source: releases/0.3.0/doc/reglookup.1.docbook @ 285

Last change on this file since 285 was 72, checked in by tim, 18 years ago

Added QWORD type support.

  • Property svn:keywords set to Id
1<?xml version="1.0" encoding="UTF-8"?>
2<refentry id='reglookup.1'>
3  <!--  $Id: reglookup.1.docbook 72 2006-07-30 20:09:07Z tim $ -->
4  <refmeta>
5    <refentrytitle>reglookup</refentrytitle>
6    <manvolnum>1</manvolnum>
7    <refmiscinfo class="sectdesc">File Conversion Utilities</refmiscinfo>
8  </refmeta>
9  <refnamediv id='name'>
10    <refname>reglookup</refname>
11    <refpurpose>Windows NT+ registry reader/lookup tool</refpurpose>
12  </refnamediv>
13
14  <refsect1 id='synopsis'>
15    <title>SYNOPSIS</title>
16    <para>
17      <command>
18        reglookup [options] <replaceable>registry-file</replaceable>
19      </command>
20    </para>
21  </refsect1>
22
23  <refsect1 id='description'>
24    <title>DESCRIPTION</title>
25    <para>
26        reglookup is designed to read Windows registry elements and
27        print them out to stdout in a CSV-like format.  It has filtering
28        options to narrow the focus of the output.  This tool is
29        designed to work with Windows NT/2K/XP/2K3 registries, though
30        your mileage may vary.
31    </para>
32  </refsect1>
33
34  <refsect1 id='options'>
35    <title>OPTIONS</title>
36    <para>
37      <command>reglookup</command> accepts the following parameters:
38    </para>
39
40    <variablelist remap='IP'>
41      <varlistentry>
42        <term>
43          <option>-p <replaceable>prefix-filter</replaceable></option>
44        </term>
45        <listitem>
46          <para>
47            Specify a path prefix filter.  Only keys/values under
48            this registry path will be output.
49          </para>
50        </listitem>
51      </varlistentry>
52    </variablelist>
53
54    <variablelist remap='IP'>
55      <varlistentry>
56        <term>
57          <option>-t <replaceable>type-filter</replaceable></option>
58        </term>
59        <listitem>
60          <para>
61            Specify a type filter.  Only elements which match this
62            registry data type will be printed.  Acceptable values
63            are:
64            <command>
65              NONE, SZ, EXPAND_SZ, BINARY, DWORD, DWORD_BE,
66              LINK, MULTI_SZ, RSRC_LIST, RSRC_DESC, RSRC_REQ_LIST, QWORD
67            </command>
68            and
69            <command>
70              KEY
71            </command>
72          </para>
73        </listitem>
74      </varlistentry>
75    </variablelist>
76
77    <variablelist remap='IP'>
78      <varlistentry>
79        <term>
80          <option>-h</option>
81        </term>
82        <listitem>
83          <para>
84            Enables the printing of a column header row. (default)
85          </para>
86        </listitem>
87      </varlistentry>
88    </variablelist>
89
90    <variablelist remap='IP'>
91      <varlistentry>
92        <term>
93          <option>-H</option>
94        </term>
95        <listitem>
96          <para>
97            Disables the printing of a column header row.
98          </para>
99        </listitem>
100      </varlistentry>
101    </variablelist>
102
103    <variablelist remap='IP'>
104      <varlistentry>
105        <term>
106          <option>-s</option>
107        </term>
108        <listitem>
109          <para>
110            Adds four additional columns to output containing
111            information from key security descriptors.  The columns
112            are: owner, group, sacl, dacl.
113            (This feature's output probably contains bugs right now.)
114          </para>
115        </listitem>
116      </varlistentry>
117    </variablelist>
118
119    <variablelist remap='IP'>
120      <varlistentry>
121        <term>
122          <option>-S</option>
123        </term>
124        <listitem>
125          <para>
126            Disables the printing of security descriptor
127            information. (default)
128          </para>
129        </listitem>
130      </varlistentry>
131    </variablelist>
132
133    <variablelist remap='IP'>
134      <varlistentry>
135        <term>
136          <option>-v</option>
137        </term>
138        <listitem>
139          <para>
140            Verbose output. (Currently does little to nothing.)
141          </para>
142        </listitem>
143      </varlistentry>
144    </variablelist>
145
146    <variablelist remap='IP'>
147      <varlistentry>
148        <term>
149          <option><replaceable>registry-file</replaceable></option>
150        </term>
151        <listitem>
