1
00:00:01,340 --> 00:00:06,560
In this demo, we will enumerate the registry keys and values using Get‑Item,

2
00:00:06,560 --> 00:00:10,540
Get‑ChildItem, and Get‑ItemProperty commands.

3
00:00:10,540 --> 00:00:15,240
We will also see how to enumerate the registry on a remote computer.

4
00:00:15,240 --> 00:00:20,640
We will then see how to navigate to a specific registry path using PowerShell.

5
00:00:20,640 --> 00:00:23,690
The first thing we are going to learn in this module

6
00:00:23,690 --> 00:00:27,840
is to enumerate, or list, registry items.

7
00:00:27,840 --> 00:00:29,960
It can be done in various ways.

8
00:00:29,960 --> 00:00:36,740
You can add the Include, Exclude, and Recurse parameters to refine your searches.

9
00:00:36,740 --> 00:00:40,450
We'll quickly start with the simplest way of listing an item,

10
00:00:40,450 --> 00:00:43,540
that is, by running the Get‑Item command.

11
00:00:43,540 --> 00:00:47,640
When I run the Get‑Item command followed by a period,

12
00:00:47,640 --> 00:00:50,360
I will get the details of the current working directory,

13
00:00:50,360 --> 00:00:54,170
which, in our case, is the HKLM drive.

14
00:00:54,170 --> 00:01:00,840
Running Get‑Item * will return all child objects of the current directory.

15
00:01:00,840 --> 00:01:07,440
Here we are getting all the registry keys that reside in HKLM PS drive.

16
00:01:07,440 --> 00:01:11,320
Here we can see that my account does not have permissions to

17
00:01:11,320 --> 00:01:16,440
view or manage one of the registry keys.

18
00:01:16,440 --> 00:01:20,640
We can also list the child objects using the Get‑ChildItem command.

19
00:01:20,640 --> 00:01:27,040
So when I run it, we get the same result, where all the subkeys are returned.

20
00:01:27,040 --> 00:01:31,420
If you have the exact registry path and you want to fetch the details,

21
00:01:31,420 --> 00:01:36,240
you can directly query the complete path by using the Get‑Item command.

22
00:01:36,240 --> 00:01:37,760
As in this case,

23
00:01:37,760 --> 00:01:43,040
I am querying the PowerShellEngine registry key by entering its complete path.

24
00:01:43,040 --> 00:01:47,340
This will list the details of the key, along with its properties.

25
00:01:47,340 --> 00:01:50,540
If I want to query a specific registry property,

26
00:01:50,540 --> 00:01:53,260
I can use the Get‑ItemProperty command,

27
00:01:53,260 --> 00:01:56,610
followed by the path where the property exists,

28
00:01:56,610 --> 00:02:01,210
and in the Name parameter I must enter the name of

29
00:02:01,210 --> 00:02:03,830
the property that I wish to query.

30
00:02:03,830 --> 00:02:07,840
Here I will enter ApplicationBase,

31
00:02:07,840 --> 00:02:13,340
which is the property that resides in PowerShellEngine registry key.

32
00:02:13,340 --> 00:02:16,940
This will list out details of the registry property.

33
00:02:16,940 --> 00:02:18,100
In addition,

34
00:02:18,100 --> 00:02:21,670
it will also list some metadata of the item, like the

35
00:02:21,670 --> 00:02:25,040
parent path and the Registry provider.

36
00:02:25,040 --> 00:02:25,410
Now,

37
00:02:25,410 --> 00:02:28,700
if I want to search for a specific registry key and

38
00:02:28,700 --> 00:02:31,220
I'm unsure about its exact location,

39
00:02:31,220 --> 00:02:37,340
or if I want to list all the registry paths that have a specific name in it,

40
00:02:37,340 --> 00:02:41,240
I can use parameters that help in achieving this.

41
00:02:41,240 --> 00:02:42,000
For example,

42
00:02:42,000 --> 00:02:45,150
if I want to search for all the registry keys that

43
00:02:45,150 --> 00:02:50,710
have PowerShell in their name, I can do so by running the Get‑ChildItem command.

44
00:02:50,710 --> 00:02:55,440
In the Path parameter, I'll enter the current location.

45
00:02:55,440 --> 00:02:56,280
Next,

46
00:02:56,280 --> 00:03:00,440
I'll use the Include parameter and enter the name for

47
00:03:00,440 --> 00:03:03,370
which I want to perform the search.

48
00:03:03,370 --> 00:03:04,980
I will enter PowerShell.

49
00:03:04,980 --> 00:03:10,430
This will tell PowerShell to refine its search and search only for

50
00:03:10,430 --> 00:03:14,540
registry keys whose name has PowerShell in it.

51
00:03:14,540 --> 00:03:19,110
Lastly, I'll add the Recurse parameter so that the search will be recursive,

52
00:03:19,110 --> 00:03:21,900
and each child path will be searched.

53
00:03:21,900 --> 00:03:26,440
Note that I'm performing the search in the top‑level registry path,

54
00:03:26,440 --> 00:03:33,660
that is, HKLM, so each and every registry path under HKLM will be queried.

55
00:03:33,660 --> 00:03:36,140
When I hit Enter,

56
00:03:36,140 --> 00:03:39,600
PowerShell will start its search for registry keys that

57
00:03:39,600 --> 00:03:42,240
have PowerShell in their name.

58
00:03:42,240 --> 00:03:45,560
You may also use the Exclude parameter if you want to

59
00:03:45,560 --> 00:03:48,020
exclude some results from the search.

