keys


    Registry keys can also be queried and the values can be accessed and used in a batch file.


    Example 1

    The LDClient directory may be in different places on different agent workstations.  Some XP Embedded workstations don't even have a C drive, so calling c:\program files\LANDESK\LDClient with a hard-coded path may not work for all your devices.  Here is a simple example of how to query the registry to get the LDClient directory.


    @ECHO OFF
    REM
    REM Copyright Jared Barneck
    REM

    GOTO main

    :f_ldmain
      REM This :f_ldmain works as a function and can be run in :main using this syntax:
      REM call :f_ldmain
      REM It has an "f_" beginning to mark it as a function.

      REM Get the correct path to the ManagementSuite directory.
      REM "tokens=2*" makes tokens 2 and 3, with 3 holding all remaining data on the line, including spaces.
      FOR /F "tokens=2*" %%a IN ('REG QUERY HKLM\SOFTWARE\LANDESK\ManagementSuite\WinClient /v Path ^|FINDSTR Path') DO SET ldclientdir=%%b
    GOTO end

    :main
      CALL :f_ldmain
      ECHO "The LDClient directory is here:"
      ECHO %ldclientdir%
      ECHO.
    GOTO end

    :end



    Example 2

    Here is another example.  To get a list of SIDs from HKEY_USERS, the REG QUERY command can be used as shown.


    C:\>REG QUERY HKU

    ! REG.EXE VERSION 3.0

    HKEY_USERS

    HKEY_USERS\.DEFAULT
    HKEY_USERS\S-1-5-19
    HKEY_USERS\S-1-5-19_Classes
    HKEY_USERS\S-1-5-20
    HKEY_USERS\S-1-5-20_Classes
    HKEY_USERS\S-1-5-21-1715567821-879983540-682003330-36408
    HKEY_USERS\S-1-5-21-1715567821-879983540-682003330-36408_Classes
    HKEY_USERS\S-1-5-21-1937564237-1933792563-196172844-1031
    HKEY_USERS\S-1-5-21-1937564237-1933792563-196172844-1031_Classes
    HKEY_USERS\S-1-5-18


    While this command only provides a list of subkeys in HKEY_USERS and is not useful by itself in a batch file deployed by Ivanti EPM, it can be combined with other commands in a batch file and become more useful.  For example, if a registry key must be added to all users' registry hives, this output can be parsed to list the valid users that can log in (since some of the SIDs belong to the Network Service or other accounts that are not login accounts).


    Parsing the output above is not easy.  The output has a number of unneeded spaces and is not very clean.  The first addition we can make to the REG QUERY command is to pipe it to Findstr to get only HKEY_USERS\.DEFAULT and any valid user SIDs.  The Findstr syntax can be seen by running Findstr /? at a command prompt.  If you do not understand the regular expression used in the Findstr command, don't worry; just copy the syntax used in the example.


    The following is an example output of this command on a workstation with only two valid login users.


    C:\>REG QUERY HKU |Findstr /R "DEFAULT S-1-5-[0-9]*-[0-9-]*$"
    HKEY_USERS\.DEFAULT
    HKEY_USERS\S-1-5-21-1715567821-879983540-682003330-36408
    HKEY_USERS\S-1-5-21-1937564237-1933792563-196172844-1031


    Now we have a simple output that can be parsed with advanced batch file commands to make a Registry modification to the .DEFAULT hive, and each login user's hive.  By changing the .DEFAULT, all future new users will get the change, but the current users will not, so they have to be modified explicitly.


    The following batch file will find all login users and add a Registry key to their hives as well as add the same Registry key to the .DEFAULT hive.


    REM Modify a registry key for all login users
    REM Also modify it in the .DEFAULT hive so future users get it.
    REM
    REM Copyright Jared Barneck
    REM

    GOTO main

    :modkey
      REM %1 is the value of %%a that is passed.
      REG ADD HKU\%1\SomeRegKey
      REG ADD HKU\%1\SomeRegKey /v SomeDWORD /t REG_DWORD /d 1
      REG ADD HKU\%1\SomeRegKey /v SomeString /t REG_SZ /d "Hello, World"
      REM Going to :end here only ends this instance of the call to the
      REM :modkey label. It does not end the whole batch file.
    GOTO end

    :main
      FOR /F "tokens=2* delims=\" %%a IN ('REG QUERY HKU ^|Findstr /R "DEFAULT S-1-5-[0-9]*-[0-9-]*$"') DO CALL :modkey %%a
      REM Going to :end here ends the whole batch file.
    GOTO end

    :end
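    The following added example, not code from the original article, combines the per-user loop above with the SID-to-username lookup described under "Matching Security IDs (SIDs) with Usernames": for each hive that the Findstr pattern keeps, it reads ProfileList\<SID>\ProfileImagePath and prints the profile folder name (Username, Username.DomainName or Username.ComputerName).  Only hives currently loaded under HKEY_USERS are listed, so a user who is not logged on does not appear.  The :resolve label, the PROFILELIST variable and the output wording are assumptions.

```batch
@ECHO OFF
REM Added example (not from the original article): list the loaded user hives
REM under HKEY_USERS and resolve each SID to its profile folder through
REM ProfileList\<SID>\ProfileImagePath, as the article describes doing by hand
REM in Regedit. Label names, variable names and output text are assumed.
SETLOCAL ENABLEDELAYEDEXPANSION
SET "PROFILELIST=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

GOTO main

:resolve
  REM %1 is the SID (or .DEFAULT) passed from the FOR loop in :main.
  REM .DEFAULT has no ProfileList entry, so the REG QUERY below fails for it.
  SET "profile=(no ProfileList entry)"
  REM tokens=2* puts the type in %%t and everything after it (the path,
  REM spaces included) in %%u. FINDSTR /C: matches the literal value name.
  FOR /F "tokens=2*" %%t IN ('REG QUERY "%PROFILELIST%\%~1" /v ProfileImagePath 2^>NUL ^| FINDSTR /C:"ProfileImagePath"') DO SET "profile=%%u"
  REM %%~nxf keeps only the last path component, e.g. Username.DomainName;
  REM the .DomainName or .ComputerName suffix survives as the "extension".
  FOR %%f IN ("!profile!") DO SET "folder=%%~nxf"
  ECHO SID %~1 uses profile folder: !folder!
GOTO :EOF

:main
  REM delims=\ splits HKEY_USERS\<SID> so the SID alone lands in %%a; the
  REM Findstr pattern is the article's: .DEFAULT plus user SIDs, no _Classes.
  FOR /F "tokens=2* delims=\" %%a IN ('REG QUERY HKU ^| Findstr /R "DEFAULT S-1-5-[0-9]*-[0-9-]*$"') DO CALL :resolve %%a
ENDLOCAL
```

    Because GOTO :EOF returns from a CALL without jumping to a shared :end label, the :main loop continues with the next SID after each :resolve call.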