source: trunk/doc/reglookup-recover.1.docbook @ 143

Last change on this file since 143 was 138, checked in by tim, 16 years ago

extended error message logging to allow for message type filtering

fine tuned message verbosity to more reasonable default levels for reglookup and reglookup-recover

updated related documentation

  • Property svn:keywords set to Id
File size: 6.3 KB
<?xml version="1.0" encoding="UTF-8"?>
<refentry id='reglookup-recover.1'>
  <!--  $Id: reglookup-recover.1.docbook 138 2009-02-08 19:53:48Z tim $ -->
  <refmeta>
    <refentrytitle>reglookup</refentrytitle>
    <manvolnum>1</manvolnum>
    <refmiscinfo class="sectdesc">File Conversion Utilities</refmiscinfo>
  </refmeta>
  <refnamediv id='name'>
    <refname>reglookup-recover</refname>
    <refpurpose>Windows NT+ registry deleted data recovery tool</refpurpose>
  </refnamediv>

  <refsect1 id='synopsis'>
    <title>SYNOPSIS</title>
    <para>
      <command>
        reglookup-recover [options] <replaceable>registry-file</replaceable>
      </command>
    </para>
  </refsect1>

  <refsect1 id='description'>
    <title>DESCRIPTION</title>
    <para>
        reglookup-recover attempts to scour a Windows registry hive for
        deleted data structures and outputs those found in a CSV-like format.
    </para>
  </refsect1>

  <refsect1 id='options'>
    <title>OPTIONS</title>
    <para>
      <command>reglookup-recover</command> accepts the following parameters:
    </para>

    <variablelist remap='IP'>
      <varlistentry>
        <term>
          <option>-v</option>
        </term>
        <listitem>
          <para>
            Verbose output.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>

    <variablelist remap='IP'>
      <varlistentry>
        <term>
          <option>-h</option>
        </term>
        <listitem>
          <para>
            Enables the printing of a column header row. (default)
          </para>
        </listitem>
      </varlistentry>
    </variablelist>

    <variablelist remap='IP'>
      <varlistentry>
        <term>
          <option>-H</option>
        </term>
        <listitem>
          <para>
            Disables the printing of a column header row.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>

    <variablelist remap='IP'>
      <varlistentry>
        <term>
          <option>-l</option>
        </term>
        <listitem>
          <para>
            Display cells which could not be interpreted as valid
            registry structures at the end of the output.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>

    <variablelist remap='IP'>
      <varlistentry>
        <term>
          <option>-L</option>
        </term>
        <listitem>
          <para>
            Do not display cells which could not be interpreted as valid
            registry structures.  This is the default behavior.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>

    <variablelist remap='IP'>
      <varlistentry>
        <term>
          <option>-r</option>
        </term>
        <listitem>
          <para>
            Display raw cell contents for cells which were interpreted as intact
            data structures.  This additional output will appear on the same
            line as the interpreted data.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>

    <variablelist remap='IP'>
      <varlistentry>
        <term>
          <option>-R</option>
        </term>
        <listitem>
          <para>
            Do not display raw cell contents for cells which were interpreted
            as intact data structures.  This is the default behavior.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>

    <variablelist remap='IP'>
      <varlistentry>
        <term>
          <option><replaceable>registry-file</replaceable></option>
        </term>
        <listitem>
          <para>
            Required argument.  Specifies the location of the
            registry file to read.  The system registry files should be
            found under:
            <command>%SystemRoot%/system32/config</command>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1 id='output'>
    <title>OUTPUT</title>
    <para>
      <!-- XXX: this should be a bit more formal -->
      <command>reglookup-recover</command> generates output in a format similar
      to comma-separated values (CSV) and writes it to stdout. For more
      information on the syntax of the general format, see
      <command>reglookup(1)</command>.
    </para>
    <para>
      This tool is new and the output format, particularly the included columns,
      may change in future revisions.  When this format stabilizes, additional
      documentation will be included here.
    </para>
  </refsect1>

  <refsect1 id='examples'>
    <title>EXAMPLES</title>
    <para>
      To dump the recoverable contents of a system registry hive:
    </para>
    <para>
      <screen>
        reglookup-recover /mnt/win/c/WINDOWS/system32/config/system
      </screen>
    </para>
    <para>
      Extract all available unallocated data, including unparsable unallocated
      space and the raw data associated with parsed cells in a user-specific
      registry:
    </para>
    <para>
      <screen>
        reglookup-recover -r -l '/mnt/win/c/Documents and Settings/user/NTUSER.DAT'
      </screen>
    </para>
  </refsect1>

  <refsect1 id='bugs'>
    <title>BUGS</title>
    <para>
      This program has been smoke-tested against most current Windows target
      platforms, but a comprehensive test suite has not yet been developed.
      (Please report results to the development mailing list if you encounter
       any bugs.  Sample registry files and/or patches are greatly appreciated.)
    </para>
    <para>
      This program is new as of RegLookup release 0.9.0 and should be considered
      unstable.
    </para>
    <para>
      For more information on registry format details and the recovery
      algorithm, see:
        http://sentinelchicken.com/research/registry_format/
        http://sentinelchicken.com/research/registry_recovery/
    </para>
  </refsect1>

  <refsect1 id='credits'>
    <title>CREDITS</title>
    <para>
      This program was written by Timothy D. Morgan.
    </para>
  </refsect1>

  <refsect1 id='license'>
    <title>LICENSE</title>
    <para>
      Please see the file "LICENSE" included with this software
      distribution.
    </para>
    <para>
      This program is distributed in the hope that it will be useful,
      but WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      GNU General Public License version 3 for more details.
    </para>
  </refsect1>

  <refsect1 id='seealso'>
    <title>SEE ALSO</title>
    <para>
      reglookup-timeline(1) reglookup-recover(1)
    </para>
  </refsect1>
</refentry>