Provided by: reglookup_0.11.0-2_i386 bug

NAME

       reglookup - Windows NT+ registry reader/lookup tool

SYNOPSIS

       reglookup [options] registry-file

DESCRIPTION

       reglookup  is designed to read windows registry elements and print them
       out to stdout in a CSV-like format. It has filtering options to  narrow
       the  focus of the output. This tool is designed to work with on Windows
       NT-based registries.

OPTIONS

       reglookup accepts the following parameters:

       -p prefix-filter
              Specify a  path  prefix  filter.  Only  keys/values  under  this
              registry path will be output.

       -t type-filter
              Specify  a  type filter. Only elements which match this registry
              data type will be printed.  Acceptable  values  are:  NONE,  SZ,
              EXPAND_SZ,  BINARY,  DWORD, DWORD_BE, LINK, MULTI_SZ, RSRC_LIST,
              RSRC_DESC, RSRC_REQ_LIST, QWORD  and  KEY  .TP  -h  Enables  the
              printing of a column header row. (default)

       -H     Disables the printing of a column header row.

       -s     Adds  five  additional  columns to output containing information
              from key  security  descriptors  and  rarely  used  fields.  The
              columns  are:  owner, group, sacl, dacl, class.  (This feature’s
              output has not been extensively tested.)

       -S     Disables  the  printing  of  security  descriptor   information.
              (default)

       -v     Verbose output.

       registry-file
              Required  argument.  Specifies the location of the registry file
              to read. The  system  registry  files  should  be  found  under:
              %SystemRoot%/system32/config.

OUTPUT

       reglookup  generates  comma-separated  values  (CSV) and writes them to
       stdout. The format is designed to simplify parsing algorithms of  other
       tools  by  quoting  CSV  special  characters using a common hexadecimal
       format.  Specifically,  special  characters  or  non-ascii  bytes   are
       converted to "\xQQ" where QQ is the hexadecimal value for the byte.

       The  number  of columns or fields in each line is fixed for a given run
       of the program,  but  may  vary  based  on  the  command  line  options
       provided.   See  the  header  line  for information on which fields are
       available and what they contain.

       Some  fields  in  some  lines  may  contain  sub-fields  which  require
       additional  delimiters.  If  these  sub-delimiters  occur in these sub-
       fields, they are also encoded in  the  same  way  as  commas  or  other
       special characters are.  Currently, the second, third, and fourth level
       delimiters are "|", ":", and " ", respectively. These are  particularly
       important  to take note of when security attributes are printed. Please
       note that these delimiters may  occur  in  fields  that  are  not  sub-
       delimited, and should not be interpreted as special.

       Security  attributes of registry keys have a complex structure which is
       outlined here. Each key will generally have an associated  ACL  (Access
       Control  List), which is made up of ACEs (Access Control Entries). Each
       ACE is delimited by the secondary delimiter mentioned above,  "|".  The
       fields  within  an ACE are delimited by the third-level delimiter, ":",
       and consist of a SID, the ACE type (ALLOW, DENY, etc), a list of access
       rights,  and  a list of flags. The last two fields are delimited by the
       fourth-level delimiter " ". These final lists are simply human-readable
       interpretations  of  bits.  The  access rights abbreviations are listed
       below along with their Microsoft-assigned names:

             QRY_VAL       KEY_QUERY_VALUE
             SET_VAL       KEY_SET_VALUE
             CREATE_KEY    KEY_CREATE_SUB_KEY
             ENUM_KEYS          KEY_ENUMERATE_SUB_KEYS
             NOTIFY        KEY_NOTIFY
             CREATE_LNK    KEY_CREATE_LINK
             WOW64_64      KEY_WOW64_64KEY
             WOW64_32      KEY_WOW64_32KEY
             DELETE        DELETE
             R_CONT        READ_CONTROL
             W_DAC         WRITE_DAC
             W_OWNER       WRITE_OWNER
             SYNC          SYNCHRONIZE
             SYS_SEC       ACCESS_SYSTEM_SECURITY
             MAX_ALLWD          MAXIMUM_ALLOWED
             GEN_A         GENERIC_ALL
             GEN_X         GENERIC_EXECUTE
             GEN_W         GENERIC_WRITE
             GEN_R         GENERIC_READ

       And the meaning of each flag is:

             OI  Object Inherit
             CI  Container Inherit
             NP  Non-Propagate
             IO  Inherit Only
             IA  Inherited ACE

       Please see the following references for more information:

               http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
               http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
               http://msdn2.microsoft.com/en-us/library/aa772242.aspx
               http://support.microsoft.com/kb/220167

       Note that some of the bits listed above have either not been  allocated
       by  Microsoft,  or simply aren’t documented. If any bits are set in the
       above two fields that aren’t recognized, a  hexidecimal  representation
       of  all  of  these  mystery  bits  will  be included in the output. For
       instance, if the lowest bit and third lowest bit  were  not  recognized
       while  being  set,  the number "0x5" would be included as an element in
       the list.

       While the ACL/ACE output format is mostly stable at this  point,  minor
       changes may be introduced in future versions.

EXAMPLES

       To read and print the contents of an entire system registry file:

            reglookup /mnt/win/c/WINNT/system32/config/system

       To limit the output to just those entries under the Services key:

            reglookup -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system

       To limit the output to all registry values of type BINARY:

            reglookup -t BINARY /mnt/win/c/WINNT/system32/config/system

       And to limit the output to BINARY values under the Services key:

            reglookup -t BINARY -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system

BUGS

       This  program has been smoke-tested against most current Windows target
       platforms, but a comprehensive test suite has not yet  been  developed.
       (Please report results to the development mailing list if you encounter
       any  bugs.  Sample  registry   files   and/or   patches   are   greatly
       appreciated.)

       The SID conversions haven’t been carefully checked for accuracy.

       The   MTIME   conversions  appear  correctly  produce  the  stored  UTC
       timestamp.  However, due to the periodicity of registry writes, and the
       complexity  of the conversion, a small amount of error (on the order of
       seconds) may be  possible.  The  documentation  available  online  from
       Microsoft on this field is very poor.

       Backslashes  are  currently  considered  special  characters,  to  make
       parsing easier for automated tools. However, this causes  paths  to  be
       difficult to read by mere mortals.

       For    more    information    on    registry   format   details,   see:
       http://sentinelchicken.com/research/registry_format/

CREDITS

       This program was initially based on editreg.c by Richard Sharpe. It has
       since  been  rewritten  to  use  a  modified version the regfio library
       written by Gerald Carter. Heavy modifications to the  library  and  the
       original command line interface have been done by Timothy D. Morgan.

       Please see source code for a full list of copyrights.

LICENSE

       Please see the file "LICENSE" included with this software distribution.

       This program is distributed in the hope that it  will  be  useful,  but
       WITHOUT   ANY   WARRANTY;   without   even   the  implied  warranty  of
       MERCHANTABILITY or FITNESS  FOR  A  PARTICULAR  PURPOSE.  See  the  GNU
       General Public License version 3 for more details.

SEE ALSO

       reglookup-timeline(1) reglookup-recover(1)