Provided by: reglookup_0.4.0-1_i386
reglookup - windows NT+ registry reader/lookup tool
reglookup [options] registry-file
reglookup is designed to read Windows registry elements and print them
to stdout in a CSV-like format. It has filtering options to narrow the
focus of the output. This tool is designed to work on Windows
NT/2K/XP/2K3 registries, though your mileage may vary.
reglookup accepts the following parameters:
-p prefix Specify a path prefix filter. Only keys/values under this
registry path will be output.
-t type Specify a type filter. Only elements which match this registry
data type will be printed. Acceptable values are: NONE, SZ,
EXPAND_SZ, BINARY, DWORD, DWORD_BE, LINK, MULTI_SZ, RSRC_LIST,
RSRC_DESC, RSRC_REQ_LIST, QWORD and KEY
-h Enables the printing of a column header row. (default)
-H Disables the printing of a column header row.
-s Adds four additional columns to the output containing information
from key security descriptors. The columns are: owner, group,
sacl, dacl. (This feature's output probably contains bugs right now.)
-S Disables the printing of security descriptor information.
-v Verbose output. (Currently does little to nothing.)
registry-file Required argument. Specifies the location of the registry
file to read. Typically, these files will be found on an NTFS
partition under %SystemRoot%/system32/config.
reglookup generates comma-separated values (CSV) and writes them to
stdout. The format is designed to simplify parsing by other tools:
CSV special characters are quoted using a common hexadecimal format.
Specifically, special characters and non-ASCII bytes are converted to
"\xQQ", where QQ is the hexadecimal value of the byte.
The number of columns or fields in each line is fixed for a given run
of the program, but may vary based on the command line options
provided. See the header line for information on which fields are
available and what they contain.
Some fields in some lines contain sub-fields which require additional
delimiters. If a sub-delimiter character occurs inside one of these
sub-fields, it is encoded in the same way as commas and other special
characters are. Currently, the second, third, and fourth level
delimiters are "|", ":", and " ", respectively. These are particularly
important to take note of when security attributes are printed. Please
note that these delimiter characters may also occur in fields that are
not sub-delimited (for example, ":" in a timestamp), and must not be
interpreted as special there.
Security attributes of registry keys have a complex structure which is
outlined here. Each key will generally have an associated ACL (Access
Control List), which is made up of ACEs (Access Control Entries). Each
ACE is delimited by the secondary delimiter mentioned above, "|". The
fields within an ACE are delimited by the third-level delimiter, ":",
and consist of a SID, the ACE type (ALLOW, DENY, etc), a list of access
rights, and a list of flags. The last two fields are delimited by the
fourth-level delimiter " ". These final lists are simply human-readable
interpretations of bits. The access rights abbreviations are listed
below along with their Microsoft-assigned names:
And the meaning of each flag is:
OI Object Inherit
CI Container Inherit
IO Inherit Only
IA Inherited ACE
Please see the following references for more information:
Note that some of the bits in the above two fields have either not been
allocated by Microsoft or simply aren't documented. If any bits are set
that aren't recognized, a hexadecimal representation of all of these
mystery bits will be included in the output. For instance, if the
lowest bit and third lowest bit were set but not recognized, the number
"0x5" would be included as an element in the list.
While the ACL/ACE output format is mostly stable at this point, minor
changes may be introduced in future versions.
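The parsing rules above, carried through as a worked example: decode the "\xQQ" escapes, split rows on the comma, and split only the ACL columns on the three sub-delimiter levels, keeping the "0x..." element for unrecognized bits separate from the named rights and flags. This is an added illustration, not code from reglookup or its authors. The header column names, the sample rows, and the rights abbreviations inside them are constructed and assumed (this page does not reproduce the abbreviation table; check the one shipped with your reglookup version), and keys_granting is a hypothetical helper for a first-pass permissions audit.

```python
import re
import sys
from typing import Dict, List

# reglookup escapes CSV-special and non-ASCII bytes as \xQQ (QQ = two hex digits).
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")

# Sub-delimiters documented on the page: ACEs within an ACL, fields within an ACE,
# and elements within the rights/flags lists.
ACE_SEP, ACE_FIELD_SEP, LIST_SEP = "|", ":", " "

# Only these columns carry sub-delimited data. Column names are assumed; the
# actual names are taken from the header row by parse_output().
ACL_COLUMNS = {"SACL", "DACL"}


def unescape(field: str) -> bytes:
    """Decode \\xQQ escapes back to the raw bytes reglookup read from the hive.

    A literal backslash is itself emitted as \\x5C, so one left-to-right pass
    can never mistake a decoded byte for the start of another escape.
    """
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(field):
        out += field[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += field[pos:].encode("latin-1")
    return bytes(out)


def _split_list(raw: str) -> List[str]:
    """Split a space-delimited rights or flags list, unescaping each element."""
    return [unescape(x).decode("ascii") for x in raw.split(LIST_SEP) if x]


def _partition_unknown(items: List[str]):
    """Separate named bits from the 0x... element emitted for unrecognized bits."""
    known = [x for x in items if not x.startswith("0x")]
    unknown = [x for x in items if x.startswith("0x")]
    return known, unknown


def parse_ace(raw: str) -> Dict[str, object]:
    """Parse one ACE of the form SID:TYPE:rights:flags.

    Splitting happens on the still-escaped text, so a ':' or ' ' inside a
    sub-field (escaped as \\x3A / \\x20) cannot be mistaken for a delimiter.
    """
    parts = raw.split(ACE_FIELD_SEP)
    if len(parts) != 4:
        raise ValueError(f"malformed ACE (expected 4 ':'-separated fields): {raw!r}")
    sid, ace_type, rights_raw, flags_raw = parts
    rights, rights_unknown = _partition_unknown(_split_list(rights_raw))
    flags, flags_unknown = _partition_unknown(_split_list(flags_raw))
    return {
        "sid": unescape(sid).decode("ascii"),
        "type": unescape(ace_type).decode("ascii"),
        "rights": rights,
        "rights_unknown": rights_unknown,
        "flags": flags,
        "flags_unknown": flags_unknown,
    }


def parse_acl(raw: str) -> List[Dict[str, object]]:
    """An empty column means no ACL was printed for this row."""
    return [parse_ace(a) for a in raw.split(ACE_SEP)] if raw else []


def parse_output(text: str) -> List[Dict[str, object]]:
    """Parse reglookup output (header row required, i.e. not run with -H).

    Commas inside fields are escaped, so a plain split on ',' is safe. Only
    the ACL columns are sub-delimited; a ':' or ' ' in any other column
    (e.g. MTIME) is ordinary data and is left alone.
    """
    lines = [ln for ln in text.splitlines() if ln]
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        fields = line.split(",")
        if len(fields) != len(header):
            raise ValueError(f"expected {len(header)} fields, got {len(fields)}: {line!r}")
        row: Dict[str, object] = {}
        for name, raw in zip(header, fields):
            row[name] = parse_acl(raw) if name in ACL_COLUMNS else unescape(raw)
        rows.append(row)
    return rows


def keys_granting(rows, sid: str, rights) -> List[bytes]:
    """Paths whose DACL has an ALLOW ACE for `sid` carrying any of `rights`.

    A first-pass filter for over-permissive keys; it does not model ACE
    ordering, so a preceding DENY ACE could still block the access.
    """
    wanted = set(rights)
    hits = []
    for row in rows:
        for ace in row.get("DACL", []):
            if ace["sid"] == sid and ace["type"] == "ALLOW" and wanted & set(ace["rights"]):
                hits.append(row["PATH"])
                break
    return hits


# Constructed sample in the documented format (not real reglookup output).
# Header names and rights abbreviations are assumed, not taken from the page.
SAMPLE = "\n".join([
    "PATH,TYPE,VALUE,MTIME,OWNER,GROUP,SACL,DACL",
    r"/ControlSet002/Services/Foo,KEY,,2007-01-02 03:04:05,S-1-5-32-544,S-1-5-18,,"
    r"S-1-5-18:ALLOW:GEN_ALL:CI|S-1-5-32-545:ALLOW:READ_CTRL SET_VAL 0x5:CI IA",
    r"/ControlSet002/Services/Foo/ImagePath,SZ,C:\x5CFoo\x5Cfoo.exe\x2C caf\xC3\xA9,"
    r"2007-01-02 03:04:05,,,,",
])

if __name__ == "__main__":
    # Pipe `reglookup -s <hive>` into this script, or run it alone on SAMPLE.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for path in keys_granting(parse_output(text), "S-1-5-32-545", {"SET_VAL", "WRITE_DAC"}):
        print(path.decode("utf-8", "backslashreplace"))
```

The order of operations is the point: split on the escaped text first, then unescape each piece, because a comma, "|", ":" or space that was part of the data arrives already encoded as \xQQ and only becomes a literal character after the split. The escape decoder returns bytes rather than text, since the page does not promise any particular character encoding for string values.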
To read and print the contents of an entire system registry file:
reglookup /mnt/win/c/WINNT/system32/config/system
To limit the output to just those entries under the Services key:
reglookup -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
To limit the output to all registry values of type BINARY:
reglookup -t BINARY /mnt/win/c/WINNT/system32/config/system
And to limit the output to BINARY values under the Services key:
reglookup -t BINARY -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
This program has only been tested on a few different systems. (Please
report results to the development list if you test it on Windows NT
4.0, 2003, or Vista registries. Also, if you test on any 64-bit
architecture, please contact us.)
Verbose output is not working.
The SID conversions haven’t been carefully checked for accuracy.
The MTIME conversions appear to correctly produce the stored UTC
timestamp. However, due to the periodicity of registry writes and the
complexity of the conversion, a small amount of error (on the order of
seconds) may be possible. The documentation available online from
Microsoft on this field is very poor.
Backslashes are currently considered special characters, to make
parsing easier for automated tools. However, this causes paths to be
difficult to read.
You’ll notice that registry paths aren’t all the same as the
equivalents you see in the windows registry editor. This is because
Windows constructs the registry view from multiple registry files, each
with their own roots. This utility merely shows what exists under a
single root. This isn’t really a bug, but one should be aware of the
differences in path.
This program was initially based on editreg.c by Richard Sharpe. It has
since been rewritten to use a modified version of the regfio library
written by Gerald Carter. Heavy modifications to the library and the
original command line interface have been done by Timothy D. Morgan.
Please see source code for a full list of copyrights.
Please see the file "LICENSE" included with this software distribution.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License version 2 for more details.
File Conversion Utilities reglookup(1)