How to Search the Registry for a String in Batch Script

Searching the entire Windows Registry for a specific piece of text (be it a program name, a configuration value, or a user setting) is a powerful diagnostic and administrative capability. This can help you find where a program stores its settings, locate all references to a specific server, or troubleshoot persistent configuration issues. The standard, built-in command-line tool for this comprehensive task is REG.EXE.

This guide will teach you how to use the REG QUERY command with its built-in search functionality. You will learn how to search for text in registry keys, values, and data, how to make your search recursive, and how to save the results to a file for analysis.

The Core Command: REG QUERY /F

The REG.EXE utility's QUERY command is used to display the contents of a registry key. Its /F (Find) switch transforms it from a simple display tool into a powerful search engine.

Syntax: REG QUERY <KeyName> /f <SearchString> [Options]

  • <KeyName>: The starting key for the search (e.g., HKLM\Software). You must specify a starting point.
  • /f <SearchString>: The find switch, followed by the text you are searching for.
  • [Options]: Additional switches to control the depth and scope of the search.

The Key Search Parameters Explained

To control your search, you combine the /f switch with several other options.

| Switch | Name | Description |
| --- | --- | --- |
| /f <String> | Find | (Required) The string to search for. Must be in double quotes if it contains spaces. |
| /k | Search Keys | Searches only the names of registry keys. This is the default if no other scope is set. |
| /v | Search Values | Searches only the names of registry values. |
| /d | Search Data | Searches only the data stored within registry values. |
| /s | Search Subkeys | (Essential) Makes the search recursive, searching the specified key and all subkeys beneath it. |
| /c | Case-sensitive | Makes the search case-sensitive. By default, it is case-insensitive. |
| /e | Exact matches | Searches for the exact full name of a key or value. |

A typical command to find all occurrences of a string would be: REG QUERY HKLM\Software /f "My App" /s (This searches keys, values, and data).

Let's search the entire HKEY_CURRENT_USER hive for any mention of "Notepad". This will be slow.

@ECHO OFF
ECHO --- Searching the entire HKCU hive for "Notepad" ---
ECHO This will take a significant amount of time...
ECHO.

REM /s makes it recursive.
REG QUERY HKCU /f "Notepad" /s

The command prints every key, value, and data field where "Notepad" is found.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_CURRENT_USER\Software\Microsoft\Notepad

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt
a REG_BINARY ...N.o.t.e.p.a.d...

... (many more results) ...
End of search: 15 match(es) found.

How to Capture the Search Results in a Script

The output of a registry search can be massive. For any serious analysis, you should redirect the output to a file.

@ECHO OFF
SET "SearchTerm=MyApplication"
SET "SearchRoot=HKLM\Software"
SET "ReportFile=%USERPROFILE%\Desktop\Registry_Search_Results.txt"

ECHO --- Searching the Registry ---
ECHO Term: "%SearchTerm%"
ECHO Root: "%SearchRoot%"
ECHO Saving results to: "%ReportFile%"
ECHO This may take several minutes...

REM --- Redirect all output (including errors) to the report file ---
REG QUERY "%SearchRoot%" /f "%SearchTerm%" /s > "%ReportFile%" 2>&1

ECHO.
ECHO [SUCCESS] Search is complete.
START "" "%ReportFile%"

Common Pitfalls and How to Solve Them

Problem: The Search is Extremely Slow

Searching the entire registry (HKLM or HKCU) is a very intensive operation that can take many minutes to complete, as the command has to read thousands of keys.

Solution: Be as specific as possible with your starting key. If you know the setting is related to a specific piece of software, start your search there.

REG QUERY "HKLM\Software\MyCompany" /f "setting" /s

This is far faster than searching all of HKLM.

Problem: "Access is denied." (Administrator Privileges)

When you recursively search HKEY_LOCAL_MACHINE or HKEY_CLASSES_ROOT, the REG command will try to read protected keys that standard users cannot access. It will print many "Access is denied" errors.

Solution: For a complete and clean search, you must run your script as an Administrator. This will grant REG QUERY the necessary permissions to read almost the entire registry.
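
The two sections above (capturing results, and "Access is denied" errors) combined in one added example that is not part of the original page: matches and errors go to separate files, and the match count is read from the "End of search" summary line. The variable names, search term and %TEMP% paths are assumptions, and the summary-line parsing assumes English REG.EXE output.

```batch
@ECHO OFF
SETLOCAL
REM Added example. Variable names, search term and paths are assumptions.
SET "SearchTerm=OLD-FILE-SRV"
SET "SearchRoot=HKLM\Software"
REM Registry data can include sensitive values, so the files stay in the per-user temp folder.
SET "ReportFile=%TEMP%\reg_search_results.txt"
SET "ErrorFile=%TEMP%\reg_search_errors.txt"

REM /d searches value data only; /s recurses into subkeys.
REM Matches (stdout) and errors such as "Access is denied" (stderr) go to separate files.
REG QUERY "%SearchRoot%" /f "%SearchTerm%" /d /s > "%ReportFile%" 2> "%ErrorFile%"
SET "RegExit=%ERRORLEVEL%"

REM Read N from the summary line "End of search: N match(es) found." (English output assumed).
SET "MatchCount=0"
FOR /F "tokens=4" %%M IN ('FINDSTR /B /C:"End of search:" "%ReportFile%"') DO SET "MatchCount=%%M"

REM Count the lines REG QUERY wrote to stderr.
SET "ErrorCount=0"
FOR /F %%E IN ('TYPE "%ErrorFile%" ^| FIND /C /V ""') DO SET "ErrorCount=%%E"

ECHO Search root      : %SearchRoot%
ECHO Matches reported : %MatchCount%
ECHO Error lines      : %ErrorCount%
ECHO REG QUERY exit   : %RegExit%

IF "%MatchCount%"=="0" (
    ECHO No matches were found under the search root.
) ELSE (
    ECHO Keys that contain a match:
    REM Key paths start at column 1 with HKEY_; value lines are indented.
    FINDSTR /B /C:"HKEY_" "%ReportFile%"
)
IF NOT "%ErrorCount%"=="0" ECHO Some keys could not be read. See "%ErrorFile%".

ENDLOCAL & EXIT /B %RegExit%
```

A non-zero error-line count on a standard-user run means the result set is incomplete, which is the cue to repeat the search from an elevated prompt.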

Problem: The Search String Contains Spaces

If the text you are searching for contains spaces, you must enclose it in double quotes.

The Correct Syntax

REM This is the correct way to search for a multi-word string.
REG QUERY HKCU /f "My App Name" /s

Practical Example: Finding All References to an Old Server Name

This script is a useful tool for a system migration. It searches the entire registry for any mention of an old, decommissioned file server, allowing an administrator to find and update any lingering UNC path references.

@ECHO OFF
SETLOCAL
REM This script MUST be run as an Administrator for a full search.

SET "OldServerName=OLD-FILE-SRV"
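SET "ReportFile=C:\Logs\Registry_Server_Scan.txt"
REM Create the report folder if it is missing; otherwise the redirections below fail.
FOR %%F IN ("%ReportFile%") DO IF NOT EXIST "%%~dpF" MKDIR "%%~dpF"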

ECHO --- Searching for references to '%OldServerName%' ---
ECHO This is a full system scan and will take a very long time.
ECHO Results will be saved to: "%ReportFile%"
ECHO.
PAUSE

REM --- We search both major hives, HKLM and HKU (HKU covers every loaded user profile) ---
ECHO Searching HKEY_LOCAL_MACHINE...
(
ECHO ==========================================================
ECHO RESULTS FOR HKEY_LOCAL_MACHINE
ECHO ==========================================================
) > "%ReportFile%"
REG QUERY HKLM /f "%OldServerName%" /s >> "%ReportFile%" 2>&1

ECHO.
ECHO Searching HKEY_USERS (for all user profiles)...
(
ECHO ==========================================================
ECHO RESULTS FOR HKEY_USERS
ECHO ==========================================================
) >> "%ReportFile%"
REG QUERY HKU /f "%OldServerName%" /s >> "%ReportFile%" 2>&1

ECHO.
ECHO [SUCCESS] Scan complete. Opening the report...
START "" "%ReportFile%"
ENDLOCAL

Conclusion

The REG QUERY /f command is the definitive, built-in tool for searching the Windows Registry from the command line.

Key takeaways for using it effectively:

  • The syntax is REG QUERY <StartKey> /f "SearchString" [options].
  • The /s switch is essential for a recursive search through a key and its subkeys.
  • Be as specific as possible with your <StartKey> to dramatically improve performance.
  • You must run your script as an Administrator to get a complete and error-free search of system-wide keys.
  • For any large-scale search, redirect the output to a file (> report.txt) for later analysis.