7

Is there an easy (automated) way to delete all subkeys in a key in the Windows registry without deleting the key itself?

Thanks

Cameron
  • 203
  • 2
  • 3
  • 9

8 Answers8

7

With Windows7 or Vista, you can use Powershell commands like this, referring to the registry path the same way that you refer to a file system path:

Remove-Item -Path HKLM:\Software\Test\Key1 -Recurse
Remove-Item -Path HKLM:\Software\Test\Key2 -Recurse
Remove-Item -Path HKLM:\Software\Test\Key3 -Recurse
Remove-Item -Path HKLM:\Software\Test\Key4 -Recurse
djangofan
  • 4,172
  • 10
  • 45
  • 59
5

Excerpted from Working with Registry Keys:

If you wanted to remove all items within HKCU:\CurrentVersion but not HKCU:\CurrentVersion itself, you could instead use:

#Requires -Version 3.0
Remove-Item -Path HKCU:\CurrentVersion\* -Recurse

Note: Registry values belonging to HKCU:\CurrentVersion are not removed.

  • Link is dead. [This is probably what you were referring to.](https://docs.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.2#removing-all-keys-under-a-specific-key) – Trisped Apr 07 '22 at 20:59
2

Do you know what the sub-keys are in advance? If so you can do it with a .reg file using something like this to delete all sub-keys of Test:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Test\Key1]
[-HKEY_LOCAL_MACHINE\Software\Test\Key2]
[-HKEY_LOCAL_MACHINE\Software\Test\Key3]
[-HKEY_LOCAL_MACHINE\Software\Test\Key4]

The minus sign at the start of the line tells it to delete that key, full syntax here: http://support.microsoft.com/kb/310516

If not, then you're looking for a script that'll enumerate all the sub-keys and then go through deleting them all one by one. I've got one that'll do this at work, but I'm at home and can't get to it!

GAThrawn
  • 2,424
  • 3
  • 20
  • 38
  • Question is actually a moot point now, I don't need to do this anymore. And no, I do not know the subkeys in advance. Thanks anyway! – Cameron Aug 31 '09 at 23:00
1

Here is the powershell way to delete all the subkey of a Registry key:

$path = "Any valid Path ..."
(gci $path).PsPath  | foreach { if($_){Remove-Item $_ -Force} }

For Example :

$path = "HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices"
(gci $path).PsPath  | foreach { if($_){Remove-Item $_ -Force} }
1

The original poster clarifies the question by indicating that they want the tree deleted, but not the actual root key of the tree. As such, this is not quite an answer because it will delete the entire tree, including the root. Nevertheless, because when searching for an answer to the questions title, this shows up high in the search results, I felt it was helpful to post this answer.

<#
.SYNOPSIS 
 Give ownership of a file, folder, or registry key to the specified user.

.DESCRIPTION
 Give the current process the SeTakeOwnershipPrivilege" and "SeRestorePrivilege" rights which allows it
 to reset ownership of an object.  The script will then set the owner to be the specified user.

.PARAMETER Path (Required)
 The path to the object on which you wish to change ownership.  It can be a file, folder, or registry key

.PARAMETER User (Required)
 The user whom you want to be the owner of the specified object.  The user should be in the format
 <domain>\<username>.  Other user formats will not work.  For system accounts, such as System, the user
 should be specified as "NT AUTHORITY\System".  If the domain is missing, the local machine will be assumed.

.PARAMETER Recurse (switch)
 Causes the function to parse through the Path recursively.

.INPUTS
 None. You cannot pipe objects to Take-Ownership

.OUTPUTS
 None

.NOTES
 Name:    Take-Ownership.ps1
 Author:  Jason Eberhardt
 Date:    2017-07-20
#>
function Take-Ownership {
  [CmdletBinding(SupportsShouldProcess=$false)]
  Param([Parameter(Mandatory=$true, ValueFromPipeline=$false)] [ValidateNotNullOrEmpty()] [string]$Path,
        [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [ValidateNotNullOrEmpty()] [string]$User,
        [Parameter(Mandatory=$false, ValueFromPipeline=$false)] [switch]$Recurse)

  Begin {
    $AdjustTokenPrivileges=@"
using System;
using System.Runtime.InteropServices;

  public class TokenManipulator {
    [DllImport("kernel32.dll", ExactSpelling = true)]
      internal static extern IntPtr GetCurrentProcess();

    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
      internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
      internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    [DllImport("advapi32.dll", SetLastError = true)]
      internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid {
      public int Count;
      public long Luid;
      public int Attr;
    }

