@SalviaSage
Last active May 25, 2024 05:05
Guide on Editing the Windows Registry.

Last Revised: 2021-04-29 (added the section about file creation and default file naming.)

I made this guide to help me or anyone else who is interested in editing the Windows Registry.

It is possible to modify the entries of the Windows Registry. To do this, you need to create a file that ends with the extension .reg.


.reg file encoding:

  • File Extension: .reg
  • File Encoding: UCS-2 LE BOM (UTF-16). (Before version 5.00 it used 8 bit, also called single byte; as of now it uses 16 bit, double byte.)
  • Line Endings: \r\n (carriage return + new line characters are used at the end of all lines in the Windows Registry)

When you export a key from the Windows Registry, you get a .reg file with the UCS-2 LE BOM encoding, which is a UTF-16 file encoding. This is because Windows switched from ANSI to UTF-16 file encoding when it moved from the Windows Registry Editor version 4.00 to version 5.00.

Some history: Windows Registry was introduced in Windows 3.1. Windows 95 and 98 used the Windows Registry Editor version 4.00, which was ANSI (the older, deprecated format). Windows 2000 and later versions of Windows use the Registry Editor version 5.00, which is UTF-16 (Unicode, the newer, better format). This, of course, results in the registry occupying more space on disk: simply going from 8 bit to 16 bit doubles the data size of the Windows Registry. But I approve of this design decision, and the file size is not an issue nowadays.

I tested the file encodings that work and do not work:

UTF-8 = works.
UTF-8 BOM = works.
UCS-2 BE BOM = does not work.
UCS-2 LE = does not work.
UCS-2 LE BOM = works (preferred encoding).

It uses the \r\n line endings everywhere internally. This is because everything that is Windows, especially internally, uses this line ending. If your .reg file uses the \n line endings it will still work, but using \n internally, such as in hex values or anywhere else inside the registry, is a mistake, as this line ending will not be recognized. So, to be safe, just use the \r\n line endings everywhere in the registry.

Windows Registry also exports the files with 2 blank lines at the bottom of the file. Perhaps this is because it is null terminated or has the byte order mark (BOM) character at the end of the file.

Thus, these are the standards that we should follow when making a .reg file.

So, for example, if you first create a .txt file and then rename it and change its extension to .reg, your file will probably be in the ANSI or the UTF-8 format.

And those formats work too. But I highly recommend formatting all .reg files with the \r\n line endings as well as setting the encoding of the file to UCS-2 LE BOM.

Fortunately, there is an easier way to create .reg files with the correct encoding and the correct syntax.

Simply copy paste the below into a .reg file and merge the file into the Windows Registry:

Windows Registry Editor Version 5.00

;; Adds a new entry to the Context Menu -> New -> Windows Registry File.
;; The file will be created with the following string already in it:

;;
;;    Windows Registry Editor Version 5.00
;;
;;    ;; comment reserved
;;
;;    []
;;
;;

[HKEY_CLASSES_ROOT\.reg\ShellNew]
"Data" = hex:FF,FE,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,00,65,\
  00,67,00,69,00,73,00,74,00,72,00,79,00,20,00,45,00,64,00,69,00,74,00,6f,00,\
  72,00,20,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,20,00,35,00,2e,00,30,\
  00,30,00,0d,00,0a,00,0d,00,0a,00,3b,00,3b,00,20,00,63,00,6f,00,6d,00,6d,00,\
  65,00,6e,00,74,00,20,00,72,00,65,00,73,00,65,00,72,00,76,00,65,00,64,00,0d,\
  00,0a,00,0d,00,0a,00,5b,00,5d,00,0d,00,0a,00,0d,00,0a,00

[HKEY_CLASSES_ROOT\regfile]
"FriendlyTypeName" = hex(2):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,20,00,46,00,69,00,6c,00,65,\
  00,00,00
"FriendlyTypeName.bak" = hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,\
  00,52,00,6f,00,6f,00,74,00,25,00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,\
  74,00,2e,00,65,00,78,00,65,00,2c,00,2d,00,33,00,30,00,39,00,00,00

Or, you can download this .reg file from this web address: https://github.com/SalviaSage/The-Registry-Repo/tree/master/Add%20Entries%20to%20the%20%27New%27%20Context%20Menu/Windows%20Registry%20File%20(.reg) .

If you want to uninstall it, again, make a .reg file and copy paste the below code into it, save it and merge it:

Windows Registry Editor Version 5.00

;; Deletes the Windows Registry entry from the "Create New" Context Menu.

[-HKEY_CLASSES_ROOT\.reg\ShellNew]

[HKEY_CLASSES_ROOT\regfile]
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
  00,6f,00,6f,00,74,00,25,00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,74,00,\
  2e,00,65,00,78,00,65,00,2c,00,2d,00,33,00,30,00,39,00,00,00
"FriendlyTypeName.bak" = -

You can also download this uninstallation file here: https://github.com/SalviaSage/The-Registry-Repo/tree/master/Add%20Entries%20to%20the%20%27New%27%20Context%20Menu/Windows%20Registry%20File%20(.reg) .

Now, you can just right click anywhere and go to 'new' and create your .reg file from there and it will have the UCS-2 LE BOM encoding as well as the necessary syntax for editing the registry already present so you don't have to type that every time.


THE BELOW SECTION DEALS WITH HOW TO MAKE 'CREATE NEW' ENTRIES WITH THE BOM ENCODINGS.

Example:

[HKEY_CLASSES_ROOT\.reg\ShellNew]
"Data" = hex:57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,00,65,00,67,00,\
  69,00,73,00,74,00,72,00,79,00,20,00,45,00,64,00,69,00,74,00,6f,00,72,00,20,\
  00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,20,00,35,00,2e,00,30,00,30,00,\
  0d,00,0a,00,0d,00,0a,00,3b,00,3b,00,20,00,63,00,6f,00,6d,00,6d,00,65,00,6e,\
  00,74,00,20,00,72,00,65,00,73,00,65,00,72,00,76,00,65,00,64,00,0d,00,0a,00,\
  0d,00,0a,00,5b,00,5d,00,0d,00,0a,00,0d,00,0a,00

Becomes:

[HKEY_CLASSES_ROOT\.reg\ShellNew]
"Data" = hex:ff,fe,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,00,65,\
  00,67,00,69,00,73,00,74,00,72,00,79,00,20,00,45,00,64,00,69,00,74,00,6f,00,72,\
  00,20,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,20,00,35,00,2e,00,30,00,30,\
  00,0d,00,0a,00,0d,00,0a,00,3b,00,3b,00,20,00,63,00,6f,00,6d,00,6d,00,65,00,6e,\
  00,74,00,20,00,72,00,65,00,73,00,65,00,72,00,76,00,65,00,64,00,0d,00,0a,00,0d,\
  00,0a,00,5b,00,5d,00,0d,00,0a,00,0d,00,0a,00

Adding the FF,FE hex values there causes the file to be created with the BOM instead of without it.

This can be useful in some situations, as it is useful here with the registry files.


.reg file syntax:

  • Windows Registry Editor Version 5.00 must be present on line 1.
  • The second line must be blank.
  • There must be a blank line between all [HKEY_] entries.
  • There should be a blank line at the very bottom of the .reg file. The Registry Editor exports with 2 blank lines at the end (as discussed above).
  • The comment syntax is the semicolon (;). (There are no multi-line comments, as far as I know.) (I like to use an extra semicolon to differentiate actual comments from commented-out code.)
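A pre-merge check for the encoding and syntax rules listed so far, as an added example that is not part of the original guide. The function name `lint_reg` and the sample key `HKEY_CURRENT_USER\Software\Example` are assumptions made for illustration, and a trailing \r\n is counted as the blank line at the bottom of the file.

```python
import codecs

HEADER = "Windows Registry Editor Version 5.00"

def lint_reg(raw: bytes) -> list[str]:
    """Check the raw bytes of a .reg file against the rules in this guide."""
    # Encoding: mirrors the works / does-not-work table from the guide.
    if raw.startswith(codecs.BOM_UTF16_LE):
        text, notes = raw[2:].decode("utf-16-le"), []
    elif raw.startswith(codecs.BOM_UTF16_BE):
        return ["UCS-2 BE BOM: listed as not working"]
    elif raw.startswith(codecs.BOM_UTF8):
        text = raw[3:].decode("utf-8", "replace")
        notes = ["UTF-8 BOM works; UCS-2 LE BOM is preferred"]
    elif b"\x00" in raw:
        return ["UCS-2 LE without BOM: listed as not working"]
    else:
        text = raw.decode("utf-8", "replace")
        notes = ["UTF-8/ANSI works; UCS-2 LE BOM is preferred"]
    # Line endings: every \n should be part of a \r\n pair.
    if "\n" in text.replace("\r\n", ""):
        notes.append("bare \\n line ending; use \\r\\n")
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[0] != HEADER:
        notes.append("line 1 is not the version 5.00 header")
    if len(lines) < 2 or lines[1] != "":
        notes.append("line 2 is not blank")
    for number, line in enumerate(lines[1:], start=2):
        previous = lines[number - 2]
        if line.startswith("[") and previous != "":
            notes.append(f"line {number}: key is not preceded by a blank line")
        if previous.endswith("\\") and not line.startswith("  "):
            notes.append(f"line {number}: continuation must start with two spaces")
    if lines[-1] != "":
        notes.append("no blank line at the end of the file")
    return notes

if __name__ == "__main__":
    # Constructed sample: UTF-8, LF-only, no blank line after the header.
    sample = (HEADER + "\n[HKEY_CURRENT_USER\\Software\\Example]\n"
              '"V"=hex:01,\\\n02').encode("utf-8")
    for note in lint_reg(sample):
        print(note)
```

An empty list means the file follows every rule the function checks; the notes about UTF-8 and ANSI are advisory, since those encodings still import.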

Example .reg file:

Windows Registry Editor Version 5.00

;; Adds a new entry to the Context Menu -> New -> Windows Registry File.
;; The file will be created with the following string already in it:

;;    Windows Registry Editor Version 5.00
;;
;;    ;; comment reserved
;;
;;    []
;;

[HKEY_CLASSES_ROOT\.reg\ShellNew]
"Data" = hex:57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,00,65,00,67,00,\
  69,00,73,00,74,00,72,00,79,00,20,00,45,00,64,00,69,00,74,00,6f,00,72,00,20,\
  00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,20,00,35,00,2e,00,30,00,30,00,\
  0d,00,0a,00,0d,00,0a,00,3b,00,3b,00,20,00,63,00,6f,00,6d,00,6d,00,65,00,6e,\
  00,74,00,20,00,72,00,65,00,73,00,65,00,72,00,76,00,65,00,64,00,0d,00,0a,00,\
  0d,00,0a,00,5b,00,5d,00,0d,00,0a,00,0d,00,0a,00

[HKEY_CLASSES_ROOT\regfile]
"FriendlyTypeName" = hex(2):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,\
  00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,20,00,46,00,69,00,6c,00,65,00,\
  00,00
"FriendlyTypeName.bak" = hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,\
  00,52,00,6f,00,6f,00,74,00,25,00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,\
  74,00,2e,00,65,00,78,00,65,00,2c,00,2d,00,33,00,30,00,39,00,00,00

  • If you want to delete a KEY, just put a minus sign before the directory name. Example:

[-HKEY_CLASSES_ROOT\regfile]

  • If you want to delete an entry (value) inside a key (not the key directory itself), type the name of the value and assign it to a minus sign. Example:

[HKEY_CLASSES_ROOT\.bmp\ShellNew]
"NullFile" = -

  • If you launch the Registry Editor as System (not as the administrator, but as system) you can see some of the hidden keys. There are 3rd party apps that allow launching programs as system. (PowerRun, NSudo.) You can also make edits to some of the protected keys and values that otherwise you wouldn't be able to edit.

  • The only way to correctly insert new lines inside a string is with the \r\n characters entered as hex (0D,00,0A,00).

  • Only \n (0A,00) does not work here, neither is it possible to make new lines without using hex values. I tried to, and couldn't.

  • Hex values are accepted. Strings can be entered as hex values in the following format:

"TMP"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,4c,00,\
  45,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,00,6f,\
  00,63,00,61,00,6c,00,5c,00,54,00,65,00,6d,00,70,00,00,00

  • The hex digits are not case sensitive (0e == 0E). The Registry Editor exports them in lowercase. So, we should stick with that format as well, but it doesn't matter otherwise.

  • The hex values wrap at 80 characters UNLESS the name that the hex values are assigned to already exceeds 80 characters. Example of a hex value whose first line exceeds the 80-character wrap:

"windowspackagesettings-notifications-microsoft.microsoftsolitairecollection_8wekyb3d8bbwe"=hex:94,\
  2d,13,87,31,e6,d3,01

Notice how only the first hex value is there, which is then wrapped down with the \ syntax. If the name was not as long, then more hex values would have been there, which would then wrap at 80. (Although I think the code will still work if you don't wrap, it is better to wrap for legibility and that is what the Registry Editor does also.)

  • The next line must start with two spaces. Look at the example above, notice the second line for the hex values starts with two empty spaces.

  • There is another registry editor called Registry Finder which can do more than the Windows Registry Editor in some areas. It is a very good complement to the Windows Registry Editor.

    • It can import and export binary data; this data must be in the string format, not in the hex format.

    • It can undo the changes with CTRL+Z.

    • It is very fast and it's very good at searching and finding registry entries.

    • It can also export individual values from keys whereas the Windows Registry Editor only exports whole keys.

    • There are many other features. Check out this free program here: http://registry-finder.com/ . (Thanks Sergey Filippov.)

  • Pay attention to all the extra double 00 characters when entering strings as hex values into the registry. This is because Microsoft switched from using single byte to double byte values for the Registry and other areas of Windows. This then made it so that all the hex values were followed by these double 00s.

So, simply converting things to regular, single byte hex does not work here! Read more about that here: https://tinyapps.org/blog/201204010730_registry_hex_to_text.html .

"Data" = "this is


a multi line string


"

The correct way to enter the above string would be in hex with the \r\n characters for new lines written in hex like this:

"Data"=hex:74,00,68,00,69,00,73,00,20,00,69,00,73,00,0D,00,0A,00,0D,00,0A,00,\
  0D,00,0A,00,61,00,20,00,6d,00,75,00,6c,00,74,00,69,00,20,00,6c,00,69,00,6e,\
  00,65,00,20,00,73,00,74,00,72,00,69,00,6e,00,67,00,0D,00,0A,00,0D,00,0A,00

  • If you want to edit the (Default) (value not set) values, the syntax is @ = "whatever".

Example:

[HKEY_CLASSES_ROOT\DesktopBackground\Shell\Power\shell\005RefreshExplorer\command]
@ = "cmd.exe /c taskkill /f /im explorer.exe  & start explorer.exe"

  • If you want to enter your hex as an Expandable string instead of a regular string, then use hex(2): instead.

Example:

"TMP"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,4c,00,\
  45,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,00,6f,\
  00,63,00,61,00,6c,00,5c,00,54,00,65,00,6d,00,70,00,00,00

Also, it seems like all these expandable strings ( hex(2) strings ) are null-terminated, judging from the endings. So, make sure your REG_SZ values and hex(2) values are null-terminated.
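To see what a hex value actually contains before merging a .reg file, and to produce hex in the wrapped layout described above, here is an added example that is not part of the original guide. The names `decode_reg_hex` and `encode_reg_hex` are assumptions, and the wrap rule (no line longer than 80 characters including the trailing \, at least one byte on the first line) is inferred from the exports shown on this page.

```python
import re

WIDTH = 80  # wrap column, inferred from the exports shown in this guide

def decode_reg_hex(entry: str) -> tuple[str, str, str]:
    """Return (value name, type tag, text) for one hex / hex(2) entry."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", entry.strip())  # undo "\" continuations
    m = re.fullmatch(
        r'(?:"(.*)"|(@))\s*=\s*(hex(?:\([0-9a-f]+\))?):([0-9a-fA-F,]*)', joined)
    if m is None:
        raise ValueError("not a hex-typed registry value")
    raw = bytes.fromhex(m.group(4).replace(",", ""))
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16 LE text")
    # Every character is two bytes (the "extra 00s"); drop BOM and terminator.
    text = raw.decode("utf-16-le").lstrip("\ufeff").rstrip("\x00")
    return ("@" if m.group(2) else m.group(1)), m.group(3), text

def encode_reg_hex(name: str, text: str, tag: str = "hex(2)", bom: bool = False) -> str:
    """Encode text as UTF-16 LE hex, wrapped with two-space continuation lines."""
    raw = text.encode("utf-16-le")
    if tag == "hex(2)":
        raw += b"\x00\x00"        # expandable strings are null-terminated
    if bom:
        raw = b"\xff\xfe" + raw   # FF,FE prefix used for ShellNew "Data"
    tokens = [f"{byte:02x}" for byte in raw]
    lines, prefix = [], f'"{name}"={tag}:'
    while True:
        # Bytes that fit on this line before the trailing ",\" (always >= 1).
        room = max(1, (WIDTH - 1 - len(prefix)) // 3)
        chunk, tokens = tokens[:room], tokens[room:]
        if not tokens:
            lines.append(prefix + ",".join(chunk))
            return "\r\n".join(lines)
        lines.append(prefix + ",".join(chunk) + ",\\")
        prefix = "  "

if __name__ == "__main__":
    entry = encode_reg_hex("TMP", "%USERPROFILE%\\AppData\\Local\\Temp")
    print(entry)
    print(decode_reg_hex(entry))
```

Decoding a plain `hex:` (binary) value as text only makes sense when the bytes hold UTF-16 text, as the ShellNew "Data" template does.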

  • If you want to make something autostart on boot from the registry, as opposed to using the startup folder, go to this key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run .

Add a regular string value, give it a name, and set its data to the exact path of what you want to execute at startup. The data can also carry arguments that begin with -, such as -background and -elevate.

Example:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SuperF4"="\"C:\\Users\\Username\\AppData\\Roaming\\SuperF4\\SuperF4.exe\" -elevate"

The -elevate syntax there just makes it so the program is run as an admin if it can. That may be necessary for some programs to work properly, but in some other cases, it will break the program instead.

I think the -background just makes the program run in the background and not pop up when windows boots, which would be the default.


Registry Favorites

It is also possible to make some of the registry directories "favorites". That way, you can easily access some of the popular registry areas.

These are also done by using the registry. So, simply browse to the key you want to add to favorites, click on "favorites" in the menu and click on "Add to favorites" and give it a name.

When you do that, a new string is made in this directory in the registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites and its data is assigned to the registry directory.


A note on new file creation and new file naming

As discussed in this document, I give the reader detailed information on how to add an entry into the "Create New" menu that is found by default in the right click context menu, and I provide the code for doing that. I also discovered how to make the newly created file be created as a BOM file. This was because the registry files needed to be in the BOM format, which the entry was creating without. So I found how to make it BOM by using the hex values. I also found how to create a new file with a string that is already inside the file with the "Data" = syntax, and this was helpful for the registry files.

However, one thing I could not get around was the fact that I could not name the files differently as they appeared on the context menu entry and as they were created. So, I could change the name of the created file, but I would also have to change the name from the context menu. It seemed to me like there would have been a way to name them separately, without having to then rename the created file manually.

Today, by accident, I have discovered a way of doing so using the "ItemName" = hex(2): syntax and I wanted to note that down as I believe it can be useful. Basically, the name of the newly created item can be directly obtained from its name as it is stored in a Windows .dll file, as opposed to us trying to name it ourselves. When we name it ourselves we cannot get around the fact that the context menu entry and the created file share their names, but when we grab the name from the .dll using the aforementioned syntax we can then go ahead and give another name to the menu entry with the syntax "FriendlyTypeName" = hex(2):. However, it can be difficult to find out where the name is stored, but if you can find that out then this is one sure way of making the entry name and the created file name separate.

Check out this syntax for reference:

"ItemName" = hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
  00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,77,00,73,00,68,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,\
  00,34,00,38,00,30,00,32,00

Here the hex value says @%SystemRoot%\System32\wshext.dll,-4802 . So, we are obtaining the name of the file from this .dll file, from its string resource 4802.

END

Thanks for reading my guide.🙋 Further Reading: http://www.informit.com/articles/article.aspx?p=1378466&seqNum=2 .

eabase commented May 24, 2024

Very cool. TY.
Trying to decipher and write the following REG file to Disable "Show more options" for ALL users (context menu)

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}]
@="File Explorer Context Menu"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InProcServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InProcServer32]
@=""

It looks like it deleted an item and then adds it back again. Any idea why?

@SalviaSage
Author

Yes, what you described is correct. It deletes the entry and recreates it with a blank string.
If you are trying to delete that entry in the menu altogether, that can be difficult to determine as there can be multiple CLSIDs.
They can vary from machine to machine as well and you will have to pinpoint the correct CLSIDs to make changes.
And you still might not be able to do what you are trying to do.
