Query, add, modify, export, and import Windows registry keys and values with the built-in reg.exe — the scriptable, no-dependency tool for everything from one-off tweaks to full backup-and-restore.
reg — Windows Registry from the Command Line
What it is
reg.exe is the built-in Windows command-line tool for reading and writing the registry. It is the scriptable counterpart to regedit.exe — same hives, same values, same access controls, but driveable from cmd.exe, batch files, scheduled tasks, and remote sessions where a GUI is unavailable. Use reg when you need to ship a registry change in a deployment script, when you're working inside the Windows Recovery Environment, or when a key is too deep to navigate quickly in regedit. The PowerShell equivalents are Get-ItemProperty, Set-ItemProperty, and the HKLM: / HKCU: PSDrives — covered briefly below — but reg remains the lowest-common-denominator tool that works on every Windows version from XP to Server 2025.
Availability
reg.exe ships as C:\Windows\System32\reg.exe on every Windows install since XP. Most operations require an elevated prompt; reads from HKCU and reads of world-readable HKLM keys do not.
reg /?
Output:
REG Operation [Parameter List]
Operation [ QUERY | ADD | DELETE | COPY |
SAVE | LOAD | UNLOAD | RESTORE |
COMPARE | EXPORT | IMPORT | FLAGS ]
Syntax
The general form is reg <verb> <key> [options]. Every operation accepts a UNC-style \\computer prefix to target a remote machine where the Remote Registry service is running.
reg <VERB> [\\Computer\]<KeyPath> [/v ValueName | /ve] [/t Type] [/d Data] [/f] [/s] [/reg:32|/reg:64]
Output: (none — exits 0 on success)
Essential verbs and switches
| Verb | Meaning |
|---|---|
| QUERY | Read a key or value |
| ADD | Create or overwrite a key/value |
| DELETE | Remove a key or value |
| COPY | Copy a key tree to another location |
| SAVE | Save a key to a binary hive file (.hiv) |
| RESTORE | Restore a key from a .hiv file (overwrites) |
| EXPORT | Export a key tree to a .reg text file |
| IMPORT | Import a .reg file (merges values) |
| COMPARE | Compare two keys or values |
| LOAD / UNLOAD | Load a hive file at a temporary mount point |
| FLAGS | Read/set virtualisation flags |
| Switch | Meaning |
|---|---|
| /v Name | Target a specific value name |
| /ve | Target the (Default) value (empty-name value) |
| /t Type | Value type: REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_QWORD, REG_MULTI_SZ, REG_BINARY, REG_NONE |
| /d Data | Data for /v |
| /s | Recurse into subkeys (for QUERY/DELETE) — /s separator for MULTI_SZ on ADD |
| /f | Force, no confirmation |
| /reg:32 | Force 32-bit registry view (WOW6432Node) |
| /reg:64 | Force 64-bit registry view |
The registry hives
The registry is a tree rooted at the Computer node with six top-level hives. Each has a short name used in reg commands.
| Short | Long | What lives there |
|---|---|---|
| HKLM | HKEY_LOCAL_MACHINE | System-wide settings (software, services, drivers, security) |
| HKCU | HKEY_CURRENT_USER | Settings for the currently logged-in user |
| HKCR | HKEY_CLASSES_ROOT | File-extension associations and COM classes (merged HKLM\Software\Classes + HKCU\Software\Classes) |
| HKU | HKEY_USERS | Loaded user profiles by SID (use HKU\.DEFAULT for the default new-user profile) |
| HKCC | HKEY_CURRENT_CONFIG | Current hardware-profile settings |
| HKPD | HKEY_PERFORMANCE_DATA | Performance counters (read-only, not stored on disk) |
If you're not sure whether a setting belongs in HKLM or HKCU, write a quick test value to one, log off and back on, and see whether it survived. HKLM is global and requires admin; HKCU is per-user and doesn't.
QUERY — reading keys and values
reg query is the read verb. It works on a key (lists immediate values), a key with /s (recurses into subkeys), or with /v to read a specific value. Output is plain text, easy to parse with findstr or PowerShell.
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Output:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SecurityHealth REG_EXPAND_SZ %ProgramFiles%\Windows Defender\MSASCuiL.exe
RtkAudUService REG_SZ "C:\Program Files\Realtek\Audio\HDA\RtkAudUService64.exe" -background
Read a single value
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth
Output:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SecurityHealth REG_EXPAND_SZ %ProgramFiles%\Windows Defender\MSASCuiL.exe
Recursive search
/s walks every subkey under the target. Combined with /f <pattern> it becomes a registry search — invaluable for tracking down a setting whose location you don't remember.
rem Find every value mentioning the word 'Defender'
reg query HKLM /s /f "Defender" /d
Output:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
DisableAntiSpyware REG_DWORD 0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
TamperProtection REG_DWORD 0x5
End of search: 2 match(es) found.
The /d switch limits the search to data values; without /d the search matches in key names, value names, and data — useful, but slow on HKLM. Add /k and /v to scope further (/k = match in key names only, /v = match in value names).
Reading from the 32-bit view on 64-bit Windows
On 64-bit Windows, 32-bit applications see a redirected view of HKLM\SOFTWARE rooted at HKLM\SOFTWARE\WOW6432Node. Use /reg:32 to read what a 32-bit app would see without typing the WOW6432Node path.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /reg:32 /s | findstr DisplayName
Output:
DisplayName REG_SZ 7-Zip 23.01 (x64)
DisplayName REG_SZ Notepad++ (32-bit x86)
DisplayName REG_SZ Git
ADD — creating and modifying values
reg add creates a key if it doesn't exist and sets a value if /v is supplied. Without /f it prompts to overwrite an existing value; in scripts always add /f.
reg add HKCU\Software\Acme /v Greeting /t REG_SZ /d "Hello, Alice" /f
Output:
The operation completed successfully.
Value types and their data formats
The /t switch picks the registry type; /d formats the data accordingly. The most common types and how to specify them:
| /t | Data format | Example |
|---|---|---|
| REG_SZ | Plain string | /d "Hello world" |
| REG_EXPAND_SZ | String with %VAR% expansion at read | /d "%USERPROFILE%\bin" |
| REG_DWORD | 32-bit number (decimal or 0x hex) | /d 0x1 or /d 1 |
| REG_QWORD | 64-bit number | /d 0xFFFFFFFFFFFF |
| REG_MULTI_SZ | List, \0-separated; supply separator with /s | /d "a\0b\0c" /s \0 |
| REG_BINARY | Hex byte stream, no spaces | /d 4861436b |
| REG_NONE | No-data marker | (omit /d) |
Creating a REG_DWORD
By far the most common Windows tweak — DWORD flags for enabling/disabling features.
rem Disable Cortana for the current user
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f
Output:
The operation completed successfully.
Creating a REG_MULTI_SZ
Multi-string values use \0 as the in-line separator and require the /s \0 flag so reg knows which character is the delimiter.
reg add HKCU\Software\Acme /v Plugins /t REG_MULTI_SZ /d "alpha\0beta\0gamma" /s \0 /f
reg query HKCU\Software\Acme /v Plugins
Output:
The operation completed successfully.
HKEY_CURRENT_USER\Software\Acme
Plugins REG_MULTI_SZ alpha\0beta\0gamma
Creating a REG_EXPAND_SZ
Useful for paths that should resolve at read time — e.g. for per-user binary directories that move with the user profile.
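rem Escape each % with ^ at the prompt (or double it in a batch file) so the variable names are stored unexpanded
reg add "HKCU\Environment" /v Path /t REG_EXPAND_SZ /d ^%USERPROFILE^%\bin;^%PATH^% /f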
Output:
The operation completed successfully.
After this, new processes started by Explorer will see the expanded value; refresh the environment by signing out and back in, or by broadcasting WM_SETTINGCHANGE.
DELETE — removing keys and values
reg delete removes either a value (with /v or /ve), or a whole key tree (without /v). Always add /f in scripts to skip the confirmation prompt.
rem Delete a single value
reg delete HKCU\Software\Acme /v Greeting /f
Output:
The operation completed successfully.
rem Delete the whole key tree
reg delete HKCU\Software\Acme /f
Output:
The operation completed successfully.
rem Delete the (Default) value only
reg delete HKCU\Software\Acme /ve /f
Output:
The operation completed successfully.
EXPORT and IMPORT — .reg files
.reg files are the canonical text format for sharing registry changes. They round-trip through EXPORT (read) and IMPORT (write) and can be applied by double-click in Explorer. Unlike SAVE/RESTORE (binary hives), .reg files are human-readable and merge with existing values rather than overwriting whole keys.
rem Export a key tree to a .reg file
reg export "HKCU\Software\Microsoft\Office" C:\Backup\office.reg /y
Output:
The operation completed successfully.
The output .reg file starts with a magic header and contains every value beneath the key:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office]
"UserName"="Alice Dev"
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common]
"OptIn"=dword:00000001
rem Import a .reg file (merges with existing values)
reg import C:\Backup\office.reg
Output:
The operation completed successfully.
A .reg file with a minus sign before the bracketed key (e.g. [-HKEY_CURRENT_USER\Software\Acme]) means "delete this key on import". Use this to ship cleanup files alongside install files.
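A pre-import review of the .reg format described above, as an added example that is not part of the original page: it checks the UTF-16 LE/CRLF encoding and the Version 5.00 header, then lists every key or value the file would set or delete. It goes slightly beyond the text by also reporting the `"Name"=-` form, which deletes a single value. `SAMPLE_REG` is constructed input and the function names are illustrative.

```python
import codecs
import re

HEADER = "Windows Registry Editor Version 5.00"
# "Name"=data or @=data; names may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample: an export-style file plus a key and a value deletion.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[-HKEY_CURRENT_USER\\Software\\Acme\\Old]\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Acme]\r\n"
    "\"Greeting\"=\"Hello, Alice\"\r\n"
    "\"OptIn\"=dword:00000001\r\n"
    "\"Legacy\"=-\r\n"
    "@=\"Acme defaults\"\r\n"
)
SAMPLE_BYTES = codecs.BOM_UTF16_LE + SAMPLE_REG.encode("utf-16-le")


def decode_reg(raw):
    """Decode .reg bytes, rejecting anything but UTF-16 LE + BOM with CRLF."""
    if not raw.startswith(codecs.BOM_UTF16_LE):
        raise ValueError("no UTF-16 LE BOM; re-encode the file before importing")
    text = raw[2:].decode("utf-16-le")
    if "\n" in text.replace("\r\n", ""):
        raise ValueError("bare LF line endings; .reg files need CRLF")
    return text


def audit_reg(raw):
    """Return (action, key, value_name) for each change the file would make."""
    lines = decode_reg(raw).split("\r\n")
    if lines[0].strip() != HEADER:
        raise ValueError("missing header line: " + HEADER)
    actions, key = [], None
    for line in (l.strip() for l in lines[1:]):
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("DELETE_KEY", line[2:-1], ""))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # Continuation lines of multi-line hex data do not match and are skipped.
            name = "(Default)" if m[1] == "@" else re.sub(r"\\(.)", r"\1", m[1][1:-1])
            action = "DELETE_VALUE" if m[2].strip() == "-" else "SET_VALUE"
            actions.append((action, key, name))
    return actions


if __name__ == "__main__":
    for action, key, name in audit_reg(SAMPLE_BYTES):
        print(f"{action:<13} {key} {name}")
```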
SAVE and RESTORE — hive files
SAVE writes a binary .hiv file that preserves every attribute of the key tree — owner, ACLs, classes, the lot. RESTORE overwrites the destination key entirely (no merge). This is what you want for backups before a risky change.
reg save HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Backup\run.hiv
Output:
The operation completed successfully.
rem Restore from the binary hive (entire key tree replaced)
reg restore HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Backup\run.hiv
Output:
The operation completed successfully.
.hiv files are not portable between Windows versions; use them as same-machine backups, not as a cross-version distribution format. Use .reg for the latter.
LOAD and UNLOAD — mounting an offline hive
When repairing an unbootable system or modifying another user's profile, mount their NTUSER.DAT file as a temporary hive under HKLM or HKU. Pick a unique mount key name; the data inside is reachable as if it were a normal hive while loaded.
rem Load Bob's NTUSER.DAT under HKU\BobTemp
reg load HKU\BobTemp C:\Users\bob\NTUSER.DAT
Output:
The operation completed successfully.
rem Edit Bob's settings without him being logged in
reg add "HKU\BobTemp\Software\Microsoft\Windows\CurrentVersion\Run" /v Pings /t REG_SZ /d "ping example.com" /f
Output:
The operation completed successfully.
rem Unload when finished (must, otherwise the file stays locked)
reg unload HKU\BobTemp
Output:
The operation completed successfully.
COPY — duplicating a key tree
reg copy clones every value and subkey under a source key to a destination key — useful when relocating settings under a new product name, mirroring HKCU defaults into HKU\.DEFAULT for new-user templates, or staging a registry change in a sandbox key before promoting it. Without /s only the immediate values copy; add /s to recurse. Use /f to overwrite without prompting.
rem Mirror an entire key tree to a new location
reg copy HKCU\Software\Acme HKCU\Software\AcmeBackup /s /f
Output:
The operation completed successfully.
Source and destination can live in different hives, and \\computer prefixes work on either side for cross-machine copies. The destination key is created if it doesn't exist; existing values at the destination are overwritten when names collide.
Remote registry — \\computer prefix
If the Remote Registry service is running on the target (it's disabled by default on modern Windows; enable with sc \\target config RemoteRegistry start= demand && sc \\target start RemoteRegistry), most verbs accept a \\Computer\ prefix.
reg query \\myhost\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Output:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SecurityHealth REG_EXPAND_SZ %ProgramFiles%\Windows Defender\MSASCuiL.exe
rem Push a setting to a remote machine
reg add "\\myhost\HKLM\Software\Acme" /v Deployed /t REG_DWORD /d 1 /f
Output:
The operation completed successfully.
reg vs PowerShell Get-ItemProperty
Modern Windows admins increasingly script the registry from PowerShell. The two tools have different strengths.
| Task | reg | PowerShell |
|---|---|---|
| One-off cmd.exe tweak | reg add ... | Set-ItemProperty -Path HKCU:\Software\Acme -Name Greeting -Value Hi |
| Read a single value into a variable | for /f parsing the output | (Get-ItemProperty HKCU:\Software\Acme).Greeting |
| Type-aware writes | Verbose /t REG_DWORD etc. | New-ItemProperty -PropertyType DWord |
| Atomic conditional update | Awkward | if ((Get-ItemProperty -Path ...).Foo -ne 1) { Set-ItemProperty ... } |
| Working in WinRE / minimal env | reg.exe always present | PowerShell not always |
| .reg file authoring | First-class export | Must construct manually |
Rule of thumb: reg for installer scripts and recovery; PowerShell for anything that needs flow control or runs as part of a larger script.
# PowerShell equivalents of the reg.exe examples above
Set-ItemProperty -Path HKCU:\Software\Acme -Name Greeting -Value "Hello, Alice" -Force
New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Search `
-Name CortanaConsent -PropertyType DWord -Value 0 -Force
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).PSObject.Properties |
Where-Object { $_.MemberType -eq 'NoteProperty' -and $_.Name -notlike 'PS*' } |
Select-Object Name, Value
Output:
Name Value
---- -----
SecurityHealth %ProgramFiles%\Windows Defender\MSASCuiL.exe
RtkAudUService "C:\Program Files\Realtek\Audio\HDA\RtkAudUService64.exe" -background
Common pitfalls
- Typo in the key path silently creates a new key — reg add HKLM\SOFTWAR\... /f happily creates HKLM\SOFTWAR, a sibling of the real SOFTWARE hive root. Always paste paths from a known-good source, and verify with reg query immediately after.
- 32-bit vs 64-bit redirection — on 64-bit Windows, 32-bit applications see HKLM\SOFTWARE\WOW6432Node instead of HKLM\SOFTWARE. If a 32-bit app can't find a key your installer wrote, you probably wrote to the 64-bit view; use /reg:32 to target the 32-bit view explicitly.
- REG_EXPAND_SZ is not expanded by reg query — the displayed value is the literal stored string with %VAR%. The OS expands at read time, not display time. Use PowerShell's [Environment]::ExpandEnvironmentVariables(...) to see the resolved value.
- Importing a .reg file with line-ending mismatch fails silently — .reg files must be UTF-16 LE with a BOM and CRLF line endings. Files written by Linux tools as UTF-8 LF will import as empty. Use iconv or Out-File -Encoding Unicode to convert.
- Forgot /f — without /f, reg add and reg delete prompt on stdin, which blocks scripts forever. Always add /f for unattended use.
- reg unload won't unmount if anything has an open handle — close regedit, any PowerShell sessions browsing the mount point, and any other tool reading from it before calling unload. Otherwise the file remains locked.
- Per-machine vs per-user Run keys — both HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run exist. Putting a value in HKLM starts it for every user at logon; HKCU only for the current user. Choose deliberately.
Real-world recipes
Add a context-menu "Open in VS Code" entry
A classic shell tweak — adds "Open with Code" to the right-click menu for files and directories. The command subkey's (Default) value uses %V to pass the right-clicked path to the program.
@echo off
rem Quote the whole assignment so the variable holds the bare path, without quotes
set "CODE=%LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe"
rem File context menu
reg add "HKCU\Software\Classes\*\shell\Open with Code" /ve /d "Open with Code" /f
reg add "HKCU\Software\Classes\*\shell\Open with Code" /v Icon /t REG_EXPAND_SZ /d "%CODE%" /f
rem \" stores a literal quote, so the program path and the argument are each quoted in the registry
reg add "HKCU\Software\Classes\*\shell\Open with Code\command" /ve /t REG_EXPAND_SZ /d "\"%CODE%\" \"%%1\"" /f
rem Directory context menu (right-click empty space inside folder)
reg add "HKCU\Software\Classes\Directory\Background\shell\Open with Code" /ve /d "Open with Code" /f
reg add "HKCU\Software\Classes\Directory\Background\shell\Open with Code" /v Icon /t REG_EXPAND_SZ /d "%CODE%" /f
reg add "HKCU\Software\Classes\Directory\Background\shell\Open with Code\command" /ve /t REG_EXPAND_SZ /d "\"%CODE%\" \"%%V\"" /f
echo Done — restart Explorer (or sign out) to see the new entries.
Output:
The operation completed successfully.
... (6 lines)
Done — restart Explorer (or sign out) to see the new entries.
Backup, change, and roll back
The safest pattern for any registry change: export first, change second, keep the export until you've verified the change works.
@echo off
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\TestService
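rem The DATE substring offsets assume the en-US format (Ddd MM/DD/YYYY)
set BAK=C:\Backup\testservice_%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%.reg
md C:\Backup 2>NUL
rem Stop here if the export fails, so the change is never made without a backup
reg export "%KEY%" "%BAK%" /y || exit /b 1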
reg add "%KEY%" /v Start /t REG_DWORD /d 4 /f
echo Disabled. Backup at %BAK%
echo To roll back: reg import "%BAK%"
Output:
The operation completed successfully.
The operation completed successfully.
Disabled. Backup at C:\Backup\testservice_20260524.reg
To roll back: reg import "C:\Backup\testservice_20260524.reg"
Read a value into a batch variable
The classic for /f parse — handle the leading whitespace and the multi-token type column.
@echo off
for /f "tokens=2,*" %%A in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName ^| findstr ProductName') do (
set "PRODUCT=%%B"
)
echo Running on: %PRODUCT%
Output:
Running on: Windows 11 Pro
List every Run-key autostart across both hives
@echo off
echo === HKLM\Run ===
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
echo.
echo === HKLM\Run (32-bit view) ===
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /reg:32
echo.
echo === HKCU\Run ===
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Output:
=== HKLM\Run ===
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SecurityHealth REG_EXPAND_SZ %ProgramFiles%\Windows Defender\MSASCuiL.exe
=== HKLM\Run (32-bit view) ===
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LegacyHelper REG_SZ C:\Program Files (x86)\Acme\helper.exe
=== HKCU\Run ===
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
OneDrive REG_SZ "C:\Users\alicedev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
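An added example (not from the original page): a Python triage pass over saved output from the three queries above. It parses the value rows and flags two things worth a second look in an autostart entry: an unquoted executable path containing spaces, and an HKLM entry whose target sits under a user-writable location. The sample text is constructed in reg.exe's four-space column layout; the function names and the user-writable path list are assumptions of this example.

```python
import re

# Constructed sample in the layout `reg query` prints: a key line, then
# indented "name    type    data" rows.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %ProgramFiles%\Windows Defender\MSASCuiL.exe
    RtkAudUService    REG_SZ    "C:\Program Files\Realtek\Audio\HDA\RtkAudUService64.exe" -background
    LegacyHelper    REG_SZ    C:\Program Files (x86)\Acme\helper.exe
    Updater    REG_SZ    C:\Users\Public\updater.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alicedev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
'''

# Value names can contain spaces, so anchor each row on the REG_* type column.
ROW = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
# Assumed list of locations a standard user can write to.
USER_WRITABLE = ("\\users\\", "%userprofile%", "%appdata%", "%localappdata%", "%temp%")


def parse_query(text):
    """Yield (key, name, type, data) for each value row in reg query output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := ROW.match(line)):
            yield key, m["name"], m["type"], m["data"]


def target(data):
    """Return (executable, was_quoted) for a Run-key command line."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0], True
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd))(?=\s|$)", data, re.I)
    return (m.group(1) if m else data), False


def findings(text):
    """Return (key, name, reason) for entries that deserve a manual check."""
    out = []
    for key, name, _type, data in parse_query(text):
        exe, quoted = target(data)
        if not quoted and " " in exe:
            out.append((key, name, "unquoted path with spaces"))
        machine_wide = key.startswith("HKEY_LOCAL_MACHINE")
        if machine_wide and any(p in exe.lower() for p in USER_WRITABLE):
            out.append((key, name, "machine-wide entry in user-writable path"))
    return out


if __name__ == "__main__":
    for key, name, reason in findings(SAMPLE):
        print(f"{name}: {reason} ({key})")
```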
Edit another user's profile without logging them in
Mount the offline hive, change a value, unmount.
@echo off
set USERHIVE=C:\Users\bob\NTUSER.DAT
reg load HKU\Bobtmp "%USERHIVE%"
reg add "HKU\Bobtmp\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
reg unload HKU\Bobtmp
echo Proxy disabled in Bob's profile.
Output:
The operation completed successfully.
The operation completed successfully.
The operation completed successfully.
Proxy disabled in Bob's profile.
Find every place a string appears in HKLM
reg query HKLM /s /f "alicedev" /d
Output:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-...-1001
ProfileImagePath REG_EXPAND_SZ C:\Users\alicedev
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
LastLoggedOnUser REG_SZ myhost\alicedev
End of search: 2 match(es) found.
Compare a key between two machines
reg compare reads both sides and reports differences. Combined with \\computer it can do cross-machine diffs without exporting first.
reg compare HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \\myhost\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Output:
< Value: SecurityHealth REG_EXPAND_SZ %ProgramFiles%\Windows Defender\MSASCuiL.exe
> Value: SecurityHealth REG_EXPAND_SZ %ProgramFiles%\Windows Defender\MSASCuiL.exe
< Value: LocalTool REG_SZ C:\Tools\bin\tool.exe
Result Compared: Different
The operation completed successfully.
Disable Windows telemetry in one script
A common provisioning step on workstations.
@echo off
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
echo Telemetry policy applied. Reboot to enforce.
Output:
The operation completed successfully.
The operation completed successfully.
The operation completed successfully.
Telemetry policy applied. Reboot to enforce.
Tips
Always include /f in scripts, even when you expect the path not to exist — without it, reg prompts on stdin and hangs the script.
.reg files merged on import preserve existing values that aren't in the file. To replace a key wholesale, ship a .reg containing [-HKEY...] (minus prefix) to delete it, followed by [HKEY...] to re-create it.
When unsure whether a value is REG_SZ or REG_EXPAND_SZ, always pick REG_EXPAND_SZ if the data contains %VAR% references — otherwise the literal %PATH% will be stored and never expanded.
Sources
- reg commands | Microsoft Learn — top-level verb reference
- reg add | Microsoft Learn — /t, /d, /s, /f switches
- Windows registry for advanced users | Microsoft Learn — hive and value-type background
- Change registry values or permissions | Microsoft Learn — ACL guidance for protected keys