WMI Tasks: Registry

WMI tasks for the registry create and modify registry keys and values. For other examples, see the TechNet ScriptCenter at http://www.microsoft.com/technet.

The script examples shown in this topic obtain data only from the local computer. For more information about how to use the script to obtain data from remote computers, see Connecting to WMI on a Remote Computer.

The following procedure describes how to run a script.

To run a script

  1. Copy the code and save it in a file with a .vbs extension, such as filename.vbs. Ensure that your text editor does not add a .txt extension to the file.
  2. Open a command prompt window and navigate to the directory where you saved the file.
  3. Type cscript filename.vbs at the command prompt.
  4. If you cannot access an event log, check to see if you are running from an Elevated command prompt. Some Event Log, such as the Security Event Log, may be protected by User Access Controls (UAC).

Note

By default, cscript displays the output of a script in the command prompt window. Because WMI scripts can produce large amounts of output, you might want to redirect the output to a file. Type cscript filename.vbs > outfile.txt at the command prompt to redirect the output of the filename.vbs script to outfile.txt.

The following table lists script examples that can be used to obtain various types of data from the local computer.

How do I... WMI classes or methods
...read registry key values using WMI? Use the [StdRegProv](https://msdn.microsoft.com/library/aa393664) class, located in root\default namespace. You cannot get any instances of this class because the [System Registry Provider](https://msdn.microsoft.com/library/aa393886) is a method and event provider only. However, you can get registry data through methods such as [EnumKey](https://msdn.microsoft.com/library/aa390387) or [EnumValue](https://msdn.microsoft.com/library/aa390388). The [Win32_Registry](https://msdn.microsoft.com/library/aa394394), located in root\cimv2 namespace, gets data about the registry as a whole, such as how large it is.
VB
const HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "Console"
strValueName = "HistoryBufferSize"
oReg.GetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName,dwValue
WScript.Echo "Current History Buffer Size: " & dwValue
PowerShell
$HKEY_CURRENT_USER =2147483649
$computer ='.'
$reg = [WMIClass]"ROOT\DEFAULT:StdRegProv"
$Key = "Console"
$Value = "HistoryBufferSize"
$results = $reg.GetDWORDValue($HKEY_CURRENT_USER, $Key, $value)
"Current History Buffer Size: {0}" -f $results.uValue
...create a new registry key?

Use the [StdRegProv](https://msdn.microsoft.com/library/aa393664) class, located in root\default namespace, and the [CreateKey](https://msdn.microsoft.com/library/aa389385) method.

VB
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objReg=GetObject( "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\NewKey" objReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath WScript.Echo "Created registry key HKEY_LOCAL_MACHINE\SOFTWARE\NewKey"

PowerShell
$HKEY_Local_Machine =2147483650 
$computer ='.'
$reg = [WMIClass]"ROOT\DEFAULT:StdRegProv"
$Key     = "SOFTWARE\NewKey"
$results   = $reg.CreateKey($HKEY_LOCAL_MACHINE, $Key)
If ($results.Returnvalue -eq 0) {"Key created"} 
...create a new registry value under a key?

Use the [StdRegProv](https://msdn.microsoft.com/library/aa393664) class, located in the root\default namespace, and the [CreateKey](https://msdn.microsoft.com/library/aa389385) method. Then use one of the Set methods, depending on what registry datatype the value is, such as the [SetDWORDValue](https://msdn.microsoft.com/library/aa393297). The Set methods create a value if it does not already exist. For more information, see [Mapping a Registry Data Type to a WMI Data Type](mapping-a-registry-data-type-to-a-wmi-data-type.md).

VB
Const HKEY_LOCAL_MACHINE = &H80000002
strKeyPath = "SOFTWARE\NewKey"
strComputer = "."
Set objReg=GetObject( "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strValueName = "Example_Expanded_String_Value"
strValue = "%PATHEXT%"
objReg.SetExpandedStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
WScript.Echo "Example expanded_String_Value at " & "HKEY_LOCAL_MACHINE\SOFTWARE\NewKey"
PowerShell
$HKEY_Local_Machine =2147483650 
$computer ='.'
$reg = [WMIClass]"ROOT\DEFAULT:StdRegProv"
$ValueName = "Example_Expanded_String_Value"
$Value     = "%PATHEXT%"
$Key       = "SOFTWARE\NewKey"
$results   = $reg.SetExpandedStringValue($HKEY_LOCAL_MACHINE, $Key, $ValueName, $Value)
If ($results.Returnvalue -eq 0) {"Value created"}
...avoid getting an Invalid Class error when trying to write a script to read the registry?

Use the root\default namespace when accessing the [StdRegProv](https://msdn.microsoft.com/library/aa393664) class. StdRegProv is not part of the cimv2 namespace, which is why an "Invalid Class" error is generated if you try to connect to "root\cimv2:StdRegProv".

VB
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set oReg=GetObject( "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv") 
strKeyPath = "Console"
strValueName = "HistoryBufferSize"
oReg.GetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue
Wscript.Echo "Current History Buffer Size: " & dwValue
...check security on a specific registry key?

