How can I specify REG_EXPAND_SZ entries in a .REG file?
REG_MULTI_SZ data in .reg files must be encoded in hexadecimal. If the content never changes, you can create a dummy item in your registry with the data, export it, and adjust that to your needs.
If it does change, it will probably be far easier to use the reg program included with Windows to add it. To do so, call reg in this format:
Reg Add <KEY> /v <NAME> /t REG_MULTI_SZ /d <DATA> /s <SEPARATOR>
The separator switch is optional. If not used, the strings to be written should be separated by the escape sequence for the null character (\0). For instance, to add an item named Flair to HKLM\SOFTWARE\WhizBang\Excite-O-Rama with the strings foo, bar, and baz you would run:
Reg Add HKLM\SOFTWARE\WhizBang\Excite-O-Rama /v Flair /t REG_MULTI_SZ /d foo\0bar\0baz
To separate the data with commas instead, you would run:
Reg Add HKLM\SOFTWARE\WhizBang\Excite-O-Rama /v Flair /t REG_MULTI_SZ /d foo,bar,baz /s ,
For more information, consult Microsoft Docs for the Reg command.
dword: = DWORD
hex(2): = Expandable-String
hex(7): = Multi-String
A DWORD is a 32-bit unsigned integer (decimal range: 0 - 4294967295), and, in the registry, a DWORD always begins with 0x and has 8 digits that follow 0x. This can be in decimal or hexadecimal format; for example, 1000 can be written as 0x00001000 or 0x000003e8.
DWORDs can only make use of the digits 0 - 9. Strings, of any kind, always use ASCII, and in ASCII, 1000 can only be written as 31,30,30,30. For the String data type, ASCII works in the background without you even knowing because the computer only understands 1s and 0s.
For Expandable-String and Multi-String data types, these save your entries as a series of ASCII codes in a hexadecimal format, separated by commas and hex zeroes; so an Expandable-String of 1000 would be hex(2):31,00,30,00,30,00,30,00.
Let's convert %PROGRAMFILES% into an Expandable-String:
- Use an ASCII to Hex Conversion Tool, input %PROGRAMFILES% into the text box, set User defined Output delimiter to %, select Convert, and it will give you: %25%50%52%4F%47%52%41%4D%46%49%4C%45%53%25
- Copy/paste that result into a text editor: move the first % to the end, Find/Replace all % with ,00, and remove the comma at the very end of the string. You should get: 25,00,50,00,52,00,4F,00,47,00,52,00,41,00,4D,00,46,00,49,00,4C,00,45,00,53,00,25,00
- Finally: hex(2):25,00,50,00,52,00,4F,00,47,00,52,00,41,00,4D,00,46,00,49,00,4C,00,45,00,53,00,25,00
This lesson contains all the knowledge required to reverse engineer any hex-coded registry entry that is not encrypted.
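The manual conversion in the answer above, and the REG_MULTI_SZ layout the first answer writes with reg add, can both be automated. The following is an added example, not code from the question or either answer: it builds the hex(2): and hex(7): right-hand sides for a .reg file and parses them back, including dword: and plain hex: (REG_BINARY) lines and the backslash-wrapped continuation lines regedit produces when exporting long values. It encodes text as UTF-16LE, which for ASCII characters is exactly the "byte, 00" pattern shown above and also covers characters outside ASCII, and it appends the terminating 00,00 (one per string plus a final one for REG_MULTI_SZ) that regedit writes on export. The value name "Path" and the exact wrap position in the constructed sample export are illustrative assumptions; "Flair", foo/bar/baz and %PROGRAMFILES% come from the answers.

```python
"""Build and parse the hex-encoded value lines used by .reg files.

Added worked example, not code from the original question or answers.
Encodes REG_EXPAND_SZ (hex(2)) and REG_MULTI_SZ (hex(7)) the way regedit exports
them: UTF-16LE bytes, each written as two lowercase hex digits separated by commas,
with the terminating null(s) included. Also reverses the process for exported lines
that regedit wrapped with a trailing backslash.
"""

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7


def _hex_list(data: bytes) -> str:
    """Bytes -> 'aa,bb,cc' as regedit writes them."""
    return ",".join(f"{b:02x}" for b in data)


def encode_expand_sz(value: str) -> str:
    """Right-hand side for a REG_EXPAND_SZ value: UTF-16LE text plus the 00,00 terminator."""
    return "hex(2):" + _hex_list(value.encode("utf-16-le") + b"\x00\x00")


def encode_multi_sz(strings) -> str:
    """Right-hand side for REG_MULTI_SZ: every string null-terminated, then one more null."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return "hex(7):" + _hex_list(data)


def reg_value_line(name: str, rhs: str) -> str:
    """Full .reg value line, e.g. "Path"=hex(2):...; regedit imports unwrapped lines fine."""
    return f'"{name}"={rhs}'


def parse_reg_value_line(text: str):
    """Parse one (possibly wrapped) value line into (name, reg_type, python_value).

    Handles dword:, hex: (REG_BINARY) and hex(N): forms. Quoted REG_SZ values and
    escaped quotes inside value names are out of scope for this example.
    """
    # Rejoin continuation lines: regedit ends each wrapped line with "\" and indents the next.
    joined = "".join(line.strip().rstrip("\\").strip() for line in text.splitlines())
    if joined.startswith("@="):
        name, rhs = None, joined[2:]                 # "@" is the key's default value
    else:
        end = joined.index('"=', 1)
        name, rhs = joined[1:end], joined[end + 2:]

    kind, _, body = rhs.partition(":")
    if kind == "dword":
        return name, REG_DWORD, int(body, 16)        # dword data is always hex in a .reg file
    if not kind.startswith("hex"):
        raise ValueError(f"unsupported value syntax: {rhs[:16]!r}")
    reg_type = REG_BINARY if kind == "hex" else int(kind[4:-1])
    data = bytes(int(pair, 16) for pair in body.split(",") if pair)

    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return name, reg_type, data.decode("utf-16-le").split("\x00", 1)[0]  # stop at terminator
    if reg_type == REG_MULTI_SZ:
        items = []
        for s in data.decode("utf-16-le").split("\x00"):
            if s == "":
                break                                # an empty string ends the list
            items.append(s)
        return name, reg_type, items
    return name, reg_type, data                      # REG_BINARY and anything else: raw bytes


# Constructed sample of what regedit writes when exporting an expandable string
# (the value name "Path" and the wrap position are assumptions made for this example).
SAMPLE_EXPORT = '''"Path"=hex(2):25,00,50,00,52,00,4f,00,47,00,52,00,41,00,4d,00,46,00,49,00,4c,00,\\
  45,00,53,00,25,00,00,00'''

if __name__ == "__main__":
    print(reg_value_line("Path", encode_expand_sz("%PROGRAMFILES%")))
    print(reg_value_line("Flair", encode_multi_sz(["foo", "bar", "baz"])))
    print(parse_reg_value_line(SAMPLE_EXPORT))
```

Paste the printed lines under the appropriate [HKEY_...] header of a .reg file; regedit accepts the value in either hex case and with or without the line wrapping.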