reglookup(1)    File Conversion Utilities

NAME
reglookup - Windows NT+ registry reader/lookup tool

SYNOPSIS
reglookup [options] registry-file

DESCRIPTION
reglookup is designed to read Windows registry elements and
print them to stdout in a CSV-like format. It has filtering
options to narrow the focus of the output. This tool is
designed to work on Windows NT/2K/XP/2K3 registries, though
your mileage may vary.
OPTIONS
reglookup accepts the following parameters:

-p prefix-filter
Specify a path prefix filter. Only keys/values under
this registry path will be output.

-t type-filter
Specify a type filter. Only elements which match this
registry data type will be printed. Acceptable values
are:
NONE, SZ, EXPAND_SZ, BINARY, DWORD, DWORD_BE,
LINK, MULTI_SZ, RSRC_LIST, RSRC_DESC, RSRC_REQ_LIST, QWORD
and KEY

-H
Enables the printing of a column header row. (default)

-h
Disables the printing of a column header row.

-s
Adds four additional columns to the output containing
information from key security descriptors. The columns
are: owner, group, sacl, dacl.
(This feature's output probably contains bugs right now.)

-S
Disables the printing of security descriptor
information. (default)

-v
Verbose output. (Currently does little to nothing.)

registry-file
Required argument. Specifies the location of the
registry file to read. Typically, these files will be
found on an NTFS partition under
%SystemRoot%/system32/config.
OUTPUT
reglookup generates a comma-separated values (CSV)
compatible format on stdout. The format is designed to simplify parsing
by other tools by quoting CSV special characters using a
common hexadecimal format. Specifically, special characters and non-ASCII
bytes are converted to "\xQQ", where QQ is the hexadecimal value of
the byte.
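Because every comma, backslash and non-ASCII byte is emitted as \xQQ, a consumer can split each row on "," and then undo the escaping per field. The following Python script is an added example (not part of reglookup itself) that does exactly that, re-applies the equivalent of the -t and -p filters after the fact, and renders BINARY values as hex. The sample output lines, the column layout (PATH,NAME,VALUE,TYPE,MTIME) and the MTIME value are constructed for this example, not real reglookup output.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of reglookup-style output for this example. The
# column layout (PATH,NAME,VALUE,TYPE,MTIME) and every value below are
# assumptions, not real reglookup output. Commas, backslashes and
# non-ASCII bytes arrive as \xQQ escapes, so a plain split on "," is safe.
SAMPLE_OUTPUT = r"""PATH,NAME,VALUE,TYPE,MTIME
/ControlSet002/Services/Tcpip,,,KEY,2004-08-04 12:00:00
/ControlSet002/Services/Tcpip,ImagePath,System32\x5Cdrivers\x5Ctcpip.sys,EXPAND_SZ,
/ControlSet002/Services/Tcpip,Start,0x00000001,DWORD,
/ControlSet002/Services/Tcpip/Parameters,Domain,corp\x2Cexample\x2Ccom,SZ,
/ControlSet002/Services/Tcpip/Parameters,Blob,\x00\xFF\x10,BINARY,
"""

# Matches one \xQQ escape; reglookup may emit either hex case.
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape_field(field: str) -> bytes:
    """Undo reglookup's \\xQQ escaping and return the original bytes."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(field):
        out += field[pos:m.start()].encode("latin-1")  # literal text between escapes
        out.append(int(m.group(1), 16))                # the escaped byte itself
        pos = m.end()
    out += field[pos:].encode("latin-1")
    return bytes(out)


def parse_output(text: str) -> List[Dict[str, bytes]]:
    """Parse reglookup output (header row first, as with -H) into records.

    Raises ValueError on a row whose field count disagrees with the header,
    which is the usual sign that the input was not produced with escaping on.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split(",")
    rows: List[Dict[str, bytes]] = []
    for lineno, line in enumerate(lines[1:], start=2):
        fields = line.split(",")
        if len(fields) != len(header):
            raise ValueError(
                f"line {lineno}: expected {len(header)} fields, got {len(fields)}"
            )
        rows.append({col: unescape_field(val) for col, val in zip(header, fields)})
    return rows


def filter_rows(
    rows: List[Dict[str, bytes]],
    type_name: Optional[str] = None,
    prefix: Optional[str] = None,
) -> List[Dict[str, bytes]]:
    """Post-hoc equivalent of the -t (type) and -p (path prefix) filters."""
    result = []
    for row in rows:
        if type_name is not None and row["TYPE"] != type_name.encode("ascii"):
            continue
        if prefix is not None and not row["PATH"].decode("utf-8", "replace").startswith(prefix):
            continue
        result.append(row)
    return result


def render_value(row: Dict[str, bytes]) -> str:
    """Show a value as text, or as hex when it is BINARY or not valid UTF-8."""
    value = row["VALUE"]
    if row["TYPE"] == b"BINARY":
        return value.hex()
    try:
        return value.decode("utf-8")
    except UnicodeDecodeError:
        return value.hex()


if __name__ == "__main__":
    rows = parse_output(SAMPLE_OUTPUT)
    for row in filter_rows(rows, prefix="/ControlSet002/Services/Tcpip"):
        print(row["PATH"].decode(), row["NAME"].decode(), row["TYPE"].decode(), render_value(row))
```

Splitting on "," before unescaping is only correct because reglookup escapes commas inside fields; feed this parser output from a tool that quotes fields the RFC 4180 way instead and the field-count check will trip.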
EXAMPLES
To read and print the contents of an entire system registry
file:
reglookup /mnt/win/c/WINNT/system32/config/system
To limit the output to just those entries under the Services
key:
reglookup -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
To limit the output to all registry values of type BINARY:
reglookup -t BINARY /mnt/win/c/WINNT/system32/config/system
And to limit the output to BINARY values under the Services key:
reglookup -t BINARY -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
BUGS
This program has only been tested on a few different systems.
(Please report results to the development list if you test it
on Windows NT 4.0, 2003, or Vista registries. Also, if you
test on any 64-bit architecture, please contact us.)
Verbose output is not working.
The SID conversions haven't been carefully checked for accuracy.
The MTIME conversions appear to correctly produce the stored UTC timestamp.
However, due to the periodicity of registry writes and the complexity
of the conversion, a small amount of error (on the order of seconds) may
be possible. The documentation available online from Microsoft on
this field is very poor.
Backslashes are currently considered special characters, to make
parsing easier for automated tools. However, this causes paths
to be difficult to read.
You'll notice that registry paths aren't all the same as the
equivalents you see in the windows registry editor. Don't ask me why
that is. I just work here.
This software should be considered unstable at this time.
CREDITS
This program was initially based on editreg.c by
Richard Sharpe. It has since been rewritten to use a modified
version of the regfio library written by Gerald Carter. Heavy
modifications to the library and the original command line
interface have been done by Timothy D. Morgan.
Please see the source code for a full list of copyrights.
LICENSE
Please see the file "LICENSE" included with this software
distribution.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License version 2 for more details.
SEE ALSO
reglookup-timeline(1)