This work is licensed under the Creative Commons Attribution-ShareAlike 2.5 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

Originally written by Kynan Dent (http://kynan.org) for TWATech Radio (http://twatech.org).

Welcome to TWAT Radio Episode 82: Windows From The Command Line

Hi, my name's kynan and I'm hopefully going to provide you with some information on making Windows system administration from the command line a little easier. I originally intended to just do one show and mention everything all at once but it got too long and messy, so I've decided to cut it down and I'm going to stretch it out over a couple of shows and mention only a specific utility or class of utilities each time.

I'll be talking about command line utilities and their usage for the Windows NT family of operating systems. We're going to look at the utilities that come from Microsoft as part of a base Windows install (or possibly on the CD but not actually installed) or as part of a Resource Kit. We'll also have a look at some very handy third party tools that can be easily obtained for free.

Because of the nature of this medium (i.e. audio) it's going to be a little difficult to discuss command line tools without being very, very boring, so I'm going to mention the tool and what you can do with it, where you can get it if it's not a part of a normal install, and provide a brief insight into how I'd use it. This should be enough information for you to go and get your hands on them and work out the intricacies yourself if it sounds interesting to you.

Today I'm going to talk about Registry editing from the command line, but before I get to that I want to mention some online resources that a lot of people don't realise are available.
Microsoft actually provides the manual for all of the NT family of operating systems (with the exception of NT4) online, and in the bowels of these manuals is what Microsoft calls the "Command Line Reference". This is basically a list of all of the command line tools that come with the base OS and instructions on how to use them.

Get your pens ready because I'm going to give you some tiny URLs. I hate trying to say http://tinyurl.com so I'm not going to say it again - I'm just going to tell you the tinyurl part of the URL.

So, for Windows 2000 you can find the Command Line Reference at: http://tinyurl.com/kmy
For Windows XP: http://tinyurl.com/36leu
and for Windows 2003: http://tinyurl.com/qaer3

Apart from the command line reference there is a lot of good info there so have a dig around.

Let's get on to today's tools. Like I said before, we're going to look at some command line tools that you can use to edit the registry. As we all know, essentially the registry is the heart of the Windows OS and I'm assuming that you're an admin and you know all about the registry and you're aware that there IS a reason that every Microsoft Knowledge Base article that mentions tweaking the registry has this warning on the front of it:

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs.

Although my favourite warning comes from the Regedit helpfile:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
CAUTION: Incorrectly editing the registry may severely damage your system.
Before making changes to the registry, you should back up any valued data on
your computer.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Personally I've NEVER destroyed a machine by messing with the registry but I DO know of people who have caused themselves some pretty severe problems.
Don't be afraid of the registry, but it IS worth being cautious, especially with the tools I'm about to talk about because there isn't going to be an "Are you sure?" button popping up!

Onwards! As you know, the normal GUI way to access the registry is via either regedit.exe or REGEDT32.EXE. There are a couple of command line parameters that will allow you to use regedit.exe to create backups and make additions to the registry.

To back up a portion of or even the entire registry, use the /E switch. If you want the whole thing then REGEDIT /E filename.reg will do the trick. If you want a particular branch then you need to add the key after the /E like this: REGEDIT /E filename.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion". If you do this you'll end up with a plain text file dump of the registry or branch that you specified.

In a similar way you can put data back into the registry. By crafting a plain text file using the right syntax you can create a file that regedit will happily import. The command line for this is just regedit filename.reg.

This is all pretty clumsy though - we want to manipulate things on the fly, not mess around with text files that have to be copied around all over the place, and REG or the "Console Registry Tool for Windows" is the tool to do just that!

REG.EXE lives in the %SYSTEMROOT%\System32 directory and is a part of the base install for Windows XP and Windows 2003. You'll need to dig it out of the resource kit for NT4 but the XP version will work on Windows 2000. Be aware that the NT4 version is very different to the Windows 2000 version. The version number for NT4 is 1.10 whilst the newer Windows 2000+ version is 2 and I think Windows XP is at version 3.

The syntax for REG is pretty simple: REG followed by the operation you want to perform, followed by the parameters specific to that operation. The operations that REG can do are:

+- Screenshot ------------------------------------------------------------------
LOCAL C:\>reg /?
Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001.  All rights reserved

REG Operation [Parameter List]

  Operation  [ QUERY   | ADD    | DELETE  | COPY    |
               SAVE    | LOAD   | UNLOAD  | RESTORE |
               COMPARE | EXPORT | IMPORT ]
...
+- End: Screenshot -------------------------------------------------------------

That looks pretty comprehensive! You can do nearly everything you'd ever need to do to the registry from here; the only thing you can't do is search. The QUERY operation will only print out what keys are present at whatever key you specify, it can't search. Obviously that's a bit of a bummer so we'll detour briefly to look at REGFIND.

REGFIND is a resource kit tool that allows you to search for a string in the registry and you can get it at http://tinyurl.com/nuvhj. REGFIND is also a bit more than it seems because not only is it REGFIND, it can also be REG FIND and REPLACE! It goes without saying that search and replace is something you should think about VERY carefully before using on the Registry. REGFIND isn't going to stop and ask if you're REALLY sure before it replaces all occurrences of "Win" with "Lose" for example and I'd say that'd be pretty disastrous!

The REGFIND syntax is pretty simple. REGFIND followed by a string will search the whole registry for data values that contain that string. You can expand the search to key and value names with -n, and -y will make the search case insensitive. Unfortunately REGFIND doesn't use the standard registry (regedit) format and its output can be a bit ugly. I tend to use REGFIND to locate the area the key I'm looking for is in and then I'll switch to REG to find out exactly what's there. It's handy to specify the indent level using -i 1. The default level is four tabs for some reason and if the data you find is more than a couple of levels deep then the output ends up wrapping all over the place.

Right, back to REG. Most of the operation is pretty obvious. But let's look at an example.
Let's say you wanted to check if 8.3 names are disabled on your box. You can use the QUERY option of REG to check:

+- Screenshot ------------------------------------------------------------------
LOCAL C:\>reg query HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v NtfsDisable8dot3NameCreation

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
    NtfsDisable8dot3NameCreation    REG_DWORD    0x1
+- End: Screenshot -------------------------------------------------------------

The /v tells REG that I want to check a specific entry or value, "NtfsDisable8dot3NameCreation", and if I'd left the /v switch off then REG would return all values under the FileSystem key. When I run this command I can see that this value is a REG_DWORD and it's currently set to 0x1 so 8.3 filenames are in fact disabled on this machine. This is a big pain in the arse if certain things are expecting to be able to access directories via 8.3 names so I want to turn this option off. I can do this with REG too.

The REG ADD command is very similar to the query command in syntax, you just need to add the data value.

+- Screenshot ------------------------------------------------------------------
LOCAL C:\>reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v NtfsDisable8dot3NameCreation /t REG_DWORD /d 0
Value NtfsDisable8dot3NameCreation exists, overwrite(Y/N)? Y

The operation completed successfully
+- End: Screenshot -------------------------------------------------------------

The /v is the same and tells REG which entry we want to add (or edit in this case), the /t tells REG what data type the entry is and the /d tells REG the actual value to set the entry to. When I did this I was prompted to make sure I wanted to overwrite a value that was already present but you can get around that prompt by adding /F to the command line to force REG to overwrite anything it finds.
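
The QUERY and ADD commands above, put together in one batch file that takes a backup first, as the Knowledge Base warning quoted earlier advises. This is an added example, not part of the original show notes; the backup file name is made up for the illustration, and it relies on REG EXPORT and REG IMPORT, which are covered further down.

```batch
@echo off
rem Added example, not part of the original show notes.
rem Back up the FileSystem key, set NtfsDisable8dot3NameCreation to 0 without
rem the overwrite prompt, then read the value back to confirm the change.
rem BACKUP is a file name made up for this example. Writing to HKLM needs an
rem administrator account.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\FileSystem"
set "VALUE=NtfsDisable8dot3NameCreation"
set "BACKUP=%TEMP%\FileSystem-before.reg"

rem Never clobber an earlier backup: it may be the only copy of the old state.
if exist "%BACKUP%" (
    echo %BACKUP% already exists. Move it aside and run again.
    exit /b 1
)

rem 1. Text backup of the whole key. REG sets ERRORLEVEL to 1 on failure.
reg export "%KEY%" "%BACKUP%" >nul
if errorlevel 1 (
    echo Export failed, nothing has been changed.
    exit /b 1
)

rem 2. /f suppresses the "overwrite(Y/N)?" prompt shown in the screenshot above.
reg add "%KEY%" /v %VALUE% /t REG_DWORD /d 0 /f >nul
if errorlevel 1 (
    echo REG ADD failed. The backup is in %BACKUP%
    exit /b 1
)

rem 3. Read the value back. REG prints DWORDs without leading zeros, so the
rem    text "0x0" only appears when the value is zero.
reg query "%KEY%" /v %VALUE% | find "0x0" >nul
if errorlevel 1 (
    echo %VALUE% did not read back as 0x0, putting the old key back.
    reg import "%BACKUP%"
    exit /b 1
)

echo %VALUE% is now 0x0. Old settings are saved in %BACKUP%
endlocal
```
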
The alternative to changing that value would be deleting it as it's not really required (8.3 is assumed to be required unless you specify otherwise). To delete the value we could do this:

+- Screenshot ------------------------------------------------------------------
LOCAL C:\>reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v NtfsDisable8dot3NameCreation
Delete the registry value NtfsDisable8dot3NameCreation (Y/N)? Y

The operation completed successfully
+- End: Screenshot -------------------------------------------------------------

Once again, /F can be used to override the prompt. This is all pretty basic though, let's look at the really cool stuff you can do with REG!

REG COPY will allow you to copy a key and all its subkeys from one portion of the registry to another (for backup purposes perhaps). It can also allow you to copy a key from the registry on one computer to another! This can be really handy if you have a standard environment and someone's fragged their office settings or something; you can just copy and force an overwrite - problem solved. Note that you can only access HKLM and HKU on remote machines.

REG COPY is handy if you have a registry that you can access at the time to load the settings in from, but if you want them in a more portable format then you've got two options: REG SAVE and REG EXPORT. Each of these options comes in a pair. You've got SAVE/RESTORE and EXPORT/IMPORT. We'll look at SAVE/RESTORE first.

REG SAVE will dump what you tell it to in a binary format. You'll need REG to put it back in again using the RESTORE option. It is customary to name these files with a .hiv (for hive) extension. Like the COPY option you can run this command on a remote server but there's a small gotcha: the file will be saved on the REMOTE server, not your local server! Once you've saved your file you can load it back into a registry using REG RESTORE.
The painful thing about RESTORE is that you need to tell it exactly where to RESTORE the data to. If you SAVEd HKLM\Software\Windows\Mozilla then you need to specify exactly that on the command line when you run the restore. This is a double-edged sword though as this also means that you can choose to restore the SAVEd data back into another key if you wish! As an example, if I wanted to mess with the Mozilla settings by exporting them and then importing them into a new test key I'd do this:

+- Screenshot ------------------------------------------------------------------
LOCAL C:\>REG SAVE HKLM\Software\Mozilla Mozilla.hiv

The operation completed successfully

LOCAL C:\>REG add HKLM\Software\Test_Mozilla

The operation completed successfully

LOCAL C:\>REG RESTORE HKLM\Software\Test_Mozilla Mozilla.hiv

The operation completed successfully
+- End: Screenshot -------------------------------------------------------------

The difference between SAVE/RESTORE and EXPORT/IMPORT is that EXPORT will dump an ASCII text "reg" file that you can use either REG or REGEDIT to import back into the registry. This means that you can't adjust where you're going to IMPORT in the registry as the .reg file will contain fully qualified paths. Also, you can NOT run this on a remote server.

+- Screenshot ------------------------------------------------------------------
LOCAL C:\>REG export HKLM\Software\Mozilla Mozilla.reg

The operation completed successfully

LOCAL C:\>reg import Mozilla.reg

The operation completed successfully
+- End: Screenshot -------------------------------------------------------------

The last pair of instructions is LOAD/UNLOAD. I don't use these a great deal but they allow you to temporarily "load" a .HIV file as a part of the registry; this can be handy if you want to play with it in REGEDIT or extract a small portion of it.

OK that's it for today. I hope there was something in there that you didn't know.
If you want to find out a little more about the registry then check out the Microsoft Knowledge Base article titled "Description of the Microsoft Windows registry". You can find it at http://tinyurl.com/isxm.

This has been episode 82 of Today With A Tech Radio, on the web at twatech.org. Shouts to Droops, Mr p0trill0 and all the content providers for keeping TWAT on the air.

My name's kynan (k y n a n) and if you've got any comments or suggestions then send an e-mail to my name at my name (dot) org.

Thanks for listening.