source: trunk/doc/reglookup.1.docbook@ 93

Last change on this file since 93 was 87, checked in by tim, 18 years ago

added minor documentation on ACE flags to regfi.c

vastly expanded output documentation in reglookup man page.
  • Property svn:keywords set to Id
File size: 11.3 KB
Line 
1<?xml version="1.0" encoding="UTF-8"?>
2<refentry id='reglookup.1'>
3 <!-- $Id: reglookup.1.docbook 87 2007-02-04 01:55:18Z tim $ -->
4 <refmeta>
5 <refentrytitle>reglookup</refentrytitle>
6 <manvolnum>1</manvolnum>
7 <refmiscinfo class="sectdesc">File Conversion Utilities</refmiscinfo>
8 </refmeta>
9 <refnamediv id='name'>
10 <refname>reglookup</refname>
11 <refpurpose>windows NT+ registry reader/lookup tool</refpurpose>
12 </refnamediv>
13
14 <refsect1 id='synopsis'>
15 <title>SYNOPSIS</title>
16 <para>
17 <command>
18 reglookup [options] <replaceable>registry-file</replaceable>
19 </command>
20 </para>
21 </refsect1>
22
23 <refsect1 id='description'>
24 <title>DESCRIPTION</title>
25 <para>
26 reglookup is designed to read windows registry elements and
27 print them out to stdout in a CSV-like format. It has filtering
28 options to narrow the focus of the output. This tool is
29 designed to work with on windows NT/2K/XP/2K3 registries, though
30 your mileage may vary.
31 </para>
32 </refsect1>
33
34 <refsect1 id='options'>
35 <title>OPTIONS</title>
36 <para>
37 <command>reglookup</command> accepts the following parameters:
38 </para>
39
40 <variablelist remap='IP'>
41 <varlistentry>
42 <term>
43 <option>-p <replaceable>prefix-filter</replaceable></option>
44 </term>
45 <listitem>
46 <para>
47 Specify a path prefix filter. Only keys/values under
48 this registry path will be output.
49 </para>
50 </listitem>
51 </varlistentry>
52 </variablelist>
53
54 <variablelist remap='IP'>
55 <varlistentry>
56 <term>
57 <option>-t <replaceable>type-filter</replaceable></option>
58 </term>
59 <listitem>
60 <para>
61 Specify a type filter. Only elements which match this
62 registry data type will be printed. Acceptable values
63 are:
64 <command>
65 NONE, SZ, EXPAND_SZ, BINARY, DWORD, DWORD_BE,
66 LINK, MULTI_SZ, RSRC_LIST, RSRC_DESC, RSRC_REQ_LIST, QWORD
67 </command>
68 and
69 <command>
70 KEY
71 </command>
72 </para>
73 </listitem>
74 </varlistentry>
75 </variablelist>
76
77 <variablelist remap='IP'>
78 <varlistentry>
79 <term>
80 <option>-h</option>
81 </term>
82 <listitem>
83 <para>
84 Enables the printing of a column header row. (default)
85 </para>
86 </listitem>
87 </varlistentry>
88 </variablelist>
89
90 <variablelist remap='IP'>
91 <varlistentry>
92 <term>
93 <option>-H</option>
94 </term>
95 <listitem>
96 <para>
97 Disables the printing of a column header row.
98 </para>
99 </listitem>
100 </varlistentry>
101 </variablelist>
102
103 <variablelist remap='IP'>
104 <varlistentry>
105 <term>
106 <option>-s</option>
107 </term>
108 <listitem>
109 <para>
110 Adds four additional columns to output containing
111 information from key security descriptors. The columns
112 are: owner, group, sacl, dacl.
113 (This feature's output probably contains bugs right now.)
