Skip to content

Instantly share code, notes, and snippets.

@SalviaSage

SalviaSage/Correct Windows Registry Syntax.md

Last active April 18, 2025 22:05
Show Gist options
  • Save SalviaSage/8eba542dc27eea3379a1f7dad3f729a0 to your computer and use it in GitHub Desktop.
Save SalviaSage/8eba542dc27eea3379a1f7dad3f729a0 to your computer and use it in GitHub Desktop.
Download ZIP
Guide on editing the Windows Registry.
Raw
Correct Windows Registry Syntax.md

Correct Windows Registry Syntax

Last Revised: 2025-04-18

I made this guide to help anyone interested in editing the Windows Registry.

Signed;
    𝓞. 𝓞𝔃𝓽𝓮𝓴𝓲𝓷

It is possible to modify the entries of the Windows Registry.
To do this, you need to create a file that ends with the extension .reg.

.reg file encoding:

File Extension: .reg
File Encoding: UCS‑2 LE BOM (UTF‑16)
    (Previously used 8‑bit, also called single byte, before version 5.00. But uses 16‑bit, double‑byte now.)
Line Endings: \r\n (carriage return + line feed characters, CRLF, are used at the end of all lines in the Windows Registry.)

When you export a key from the Windows Registry; you get a .reg file with the UCS‑2 LE BOM encoding which is a UTF‑16 file encoding. This is because Windows switched from using ANSI to UTF‑16 file encoding when it switched from REGEDIT4 to Windows Registry Editor Version 5.00.

Some history: Windows Registry was introduced in Windows 3.1. Windows 95 and Windows 98 used the Windows Registry Editor version 4.00, which was ANSI, the older, deprecated format. Windows 2000 and later versions of Windows use the Windows Registry Editor version 5.00 which is UTF‑16, the newer Unicode format. Going from 8‑bit to 16‑bit doubled the file size of the Windows Registry. However, I approve of this design decision, and the file size is not an issue nowadays.

I tested the file encodings that work and that do not work:

UTF‑8 = works.
UTF‑8 BOM = works.
UCS‑2 BE BOM = does not work.
UCS‑2 LE = does not work.
UCS‑2 LE BOM = works (preferred encoding).

Windows Registry uses the \r\n line endings everywhere internally.

This is because everything that is Windows, especially internally, uses this line ending. If your .reg file uses the \n line endings it will still work, but using it internally, such as in hex values or anywhere else inside the registry is a mistake as this line ending will not be recognised. So, to be safe, use the \r\n line endings everywhere in Windows Registry.

Windows Registry exports registry files with two blank lines at the bottom of the file. Perhaps that is because they are null‑terminated or have the byte order mark (BOM) character at the end of files.

Thus, these are the standards that we should follow when making a .reg file.

So, for example, if you first create a .txt file and then rename it and change its extension to .reg, your file will probably be in the ANSI or the UTF‑8 format.

Those formats work too, but, I highly recommend formatting all .reg files with the /r/n line endings and setting the encoding of the files to UCS‑2 LE BOM.

Fortunately, there is an easier way to create .reg files with the correct encoding and syntax.

Simply copy and paste the below code into a .reg file and merge the file into the Windows Registry:

Windows Registry Editor Version 5.00

;; Adds a new entry to the Context Menu -> New -> Windows Registry File.
;; The file will be created with the following string already in it:

;;    Windows Registry Editor Version 5.00
;;
;;    ;; comment reserved
;;
;;    []
;;
;;

[HKEY_CLASSES_ROOT\.reg\ShellNew]
"Data" = hex:FF,FE,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,00,65,\
  00,67,00,69,00,73,00,74,00,72,00,79,00,20,00,45,00,64,00,69,00,74,00,6f,00,\
  72,00,20,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,20,00,35,00,2e,00,30,\
  00,30,00,0d,00,0a,00,0d,00,0a,00,3b,00,3b,00,20,00,63,00,6f,00,6d,00,6d,00,\
  65,00,6e,00,74,00,20,00,72,00,65,00,73,00,65,00,72,00,76,00,65,00,64,00,0d,\
  00,0a,00,0d,00,0a,00,5b,00,5d,00,0d,00,0a,00,0d,00,0a,00

[HKEY_CLASSES_ROOT\regfile]
"FriendlyTypeName" = hex(2):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
  52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,20,00,46,00,69,00,6c,00,65,\
  00,00,00
"FriendlyTypeName.bak" = hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,\
  00,52,00,6f,00,6f,00,74,00,25,00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,\
  74,00,2e,00,65,00,78,00,65,00,2c,00,2d,00,33,00,30,00,39,00,00,00

Or, you can download this .reg file from my web address:
https://github.com/SalviaSage/The-Registry-Repo/tree/master/Add%20Entries%20to%20the%20%27New%27%20Context%20Menu/Windows%20Registry%20File%20(.reg)

If you want to uninstall it, make a .reg file, and, copy and paste the below code in it. Save it, and merge it.

