[63]1<?xml version="1.0" encoding="UTF-8"?>
2<refentry id='reglookup.1'>
[64]3  <!--  $Id: reglookup.1.docbook 138 2009-02-08 19:53:48Z tim $ -->
[63]4  <refmeta>
5    <refentrytitle>reglookup</refentrytitle>
6    <manvolnum>1</manvolnum>
7    <refmiscinfo class="sectdesc">File Conversion Utilities</refmiscinfo>
8  </refmeta>
9  <refnamediv id='name'>
10    <refname>reglookup</refname>
[119]11    <refpurpose>Windows NT+ registry reader/lookup tool</refpurpose>
[63]12  </refnamediv>
13
[64]14  <refsect1 id='synopsis'>
[63]15    <title>SYNOPSIS</title>
16    <para>
[64]17      <command>
18        reglookup [options] <replaceable>registry-file</replaceable>
19      </command>
[63]20    </para>
21  </refsect1>
22
23  <refsect1 id='description'>
24    <title>DESCRIPTION</title>
25    <para>
26        reglookup is designed to read Windows registry elements and
27        print them out to stdout in a CSV-like format.  It has filtering
28        options to narrow the focus of the output.  This tool is
[125]29        designed to work with Windows NT-based registry hive files.
[63]30    </para>
31  </refsect1>
32
[64]33  <refsect1 id='options'>
[63]34    <title>OPTIONS</title>
35    <para>
36      <command>reglookup</command> accepts the following parameters:
37    </para>
38
39    <variablelist remap='IP'>
40      <varlistentry>
41        <term>
42          <option>-p <replaceable>prefix-filter</replaceable></option>
43        </term>
44        <listitem>
45          <para>
46            Specify a path prefix filter.  Only keys/values under
47            this registry path will be output.
48          </para>
49        </listitem>
50      </varlistentry>
51    </variablelist>
52
53    <variablelist remap='IP'>
54      <varlistentry>
55        <term>
56          <option>-t <replaceable>type-filter</replaceable></option>
57        </term>
58        <listitem>
59          <para>
60            Specify a type filter.  Only elements which match this
61            registry data type will be printed.  Acceptable values (the
[119]62            REG_* value types without the REG_ prefix, plus KEY) are:
[63]63            <command>
64              NONE, SZ, EXPAND_SZ, BINARY, DWORD, DWORD_BE,
[72]65              LINK, MULTI_SZ, RSRC_LIST, RSRC_DESC, RSRC_REQ_LIST, QWORD
[63]66            </command>
67            and
68            <command>
69              KEY
70            </command>
71          </para>
72        </listitem>
73      </varlistentry>
74    </variablelist>
75
76    <variablelist remap='IP'>
77      <varlistentry>
78        <term>
79          <option>-h</option>
80        </term>
81        <listitem>
82          <para>
83            Enables the printing of a column header row. (default)
84          </para>
85        </listitem>
86      </varlistentry>
87    </variablelist>
88
89    <variablelist remap='IP'>
90      <varlistentry>
91        <term>
92          <option>-H</option>
93        </term>
94        <listitem>
95          <para>
96            Disables the printing of a column header row.
97          </para>
98        </listitem>
99      </varlistentry>
100    </variablelist>
101
102    <variablelist remap='IP'>
103      <varlistentry>
104        <term>
105          <option>-s</option>
106        </term>
107        <listitem>
108          <para>
[125]109            Adds five additional columns to output containing
110            information from key security descriptors and rarely used
111            fields.  The columns are: owner, group, sacl, dacl, class.
            The owner and group columns hold SIDs; the sacl and dacl columns
            use the ACL/ACE sub-field format described under OUTPUT.
[119]112            (This feature's output has not been extensively tested.)
[63]113          </para>
114        </listitem>
115      </varlistentry>
116    </variablelist>
117
118    <variablelist remap='IP'>
119      <varlistentry>
120        <term>
121          <option>-S</option>
122        </term>
123        <listitem>
124          <para>
125            Disables the printing of security descriptor
126            information. (default)
127          </para>
128        </listitem>
129      </varlistentry>
130    </variablelist>
131
132    <variablelist remap='IP'>
133      <varlistentry>
134        <term>
135          <option>-v</option>
136        </term>
137        <listitem>
138          <para>
[138]139            Verbose output.  Enables additional warning and error
            messages about problems encountered while parsing the hive.
