< Back
Get-ForensicRegistryKey
Post
NAME Get-ForensicRegistryKey
SYNOPSIS
Gets the keys of the specified registry hive.
SYNTAX
Get-ForensicRegistryKey -HivePath <String> [-Key <String>] [<CommonParameters>]
Get-ForensicRegistryKey -HivePath <String> [-Recurse <SwitchParameter>] [<CommonParameters>]
DESCRIPTION
The Get-ForensicRegistryKey cmdlet parses a registry hive and returns the subkeys of the specified key.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
PARAMETERS
-HivePath <String>
The registry hive to parse.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Key [<String>]
The key to begin listing subkeys from.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Recurse [<SwitchParameter>]
Recursively list all keys in the specified hive.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
OUTPUTS
PowerForensics.Registry.NamedKey
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\\>Get-ForensicRegistryKey -HivePath C:\\Windows\\system32\\config\\SOFTWARE -Key Tenable
HivePath : C:\\Windows\\system32\\config\\SOFTWARE
WriteTime : 8/14/2015 4:18:52 PM
NumberOfSubKeys : 0
NumberOfVolatileSubKeys : 0
NumberOfValues : 1
FullName : Tenable\\Nessus
Name : Nessus
Allocated : True
This command gets the subkeys of the HKLM:\\SOFTWARE\\Tenable key.
-------------------------- EXAMPLE 2 --------------------------
[ADMIN]: PS C:\\>Get-RegistryKey -HivePath C:\\Windows\\system32\\config\\SAM -Recurse
This gets all keys in the SAM hive.
RELATED LINKS
SYNOPSIS
Gets the keys of the specified registry hive.
SYNTAX
Get-ForensicRegistryKey -HivePath <String> [-Key <String>] [<CommonParameters>]
Get-ForensicRegistryKey -HivePath <String> [-Recurse <SwitchParameter>] [<CommonParameters>]
DESCRIPTION
The Get-ForensicRegistryKey cmdlet parses a registry hive and returns the subkeys of the specified key.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
PARAMETERS
-HivePath <String>
The registry hive to parse.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Key [<String>]
The key to begin listing subkeys from.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Recurse [<SwitchParameter>]
Recursively list all keys in the specified hive.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
OUTPUTS
PowerForensics.Registry.NamedKey
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\\>Get-ForensicRegistryKey -HivePath C:\\Windows\\system32\\config\\SOFTWARE -Key Tenable
HivePath : C:\\Windows\\system32\\config\\SOFTWARE
WriteTime : 8/14/2015 4:18:52 PM
NumberOfSubKeys : 0
NumberOfVolatileSubKeys : 0
NumberOfValues : 1
FullName : Tenable\\Nessus
Name : Nessus
Allocated : True
This command gets the subkeys of the HKLM:\\SOFTWARE\\Tenable key.
-------------------------- EXAMPLE 2 --------------------------
[ADMIN]: PS C:\\>Get-RegistryKey -HivePath C:\\Windows\\system32\\config\\SAM -Recurse
This gets all keys in the SAM hive.
RELATED LINKS