Windows Registry Editor Version 5.00

;; Deletes the Windows Registry entry from the "Create New" Context Menu.

[-HKEY_CLASSES_ROOT\.reg\ShellNew]

[HKEY_CLASSES_ROOT\regfile]
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
  00,6f,00,6f,00,74,00,25,00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,74,00,\
  2e,00,65,00,78,00,65,00,2c,00,2d,00,33,00,30,00,39,00,00,00
"FriendlyTypeName.bak" = -

You can also download this uninstallation file here:
https://github.com/SalviaSage/The-Registry-Repo/tree/master/Add%20Entries%20to%20the%20%27New%27%20Context%20Menu/Windows%20Registry%20File%20(.reg)

Now, you can right‑click anywhere and go to "new" and create your .reg file from there and it will have the UCS‑2 LE BOM encoding and the necessary syntax for editing the Windows Registry already present so you don't have to type that every time.

The below section deals with making "create new" entries with BOM encodings:

Example:

[HKEY_CLASSES_ROOT\.reg\ShellNew]
"Data" = hex:57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,00,65,00,67,00,\
  69,00,73,00,74,00,72,00,79,00,20,00,45,00,64,00,69,00,74,00,6f,00,72,00,20,\
  00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,20,00,35,00,2e,00,30,00,30,00,\
  0d,00,0a,00,0d,00,0a,00,3b,00,3b,00,20,00,63,00,6f,00,6d,00,6d,00,65,00,6e,\
  00,74,00,20,00,72,00,65,00,73,00,65,00,72,00,76,00,65,00,64,00,0d,00,0a,00,\
  0d,00,0a,00,5b,00,5d,00,0d,00,0a,00,0d,00,0a,00

Becomes:

[HKEY_CLASSES_ROOT\.reg\ShellNew]
"Data" = hex:ff,fe,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,00,65,\
  00,67,00,69,00,73,00,74,00,72,00,79,00,20,00,45,00,64,00,69,00,74,00,6f,00,72,\
  00,20,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,20,00,35,00,2e,00,30,00,30,\
  00,0d,00,0a,00,0d,00,0a,00,3b,00,3b,00,20,00,63,00,6f,00,6d,00,6d,00,65,00,6e,\
  00,74,00,20,00,72,00,65,00,73,00,65,00,72,00,76,00,65,00,64,00,0d,00,0a,00,0d,\
  00,0a,00,5b,00,5d,00,0d,00,0a,00,0d,00,0a,00

Adding the FF,FE hex values at the start of the file creates it with the BOM instead of without it. This can be useful in some situations, as it is useful here with registry files.

.reg file syntax:

  • Windows Registry Editor Version 5.00 must be present on line 1.
  • REGEDIT4 can also be present on line 1, which is still seen in some registry files, this is the earlier version that still works.
  • The second line must be blank.
  • There must be a blank line between all [HKEY_] entries.
  • There should be a blank line at the end of .reg files.
    The Registry Editor exports with two blank lines at the end of the files as discussed above.
  • The comment syntax is the semi‑colon ;.
    There are no multi‑line comments.
    I like to use an extra comment syntax ;; to differentiate actual comments from commented‑out code.