[63]140          </para>
141        </listitem>
142      </varlistentry>
143    </variablelist>
144
145    <variablelist remap='IP'>
146      <varlistentry>
147        <term>
148          <option><replaceable>registry-file</replaceable></option>
149        </term>
150        <listitem>
151          <para>
152            Required argument.  Specifies the location of the registry
[119]153            hive file to read.  The system registry files should be
154            found under
[63]155            <command>%SystemRoot%/system32/config</command> on the mounted
            or imaged volume.  When the hive is forensic evidence, work from a
            read-only mount or a copy rather than the original.
156          </para>
157        </listitem>
158      </varlistentry>
159    </variablelist>
160  </refsect1>
161
162  <refsect1 id='output'>
163    <title>OUTPUT</title>
164    <para>
165      <!-- XXX: this should be a bit more formal -->
[87]166      <command>reglookup</command> generates comma-separated values (CSV)
167      and writes them to stdout.  The format is designed to simplify parsing
[63]168      by other tools: instead of quoting fields, CSV special characters
169      (including the comma and the backslash itself) and non-ASCII bytes are
170      converted to "\xQQ", where QQ is the two-digit hexadecimal value of
171      the byte.  Because the backslash is itself encoded, a consuming parser
      can safely split each line on commas and decode "\xQQ" sequences
      afterward without ambiguity.
172    </para>
[87]173    <para>
174      The number of columns or fields in each line is fixed for a given run
175      of the program, but may vary based on the command line options provided.
176      See the header line for information on which fields are available and
177      what they contain.
178    </para>
179    <para>
180      Some fields in some lines may contain sub-fields which require additional
181      delimiters.  If these sub-delimiters occur literally within such a
182      sub-field, they are encoded in the same "\xQQ" form as commas and other
183      special characters.  Currently, the second, third, and fourth level
184      delimiters are "|", ":", and " ", respectively.  These matter chiefly
185      when security attributes are printed (see below).  Note that the same
186      characters may occur unencoded in fields that are not sub-delimited, so a
187      parser should only split on them within the fields documented as
      sub-delimited and treat them as ordinary data everywhere else.
188    </para>
189    <para>
190      Security attributes of registry keys have a complex structure which is
191      outlined here.  Each key will generally have an associated security
192      descriptor whose ACLs (Access Control Lists, printed in the dacl and
193      sacl columns) are made up of ACEs (Access Control Entries).  ACEs within
194      an ACL are separated by the secondary delimiter mentioned above, "|".
195      The fields within an ACE are separated by the third-level delimiter,
196      ":", and consist of, in order: a SID, the ACE type (ALLOW, DENY, etc),
197      a list of access rights, and a list of flags.  The last two fields are
      themselves lists whose elements are separated by the fourth-level
      delimiter " ".  These final lists are simply human-readable
198      interpretations of bits.  The access rights abbreviations are listed
199      below along with their Microsoft-assigned names:
200      <screen>
201      QRY_VAL           KEY_QUERY_VALUE
202      SET_VAL           KEY_SET_VALUE
203      CREATE_KEY        KEY_CREATE_SUB_KEY
204      ENUM_KEYS         KEY_ENUMERATE_SUB_KEYS
205      NOTIFY            KEY_NOTIFY
206      CREATE_LNK        KEY_CREATE_LINK
207      WOW64_64          KEY_WOW64_64KEY
208      WOW64_32          KEY_WOW64_32KEY
209      DELETE            DELETE
210      R_CONT            READ_CONTROL
211      W_DAC             WRITE_DAC
212      W_OWNER           WRITE_OWNER
213      SYNC              SYNCHRONIZE
214      SYS_SEC           ACCESS_SYSTEM_SECURITY
215      MAX_ALLWD         MAXIMUM_ALLOWED
216      GEN_A             GENERIC_ALL
217      GEN_X             GENERIC_EXECUTE
218      GEN_W             GENERIC_WRITE
219      GEN_R             GENERIC_READ
220      </screen>
221
222      And the meaning of each flag is:
223      <screen>
224      OI        Object Inherit
225      CI        Container Inherit
226      NP        Non-Propagate
227      IO        Inherit Only
228      IA        Inherited ACE
229      </screen>
230
231      Please see the following references for more information:
232      <screen>
233        http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
234        http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
235        http://msdn2.microsoft.com/en-us/library/aa772242.aspx
236        http://support.microsoft.com/kb/220167
237      </screen>
238    </para>
239    <para>
240      Note that some of the bits listed above have either not been allocated by
241      Microsoft, or simply aren't documented.  If any bits are set in the
242      access rights or flags list that aren't recognized, a hexadecimal
243      representation of all of these unrecognized bits will be included in the
244      output as an extra element.  For instance, if the lowest bit and third
245      lowest bit were set but not recognized, the number "0x5" would be
      included as an element in the list.  Parsers should therefore accept an
      element of the form "0xNN" in either list rather than treating it as an
      error.
