Windows Registry Reference

About Windows Registry Reference

The Windows Registry Reference is a comprehensive, searchable cheat sheet covering all major areas of the Windows Registry across eight categories: Hives, Keys, Value Types, Startup Programs, Services, Network, Security, and Tools. Each entry documents the exact registry path or command syntax, explains what it controls, and provides a practical example — making it easy to look up how to query, add, delete, or export registry data whether you are a system administrator, security analyst, or developer.

This reference is built for Windows administrators, IT professionals, and developers who need to configure startup entries, manage Windows services, harden security settings, or automate registry operations via the command line. It covers all five root hives (HKLM, HKCU, HKCR, HKU, HKCC), the full set of reg.exe commands (query, add, delete, export, import, copy, compare, save, restore), all six value data types (REG_SZ, REG_DWORD, REG_QWORD, REG_BINARY, REG_MULTI_SZ, REG_EXPAND_SZ), and PowerShell registry cmdlets like Get-ItemProperty and Set-ItemProperty.

The reference is organized so you can quickly find the registry keys that control startup program execution (Run, RunOnce, Startup folder), Windows service start types and dependencies, TCP/IP and DNS network parameters, SMB version control, LSA security settings, UAC configuration, Windows Defender policies, and Credential Guard. Whether you are troubleshooting boot issues, hardening a server, or scripting deployments, this reference provides accurate paths and examples drawn directly from Windows system internals.

Key Features

  • All five Windows Registry hives: HKLM, HKCU, HKCR, HKU, and HKCC with canonical example paths
  • Complete reg.exe CLI command coverage: query, add, delete, export/import, copy, compare, save/restore
  • All six registry value data types: REG_SZ, REG_DWORD, REG_QWORD, REG_BINARY, REG_MULTI_SZ, REG_EXPAND_SZ
  • Startup program keys: Run (user and system), RunOnce, Startup folder path, DisableTaskMgr policy
  • Windows service registry keys: Services hive, ImagePath, Start value (Boot/Auto/Manual/Disabled), DependOnService
  • Network registry settings: TCP/IP parameters, DNS server configuration, Windows Firewall, SMBv1 disable, WinHTTP proxy
  • Security policy keys: LSA settings, UAC configuration, Windows Defender policies, Credential Guard, audit policy
  • PowerShell registry management: Get-ItemProperty, Set-ItemProperty, and regedit GUI backup/restore workflows

Frequently Asked Questions

What are the five main Windows Registry hives?

The five root hives are: HKEY_LOCAL_MACHINE (HKLM) for system-wide hardware and software settings, HKEY_CURRENT_USER (HKCU) for the currently logged-in user's settings, HKEY_CLASSES_ROOT (HKCR) for file associations and COM objects, HKEY_USERS (HKU) for all user profiles, and HKEY_CURRENT_CONFIG (HKCC) for the current hardware profile.

How do I query a registry value from the command line?

Use the reg query command: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir. The /v flag specifies the value name. Omit /v to list all values under a key, or add /s to recurse through all subkeys. You can also search for keywords with reg query HKLM\SOFTWARE /s /f "keyword".

What are the differences between REG_SZ, REG_DWORD, and REG_EXPAND_SZ?

REG_SZ stores a plain null-terminated string. REG_DWORD stores a 32-bit integer (use for flags, counts, and enable/disable settings). REG_EXPAND_SZ stores a string that may contain environment variable references like %USERPROFILE% which are expanded when the value is read. Use REG_EXPAND_SZ for paths that should adapt to each user's environment.

How do I add a program to Windows startup via the registry?

Add a string value (REG_SZ) under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for the current user, or HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for all users. The value name is a label for your program, and the data is the full path to the executable, for example "C:\Program Files\MyApp\app.exe". Use RunOnce instead of Run if the program should only run once on next logon.
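
For reviewing what is already registered under these keys, the following read-only PowerShell listing is an added example, not part of the original reference. It enumerates the Run and RunOnce entries for the machine and the current user, reports each value's type (REG_SZ or REG_EXPAND_SZ), and checks whether the referenced executable exists. The function name Get-AutorunEntry is hypothetical.

```powershell
# Added example: list autostart entries from the Run and RunOnce keys (read-only).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Get-AutorunEntry {   # hypothetical helper name
    param([string[]]$Path = $runKeys)
    foreach ($p in $Path) {
        $key = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $key) { continue }              # a key such as RunOnce may be absent
        foreach ($name in $key.GetValueNames()) {
            # Read the stored data without expanding %VARIABLES%, then expand explicitly
            $raw      = [string]$key.GetValue($name, $null, $noExpand)
            $expanded = [Environment]::ExpandEnvironmentVariables($raw)
            # Executable = quoted path if present, otherwise the first token.
            # An unquoted path containing spaces will show Exists = False: review it.
            if ($expanded -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($expanded.Trim() -split '\s+')[0] }
            [pscustomobject]@{
                Key        = $p
                Name       = $name
                Kind       = $key.GetValueKind($name)
                Command    = $raw
                Executable = $exe
                Exists     = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
            }
        }
    }
}

Get-AutorunEntry | Format-Table -AutoSize
```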

How do I disable SMBv1 through the registry?

Set the SMB1 DWORD value to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. The full command is: reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v SMB1 /t REG_DWORD /d 0 /f. This disables the legacy SMBv1 protocol which was exploited by WannaCry and other ransomware.

How do I change a Windows service start type via the registry?

The start type is stored as a DWORD at HKLM\SYSTEM\CurrentControlSet\Services\{ServiceName}\Start. The values are: 0 (Boot), 1 (System), 2 (Automatic), 3 (Manual), 4 (Disabled). To disable the Print Spooler for example: reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v Start /t REG_DWORD /d 4 /f.

How do I back up and restore registry keys?

Use reg export to save a key to a .reg file: reg export HKCU\Software\MyApp backup.reg. To restore, use reg import backup.reg. For low-level hive files, use reg save HKLM\SOFTWARE C:\backup\software.hiv and reg restore. You can also open regedit, right-click a key, and choose Export to create a .reg backup file with the GUI.

How do I configure UAC settings through the registry?

UAC settings are stored under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The key values include: EnableLUA (REG_DWORD 1 to enable UAC, 0 to disable) and ConsentPromptBehaviorAdmin (2 for prompt for credentials, 5 for prompt for consent, 0 for no prompt). Disabling UAC by setting EnableLUA to 0 reduces security and is not recommended for production systems.

Can I manage the registry with PowerShell instead of reg.exe?

Yes. PowerShell exposes the registry as a PSDrive. Use Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion" to read values, and Set-ItemProperty -Path "HKCU:\Software\MyApp" -Name "Setting" -Value "NewValue" to write them. PowerShell is generally preferred in scripts because it returns structured objects that are easier to process than the text output of reg.exe.
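
The settings from the SMBv1, service start type and UAC answers above can be audited in one pass. This read-only PowerShell check is an added example, not part of the original reference. The names Get-RegValue, Test-RegistryBaseline and Get-ServiceStartType are hypothetical, and the expected values are the ones stated in those answers.

```powershell
# Added example: read-only audit of registry values discussed in the FAQ answers.
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-RegValue {   # hypothetical helper: $null when the key or value is absent
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Want = '0 (SMBv1 disabled)'; Test = { param($v) $v -eq 0 } },
    @{ Path = $policy; Name = 'EnableLUA'
       Want = '1 (UAC enabled)'; Test = { param($v) $v -eq 1 } },
    @{ Path = $policy; Name = 'ConsentPromptBehaviorAdmin'
       Want = 'not 0 (0 = no prompt)'; Test = { param($v) $v -ne 0 } }
)

function Test-RegistryBaseline {
    foreach ($c in $checks) {
        $v = Get-RegValue -Path $c.Path -Name $c.Name
        # NotSet means the value is absent and the OS default applies; it is not a pass.
        $status = if ($null -eq $v) { 'NotSet' } elseif (& $c.Test $v) { 'Pass' } else { 'Fail' }
        [pscustomobject]@{ Name = $c.Name; Value = $v; Want = $c.Want; Status = $status }
    }
}

function Get-ServiceStartType {
    param([string]$ServiceName)
    $v = Get-RegValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" -Name 'Start'
    if ($null -eq $v) { return 'NotFound' }
    if ($startTypes.ContainsKey([int]$v)) { $startTypes[[int]$v] } else { "Unknown ($v)" }
}

Test-RegistryBaseline | Format-Table -AutoSize
"Spooler start type: $(Get-ServiceStartType -ServiceName 'Spooler')"
```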