RAI2504_0001: Listing registry keys with PowerShell
Summary
| ID | RAI2504_0001 |
|---|---|
| Brief Description | Response action for listing registry keys with PowerShell |
| Author | Alex@Cyberok |
| Creation Date | 2023/02/03 |
| Modification Date | 2023/02/03 |
| Requirements | |
| Tags | |
| Means of action | |
| Targets of action | |
| Linked Response Actions | |
Description
List registry keys with PowerShell.
Target system requirements
PowerShell installed (the Registry provider is available only on Windows).
Requirements for means of action
PowerShell execution permitted on the target (not blocked by execution policy or application control), and an account with read access to the hives of interest.
Expected impact result
A listing of the keys (with their subkey and value counts) under the chosen registry hive or key.
Implementations
To begin with, determine which registry keys have changed recently. If Sysmon is installed and registry auditing is enabled in its configuration, search the Sysmon operational log for registry events (event ID 12 for key create/delete, 13 for value set, 14 for key or value rename). Searching the last 24 hours is a reasonable default, but any time range can be set.
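As an added example (not part of the original response action), the following PowerShell query pulls Sysmon registry events from the last 24 hours and summarises which keys were touched and by which process image. It assumes Sysmon is installed with a registry rule set and that the shell has read access to the Microsoft-Windows-Sysmon/Operational log (normally an elevated session); the time window and the grouping are the example's own choices.

```powershell
# Added example, not from the original page. Lists registry keys touched in the
# last 24 hours according to Sysmon registry events 12 (key create/delete),
# 13 (value set) and 14 (key/value rename). Requires Sysmon with registry rules
# enabled and read access to its operational log (run elevated).
$since = (Get-Date).AddHours(-24)   # any time range can be used here

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 12, 13, 14
    StartTime = $since
}

# Get-WinEvent throws a terminating error when nothing matches the filter;
# SilentlyContinue turns "no events" into an empty result instead.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Read the fields by name from the event XML rather than by index in
# $_.Properties, because the positional layout differs between Sysmon versions.
$changes = foreach ($e in $events) {
    $field = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $field[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        EventId      = $e.Id
        EventType    = $field['EventType']
        Image        = $field['Image']
        TargetObject = $field['TargetObject']
        Details      = $field['Details']
    }
}

# Event 13 names the value, not the key, so fold it onto its parent key; then
# report each key once with a hit count and the images that touched it.
$changes |
    Group-Object {
        if ($_.EventId -eq 13) { Split-Path -Path $_.TargetObject -Parent } else { $_.TargetObject }
    } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Images'; e = { ($_.Group.Image | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap
```

The key paths in the summary are in Sysmon's notation (HKLM\..., HKU\S-1-5-...\...); translate the HKU\<SID> prefix to HKCU: before feeding them into the Get-ChildItem commands that follow.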
PowerShell command
You can show all items directly within a registry key using Get-ChildItem. Add the optional Force parameter to display hidden or system items. For example, this command displays the items directly within the PowerShell drive HKCU:, which corresponds to the HKEY_CURRENT_USER registry hive:
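As an added example, not code from the original page, this is the Get-ChildItem call that produces the listing shown in the output example below, followed by a check of which items the Force parameter adds on the machine at hand:

```powershell
# Added example, not from the original page. Lists the keys directly under HKCU:
# and keeps only their names; this is what the output example shows.
Get-ChildItem -Path HKCU: | Select-Object Name

# Force includes hidden or system items that the plain listing omits. Compare the
# two listings to see exactly which items Force added; during triage any item
# that appears only in the forced listing deserves a closer look.
$plain  = (Get-ChildItem -Path HKCU:).PSChildName
$forced = (Get-ChildItem -Path HKCU: -Force).PSChildName
Compare-Object -ReferenceObject $plain -DifferenceObject $forced |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject
```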
Output example:
Hive: Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER
Name
----
HKEY_CURRENT_USER\AppEvents
HKEY_CURRENT_USER\Console
HKEY_CURRENT_USER\Control Panel
HKEY_CURRENT_USER\DirectShow
HKEY_CURRENT_USER\dummy
HKEY_CURRENT_USER\Environment
HKEY_CURRENT_USER\EUDC
HKEY_CURRENT_USER\Keyboard Layout
HKEY_CURRENT_USER\MediaFoundation
HKEY_CURRENT_USER\Microsoft
HKEY_CURRENT_USER\Network
HKEY_CURRENT_USER\Printers
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\System
HKEY_CURRENT_USER\Uninstall
HKEY_CURRENT_USER\WXP
HKEY_CURRENT_USER\Volatile Environment
These are the top-level keys visible under HKEY_CURRENT_USER in the Registry Editor (regedit.exe).
You can also specify this registry path by using the registry provider's name followed by two colons (::). The provider's full name is Microsoft.PowerShell.Core\Registry, but it can be shortened to just Registry, and the hive can be written either as HKEY_CURRENT_USER or as HKCU. Every combination of these forms lists the same contents directly under HKCU:.
These commands list only the directly contained items, much like DIR in cmd.exe or ls in a UNIX shell. To show every nested key as well, add the Recurse parameter; applied to HKCU: it walks the whole hive, which on a real user profile is a large number of keys, so pipe the result into a filter rather than reading it on screen.

Get-ChildItem can filter through its Path, Filter, Include and Exclude parameters, but those match on names only. To filter on other properties of the items, such as SubKeyCount or ValueCount, pipe the keys into Where-Object. For instance, Where-Object can select all keys within HKCU:\Software that have no more than one subkey and exactly four values.
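As an added example, not the original page's code, the commands referred to in the two paragraphs above: the provider-name forms of the HKCU listing, the recursive walk, and the Where-Object filter on SubKeyCount and ValueCount, plus a triage-oriented variant that dumps the values of matching keys. The Run/RunOnce pattern and the ErrorAction handling are the example's own choices.

```powershell
# Added example, not from the original page. Provider-name forms of the same
# listing; all four commands return the keys directly under HKCU:.
Get-ChildItem -Path Registry::HKEY_CURRENT_USER
Get-ChildItem -Path Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER
Get-ChildItem -Path Registry::HKCU
Get-ChildItem -Path HKCU:

# Recursive listing of every key under HKCU:. Keys the current token cannot open
# raise non-terminating errors; SilentlyContinue keeps the walk going past them.
$allKeys = Get-ChildItem -Path HKCU:\ -Recurse -ErrorAction SilentlyContinue
$allKeys.Count

# Filtering on key properties rather than names: keys under HKCU:\Software with
# at most one subkey and exactly four values.
Get-ChildItem -Path HKCU:\Software -Recurse -ErrorAction SilentlyContinue |
    Where-Object { ($_.SubKeyCount -le 1) -and ($_.ValueCount -eq 4) } |
    Select-Object PSPath, SubKeyCount, ValueCount

# Triage variant (example's own choice of pattern): find every key under
# HKCU:\Software named Run or RunOnce and expand its values so the registered
# command lines are visible in one table.
Get-ChildItem -Path HKCU:\Software -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -in 'Run', 'RunOnce' } |
    ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    } | Format-Table -AutoSize -Wrap
```

The objects Get-ChildItem returns for the registry provider are Microsoft.Win32.RegistryKey instances, which is why SubKeyCount, ValueCount, GetValueNames() and GetValue() are available directly on them without a separate Get-ItemProperty call.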