246    </para>
247    <para>
248      While the ACL/ACE output format is mostly stable at this point, minor
249      changes may be introduced in future versions.
250    </para>
[63]251  </refsect1>
252
253  <refsect1 id='examples'>
254    <title>EXAMPLES</title>
255    <para>
256      To read and print the contents of an entire system registry
257      file:
258    </para>
259    <para>
260      <screen>
261        reglookup /mnt/win/c/WINNT/system32/config/system
262      </screen>
263    </para>
264    <para>
265      To limit the output to just those entries under the Services
266      key of one control set (the example uses ControlSet002; which control
      set was active at the last boot is recorded under the hive's Select key):
267    </para>
268    <para>
269      <screen>
270        reglookup -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
271      </screen>
272    </para>
273    <para>
274      To limit the output to all registry values of type BINARY:
275    </para>
276    <para>
277      <screen>
278        reglookup -t BINARY /mnt/win/c/WINNT/system32/config/system
279      </screen>
280    </para>
281    <para>
282      And to limit the output to BINARY values under the Services key:
283    </para>
284    <para>
285      <screen>
286        reglookup -t BINARY -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
287      </screen>
288    </para>
289  </refsect1>
290
291  <refsect1 id='bugs'>
292    <title>BUGS</title>
293    <para>
[119]294      This program has been smoke-tested against most current Windows target
295      platforms, but a comprehensive test suite has not yet been developed.
296      (Please report results to the development mailing list if you encounter
297       any bugs.  Sample registry files and/or patches are greatly appreciated.)
[63]298    </para>
299    <para>
[64]300      The SID conversions haven't been carefully checked for accuracy.
      Cross-check SIDs in the owner, group and ACE fields against another
      tool before relying on them for attribution.
[63]301    </para>
302    <para>
[64]303      The MTIME conversions appear to correctly produce the stored timestamp,
304      expressed in UTC.  However, due to the periodicity of registry writes,
305      and the complexity of the conversion, a small amount of error (on the
306      order of seconds) is possible, so the value should not be treated as
307      precise when building timelines.  The documentation available online
      from Microsoft on this field is very poor.
308    </para>
309    <para>
[63]310      Backslashes are currently considered special characters and are
311      encoded in the same "\xQQ" form as other special characters, to make
[119]312      parsing unambiguous for automated tools.  However, this causes
      registry paths, which are full of backslashes, to be difficult to read
      by mere mortals.
[63]313    </para>
314    <para>
[119]315      For more information on registry format details, see:
316        http://sentinelchicken.com/research/registry_format/
[63]317    </para>
318  </refsect1>
319
320  <refsect1 id='credits'>
321    <title>CREDITS</title>
322    <para>
323      This program was initially based on editreg.c by
324      Richard Sharpe.  It has since been rewritten to use a modified
325      version the regfio library written by Gerald Carter.  Heavy
326      modifications to the library and the original command line
327      interface have been done by Timothy D. Morgan.
328    </para>
329    <para>
330      Please see source code for a full list of copyrights.
331    </para>
332  </refsect1>
333
334  <refsect1 id='license'>
335    <title>LICENSE</title>
336    <para>
337      Please see the file "LICENSE" included with this software
338      distribution.
339    </para>
340    <para>     
341      This program is distributed in the hope that it will be useful,
342      but WITHOUT ANY WARRANTY; without even the implied warranty of
343      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
[119]344      GNU General Public License version 3 for more details.
[63]345    </para>
346  </refsect1>
[64]347
348  <refsect1 id='seealso'>
349    <title>SEE ALSO</title>
350    <para>
[119]351      reglookup-timeline(1) reglookup-recover(1)
[64]352    </para>
353  </refsect1>
[63]354</refentry>