114 </para>
115 </listitem>
116 </varlistentry>
117 </variablelist>
118
119 <variablelist remap='IP'>
120 <varlistentry>
121 <term>
122 <option>-S</option>
123 </term>
124 <listitem>
125 <para>
126 Disables the printing of security descriptor
127 information. (default)
128 </para>
129 </listitem>
130 </varlistentry>
131 </variablelist>
132
133 <variablelist remap='IP'>
134 <varlistentry>
135 <term>
136 <option>-v</option>
137 </term>
138 <listitem>
139 <para>
140 Verbose output. (Currently does little to nothing.)
141 </para>
142 </listitem>
143 </varlistentry>
144 </variablelist>
145
146 <variablelist remap='IP'>
147 <varlistentry>
148 <term>
149 <option><replaceable>registry-file</replaceable></option>
150 </term>
151 <listitem>
152 <para>
153 Required argument. Specifies the location of the
154 registry file to read. Typically, these files will be
155 found on a NTFS partition under
156 <command>%SystemRoot%/system32/config</command>.
157 </para>
158 </listitem>
159 </varlistentry>
160 </variablelist>
161 </refsect1>
162
163 <refsect1 id='output'>
164 <title>OUTPUT</title>
165 <para>
166 <!-- XXX: this should be a bit more formal -->
167 <command>reglookup</command> generates comma-separated values (CSV)
168 and writes them to stdout. The format is designed to simplify parsing
169 algorithms of other tools by quoting CSV special characters using a
170 common hexadecimal format. Specifically, special characters or non-ascii
171 bytes are converted to "\xQQ" where QQ is the hexadecimal value for
172 the byte.
173 </para>
174 <para>
175 The number of columns or fields in each line is fixed for a given run
176 of the program, but may vary based on the command line options provided.
177 See the header line for information on which fields are available and
178 what they contain.
179 </para>
180 <para>
181 Some fields in some lines may contain sub-fields which require additional
182 delimiters. If these sub-delimiters occur in these sub-fields, they are
183 also encoded in the same way as commas or other special characters are.
184 Currently, the second, third, and fourth level delimiters are "|", ":",
185 and " ", respectively. These are particularly important to take note of
186 when security attributes are printed. Please note that these delimiters
187 may occur in fields that are not sub-delimited, and should not be
188 interpreted as special.
189 </para>
190 <para>
191 Security attributes of registry keys have a complex structure which is
192 outlined here. Each key will generally have an associated ACL (Access
193 Control List), which is made up of ACEs (Access Control Entries). Each
194 ACE is delimited by the secondary delimiter mentioned above, "|". The
195 fields within an ACE are delimited by the third-level delimiter, ":",
196 and consist of a SID, the ACE type (ALLOW, DENY, etc), a list of access
197 rights, and a list of flags. The last two fields are delimited by the
198 fourth-level delimiter " ". These final lists are simply human-readable
199 interpretations of bits. The access rights abbreviations are listed
200 below along with their Microsoft-assigned names:
201 <screen>
202 QRY_VAL KEY_QUERY_VALUE
203 SET_VAL KEY_SET_VALUE
204 CREATE_KEY KEY_CREATE_SUB_KEY
205 ENUM_KEYS KEY_ENUMERATE_SUB_KEYS
206 NOTIFY KEY_NOTIFY
207 CREATE_LNK KEY_CREATE_LINK
208 WOW64_64 KEY_WOW64_64KEY
209 WOW64_32 KEY_WOW64_32KEY
210 DELETE DELETE
211 R_CONT READ_CONTROL
212 W_DAC WRITE_DAC
213 W_OWNER WRITE_OWNER
214 SYNC SYNCHRONIZE
215 SYS_SEC ACCESS_SYSTEM_SECURITY
216 MAX_ALLWD MAXIMUM_ALLOWED
217 GEN_A GENERIC_ALL
218 GEN_X GENERIC_EXECUTE
219 GEN_W GENERIC_WRITE
220 GEN_R GENERIC_READ
221 </screen>
222
223 And the meaning of each flag is:
224 <screen>
225 OI Object Inherit
226 CI Container Inherit
227 NP Non-Propagate
228 IO Inherit Only
229 IA Inherited ACE
230 </screen>
231
232 Please see the following references for more information:
233 <screen>
234 http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
235 http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
236 http://msdn2.microsoft.com/en-us/library/aa772242.aspx
237 http://support.microsoft.com/kb/220167
238 </screen>
239 </para>
240 <para>
241 Note that some of the bits listed above have either not been allocated by
242 Microsoft, or simply aren't documented. If any bits are set in the above
243 two fields that aren't recognized, a hexidecimal representation of all of
244 these mystery bits will be included in the output. For instance, if the
245 lowest bit and third lowest bit were not recognized while being set,
246 the number "0x5" would be included as an element in the list.
