How to find and delete multiple Windows registry entries?

10

2

I need to clean the Windows registry after manually removing a program. What I need to do is following.

  1. Find all keys, values, and data containing "something".
  2. Delete all keys, values, and data matching the description.

Can I use the Reg command in CMD for this somehow?

By "something" in this case, I mean "office12".

Samir

Posted 2013-09-18T19:28:19.820

Reputation: 17 919

regedt33 is open source tool to find and replace in multiple keys. – JinSnow – 2017-05-07T06:37:31.563

You could, but most likely you wouldn't get what you wanted. I will expand later but consider programs may place registry entries on non-obvious places (which is why uninstallers exist). For the REG command here's the help

– Doktoro Reichard – 2013-09-18T19:45:54.733

@DoktoroReichard What would the syntax be for querying all root keys and not just specific keys like HKLM? Is it possible to redirect Reg Query to Reg Delete so that found matches are deleted? Can you do it in one line and without any advanced scripting, batch processing, etc.? – Samir – 2013-09-18T19:53:51.260

Can you define what you consider to be "something"? Are you looking for value names, key names, data in values, or what? – Doktoro Reichard – 2013-09-18T20:11:14.573

I mean "office12". It doesn't matter if it's a key, value or data. I want to search them all, just like you can check what you want to find using the Ctrl+F (find) command in RegEdit. – Samir – 2013-09-18T20:22:39.040

I was really just looking for a way to automate the process a little bit. Instead of having to do Ctrl+F, type "office12" in the text field, Enter, DEL, F3, DEL, F3, DEL, F3, DEL, etc. – Samir – 2013-09-18T20:23:53.967

Answers

7

Try Powershell:

Get-ChildItem -path HKLM:\ -Recurse | where { $_.Name -match 'office12'} | Remove-Item -Force

This will traverse recursively throw HKEY_LOCAL_MACHINE and delete all matching keys. More info here

Krzysztof Gapski

Posted 2013-09-18T19:28:19.820

Reputation: 201

1Can you explain what this command will do? – Burgi – 2016-12-19T00:27:08.857

I get permission denied after running powershell as Administrator, and ideas – Dr Manhattan – 2018-06-05T09:53:27.977

@DrManhattan Regedit, select you key, right-click-->Permissions-->Advanced-->Owner, select Administrators, Apply. Then grand FC to "System", and, if you like, to "Administrators" also. – Krzysztof Gapski – 2018-06-05T10:11:20.277

Many thanks, that worked, however i had to specify the location because PermissionDenied: (HKEY_LOCAL_MACHINE\SECURITY:String) so i made the command Get-ChildItem -path HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall -Recurse | where { $_.Name -match 'mcafee'} | Remove-Item -Force

You guessed it, removing mcafee – Dr Manhattan – 2018-06-06T15:48:06.890

5

I think an application called RegScanner can help you, although as noted in other answers, it might not be exactly what you want to do with your registry, so use it with care.

For more destructive power, you can use PsExec with it, e.g.

C:\progs\PsExec.exe -i -d -s c:\progs\regscanner-x64\regscanner.exe

which will make it run as SYSTEM user. If you still can't delete some registry keys, this article explains how to edit permissions on registry keys.

analytik

Posted 2013-09-18T19:28:19.820

Reputation: 159

1

Like I said in the comment, you can delete registry keys all you want, either using the command prompt, or manually with Regedit. Now, the big problem is your first point.

  1. Find all keys, values, and data containing "something".

Unless you were monitoring / auditing the registry when you installed the program (and assuming the happy scenario the program didn't add registry keys at runtime, if so you would need to monitor the registry from start to finish), the program might have added keys to the registry in non-obvious places.

Most programs add their registry keys in the HKEY_CURRENT_USERS\Software or in HKEY_LOCAL_MACHINE\Software in a dedicated branch (I'm looking at wxMaxima, for instance, located in the first path). If you deleted the corresponding branch you could in theory delete all keys associated with the program. However, some programs might alter something somewhere on the rest of the registry, and that doesn't have a good rule of thumb.

If, on the other hand, you did monitor everything, then reversing the changes is trivial (because you know what were they). I suppose you could reinstall the program on a virtual environment and monitor there. In theory you would receive the same results.

