I'm working with a new property schema, and have been in the habit of checking the registry when I register or unregister a new version. One of the primary places to check this is HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PROPERTYSYSTEM\PROPERTYSCHEMA
.
Interestingly, I occasionally lose access to this registry location in Regedit. I see see this (note the absence of PropertySchema):
I know the schemas are still registered, because I can use the prop.exe tool and propschema SDK sample application to describe them. The properties are available in Windows Explorer and in Search.
Also, I can use PowerShell to list the contents of this hive:
C:\Users\carlton> cd hklm:
HKLM:\>
C:\Users\carlton> cd hklm:
HKLM:\> cd SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PROPERTYSYSTEM\PROPERTYSCHEMA
HKLM:\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PROPERTYSYSTEM\PROPERTYSCHEMA> dir
Hive: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PROPERTYSYSTEM\PROPERTYSCHEMA
Name Property
---- --------
0000 (default) : C:\Program Files\Internet Explorer\ie9props.propdesc
SchemaId : {D9B5ABA1-5E8A-4902-B6A1-50B3C0311C2E}
URI : ie9props.propdesc
CompactURI : 5376bae4b39f43768806afcb6b8ff5464bf9c989d1a819c6e6d99ba1e8ce2512
0001 (default) : C:\Program Files\Microsoft Office\Office14\Custom.propdesc
SchemaId : {537AAAB1-1D85-48DC-A99E-16EB8C309FE5}
URI : custom.propdesc
CompactURI : 2e3be58e5cbbc0da093956b46a3905f11cf0f5bbf11987a8619e25f7261ee8be
0002 (default) : C:\apps\MSOffice\Office14\VisioCustom.propdesc
SchemaId : {18503526-0466-4942-AC6E-41C1D380EABA}
URI : visiocustom.propdesc
...
Anyway, I don't understand how this happens, and whether I should be worried about it. Exporting this key from a colleague's machine and re-importing it can temporarily help, as it will show keys in Regedit that were hidden/missing (even if they weren't on my colleague's machine).
I'm in the Administrators group, running Windows 7 SP1.
One of the easiest ways to find registry keys and values is using the Get-ChildItem cmdlet. This uses PowerShell to get a registry value and more by enumerating items in PowerShell drives. In this case, that PowerShell drive is the HKLM drive found by running Get-PSDrive .
A malicious program could hide itself in a registry key by creating a string with a long name, which would allow the malicious string and any created after it in the same key to remain hidden, according to Secunia. Keys are stored in the Windows Registry, which saves a PC's configuration settings.
To delete the registry key using PowerShell, we can use the Remove-Item command. Remove-Item command removes the registry key from the path specified. For example, we have the registry key name NodeSoftware stored at the path HKLM, under the Software key.
There are two ways to open Registry Editor in Windows 10: In the search box on the taskbar, type regedit, then select Registry Editor (Desktop app) from the results. Right-click Start , then select Run. Type regedit in the Open: box, and then select OK.
The 32bit program data on 64bit systems available in 'Wow6432Node' folder of the registry (in above case 'SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS...'). This is transparent to the applications, hence you can read data from applications but you don't see that in Regedit.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With