247 </para>
248 <para>
249 While the ACL/ACE output format is mostly stable at this point, minor
250 changes may be introduced in future versions.
251 </para>
252 </refsect1>
253
254 <refsect1 id='examples'>
255 <title>EXAMPLES</title>
256 <para>
257 To read and print the contents of an entire system registry
258 file:
259 </para>
260 <para>
261 <screen>
262 reglookup /mnt/win/c/WINNT/system32/config/system
263 </screen>
264 </para>
265 <para>
266 To limit the output to just those entries under the Services
267 key:
268 </para>
269 <para>
270 <screen>
271 reglookup -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
272 </screen>
273 </para>
274 <para>
275 To limit the output to all registry values of type BINARY:
276 </para>
277 <para>
278 <screen>
279 reglookup -t BINARY /mnt/win/c/WINNT/system32/config/system
280 </screen>
281 </para>
282 <para>
283 And to limit the output to BINARY values under the Services key:
284 </para>
285 <para>
286 <screen>
287 reglookup -t BINARY -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
288 </screen>
289 </para>
290 </refsect1>
291
292 <refsect1 id='bugs'>
293 <title>BUGS</title>
294 <para>
295 This program has only been tested on a few different systems.
296 (Please report results to the development list if you test it
297 on Windows NT 4.0, 2003, or Vista registries. Also, if you
298 test on any 64-bit architecture, please contact us.)
299 </para>
300 <para>
301 Verbose output is not working.
302 </para>
303 <para>
304 The SID conversions haven't been carefully checked for accuracy.
305 </para>
306 <para>
307 The MTIME conversions appear correctly produce the stored UTC timestamp.
308 However, due to the periodicity of registry writes, and the complexity
309 of the conversion, a small amount of error (on the order of seconds) may
310 be possible. The documentation available online from Microsoft on
311 this field is very poor.
312 </para>
313 <para>
314 Backslashes are currently considered special characters, to make
315 parsing easier for automated tools. However, this causes paths
316 to be difficult to read.
317 </para>
318 <para>
319 You'll notice that registry paths aren't all the same as the
320 equivalents you see in the windows registry editor. This is because
321 Windows constructs the registry view from multiple registry files,
322 each with their own roots. This utility merely shows what exists
323 under a single root. This isn't really a bug, but one should be
324 aware of the differences in path.
325 </para>
326 </refsect1>
327
328 <refsect1 id='credits'>
329 <title>CREDITS</title>
330 <para>
331 This program was initially based on editreg.c by
332 Richard Sharpe. It has since been rewritten to use a modified
333 version the regfio library written by Gerald Carter. Heavy
334 modifications to the library and the original command line
335 interface have been done by Timothy D. Morgan.
336 </para>
337 <para>
338 Please see source code for a full list of copyrights.
339 </para>
340 </refsect1>
341
342 <refsect1 id='license'>
343 <title>LICENSE</title>
344 <para>
345 Please see the file "LICENSE" included with this software
346 distribution.
347 </para>
348 <para>
349 This program is distributed in the hope that it will be useful,
350 but WITHOUT ANY WARRANTY; without even the implied warranty of
351 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
352 GNU General Public License version 2 for more details.
353 </para>
354 </refsect1>
355
356 <refsect1 id='seealso'>
357 <title>SEE ALSO</title>
358 <para>
359 reglookup-timeline(1)
360 </para>
361 </refsect1>
362</refentry>
Note: See TracBrowser for help on using the repository browser.