Example .reg file:

Windows Registry Editor Version 5.00

;; Adds a new entry to the Context Menu -> New -> Windows Registry File.
;; The file will be created with the following string already in it:

;;    Windows Registry Editor Version 5.00
;;
;;    ;; comment reserved
;;
;;    []
;;

[HKEY_CLASSES_ROOT\.reg\ShellNew]
"Data" = hex:57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,00,65,00,67,00,\
  69,00,73,00,74,00,72,00,79,00,20,00,45,00,64,00,69,00,74,00,6f,00,72,00,20,\
  00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,20,00,35,00,2e,00,30,00,30,00,\
  0d,00,0a,00,0d,00,0a,00,3b,00,3b,00,20,00,63,00,6f,00,6d,00,6d,00,65,00,6e,\
  00,74,00,20,00,72,00,65,00,73,00,65,00,72,00,76,00,65,00,64,00,0d,00,0a,00,\
  0d,00,0a,00,5b,00,5d,00,0d,00,0a,00,0d,00,0a,00

[HKEY_CLASSES_ROOT\regfile]
"FriendlyTypeName" = hex(2):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,52,\
  00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,20,00,46,00,69,00,6c,00,65,00,\
  00,00
"FriendlyTypeName.bak" = hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,\
  00,52,00,6f,00,6f,00,74,00,25,00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,\
  74,00,2e,00,65,00,78,00,65,00,2c,00,2d,00,33,00,30,00,39,00,00,00
  • If you want to delete a KEY, put a hyphen‑minus character before the directory name. Example:
[-HKEY_CLASSES_ROOT\regfile]
  • If you want to delete an entry(value) inside a key, type the name of the value and assign it to a hyphen‑minus character. Example:
[HKEY_CLASSES_ROOT\.bmp\ShellNew]
"NullFile" = -
  • If you launch the Registry Editor as System (not as the administrator, but as System) you can see some of the hidden keys.
    There are third‑party computer programs that allow the launching of programs as System such as PowerRun and NSudo.
    You can also make edits to some of the protected keys and values that otherwise you won't be able to edit.
  • The only way to correctly insert new lines inside a string is with the \r\n characters entered as hex (0D,00,0A,00).
    Only \n (0A,00) does not work here, and it is not possible to make new lines without using hex values. I tried and I couldn't.
  • Hex values are accepted. Strings can be entered as hex values in the following format:
"TMP"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,4c,00,\
  45,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,00,6f,\
  00,63,00,61,00,6c,00,5c,00,54,00,65,00,6d,00,70,00,00,00
  • These keys are not case‑sensitive (0e == 0E).
    The registry editor exports them in the small case. So, we should stick with that format, but it doesn't matter otherwise.
  • The hex values wrap at 80 characters unless the string that the hex values are assigned to already exceeds 80 characters.
    Example of a hex value with the first line exceeding the 80 characters wrap:
"windowspackagesettings-notifications-microsoft.microsoftsolitairecollection_8wekyb3d8bbwe"=hex:94,\
  2d,13,87,31,e6,d3,01

Notice how only the first hex value is there which is then wrapped down with the \ syntax. If the string were not as long, more hex values would have been there which would then wrap at 80. Although I think the code will still work if you don't wrap, it is better to wrap for legibility and that is also what the Registry Editor does.

  • The next line must start with two spaces.
    Look at the example above, and notice the second line for the hex values starting with two empty spaces.
  • There is another registry editor called Registry Finder which can do more than the Windows Registry Editor in some areas.
    It complements the Windows Registry Editor.
  • It can import and export binary data, this data must be in the string format, not in the hex format.
  • It can undo changes with CTRL+Z.
  • It is fast and it's good at searching and finding registry entries.
  • It can also export individual values from keys whereas the Windows Registry Editor only exports whole keys.
  • There are many other features. Check out this free program here:
    http://registry-finder.com/ (Thanks Sergey Filippov.)
  • Pay attention to all the 00 characters when entering strings as hex values into the registry.
    This is because Microsoft switched from using single‑byte to double‑byte values for the Windows Registry and other areas of Windows.
    This made it so that all the hex values were followed by these double zeros.

So, simply converting strings to regular, single‑byte hex does not work here! Read more about that here:
https://tinyapps.org/blog/201204010730_registry_hex_to_text.html

"Data" = "this is


a multi line string


"

The correct way to enter the above string would be in hex with the \r\n characters for new lines written in hex like this:

"Data"=hex:74,00,68,00,69,00,73,00,20,00,69,00,73,00,0D,00,0A,00,0D,00,0A,00,\
  0D,00,0A,00,61,00,20,00,6d,00,75,00,6c,00,74,00,69,00,20,00,6c,00,69,00,6e,\
  00,65,00,20,00,73,00,74,00,72,00,69,00,6e,00,67,00,0D,00,0A,00,0D,00,0A,00,\
  • If you want to edit the (Default) (value not set) values, the syntax is @ = "whatever". Example:
[HKEY_CLASSES_ROOT\DesktopBackground\Shell\Power\shell\005RefreshExplorer\command]
@ = "cmd.exe /c taskkill /f /im explorer.exe  & start explorer.exe"
  • If you want to enter your hex as an "expandable string" instead of a "regular string", then use the hex(2): syntax. Example:
"TMP"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,4c,00,\
  45,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,00,6f,\
  00,63,00,61,00,6c,00,5c,00,54,00,65,00,6d,00,70,00,00,00

It seems like all these expandable strings, that is, hex(2) strings, are null‑terminated, judging from the endings. So, make sure your REG_SZ values and hex(2) values are null‑terminated.