    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

    public static bool AddPrivilege(string privilege) {
      bool retVal;
      TokPriv1Luid tp;
      IntPtr hproc = GetCurrentProcess();
      IntPtr htok = IntPtr.Zero;
      retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
      tp.Count = 1;
      tp.Luid = 0;
      tp.Attr = SE_PRIVILEGE_ENABLED;
      retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
      retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
      return retVal;
    }

    public static bool RemovePrivilege(string privilege) {
      bool retVal;
      TokPriv1Luid tp;
      IntPtr hproc = GetCurrentProcess();
      IntPtr htok = IntPtr.Zero;
      retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
      tp.Count = 1;
      tp.Luid = 0;
      tp.Attr = SE_PRIVILEGE_DISABLED;
      retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
      retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
      return retVal;
    }
  }
"@
  }

  Process {
    $Item=Get-Item $Path
    Write-Verbose "Giving current process token ownership rights"
    Add-Type $AdjustTokenPrivileges -PassThru > $null
    [void][TokenManipulator]::AddPrivilege("SeTakeOwnershipPrivilege") 
    [void][TokenManipulator]::AddPrivilege("SeRestorePrivilege") 

    # Change ownership
    $Account=$User.Split("\")
    if ($Account.Count -eq 1) { $Account+=$Account[0]; $Account[0]=$env:COMPUTERNAME }
    $Owner=New-Object System.Security.Principal.NTAccount($Account[0],$Account[1])
    Write-Verbose "Change ownership to '$($Account[0])\$($Account[1])'"

    $Provider=$Item.PSProvider.Name
    if ($Item.PSIsContainer) {
      switch ($Provider) {
        "FileSystem" { $ACL=[System.Security.AccessControl.DirectorySecurity]::new() }
        "Registry"   { $ACL=[System.Security.AccessControl.RegistrySecurity]::new()
                       # Get-Item doesn't open the registry in a way that we can write to it.
                       switch ($Item.Name.Split("\")[0]) {
                         "HKEY_CLASSES_ROOT"   { $rootKey=[Microsoft.Win32.Registry]::ClassesRoot; break }
                         "HKEY_LOCAL_MACHINE"  { $rootKey=[Microsoft.Win32.Registry]::LocalMachine; break }
                         "HKEY_CURRENT_USER"   { $rootKey=[Microsoft.Win32.Registry]::CurrentUser; break }
                         "HKEY_USERS"          { $rootKey=[Microsoft.Win32.Registry]::Users; break }
                         "HKEY_CURRENT_CONFIG" { $rootKey=[Microsoft.Win32.Registry]::CurrentConfig; break }
                       }
                       $Key=$Item.Name.Replace(($Item.Name.Split("\")[0]+"\"),"")
                       $Item=$rootKey.OpenSubKey($Key,[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::TakeOwnership) }
        default { throw "Unknown provider:  $($Item.PSProvider.Name)" }
      }
      $ACL.SetOwner($Owner)
      Write-Verbose "Setting owner on $Path"
      $Item.SetAccessControl($ACL)
      if ($Provider -eq "Registry") { $Item.Close() }

      if ($Recurse.IsPresent) {
        # You can't set ownership on Registry Values
        if ($Provider -eq "Registry") { $Items=Get-ChildItem -Path $Path -Recurse -Force | Where-Object { $_.PSIsContainer } }
        else { $Items=Get-ChildItem -Path $Path -Recurse -Force }
        $Items=@($Items)
        for ($i=0; $i -lt $Items.Count; $i++) {
          switch ($Provider) {
            "FileSystem" { $Item=Get-Item $Items[$i].FullName
                           if ($Item.PSIsContainer) { $ACL=[System.Security.AccessControl.DirectorySecurity]::new() }
                           else { $ACL=[System.Security.AccessControl.FileSecurity]::new() } }
            "Registry"   { $Item=Get-Item $Items[$i].PSPath
                           $ACL=[System.Security.AccessControl.RegistrySecurity]::new()
                           # Get-Item doesn't open the registry in a way that we can write to it.
                           switch ($Item.Name.Split("\")[0]) {
                             "HKEY_CLASSES_ROOT"   { $rootKey=[Microsoft.Win32.Registry]::ClassesRoot; break }
                             "HKEY_LOCAL_MACHINE"  { $rootKey=[Microsoft.Win32.Registry]::LocalMachine; break }
                             "HKEY_CURRENT_USER"   { $rootKey=[Microsoft.Win32.Registry]::CurrentUser; break }
                             "HKEY_USERS"          { $rootKey=[Microsoft.Win32.Registry]::Users; break }
                             "HKEY_CURRENT_CONFIG" { $rootKey=[Microsoft.Win32.Registry]::CurrentConfig; break }
                           }
                           $Key=$Item.Name.Replace(($Item.Name.Split("\")[0]+"\"),"")
                           $Item=$rootKey.OpenSubKey($Key,[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::TakeOwnership) }
            default { throw "Unknown provider:  $($Item.PSProvider.Name)" }
          }
          $ACL.SetOwner($Owner)
          Write-Verbose "Setting owner on $($Item.Name)"
          $Item.SetAccessControl($ACL)
          if ($Provider -eq "Registry") { $Item.Close() }
        }
      } # Recursion
    }
    else {
      if ($Recurse.IsPresent) { Write-Warning "Object specified is neither a folder nor a registry key.  Recursion is not possible." }
      switch ($Provider) {
        "FileSystem" { $ACL=[System.Security.AccessControl.FileSecurity]::new() }
        "Registry"   { throw "You cannot set ownership on a registry value"  }
        default { throw "Unknown provider:  $($Item.PSProvider.Name)" }
      }
      $ACL.SetOwner($Owner)
      Write-Verbose "Setting owner on $Path"
      $Item.SetAccessControl($ACL)
    }
  }
}