Use the [StdRegProv](https://msdn.microsoft.com/library/aa393664) class, located in root\default namespace and the [CheckAccess](https://msdn.microsoft.com/library/aa384911) method. You can only check the access rights for the current user that is running the script or application. You cannot check the access rights for another specified user.

...read and write binary registry values?

Use the [StdRegProv](https://msdn.microsoft.com/library/aa393664) class, located in "Root\Default" namespace and the [GetBinaryValue](https://msdn.microsoft.com/library/aa390440) and [SetBinaryValue](https://msdn.microsoft.com/library/aa393286) methods. Registry values that appear in the RegEdt32 utility as a series of byte hexadecimal values are in the REG_BINARY data format. For more information, see [Mapping a Registry Data Type to a WMI Data Type](mapping-a-registry-data-type-to-a-wmi-data-type.md). The following VBScript code example creates a new key with a binary value. The binary value is supplied in the iValues byte array specified in Hex.

VB
const HKEY_LOCAL_MACHINE = &H80000002
strKeyPath = "SOFTWARE\NewKey"
strComputer = "."
iValues = Array(&H01,&Ha2,&H10)
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SOFTWARE\NewKey"
BinaryValueName = "Example Binary Value"

oReg.SetBinaryValue HKEY_LOCAL_MACHINE,strKeyPath,BinaryValueName,iValues

The following script reads the binary value.

VB
const HKEY_LOCAL_MACHINE = &H80000002 
strKeyPath = "SOFTWARE\NewKey"
strValueName = "Example Binary Value"
strComputer = "."
dim iValues(3)
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
oReg.GetBinaryValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,iValues
For i = lBound(iValues) to uBound(iValues)
Wscript.Echo iValues(i)
Next
PowerShell
$HKEY_Local_Machine =2147483650 
$computer ='.'
$reg = [WMIClass]"ROOT\DEFAULT:StdRegProv"
$ValueName = "Example Binary Value"
$Values     = @(0x54, 0x46, 0x4C)
$Key       = "SOFTWARE\NewKey"
$results   = $reg.GetBinaryValue($HKEY_LOCAL_MACHINE, $Key, $ValueName)
Foreach ($byte in $results.uvalue) {"{0}" -f $byte.tostring("x")}
...read and write registry values that contain multiple strings?

Use the [StdRegProv](https://msdn.microsoft.com/library/aa393664) class, located in root\default namespace and the [GetMultiStringValue](https://msdn.microsoft.com/library/aa390458) and [SetMultiStringValue](https://msdn.microsoft.com/library/aa393465) methods. Registry keys that appear in the RegEdt32 utility as a series of strings separated by spaces are in the REG_MULTI_SZ data format. For more information, see [Mapping a Registry Data Type to a WMI Data Type](mapping-a-registry-data-type-to-a-wmi-data-type.md). The following VBScript code example creates a new key and a new multistring value.

VB
const HKEY_LOCAL_MACHINE = &H80000002
strKeyPath = "SOFTWARE\NewKey"
MultValueName = "Example Multistring Value"
strComputer = "."
iValues = Array("string1", "string2")
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
oReg.SetMultiStringValue HKEY_LOCAL_MACHINE,strKeyPath,MultValueName,iValues
PowerShell
$HKEY_Local_Machine =2147483650 
$computer ='.'
$reg = [WMIClass]"ROOT\DEFAULT:StdRegProv"
$Key       = "SOFTWARE\NewKey"
$ValueName = "Example MultiString Value"
$Values     = @("Thomas", "Susan", "Rebecca")
$Key       = "SOFTWARE\NewKey"
$results   = $reg.SetMultiStringValue($HKEY_LOCAL_MACHINE, $Key, $ValueName, $Values)
If ($results.Returnvalue -eq 0) {"Value Set"} 

The following script reads the multistring value.

VB
const HKEY_LOCAL_MACHINE = &H80000002
strKeyPath = "SOFTWARE\NewKey"
strComputer = "."
iValues = Array("string1", "string2")
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
MultValueName = "Example Multistring Value"
oReg.GetMultiStringValue HKEY_LOCAL_MACHINE,strKeyPath,MultValueName,iValues
For Each strValue In iValues
WScript.echo strValue
Next
PowerShell
# Define Constants
$HKEY_Local_Machine =2147483650 
$computer ='.'
$reg = [WMIClass]"ROOT\DEFAULT:StdRegProv"
$Key       = "SOFTWARE\NewKey"
$ValueName = "Example MultiString Value"
$results   = $reg.GetMultiStringValue($HKEY_LOCAL_MACHINE, $Key, $ValueName)
$results.svalue
...remove a registry key?

Use the [StdRegProv](https://msdn.microsoft.com/library/aa393664) class, located in root\default namespace and the [DeleteKey](https://msdn.microsoft.com/library/aa389872) methods.

PowerShell
$HKEY_Local_Machine =2147483650 
$computer ='.'
$reg = [WMIClass]"ROOT\DEFAULT:StdRegProv"
$Key     = "SOFTWARE\NewKey"
$results   = $reg.DeleteKey($HKEY_LOCAL_MACHINE, $Key)
If ($results.Returnvalue -eq 0) {"Key Removed"} 

WMI Tasks for Scripts and Applications

WMI C++ Application Examples

TechNet ScriptCenter

Modifying the System Registry

StdRegProv