60
00:03:48,020 --> 00:03:55,040
So when I enter the Exclude parameter and, as its argument, enter PowerShell,

61
00:03:55,040 --> 00:03:58,190
this will return all the registry keys except those

62
00:03:58,190 --> 00:04:01,040
that have PowerShell in their name.

63
00:04:01,040 --> 00:04:05,870
There's also a parameter named Filter that is used to refine searches,

64
00:04:05,870 --> 00:04:10,230
but it is not supported by the Registry provider,

65
00:04:10,230 --> 00:04:14,840
although you can use it in the FileSystem provider to filter searches

66
00:04:14,840 --> 00:04:18,940
based on the properties of the file or folder.

67
00:04:18,940 --> 00:04:22,060
It is quite fast in fetching and filtering the results,

68
00:04:22,060 --> 00:04:26,040
but unfortunately, it is not supported by the Registry provider.

69
00:04:26,040 --> 00:04:30,460
Now, I would like to show you how to connect to the registry of a remote computer.

70
00:04:30,460 --> 00:04:33,730
In situations where you need to query any of the

71
00:04:33,730 --> 00:04:38,330
data stores on a remote computer, you cannot do it directly from the command,

72
00:04:38,330 --> 00:04:43,090
as generic commands like Get‑Item and Get‑ChildItem

73
00:04:43,090 --> 00:04:46,440
do not support a ComputerName parameter.

74
00:04:46,440 --> 00:04:51,250
I'll show it to you by typing in the Get‑ItemProperty command and

75
00:04:51,250 --> 00:04:54,060
then checking each of the supported parameters.

76
00:04:54,060 --> 00:04:55,570
As you witnessed,

77
00:04:55,570 --> 00:04:58,960
there wasn't any parameter in the list that would help

78
00:04:58,960 --> 00:05:01,440
us to connect to the remote computer,

79
00:05:01,440 --> 00:05:05,540
but that doesn't mean we will not be able to connect to remote machines.

80
00:05:05,540 --> 00:05:10,240
We can do so by using the PowerShell command Invoke‑Command.

81
00:05:10,240 --> 00:05:12,780
This command can be used to run any command or

82
00:05:12,780 --> 00:05:16,040
script on local or remote computers.

83
00:05:16,040 --> 00:05:20,340
Here I have the option to use the ComputerName parameter.

84
00:05:20,340 --> 00:05:23,310
I can use this to connect to computers on my network.

85
00:05:23,310 --> 00:05:27,440
For this demo, I will connect to my domain controller server.

86
00:05:27,440 --> 00:05:32,340
Hence, in the name parameter I'll enter its name, DC.

87
00:05:32,340 --> 00:05:33,030
Next,

88
00:05:33,030 --> 00:05:36,020
the command that we need to run must be written in curly

89
00:05:36,020 --> 00:05:39,440
braces under the ScriptBlock parameter.

90
00:05:39,440 --> 00:05:40,970
I'll enter the command,

91
00:05:40,970 --> 00:05:46,440
and we will query the PowerShell registry key that resides on the DC server.

92
00:05:46,440 --> 00:05:50,530
When the command succeeds, we get the result on our screen.

93
00:05:50,530 --> 00:05:56,360
In the PSComputerName property, we can see that the computer name is showing as DC.

94
00:05:56,360 --> 00:05:59,950
Similarly, by using Invoke‑Command for remote computers,

95
00:05:59,950 --> 00:06:04,440
you can also perform other operations that we are going to see later.

96
00:06:04,440 --> 00:06:08,440
Next, we are going to learn how to navigate the registry keys.

97
00:06:08,440 --> 00:06:10,660
As we have seen in earlier modules,

98
00:06:10,660 --> 00:06:14,620
the Registry provider can be managed mainly through two different PS drives,

99
00:06:14,620 --> 00:06:16,940
HKLM and HKCU.

100
00:06:16,940 --> 00:06:21,860
These serve as entry points to navigate to a specific registry location.

101
00:06:21,860 --> 00:06:26,240
I will now open Registry Editor and navigate to HKLM,

102
00:06:26,240 --> 00:06:30,270
SOFTWARE, Microsoft, PowerShell.

103
00:06:30,270 --> 00:06:33,460
This is the registry entry of native PowerShell

104
00:06:33,460 --> 00:06:35,550
that comes built in with Windows.

105
00:06:35,550 --> 00:06:39,940
Under this we have a subkey, PowerShellEngine.

106
00:06:39,940 --> 00:06:44,850
This subkey has a few properties, which we can see here in the right pane.

107
00:06:44,850 --> 00:06:47,610
Now, to navigate to this path using PowerShell,

108
00:06:47,610 --> 00:06:53,140
we can use the Set‑Location command, followed by the complete registry path.

109
00:06:53,140 --> 00:06:55,920
We start with an entry point, which, in this case,

110
00:06:55,920 --> 00:07:02,040
is the HKLM PS drive, followed by SOFTWARE, then Microsoft,

111
00:07:02,040 --> 00:07:06,970
then PowerShell, then the subkey, and finally,

112
00:07:06,970 --> 00:07:08,680
the PowerShellEngine subkey.

113
00:07:08,680 --> 00:07:10,830
To list the properties,

114
00:07:10,830 --> 00:07:19,000
I will run the Get‑ItemProperty command. This will list out all the properties that we saw earlier using the Registry snap‑in.

