GetBinaryValue

Gets the binary data value of a named value.

Binary registry values are very cryptic, and difficult for humans to make sense of. However, there is useful information in the registry that is stored in binary format. As an advanced system administrator, you might find yourself interested in understanding, and possibly even editing, certain binary entries. For example, services are organized in groups. The GroupOrderList subkey stores information about the order in which groups of services are loaded when Windows boots. This information looks similar to the following:

17 0 0 0 14 0 0 0 1 0 0 0 2 0 0 0 3 0 0 0 4 0 0 0 5 0 0 0 6 0 0 0 7 0 0 0 8 0 0 0 9 0 0 0 10 0 0 0 11 0 0 0 12 0 0 0 13 0 0 0 15 0 0 0 16 0 0 0 17 0 0 0

Although this type of information is rarely useful to a system administrator, it can be important to support personnel troubleshooting computer problems. If support personnel need to know the value of a binary registry entry, you can use scripts to retrieve this information.

The caution about manipulating registry entries directly is even more relevant with binary entry values. For one thing, they are cryptic, with no obvious meaning. Along the same lines, they are difficult to remember in case you need to restore their original values. Although there is no harm in reading one of these values, be very careful about modifying the value in any way.

The Registry Provider includes the GetBinaryValue method to enable you to work with binary entry values. The method takes, as one of its parameters, a variable that is used to store the retrieved value. The value is returned as an array of bytes. Therefore, to extract the value, you need to loop through the array, extracting a single byte with each pass.
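The loop over the returned byte array, as an added example that is not part of the original page. The function names ConvertTo-DwordList and Get-RegBinaryValue are hypothetical, and reading the sample data as a count followed by little-endian DWORD tags is an assumption based on the shape of the sample shown above.

```powershell
function ConvertTo-DwordList {
    # Walks the byte array four bytes at a time and emits each group as a UInt32.
    # BitConverter uses the machine byte order, which is little-endian on Windows.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length % 4 -ne 0) {
        throw "Length $($Bytes.Length) is not a multiple of 4; not a DWORD list."
    }
    for ($i = 0; $i -lt $Bytes.Length; $i += 4) {
        [BitConverter]::ToUInt32($Bytes, $i)
    }
}

function Get-RegBinaryValue {
    # Read-only wrapper: calls GetBinaryValue and stops on a nonzero ReturnValue
    # instead of silently handing back an empty uValue.
    param(
        [UInt32]$hDefKey = 2147483650,   # HKEY_LOCAL_MACHINE (0x80000002)
        [Parameter(Mandatory)][string]$sSubKeyName,
        [Parameter(Mandatory)][string]$sValueName
    )
    $arguments = @{
        hDefKey     = $hDefKey
        sSubKeyName = $sSubKeyName
        sValueName  = $sValueName
    }
    $result = Invoke-CimMethod -ClassName StdRegProv -MethodName GetBinaryValue -Arguments $arguments
    if ($result.ReturnValue -ne 0) {
        throw "GetBinaryValue returned $($result.ReturnValue) for '$sSubKeyName' / '$sValueName'."
    }
    [byte[]]$result.uValue
}

# Sample bytes copied from the GroupOrderList data shown above (decimal byte values).
[byte[]]$sample = 17,0,0,0, 14,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0, 4,0,0,0,
                  5,0,0,0, 6,0,0,0, 7,0,0,0, 8,0,0,0, 9,0,0,0, 10,0,0,0,
                  11,0,0,0, 12,0,0,0, 13,0,0,0, 15,0,0,0, 16,0,0,0, 17,0,0,0

$dwords = @(ConvertTo-DwordList -Bytes $sample)
$count  = $dwords[0]                        # assumed: first DWORD is the entry count
$tags   = $dwords[1..($dwords.Count - 1)]   # assumed: remaining DWORDs are the tags

if ($tags.Count -ne $count) {
    Write-Warning "Header says $count entries but $($tags.Count) were found."
}
"Hex dump : " + (($sample | ForEach-Object { $_.ToString('X2') }) -join ' ')
"Decoded  : $count entries -> " + ($tags -join ' ')

# Live read on a Windows host (placeholders, fill in before use):
# $bytes = Get-RegBinaryValue -sSubKeyName '<subkey path>' -sValueName '<value name>'
```

Saving the hex dump before any change gives you the exact original bytes to restore from.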

For an example of how to use GetBinaryValue, see the example in the GetDWORDValue topic.

The Multithreaded Remote Registry Gathering with Powershell sample gathers specific subkey values or an entire registry key's subkey values with PowerShell and multithreading.

The following code sample uses WMI to read a binary registry value.

Example

Do not run the example code below just to see what happens. Many methods seriously affect your system. Always make sure you actually understand what the method and the code do.

param
(
  [Parameter(Mandatory)]
  [UInt32]
  $hDefKey,

  [Parameter(Mandatory)]
  [String]
  $sSubKeyName,

  [Parameter(Mandatory)]
  [String]
  $sValueName
)


Invoke-CimMethod -ClassName StdRegProv -MethodName GetBinaryValue -Arguments $PSBoundParameters

To run this method on one or more remote systems, use New-CimSession:

param
(
  [Parameter(Mandatory)]
  [UInt32]
  $hDefKey,

  [Parameter(Mandatory)]
  [String]
  $sSubKeyName,

  [Parameter(Mandatory)]
  [String]
  $sValueName,

  [String[]]
  $ComputerName,

  [PSCredential]
  $Credential
)


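# Pass only the method's own parameters to GetBinaryValue.
# ComputerName and Credential belong to the session, not to the method.
$arguments = @{
  hDefKey     = $hDefKey
  sSubKeyName = $sSubKeyName
  sValueName  = $sValueName
}

$session = New-CimSession -ComputerName $ComputerName -Credential $Credential

Invoke-CimMethod -ClassName StdRegProv -MethodName GetBinaryValue -Arguments $arguments -CimSession $session

# Always close the session so no authenticated connection is left open.
Remove-CimSession -CimSession $session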

Learn more about Invoke-CimMethod and invoking WMI methods.

Syntax

uint32 GetBinaryValue(
  [in]  uint32 hDefKey = HKEY_LOCAL_MACHINE,
  [in]  string sSubKeyName,
  [in]  string sValueName,
  [out] uint8  uValue[]
);

Parameters

hDefKey (UInt32)

Optional parameter that specifies the tree that contains the sSubKeyName path. The default value is HKEY_LOCAL_MACHINE (0x80000002). The following trees are defined in Winreg.h:

HKEY_CLASSES_ROOT (0x80000000)
HKEY_CURRENT_USER (0x80000001)
HKEY_LOCAL_MACHINE (0x80000002)
HKEY_USERS (0x80000003)
HKEY_CURRENT_CONFIG (0x80000005)
HKEY_DYN_DATA (0x80000006)

Note that HKEY_DYN_DATA is a valid tree for Windows 95 and Windows 98 computers only.

sSubKeyName (String)

Specifies the path that contains the named values.

sValueName (String)

Specifies the named value whose data value you are retrieving. Specify an empty string to get the default named value.

hDefKey

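# The values are discrete tree handles, not combinable bit flags, so no [Flags()] attribute.
# The explicit UInt32 underlying type requires PowerShell 6.2 or later; the values exceed the default Int32 range.
Enum StdRegProvhDefKey : UInt32
{
  HKEY_CLASSES_ROOT     = 2147483648 # 0x80000000
  HKEY_CURRENT_USER     = 2147483649 # 0x80000001
  HKEY_LOCAL_MACHINE    = 2147483650 # 0x80000002
  HKEY_USERS            = 2147483651 # 0x80000003
  HKEY_CURRENT_CONFIG   = 2147483653 # 0x80000005
}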

Return Value

Returns a value of type UInt32. Typically, a value of 0 indicates success.

See Also

Additional methods implemented by StdRegProv:

CheckAccess()

CheckAccess() verifies that the user has the specified access permissions.

CreateKey()

CreateKey() creates a subkey.

DeleteKey()

DeleteKey() deletes a subkey.

DeleteValue()

DeleteValue() deletes a named value.

EnumKey()

EnumKey() enumerates subkeys.

EnumValues()

EnumValues() enumerates the named values of a key.

GetDWORDValue()

GetDWORDValue() gets the DWORD data value of a named value.

GetExpandedStringValue()

GetExpandedStringValue() gets the expanded string data value of a named value.

GetMultiStringValue()

GetMultiStringValue() gets the multiple string data values of a named value.

GetQWORDValue()

GetQWORDValue() gets the QWORD data values of a named value.

GetSecurityDescriptor()

GetSecurityDescriptor() gets the security descriptor for a key.

GetStringValue()

GetStringValue() gets the string data value of a named value.

SetBinaryValue()

SetBinaryValue() sets the binary data value of a named value.

SetDWORDValue()

SetDWORDValue() sets the DWORD data value of a named value.

SetExpandedStringValue()

SetExpandedStringValue() sets the expanded string data value of a named value.

SetMultiStringValue()

SetMultiStringValue() sets the multiple string values of a named value.

SetQWORDValue()

SetQWORDValue() sets the QWORD data values of a named value.

SetSecurityDescriptor()

SetSecurityDescriptor() sets the security descriptor for a key.

SetStringValue()

SetStringValue() sets the string value of a named value.

Requirements

To use StdRegProv, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

StdRegProv was introduced on clients with Windows Vista and on servers with Windows Server 2008.

Namespace

StdRegProv lives in the Namespace Root/CIMv2. This is the default namespace. There is no need to use the -Namespace parameter in Get-CimInstance.

Implementation

StdRegProv is implemented in Stdprov.dll and defined in RegEvent.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\RegEvent.mof