<#
.SYNOPSIS 
 Deletes a registry key recursively

.DESCRIPTION
 This function will delete the specified registry key and all its values and subkeys

.INPUTS
 None. You cannot pipe objects to Delete-RegistryKeyTree.

.EXAMPLE
 Delete-RegistryKeyTree -Hive HKCR -Key "CLSID\squid" -User $env:USERNAME

.OUTPUTS
 System.String

.NOTES
 Name:    Delete-RegistryKeyTree
 Author:  Jason Eberhardt
 Date:    2017-07-20
#>
function Delete-RegistryKeyTree {
  [CmdletBinding(SupportsShouldProcess=$false)]
  Param([Parameter(Mandatory=$true, ValueFromPipeline=$false)] [ValidateSet("HKCR","HKLM","HKCU","HKU","HKCC")] [string]$Hive,
        [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [ValidateNotNullOrEmpty()] [string]$Key,
        [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [ValidateNotNullOrEmpty()] [string]$User)

  Process {
    switch ($Hive) {
      "HKCR" { $rootKey=[Microsoft.Win32.RegistryHive]::ClassesRoot; break }
      "HKLM" { $rootKey=[Microsoft.Win32.RegistryHive]::LocalMachine; break }
      "HKCU" { $rootKey=[Microsoft.Win32.RegistryHive]::CurrentUser; break }
      "HKU"  { $rootKey=[Microsoft.Win32.RegistryHive]::Users; break }
      "HKCC" { $rootKey=[Microsoft.Win32.RegistryHive]::CurrentConfig; break }
    }

    $Reg=[Microsoft.Win32.RegistryKey]::OpenBaseKey($rootKey,[Microsoft.Win32.RegistryView]::Default)
    $RegKey=$Reg.OpenSubKey($Key,[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::FullControl)
    if ($RegKey -eq $null) { Write-Warning "Registry key is already deleted." }
    else {
      Write-Verbose "Deleting key $Key"
      Take-Ownership -Path "Registry::$Hive\$Key" -User $User -Recurse
      Write-Verbose "Resetting permissions on $Key"
      $ACL=New-Object System.Security.AccessControl.RegistrySecurity
      $ACL.SetAccessRuleProtection($false,$false)
      $FSR=New-Object System.Security.AccessControl.RegistryAccessRule($User, [System.Security.AccessControl.RegistryRights]::FullControl, ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit), [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow)
      $ACL.ResetAccessRule($FSR)
      $RegKey.Close()
      $RegKey=$Reg.OpenSubKey($Key,[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::ChangePermissions)
      $RegKey.SetAccessControl($ACL)
      $RegKey.Close()
      $Reg.Close()
      Write-Verbose "Deleting $Key"
      $result=& cmd /c "reg delete $Hive\$Key /f" 
      Write-Verbose $result[0]
    }
  }
}
1
New-Item $path -Force

The -Force argument does the job.

Bax
  • 111
  • 3
1

You can run this command :

for /f "tokens=*" %A in ('reg query HKLM\Software\policies\microsoft\') do reg delete %A /f

for /f "tokens=*" %A in ('reg query HKLM\Software\microsoft\windows\CurrentVersion\policies\') do reg delete %A /f

If it's going to be used as a batch, remember to change %A for %%A. This example deletes the computer policy.

Swisstone
  • 6,357
  • 7
  • 21
  • 32
user502807
  • 11
  • 1
-1
reg delete RegistryKey  /va

example

reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va

removes all keys in Run\