Last Revised: 2024-09-07
I made this guide to help anyone interested in editing the Windows Registry.
It is possible to modify the entries of the Windows Registry.
To do this, you need to create a file that ends with the extension .reg.
.reg file encoding:
File Extension: .reg
File Encoding: UCS-2 LE BOM (UTF-16) (Previously used 8-bit, also called single byte, before version 5.00, but uses 16-bit, double-byte, as of now)
Line Endings: \r\n (carriage return + newline characters are used at the end of all lines in the Windows Registry)
When you export a key from the Windows Registry, you get a .reg file with the UCS-2 LE BOM encoding, which is a UTF-16 file encoding. This is because Windows switched from using ANSI to UTF-16 file encoding when they switched from the REGEDIT4 to Windows Registry Editor Version 5.00.
Some history: Windows Registry was introduced in Windows 3.1. Windows 95 and Windows 98 used the Windows Registry Editor version 4.00, which was ANSI (older, deprecated format). Windows 2000 and later versions of Windows use the Windows Registry Editor version 5.00, which is UTF-16 (Unicode, the newer better format). Simply going from 8-bit to 16-bit doubles the file-size of the Windows Registry. But, I approve of this design decision, and the file-size is not an issue nowadays.
I tested the file encodings that work and that do not work:
UTF-8 = works.
UTF-8 BOM = works.
UCS-2 BE BOM = does not work.
UCS-2 LE = does not work.
UCS-2 LE BOM = works (preferred encoding).
It uses the \r\n line endings everywhere internally. This is because everything that is Windows, especially internally, uses this line ending. If your .reg file uses the \n line endings it will still work, but using it internally such as in hex values or anywhere else inside the registry is a mistake as this line ending will not be recognised. So, to be safe, use the \r\n line endings everywhere in Windows Registry.
Windows Registry also exports the files with 2 blank lines at the bottom of the file. Perhaps this is because it is null-terminated or has the byte order mark (BOM) character at the end of the file.
Thus, these are the standards that we should follow when making a .reg file.
So, for example, if you first create a .txt file and then rename it and change its extension to .reg, your file will probably be in the ANSI or the UTF-8 format.
And those formats work too, but I highly recommend formatting all .reg files with the \r\n line endings as well as setting the encoding of the file to UCS-2 LE BOM.
Fortunately, there is an easier way to create .reg files with the correct encoding and syntax.
Simply copy and paste the below into a .reg file and merge the file into the Windows Registry:
Windows Registry Editor Version 5.00

;; Adds a new entry to the Context Menu -> New -> Windows Registry File.
;; The file will be created with the following string already in it:
;;
;; Windows Registry Editor Version 5.00
;;
;; ;; comment reserved
;;
;; []
;;
;;

[HKEY_CLASSES_ROOT\.reg\ShellNew]
"Data" = hex:FF,FE,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,00,65,\
  00,67,00,69,00,73,00,74,00,72,00,79,00,20,00,45,00,64,00,69,00,74,00,6f,00,\
  72,00,20,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,20,00,35,00,2e,00,30,\
  00,30,00,0d,00,0a,00,0d,00,0a,00,3b,00,3b,00,20,00,63,00,6f,00,6d,00,6d,00,\
  65,00,6e,00,74,00,20,00,72,00,65,00,73,00,65,00,72,00,76,00,65,00,64,00,0d,\
  00,0a,00,0d,00,0a,00,5b,00,5d,00,0d,00,0a,00,0d,00,0a,00

[HKEY_CLASSES_ROOT\regfile]
"FriendlyTypeName" = hex(2):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,20,00,46,00,69,00,6c,00,65,\
  00,00,00
"FriendlyTypeName.bak" = hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,\
  00,52,00,6f,00,6f,00,74,00,25,00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,\
  74,00,2e,00,65,00,78,00,65,00,2c,00,2d,00,33,00,30,00,39,00,00,00
Or, you can download this .reg file from my web address: https://github.com/SalviaSage/The-Registry-Repo/tree/master/Add%20Entries%20to%20the%20%27New%27%20Context%20Menu/Windows%20Registry%20File%20(.reg)
If you want to uninstall it, make a .reg file, and copy and paste the below code in it. Save it and merge it.
Windows Registry Editor Version 5.00

;; Deletes the Windows Registry entry from the "Create New" Context Menu.

[-HKEY_CLASSES_ROOT\.reg\ShellNew]

[HKEY_CLASSES_ROOT\regfile]
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
  00,6f,00,6f,00,74,00,25,00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,74,00,\
  2e,00,65,00,78,00,65,00,2c,00,2d,00,33,00,30,00,39,00,00,00
"FriendlyTypeName.bak" = -
You can also download this uninstallation file here: https://github.com/SalviaSage/The-Registry-Repo/tree/master/Add%20Entries%20to%20the%20%27New%27%20Context%20Menu/Windows%20Registry%20File%20(.reg)
Now, you can right-click anywhere and go to "new" and create your .reg file from there and it will have the UCS-2 LE BOM encoding and the necessary syntax for editing the Windows Registry already present so you don't have to type that every time.
THE BELOW SECTION DEALS WITH MAKING "CREATE NEW" ENTRIES WITH BOM ENCODINGS.
Example:
[HKEY_CLASSES_ROOT\.reg\ShellNew]
"Data" = hex:57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,00,65,00,67,00,\
  69,00,73,00,74,00,72,00,79,00,20,00,45,00,64,00,69,00,74,00,6f,00,72,00,20,\
  00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,20,00,35,00,2e,00,30,00,30,00,\
  0d,00,0a,00,0d,00,0a,00,3b,00,3b,00,20,00,63,00,6f,00,6d,00,6d,00,65,00,6e,\
  00,74,00,20,00,72,00,65,00,73,00,65,00,72,00,76,00,65,00,64,00,0d,00,0a,00,\
  0d,00,0a,00,5b,00,5d,00,0d,00,0a,00,0d,00,0a,00
Becomes:
[HKEY_CLASSES_ROOT\.reg\ShellNew]
"Data" = hex:ff,fe,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,00,65,\
  00,67,00,69,00,73,00,74,00,72,00,79,00,20,00,45,00,64,00,69,00,74,00,6f,00,72,\
  00,20,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,20,00,35,00,2e,00,30,00,30,\
  00,0d,00,0a,00,0d,00,0a,00,3b,00,3b,00,20,00,63,00,6f,00,6d,00,6d,00,65,00,6e,\
  00,74,00,20,00,72,00,65,00,73,00,65,00,72,00,76,00,65,00,64,00,0d,00,0a,00,0d,\
  00,0a,00,5b,00,5d,00,0d,00,0a,00,0d,00,0a,00
Adding the FF,FE hex values at the start of the file creates it with the BOM instead of without it.
This can be useful in some situations, as it is useful here with registry files.
.reg file syntax:
- Windows Registry Editor Version 5.00 must be present on line 1.
- REGEDIT4 can also be present on line 1, which is still seen in some registry files. This is the earlier version that still works.
- The second line must be blank.
- There must be a blank line between all [HKEY_] entries.
- There should be a blank line at the end of the .reg file. The Registry Editor exports with 2 blank lines at the end of the file as discussed above.
- The comment syntax is the semi-colon (;). There are no multi-line comments. I like to use an extra comment syntax (;;) to differentiate actual comments from commented-out code.
Example .reg file:
Windows Registry Editor Version 5.00

;; Adds a new entry to the Context Menu -> New -> Windows Registry File.
;; The file will be created with the following string already in it:
;; Windows Registry Editor Version 5.00
;;
;; ;; comment reserved
;;
;; []
;;

[HKEY_CLASSES_ROOT\.reg\ShellNew]
"Data" = hex:57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,00,65,00,67,00,\
  69,00,73,00,74,00,72,00,79,00,20,00,45,00,64,00,69,00,74,00,6f,00,72,00,20,\
  00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,20,00,35,00,2e,00,30,00,30,00,\
  0d,00,0a,00,0d,00,0a,00,3b,00,3b,00,20,00,63,00,6f,00,6d,00,6d,00,65,00,6e,\
  00,74,00,20,00,72,00,65,00,73,00,65,00,72,00,76,00,65,00,64,00,0d,00,0a,00,\
  0d,00,0a,00,5b,00,5d,00,0d,00,0a,00,0d,00,0a,00

[HKEY_CLASSES_ROOT\regfile]
"FriendlyTypeName" = hex(2):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,\
  00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,20,00,46,00,69,00,6c,00,65,00,\
  00,00
"FriendlyTypeName.bak" = hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,\
  00,52,00,6f,00,6f,00,74,00,25,00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,\
  74,00,2e,00,65,00,78,00,65,00,2c,00,2d,00,33,00,30,00,39,00,00,00
- If you want to delete a KEY, put a hyphen-minus character before the directory name. Example:
[-HKEY_CLASSES_ROOT\regfile]
- If you want to delete an entry (value) inside a key, type the name of the value and assign it to a hyphen-minus character. Example:
[HKEY_CLASSES_ROOT\.bmp\ShellNew]
"NullFile" = -
- If you launch the Registry Editor as System (not as the administrator, but as System) you can see some of the hidden keys. There are third-party computer programs that allow the launching of programs as System. (PowerRun, NSudo.) You can also make edits to some of the protected keys and values that otherwise you won't be able to edit.
- The only way to correctly insert new lines inside a string is with the \r\n characters entered as hex (0D,00,0A,00). Only \n (0A,00) does not work here, and neither is it possible to make new lines without using hex values. I tried and I couldn't.
- Hex values are accepted. Strings can be entered as hex values in the following format:
"TMP"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,4c,00,\
  45,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,00,6f,\
  00,63,00,61,00,6c,00,5c,00,54,00,65,00,6d,00,70,00,00,00
- These hex values are not case-sensitive (0e == 0E). The Registry Editor exports them in lower case. So, we should stick with that format, but it doesn't matter otherwise.
- The hex values wrap at 80 characters unless the string that the hex values are assigned to already exceeds 80 characters. Example of a hex value with the first line exceeding the 80 characters wrap:
"windowspackagesettings-notifications-microsoft.microsoftsolitairecollection_8wekyb3d8bbwe"=hex:94,\
  2d,13,87,31,e6,d3,01
Notice how only the first hex value is there which is then wrapped down with the \ syntax. If the string were not as long, more hex values would have been there which would then wrap at 80. Although I think the code will still work if you don't wrap, it is better to wrap for legibility and that is what the Registry Editor does also.
- The next line must start with two spaces. Look at the example above, and notice the second line for the hex values starting with two empty spaces.
- There is another registry editor called Registry Finder which can do more than the Windows Registry Editor in some areas. It is a very good complement to the Windows Registry Editor.
  - It can import and export binary data; this data must be in the string format, not in the hex format.
  - It can undo changes with CTRL+Z.
  - It is fast and it's good at searching and finding registry entries.
  - It can also export individual values from keys whereas the Windows Registry Editor only exports whole keys.
  - There are many other features. Check out this free program here: http://registry-finder.com/ . (Thanks Sergey Filippov.)
- Pay attention to all the 00 characters when entering strings as hex values into the registry. This is because Microsoft switched from using single-byte to double-byte values for the Windows Registry and other areas of Windows. This then made it so that all the hex values were followed by these double zeros.
So, simply converting things to regular, single-byte hex does not work here! Read more about that here:
https://tinyapps.org/blog/201204010730_registry_hex_to_text.html
- There is a converter here at this address that can convert strings to this hex format correctly:
https://gchq.github.io/CyberChef/#recipe=Find_/_Replace%28%7B%27option%27:%27Extended%20%28%5C%5Cn,%20%5C%5Ct,%20%5C%5Cx...%29%27,%27string%27:%27%5C%5Cn%27%7D,%27%5C%5Cr%5C%5Cn%27,true,false,true,false%29Encode_text%28%27UTF-16LE%20%281200%29%27%29Find_/_Replace%28%7B%27option%27:%27Regex%27,%27string%27:%27%5E%27%7D,%27%5C%5Cxff%5C%5Cxfe%27,true,false,true,false/disabled%29Find_/_Replace%28%7B%27option%27:%27Regex%27,%27string%27:%27%24%27%7D,%27%5C%5C0%5C%5C0%27,true,false,true,false/disabled%29To_Hex%28%27Comma%27%29
- Here is the link to convert from "double byte string hex" to "regular string":
https://gchq.github.io/CyberChef/#recipe=From_Hex%28%27Comma%27%29Decode_text%28%27UTF-16LE%20%281200%29%27%29
- NOTE: The converter doesn't wrap at 80 characters; you have to do this manually. See the above example with the \ syntax for information on how to do that.
- For null-terminated files, the binary data ends with 3 double zeros (00,00,00). The last 2 represent the null termination character. The double zeros before that are a part of the double-byte hex value. So, make sure to have the correct syntax at the end of the hex value or your value will not be null-terminated!
- REG_SZ values (strings) are all created null-terminated by default. The hex value for this is (00,00) as discussed above.
- In other words, all string values except the "(Default) (value not set)" values, which export empty, are null-terminated in the registry.
- Make sure to preserve the null-termination when making edits.
- Entering strings as hex instead of strings is a more sure way of getting things done.
- For example, you can only null-terminate with hex and also, can only make new lines with hex. The byte order mark and many other things can only be done with hex values.
- You can't make new lines with the example below: (tested)
"Data" = "this is
a multi line string
"
The correct way to enter the above string would be in hex with the \r\n characters for new lines written in hex like this:
"Data"=hex:74,00,68,00,69,00,73,00,20,00,69,00,73,00,0D,00,0A,00,0D,00,0A,00,\
  0D,00,0A,00,61,00,20,00,6d,00,75,00,6c,00,74,00,69,00,20,00,6c,00,69,00,6e,\
  00,65,00,20,00,73,00,74,00,72,00,69,00,6e,00,67,00,0D,00,0A,00,0D,00,0A,00
- If you want to edit the (Default) (value not set) values, the syntax is @ = "whatever".
Example:
[HKEY_CLASSES_ROOT\DesktopBackground\Shell\Power\shell\005RefreshExplorer\command]
@ = "cmd.exe /c taskkill /f /im explorer.exe & start explorer.exe"
- If you want to enter your hex as an "expandable string" instead of a "regular string", then use the hex(2): syntax.
Example:
"TMP"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,4c,00,\
  45,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,00,6f,\
  00,63,00,61,00,6c,00,5c,00,54,00,65,00,6d,00,70,00,00,00
It seems like all these expandable strings, that is, hex(2) strings, are null-terminated, judging from the endings. So, make sure your REG_SZ values and hex(2) values are null-terminated.
- If you want to make something autostart on boot from the registry, as opposed to using the startup folder, go to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Add a regular string, give it a name and set its data to the exact path of what you want to execute at startup. This also accepts some commands such as -background and -elevate.
Example:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SuperF4"="\"C:\\Users\\Username\\AppData\\Roaming\\SuperF4\\SuperF4.exe\" -elevate"
The "-elevate" syntax there makes it so that the program is run as an Admin if it can be. That may be necessary for some programs to work properly, but in some other cases, it will break the program instead.
I think the "-background" makes the program run in the background and not pop up when Windows boots, which would be the default behaviour.
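A way to review a .reg file before merging it, written as an added Python example that is not part of the original guide: it accepts only the encodings the guide found to import, joins the \ continuation lines, decodes hex string values to text, and marks writes under the Run key described above. The sample file and its "Example" value are constructed, and matching RunOnce as well is an assumption beyond what the guide covers.

```python
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)  # not exhaustive
VALUE = re.compile(r'(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)')

def reg_text(raw):
    """Decode raw .reg bytes: UTF-16LE with BOM or UTF-8; UTF-16BE raises."""
    return raw.decode("utf-16" if raw.startswith(b"\xff\xfe") else "utf-8-sig")

def decode_value(val):
    """Readable form of a value's data; hex(1), hex(2), hex(7) are UTF-16LE text."""
    m = re.fullmatch(r"hex(?:\(([0-9a-f]+)\))?:([0-9a-f,\s]*)", val, re.I)
    if m:
        data = bytes(int(t, 16) for t in m.group(2).split(",") if t.strip())
        is_text = m.group(1) in ("1", "2", "7")
        return data.decode("utf-16-le", "replace") if is_text else data
    if val.startswith('"'):
        return re.sub(r"\\(.)", r"\1", val[1:-1])  # undo \\ and \" escapes
    return val  # dword:... and anything else is reported verbatim

def audit_reg(raw):
    """List what a merge would do, as (action, key, value name, data) tuples."""
    lines = re.sub(r"\\\r?\n[ \t]*", "", reg_text(raw)).splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("line 1 is not a .reg header")
    body = [l.strip() for l in lines[1:]]
    ops, key = [], None
    for line in (l for l in body if l and not l.startswith(";")):
        if line.startswith("[-"):
            ops.append(("delete-key", line[2:-1], None, None))
            key = None
        elif line.startswith("["):
            key = line[1:-1]
        elif not (m := VALUE.fullmatch(line)) or key is None:
            ops.append(("unparsed", key, None, line))
        else:
            name, val = m.group(1).strip('"'), m.group(2)
            action = "autostart" if RUN_KEY.search(key) else "set"
            ops.append(("delete-value", key, name, None) if val == "-"
                       else (action, key, name, decode_value(val)))
    return ops

# Constructed sample (not a real export), saved as UTF-16LE with BOM and CRLF.
SAMPLE_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SuperF4"="\"C:\\Users\\Username\\AppData\\Roaming\\SuperF4\\SuperF4.exe\" -elevate"
"Example"=hex(2):6e,00,6f,00,74,00,65,00,70,00,61,00,64,00,\
  2e,00,65,00,78,00,65,00,00,00

[-HKEY_CLASSES_ROOT\.reg\ShellNew]
'''
SAMPLE = ("\ufeff" + SAMPLE_TEXT.replace("\n", "\r\n")).encode("utf-16-le")
```

Calling `audit_reg(SAMPLE)` returns two `autostart` entries, the second decoded from hex to `notepad.exe` plus its null terminator, followed by one `delete-key` entry.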
Registry Favorites
It is also possible to make some of the registry directories "Favorites". That way, you can easily access some of the popular registry areas.
These are also done by using the registry. So, browse to the key you want to add to "Favorites", click on "Favorites" in the menu and click on "Add to favorites" and give it a name.
When you do that, a new string value is created under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites, and its data is set to the path of the key you added.
A note on new file creation and new file naming
As is discussed in this document, I tell the reader detailed information on how to add an entry into the "Create New" menu that is found in the right-click context menu and I provide the code for doing that. I also discovered how to make the newly created file be created as a BOM file. This is because the registry files needed to be in the BOM format, which the entry was creating without. So I found how to make it BOM by using the hex values. I also found how to create a new file with a string that is already inside the file with the "Data" = syntax and this was helpful for the registry files. However, one thing I could not get around was the fact that I could not name the files differently as they appeared on the context menu entry and as they were created. So, I could change the name of the created file but I would also have to change the name from the context menu. It seemed to me like there would have been a way to name them separately, without having to rename the created file manually. Today, by accident, I have discovered a way of doing so using the "ItemName" = hex(2): syntax and I wanted to note that down as I believe it can be useful. The name of the newly created item can be directly obtained from its name as it is stored in a Windows .dll file as opposed to us trying to name it ourselves. When we name it ourselves we cannot get around the fact that the context menu entry and the created file share their names but when we grab the name from the .dll using the aforementioned syntax we can then go ahead and give another name to the entry menu with the syntax "FriendlyTypeName" = hex(2):. However, it can be difficult to find out where the name is stored, but if you can find that out, then this is one sure way of making the entry name and the created file name separate.
Check out this syntax for reference:
"ItemName" = hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
  00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,77,00,73,00,68,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,\
  00,34,00,38,00,30,00,32,00
Here the hex value says @%SystemRoot%\System32\wshext.dll,-4802. So, we are obtaining the name of the file from this .dll file, from its string resource 4802.
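The string-to-hex conversion used throughout this guide, as an added Python example that is not the author's tooling: it converts newlines to \r\n, encodes as UTF-16LE, appends the 00,00 terminator, and wraps at 80 columns with two-space continuation lines, which reproduces the exported TMP and solitaire lines quoted earlier. The key `HKEY_CURRENT_USER\Software\ExampleVendor` is hypothetical, and value names are assumed to need no escaping.

```python
import re

def encode_reg_string(text):
    """String value bytes: UTF-16LE, \\r\\n newlines, 00,00 terminator."""
    return re.sub(r"\r?\n", "\r\n", text).encode("utf-16-le") + b"\x00\x00"

def wrap_reg_hex(name, data, reg_type=None, width=80):
    """Format bytes as "name"=hex:.. (or hex(N):..) lines, wrapped like an export.

    Wrapped lines end in ",\\" and stay within `width` columns; continuation
    lines start with two spaces. The first byte always stays on the name's
    line, so a value name longer than `width` still produces valid syntax.
    Assumption: `name` contains no quote or backslash that would need escaping.
    """
    kind = "hex" if reg_type is None else "hex(%x)" % reg_type
    lines, cur, first = [], '"%s"=%s:' % (name, kind), True
    for i, byte in enumerate(data):
        last = i == len(data) - 1
        need = 2 if last else 4  # "xx", or "xx," plus room for the closing "\"
        if not first and len(cur) + need > width:
            lines.append(cur + "\\")
            cur = "  "
        cur += "%02x" % byte + ("" if last else ",")
        first = False
    return lines + [cur]

def build_reg_file(key, value_lines):
    """Version 5.00 file as bytes: header, blank lines, CRLF, UTF-16LE with BOM."""
    body = ["Windows Registry Editor Version 5.00", "", "[%s]" % key]
    body += list(value_lines) + ["", ""]
    return b"\xff\xfe" + "\r\n".join(body).encode("utf-16-le")

if __name__ == "__main__":
    # Constructed input: the guide's TMP string, to be placed under a hypothetical key.
    tmp = wrap_reg_hex("TMP", encode_reg_string("%USERPROFILE%\\AppData\\Local\\Temp"), 2)
    print("\n".join(tmp))
```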
END
Thanks for reading my guide.🙋
Further Reading:
http://www.informit.com/articles/article.aspx?p=1378466&seqNum=2 .
Yes, what you described is correct. It deletes the entry and recreates it with a blank string.
If you are trying to delete that entry in the menu altogether, that can be difficult to determine as there can be multiple CLSIDs.
They can vary from machine to machine as well and you will have to pinpoint the correct CLSIDs to make changes.
And you still might not be able to do what you are trying to do.