How can I specify REG_EXPAND_SZ entries in a .REG file?

REG_MULTI_SZ data in .reg files must be encoded in hexadecimal. If the content never changes, you can create a dummy item in your registry with the data, export it, and adjust that to your needs.

If it does change, it will probably be far easier to use the reg program included with Windows to add it. To do so, call reg in this format:

Reg Add <KEY> /v <NAME> /t REG_MULTI_SZ /d <DATA> /s <SEPERATOR>

The seperator switch is optional. If not used, the strings to be written should be seperated by the escape sequence for the null character (\0). For instance, to add a item named Flair to HKLM\SOFTWARE\WhizBang\Excite-O-Rama with the strings foo, bar, and baz you would run:

Reg Add HKLM\SOFTWARE\WhizBang\Excite-O-Rama /v Flair /t REG_MULTI_SZ /d foo\0bar\0baz

To separate the data with commas instead, you would run:

Reg Add HKLM\SOFTWARE\WhizBang\Excite-O-Rama /v Flair /t REG_MULTI_SZ /d foo,bar,baz /s ,

For more information, consult Microsoft Docs for the Reg command.

• dword: = DWORD
• hex(2): = Expandable-String
• hex(7): = Multi-String

A DWORD is a 32-bit unsigned integer (decimal range: 0 - 4294967295), and, in the registry, a DWORD always begins with 0x and has 8 digits that follow 0x. This can be in decimal or hexadecimal format; for example, 1000 can be written as 0x00001000 or 0x000003e8.

DWORDS can only make use of the digits 0 - 9. Strings, of any kind, always use ASCII, and in ACSII, 1000 can only be written as 31,30,30,30. For the String data type, ASCII works in the background without you even knowing because the computer only understands 1s and 0s.

For Expandable-String and Multi-String data types, these save your entries as a series of ASCII codes in a hexadecimal format, separated by commas and hex zeroes; so an Expandable-String of 1000 would be hex(2):31,00,30,00,30,00,30,00

Let's convert %PROGRAMFILES% into an Expandable-String:

1. Use an ASCII to Hex Conversion Tool, input %PROGRAMFILES% into the text box, User defined Output delimiter: %, select Convert, and it will give you:

   %25%50%52%4F%47%52%41%4D%46%49%4C%45%53%25
   

2. Copy/paste that result into a text editor: Move the first % to the end, Find/Replace all % with ,00, and remove the comma at the very end of the string. You should get:

   25,00,50,00,52,00,4F,00,47,00,52,00,41,00,4D,00,46,00,49,00,4C,00,45,00,53,00,25,00
   

3. Finally:

   hex(2):25,00,50,00,52,00,4F,00,47,00,52,00,41,00,4D,00,46,00,49,00,4C,00,45,00,53,00,25,00
   

This lesson contains all the knowledge required to reverse engineer any hex-coded registry entry that is not encrypted.