From reading the REG help, no option is available to do what you propose on 1. What REG QUERY does is to check the values inside a registry key. To paste a usage:

C:\Documents and Settings\User>reg query HKCU\Software\wxMaxima

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\wxMaxima
    ShowTips    REG_DWORD       0x1
    tipNum      REG_DWORD       0xb
    pos-x       REG_DWORD       0xfffffffc
    pos-y       REG_DWORD       0xfffffffc
    pos-w       REG_DWORD       0x408
    pos-h       REG_DWORD       0x2ea
    pos-max     REG_DWORD       0x1
    lastPath    REG_SZ  (some random path)
    maxima      REG_SZ  C:\Maxima\\bin\maxima.bat
    parameters  REG_SZ  -X '--dynamic-space-size 1000'
    fontSize    REG_DWORD       0xc
    mathFontsize        REG_DWORD       0xc
    matchParens REG_DWORD       0x1
    showLong    REG_DWORD       0x0
    fixedFontTC REG_DWORD       0x1
    changeAsterisk      REG_DWORD       0x0
    enterEvaluates      REG_DWORD       0x0
    saveUntitled        REG_DWORD       0x1
    openHCaret  REG_DWORD       0x0
    defaultPort REG_DWORD       0xfaa
    usejsmath   REG_DWORD       0x1
    keepPercent REG_DWORD       0x1
    pos-restore REG_DWORD       0x0
    language    REG_DWORD       0x0
    fontEncoding        REG_DWORD       0x0

HKEY_CURRENT_USER\Software\wxMaxima\AUI

HKEY_CURRENT_USER\Software\wxMaxima\RecentDocuments

HKEY_CURRENT_USER\Software\wxMaxima\Style

HKEY_CURRENT_USER\Software\wxMaxima\Wiz

I'm looking for solutions. One I found involves exporting the Registry to a text file and from there filter the results.

Doktoro Reichard

Posted 2013-09-18T19:28:19.820

Reputation: 4 896

Don't mind newer versions of Windows, this problem is on Windows XP. So that suits me nicely. It's XP Pro SP3. – Samir – 2013-09-18T20:02:33.463

The program I removed was Microsoft Office 2007. I didn't want to uninstall it. But after installing a newer version of Windows Installer (from 3.0 to 3.1) and then SP3 (with bundled Windows Installer 4.5) the problem arose. Basically all MSI or Windows Installer based programs started misbehaving. When I would log on to Windows I would get a "Windows Installer" dialog box "preparing to install" and it would say the "network resource" is unavailable. It looked similar to this one! If I clicked Cancel it would come up again.

– Samir – 2013-09-18T20:12:23.440

I had to kill the process to get out of this loop. Then another program, "Logitech Communication Manager" would start messing with me. If I tried to use the uninstaller for any of the two programs, it would bring me the "installer" instead. So it was like stuck, trying to install something, from a "network resource" supposedly???... I couldn't take it anymore, so I had to forcefully kill them both! I don't care for any of them. I did try to follow different Microsoft KB articles, this one among others. But to no avail...

– Samir – 2013-09-18T20:16:27.563

1That being said, the problem might not even have to do with registry settings. Had you any reason to suspect that? If not, why not post another question detailing your real problem. It might attract people that might know a way to solve it. Also relevant is whether it only happens with that MATLAB .msi or everything in general. – Doktoro Reichard – 2013-09-18T20:16:30.277

So that was the background. No, Matlab MSI file is no my problem. I posted the link to someone elses screenshot. Just to showcase the type of dialog box/prompt I was getting. Mine had something to do with Logiteche Communication Manager, and the other one was Office 2007 related. – Samir – 2013-09-18T20:19:18.217

Like I said, your original question is misleading. With this solved, post another question detailing all this you have said. The problem might not be registry related. – Doktoro Reichard – 2013-09-18T20:21:55.983

Alright, will do. Just to confirm, the Reg Query command can only display the values inside a key? It cannot do a value search or a data search in e.g. a root key á la RegEdit style? – Samir – 2013-09-18T20:27:11.150

It can, but you would need to know the path beforehand, which would give you a lot of trouble. – Doktoro Reichard – 2013-09-18T21:12:39.110

let us continue this discussion in chat

– Samir – 2013-09-18T21:29:24.807

The second link above in the third comment points to a KB article on removing Office 2003. That's not right, I meant the KB article for removing Office 2007.

– Samir – 2013-09-18T22:02:18.773

0

While uninstalling, use RevoUninstaller and then CCleaner. This'll get just about every reference relatively safely.

T.Todua

Posted 2013-09-18T19:28:19.820

Reputation: 2 436

Revo Uninstaller is a worhtless junk. I have literally not seen it doing anything. – None – 2017-05-05T11:32:08.860

Asked: 2013-09-18T19:28:19.820

Viewed: 68 870 times

Active: 2017-05-07T06:07:37.893