Registry Access in Live Response

In a Live Response session for a Windows sensor, the reg command provides direct access to the remote computer’s Windows Registry.

The syntax of the Live Response reg command is:

reg [action] [key or value] [options]

The following table shows the reg command actions and their options. These options are intended to mirror the Windows default reg.exe command syntax. For all reg command actions, key paths can take hive references in either short or long form: HKLM or HKEY_LOCAL_MACHINE .


Action	Description
query	Format: reg query`[key or value] [options]` Options: (none) – If no option switch is specified, query for the specified key `-v` – Query for the specified value For example: `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
add	Format: reg add`[key] [options]` Options: `-v` – Value for the key to be added `-d` – Data for the key to be added `-t` – Type of the key to be added; accepted types are: `REG_NONE` `REG_BINARY` `REG_SZ` `REG_EXPAND_SZ` `REG_MULTI_SZ` `REG_DWORD` `REG_DWORD_BIG_ENDIAN` `REG_QWORD` For example: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run -v calc -t REG_SZ -d c:\windows\system32\calc.exe
delete	Format: reg delete`[key or value] [options]` Options: (none) – If no option switch is specified, delete the specified key `-v` – Delete the specified value For example: `reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run -v calc`