Provided by: reglookup_1.0.1+svn287-8_amd64 bug

NAME
       reglookup-recover - Windows NT+ registry deleted data recovery tool


SYNOPSIS
       reglookup-recover [options] registry-file


DESCRIPTION
       reglookup-recover attempts to scour a Windows registry hive for deleted data structures and outputs those
       found in a CSV-like format.


OPTIONS
       reglookup-recover accepts the following parameters:

       -v     Verbose output.

       -h     Enables the printing of a column header row. (default)

       -H     Disables the printing of a column header row.

       -l     Display cells which could not be interpreted as valid  registry  structures  at  the  end  of  the
              output.

       -L     Do  not  display  cells  which  could not be interpreted as valid registry structures. This is the
              default behavior.

       -r     Display raw cell contents for cells  which  were  interpreted  as  intact  data  structures.  This
              additional output will appear on the same line as the interpreted data.

       -R     Do  not display raw cell contents for cells which were interpreted as intact data structures. This
              is the default behavior.

       registry-file
              Required argument. Specifies the location of the registry file to read. The system registry  files
              should be found under: %SystemRoot%/system32/config.


OUTPUT
       reglookup-recover  generates a comma-separated values (CSV) like output and writes it to stdout. For more
       information on the syntax of the general format, see reglookup(1).

       This tool is new and the  output  format,  particularly  the  included  columns,  may  change  in  future
       revisions. When this format stablizes, additional documentation will be included here.


EXAMPLES
       To dump the recoverable contents of a system registry hive:

            reglookup-recover /mnt/win/c/WINDOWS/system32/config/system

       Extract  all  available  unallocated  data,  including  unparsable  unallocated  space  and  the raw data
       associated with parsed cells in a user-specific registry:

            reglookup-recover -r -l '/mnt/win/c/Documents and Settings/user/NTUSER.DAT'


BUGS
       This program has been smoke-tested against most current Windows target  platforms,  but  a  comprehensive
       test  suite  has  not  yet been developed.  (Please report results to the development mailing list if you
       encounter any bugs. Sample registry files and/or patches are greatly appreciated.)

       This program is new as of RegLookup release 0.9.0 and should be considered unstable.

       For more information on registry format details and the recovery algorithm, see:

       http://sentinelchicken.com/research/registry_format/
       http://sentinelchicken.com/research/registry_recovery/


CREDITS
       This program was written by Timothy D. Morgan.


LICENSE
       Please see the file "LICENSE" included with this software distribution.

       This  program  is  distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
       the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU  General  Public
       License version 3 for more details.


SEE ALSO
       reglookup-timeline(1) reglookup-recover(1)