  • If you want to make something auto-start on boot from the registry, as opposed to using the startup folder. Go to this key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Add a regular string, give it a name and set its exact directory to what you want to execute at startup.
This also accepts some commands such as -background and -elevate. Example:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SuperF4"="\"C:\\Users\\Username\\AppData\\Roaming\\SuperF4\\SuperF4.exe\" -elevate"

The -elevate syntax there makes it so that the program is run as an Admin if it can be. That may be necessary for some programs to work properly, but in some other cases, it will break the program instead.

I think the -background syntax makes the program run in the background and not pop up when Windows boots, which would be the default behaviour.

Registry Favorites

It is also possible to make some of the registry directories "Favorites". That way, you can easily access some of the popular registry areas.

These are also done by using the registry. So, browse to the key you want to add to "Favorites", click on "Favorites" in the menu and click on "Add to favorites" and give it a name.

When you do that, a new string is made in this directory in the registry and its data is assigned to the registry directory:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

A note on new file creation and new file naming

As is discussed in this document, I tell the reader detailed information on how to add an entry into the "Create New" menu that is found in the right‑click context menu and I provide the code for doing that. I also discovered how to make the newly created file be created as a BOM file. This is because the registry files needed to be in the BOM format, which the entry was creating without. So I found how to make it BOM by using the hex values. I also found how to create a new file with a string that is already inside the file with the "Data" = syntax and this was helpful for the registry files. However, one thing I could not get around was the fact that I could not name the files differently as they appeared on the context menu entry and as they were created. So, I could change the name of the created file but I would also have to change the name from the context menu. It seemed to me like there would have been a way to name them separately, without having to rename the created file manually. Today, by accident, I have discovered a way of doing so using the "ItemName" = hex(2): syntax and I wanted to note that down as I believe it can be useful. The name of the newly created item can be directly obtained from its name as it is stored in a Windows .dll file as opposed to us trying to name it ourselves. When we name it ourselves we can not get around the fact that the context menu entry and the created file share their names but when we grab the name from the .dll using the aforementioned syntax we can then go ahead and give another name to the entry menu with the syntax "FriendlyTypeName" = hex(2):. However, it can be difficult to find out where the name is stored, but if you can find that out, then this is one sure way of making the entry name and the created file name separate.

Check out this syntax for reference:

"ItemName" = hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
  00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,77,00,73,00,68,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,\
  00,34,00,38,00,30,00,32,00

Here the hex value says @%SystemRoot%\System32\wshext.dll,-4802.
So, we are obtaining the name of the file from this file, in its 4802 key value.

Thanks for reading my guide. 🙋
Further Reading:
http://www.informit.com/articles/article.aspx?p=1378466&seqNum=2

END

@sbohning
Copy link

sbohning commented Jan 14, 2025
edited
Loading

Thanks for putting together this useful guide!
One point on terminology, though, I think wherever you have UCS-2 it should be UTF-16. Per other sources, Windows uses UTF-16 LE (BOM).

FYI, my understanding of this is limited to Wikipedia description of "UTF-16". UCS-2 always uses exactly two bytes, 16 bits. UTF-16 is the same for Unicode characters / code points up to U+FFFF, but it can encode higher code points, using four bytes, 32 bits. E.g. for a REG_SZ key "A😀" ("A" and a GRINNING FACE emoji), the key exported to a .reg file has a BOM sat the start of the file, and for the key value shows little-endian 41 00 3D D8 00 DE. That is A = U+0041, and GRINNING FACE = U+1F600 encoded in UTF-16 as pair D83D DE00). Any 16-bit pairs in the range 0xD800 - 0xDCFF require extra decoding from UTF-16, basically dropping the first 6 bits of each and combining what is left to get a 20-bit Unicode code point.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment