Finding and fetching registry value data with PowerShell is very easy. In one organization I found that administrators were making unnecessary changes to specific registry settings. As one example, I had to get information from one of the settings under HKey_Local_Machine\System\CurrentControlSet\Services\USBSTOR\Start. If the value data is set to 4, USB storage devices are disabled and will not work, but admins were changing it to 3 on the systems. To check the status I created a script for Windows 2008 and 2008 R2. This script uses the traditional way to connect to the remote registry. Make sure the Remote Registry service is running before you attempt it; this can be verified with the Get-Service RemoteRegistry command.
Part 1: Powershell: Get registry value data from remote computer
Part 2: Microsoft Powershell: remotely write, edit, modify new registry key and data value
Part 3: Microsoft Powershell: Delete registry key or values on remote computer
To verify, you can open the remote registry using File>>Connect Network Registry.
Next I need a hive name (there are 5 root nodes: ClassesRoot, CurrentUser, LocalMachine, Users, CurrentConfig); the key name is System\CurrentControlSet\Services\USBStor as highlighted, and the ValueName is Start.
Below are the hive name mappings.
ClassesRoot --> HKEY_CLASSES_ROOT
CurrentUser --> HKEY_CURRENT_USER
LocalMachine --> HKEY_LOCAL_MACHINE
Users --> HKEY_USERS
CurrentConfig --> HKEY_CURRENT_CONFIG
Store the script below in your $PROFILE location and relaunch PowerShell. The procedure is given in Powershell Active Directory: Show treeview of User or Group memberof hierarchy. This script was created using the registry .NET object [Microsoft.Win32.RegistryKey]. It uses your logged-in user account to connect to the remote registry. If you have multiple computer names, provide them separated by commas, or store them in a text file and use cat to get the list.
Get-RegistryValueData -ComputerName Server01, Member01, test -RegistryHive LocalMachine -RegistryKeyPath SYSTEM\CurrentControlSet\Services\USBSTOR -ValueName Start
Useful Blogs
Different ways to bypass Powershell execution policy :.ps1 cannot be loaded because running scripts is disabled
Installing, importing and using any module in powershell
```powershell
function Get-RegistryValueData {
    [CmdletBinding(SupportsShouldProcess=$True,
        ConfirmImpact='Medium',
        HelpURI='http://vcloud-lab.com')]
    Param
    (
        [parameter(Position=0, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
        [alias('C')]
        [String[]]$ComputerName = '.',
        [Parameter(Position=1, Mandatory=$True, ValueFromPipelineByPropertyName=$True)]
        [alias('Hive')]
        [ValidateSet('ClassesRoot', 'CurrentUser', 'LocalMachine', 'Users', 'CurrentConfig')]
        [String]$RegistryHive = 'LocalMachine',
        [Parameter(Position=2, Mandatory=$True, ValueFromPipelineByPropertyName=$True)]
        [alias('KeyPath')]
        [String]$RegistryKeyPath = 'SYSTEM\CurrentControlSet\Services\USBSTOR',
        [parameter(Position=3, Mandatory=$True, ValueFromPipelineByPropertyName=$true)]
        [alias('Value')]
        [String]$ValueName = 'Start'
    )
    Begin {
        try {
            # ValidateSet limits $RegistryHive to the enum names, so cast it directly
            # instead of building a string for Invoke-Expression
            $Hive = [Microsoft.Win32.RegistryHive]$RegistryHive
        }
        catch {
            Write-Host "Incorrect Registry Hive mentioned, $RegistryHive does not exist"
        }
    }
    Process {
        Foreach ($Computer in $ComputerName) {
            if (Test-Connection $Computer -Count 2 -Quiet) {
                # Reset per computer so a failed read never reports the previous machine's data
                $reg = $null; $key = $null; $Data = $null
                try {
                    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($Hive, $Computer)
                    $key = $reg.OpenSubKey($RegistryKeyPath)
                    if ($key) {
                        $Data = $key.GetValue($ValueName)
                    }
                    else {
                        Write-Warning "$Computer : key $RegistryKeyPath not found"
                    }
                }
                catch {
                    # Typically the Remote Registry service is stopped or access is denied
                    Write-Warning "$Computer : $($_.Exception.Message)"
                }
                finally {
                    # Release the remote registry handles
                    if ($key) { $key.Close() }
                    if ($reg) { $reg.Close() }
                }
                $Obj = New-Object psobject
                $Obj | Add-Member -Name Computer -MemberType NoteProperty -Value $Computer
                $Obj | Add-Member -Name RegistryValueName -MemberType NoteProperty -Value "$RegistryKeyPath\$ValueName"
                $Obj | Add-Member -Name RegistryValueData -MemberType NoteProperty -Value $Data
                $Obj
            }
            else {
                Write-Host "$Computer not reachable" -BackgroundColor DarkRed
            }
        }
    }
    End {
        #[Microsoft.Win32.RegistryHive]::ClassesRoot
        #[Microsoft.Win32.RegistryHive]::CurrentUser
        #[Microsoft.Win32.RegistryHive]::LocalMachine
        #[Microsoft.Win32.RegistryHive]::Users
        #[Microsoft.Win32.RegistryHive]::CurrentConfig
    }
}

Get-RegistryValueData -ComputerName Server01, Member01, testcomp -RegistryHive LocalMachine -RegistryKeyPath SYSTEM\CurrentControlSet\Services\USBSTOR -ValueName 'Start'
```
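The check described at the start of the post (Start should be 4, and 3 means USB storage was re-enabled) can be run over the script's output. The following is an added example, not part of the original script; Test-UsbStorBaseline, -ExpectedStart and the sample rows are illustrative assumptions, and it reads only the Computer and RegistryValueData properties that Get-RegistryValueData emits.

```powershell
# Added example: Test-UsbStorBaseline and -ExpectedStart are illustrative names.
function Test-UsbStorBaseline {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
        [psobject]$InputObject,
        [int]$ExpectedStart = 4   # 4 = USB storage disabled, as described above
    )
    Begin {
        # Standard service start types stored in a service's Start value
        $StartType = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    }
    Process {
        $Data  = $InputObject.RegistryValueData
        $Value = $Data -as [int]
        if ($null -eq $Data -or $null -eq $Value) {
            # Key or value missing, or data is not a number: report it, never assume compliance
            $Status = 'Unknown'; $Meaning = 'No usable data'
        }
        else {
            $Meaning = if ($StartType.ContainsKey($Value)) { $StartType[$Value] } else { 'Unrecognised' }
            $Status  = if ($Value -eq $ExpectedStart) { 'Compliant' } else { 'Drift' }
        }
        New-Object psobject -Property @{
            Computer = $InputObject.Computer; Start = $Data; Meaning = $Meaning; Status = $Status
        } | Select-Object Computer, Start, Meaning, Status
    }
}

# Constructed sample rows in the shape Get-RegistryValueData emits (not real audit data)
$Sample = foreach ($Row in @(@('Server01', 4), @('Member01', 3), @('testcomp', $null))) {
    New-Object psobject -Property @{
        Computer          = $Row[0]
        RegistryValueName = 'SYSTEM\CurrentControlSet\Services\USBSTOR\Start'
        RegistryValueData = $Row[1]
    }
}

# List only the machines that need attention
$Sample | Test-UsbStorBaseline | Where-Object { $_.Status -ne 'Compliant' }
```

In real use, pipe the output of Get-RegistryValueData into Test-UsbStorBaseline in place of $Sample; machines the script reports as not reachable emit no object and have to be followed up separately.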
Another way to connect to the registry is Invoke-Command, but it requires special configuration (see POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS). This is the best option if you have configured PS remoting, as you don't have to run the above script or take extra steps. You can use the built-in Get-ItemProperty command combined with Invoke-Command. Below is an example cmdlet for getting information from the local computer.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools\' -Name InstallPath | select InstallPath
The procedure below is for remote servers using Invoke-Command; enclose the command within curly brackets {}.
Invoke-Command -ComputerName Member01, Server01 {Get-ItemProperty -Path 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools\' -Name InstallPath | select InstallPath}
I sometimes use the command prompt (CMD) to get registry key information. This is the old-fashioned way to fetch value data from a remote machine.
REG QUERY \\member01\HKLM\System\CurrentControlSet\Services\USBSTOR\ /v Start