152          <para>
153            Required argument.  Specifies the location of the
154            registry file to read.  Typically, these files will be
155            found on an NTFS partition under
156            <command>%SystemRoot%/system32/config</command>.
157          </para>
158        </listitem>
159      </varlistentry>
160    </variablelist>
161  </refsect1>
162
163  <refsect1 id='output'>
164    <title>OUTPUT</title>
165    <para>
166      <!-- XXX: this should be a bit more formal -->
167      <command>reglookup</command> writes comma-separated values (CSV)
168      compatible output to stdout.  The format is designed to simplify parsing
169      by other tools: CSV special characters are escaped using a
170      common hexadecimal notation.  Specifically, special characters or non-ASCII
171      bytes are converted to "\xQQ", where QQ is the hexadecimal value of
172      the byte.
173    </para>
174  </refsect1>
175
176  <refsect1 id='examples'>
177    <title>EXAMPLES</title>
178    <para>
179      To read and print the contents of an entire system registry
180      file:
181    </para>
182    <para>
183      <screen>
184        reglookup /mnt/win/c/WINNT/system32/config/system
185      </screen>
186    </para>
187    <para>
188      To limit the output to just those entries under the Services
189      key:
190    </para>
191    <para>
192      <screen>
193        reglookup -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
194      </screen>
195    </para>
196    <para>
197      To limit the output to all registry values of type BINARY:
198    </para>
199    <para>
200      <screen>
201        reglookup -t BINARY /mnt/win/c/WINNT/system32/config/system
202      </screen>
203    </para>
204    <para>
205      And to limit the output to BINARY values under the Services key:
206    </para>
207    <para>
208      <screen>
209        reglookup -t BINARY -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
210      </screen>
211    </para>
212  </refsect1>
213
214  <refsect1 id='bugs'>
215    <title>BUGS</title>
216    <para>
217      This program has only been tested on a few different systems.
218      (Please report results to the development list if you test it
219      on Windows NT 4.0, 2003, or Vista registries.  Also, if you
220      test on any 64-bit architecture, please contact us.)
221    </para>
222    <para>
223      Verbose output is not working.
224    </para>
225    <para>
226      The SID conversions haven't been carefully checked for accuracy.
227    </para>
228    <para>
229      The MTIME conversions appear to correctly produce the stored UTC timestamp.
230      However, due to the periodicity of registry writes, and the complexity
231      of the conversion, a small amount of error (on the order of seconds) may
232      be possible.  The documentation available online from Microsoft on
233      this field is very poor.
234    </para>
235    <para>
236      Backslashes are currently considered special characters, to make
237      parsing easier for automated tools.  However, this causes paths
238      to be difficult to read.
239    </para>
240    <para>
241      You'll notice that registry paths aren't all the same as the
242      equivalents you see in the Windows registry editor.  Don't ask me why
243      that is.  I just work here.
244    </para>
245    <para>
246      This software should be considered unstable at this time.
247    </para>
248  </refsect1>
249
250  <refsect1 id='credits'>
251    <title>CREDITS</title>
252    <para>
253      This program was initially based on editreg.c by
254      Richard Sharpe.  It has since been rewritten to use a modified
255      version of the regfio library written by Gerald Carter.  Heavy
256      modifications to the library and the original command line
257      interface have been done by Timothy D. Morgan.
258    </para>
259    <para>
260      Please see source code for a full list of copyrights.
261    </para>
262  </refsect1>
263
264  <refsect1 id='license'>
265    <title>LICENSE</title>
266    <para>
267      Please see the file "LICENSE" included with this software
268      distribution.
269    </para>
270    <para>     
271      This program is distributed in the hope that it will be useful,
272      but WITHOUT ANY WARRANTY; without even the implied warranty of
273      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
274      GNU General Public License version 2 for more details.
275    </para>
276  </refsect1>
277
278  <refsect1 id='seealso'>
279    <title>SEE ALSO</title>
280    <para>
281      reglookup-timeline(1)
282    </para>
283  </refsect1>
284</refentry>