SYNOPSIS

reglookup [options] registry-file

DESCRIPTION

reglookup is designed to read windows registry elements and print them out to stdout in a CSV-like format. It has filtering options to narrow the focus of the output. This tool is designed to work with on Windows NT-based registries.

OPTIONS

reglookup accepts the following parameters:

\*(T<-p \*(T>prefix-filter

Specify a path prefix filter. Only keys/values under this registry path will be output.

\*(T<-t \*(T>type-filter

Specify a type filter. Only elements which match this registry data type will be printed. Acceptable values are: NONE, SZ, EXPAND_SZ, BINARY, DWORD, DWORD_BE, LINK, MULTI_SZ, RSRC_LIST, RSRC_DESC, RSRC_REQ_LIST, QWORD and KEY .TP \*(T<-h\*(T> Enables the printing of a column header row. (default)

\*(T<-i\*(T>

Printed values inherit the timestamp of their parent key, which is printed along with them. Note that this timestamp is not necessarily meaningful for any given value values because timestamps are saved on keys only and you cannot tell which value has been modified since a change to any value of a given key would update the time stamp.

\*(T<-H\*(T>

Disables the printing of a column header row.

\*(T<-s\*(T>

Adds five additional columns to output containing information from key security descriptors and rarely used fields. The columns are: owner, group, sacl, dacl, class. (This feature's output has not been extensively tested.)

\*(T<-S\*(T>

Disables the printing of security descriptor information. (default)

\*(T<-v\*(T>

Verbose output.

registry-file

Required argument. Specifies the location of the registry file to read. The system registry files should be found under: %SystemRoot%/system32/config.

OUTPUT

reglookup generates comma-separated values (CSV) and writes them to stdout. The format is designed to simplify parsing algorithms of other tools by quoting CSV special characters using a common hexadecimal format. Specifically, special characters or non-ascii bytes are converted to "\xQQ" where QQ is the hexadecimal value for the byte.

The number of columns or fields in each line is fixed for a given run of the program, but may vary based on the command line options provided. See the header line for information on which fields are available and what they contain.

Some fields in some lines may contain sub-fields which require additional delimiters. If these sub-delimiters occur in these sub-fields, they are also encoded in the same way as commas or other special characters are. Currently, the second, third, and fourth level delimiters are "|", ":", and " ", respectively. These are particularly important to take note of when security attributes are printed. Please note that these delimiters may occur in fields that are not sub-delimited, and should not be interpreted as special.

Security attributes of registry keys have a complex structure which is outlined here. Each key will generally have an associated ACL (Access Control List), which is made up of ACEs (Access Control Entries). Each ACE is delimited by the secondary delimiter mentioned above, "|". The fields within an ACE are delimited by the third-level delimiter, ":", and consist of a SID, the ACE type (ALLOW, DENY, etc), a list of access rights, and a list of flags. The last two fields are delimited by the fourth-level delimiter " ". These final lists are simply human-readable interpretations of bits. The access rights abbreviations are listed below along with their Microsoft-assigned names:

\*(T<
      QRY_VAL		KEY_QUERY_VALUE
      SET_VAL		KEY_SET_VALUE
      CREATE_KEY	KEY_CREATE_SUB_KEY
      ENUM_KEYS		KEY_ENUMERATE_SUB_KEYS
      NOTIFY		KEY_NOTIFY
      CREATE_LNK	KEY_CREATE_LINK
      WOW64_64		KEY_WOW64_64KEY
      WOW64_32		KEY_WOW64_32KEY
      DELETE		DELETE
      R_CONT		READ_CONTROL
      W_DAC		WRITE_DAC
      W_OWNER		WRITE_OWNER
      SYNC		SYNCHRONIZE
      SYS_SEC		ACCESS_SYSTEM_SECURITY
      MAX_ALLWD		MAXIMUM_ALLOWED
      GEN_A		GENERIC_ALL
      GEN_X		GENERIC_EXECUTE
      GEN_W		GENERIC_WRITE
      GEN_R		GENERIC_READ
      \*(T>

And the meaning of each flag is:

\*(T<
      OI	Object Inherit
      CI	Container Inherit
      NP	Non-Propagate
      IO	Inherit Only
      IA	Inherited ACE
      \*(T>

Please see the following references for more information:

\*(T<
        http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
        http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
        http://msdn2.microsoft.com/en-us/library/aa772242.aspx
        http://support.microsoft.com/kb/220167
      \*(T>

Note that some of the bits listed above have either not been allocated by Microsoft, or simply aren't documented. If any bits are set in the above two fields that aren't recognized, a hexidecimal representation of all of these mystery bits will be included in the output. For instance, if the lowest bit and third lowest bit were not recognized while being set, the number "0x5" would be included as an element in the list.

While the ACL/ACE output format is mostly stable at this point, minor changes may be introduced in future versions.

EXAMPLES

To read and print the contents of an entire system registry file:

\*(T<
	reglookup /mnt/win/c/WINNT/system32/config/system
      \*(T>

To limit the output to just those entries under the Services key:

\*(T<
	reglookup -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
      \*(T>

To limit the output to all registry values of type BINARY:

\*(T<
	reglookup -t BINARY /mnt/win/c/WINNT/system32/config/system
      \*(T>

And to limit the output to BINARY values under the Services key:

\*(T<
	reglookup -t BINARY -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
      \*(T>

BUGS

This program has been smoke-tested against most current Windows target platforms, but a comprehensive test suite has not yet been developed. (Please report results to the development mailing list if you encounter any bugs. Sample registry files and/or patches are greatly appreciated.)

The SID conversions haven't been carefully checked for accuracy.

The MTIME conversions appear correctly produce the stored UTC timestamp. However, due to the periodicity of registry writes, and the complexity of the conversion, a small amount of error (on the order of seconds) may be possible. The documentation available online from Microsoft on this field is very poor.

Backslashes are currently considered special characters, to make parsing easier for automated tools. However, this causes paths to be difficult to read by mere mortals.

For more information on registry format details, see: http://sentinelchicken.com/research/registry_format/

CREDITS

This program was initially based on editreg.c by Richard Sharpe. It has since been rewritten to use a modified version the regfio library written by Gerald Carter. Heavy modifications to the library and the original command line interface have been done by Timothy D. Morgan.

Please see source code for a full list of copyrights.

LICENSE

Please see the file "LICENSE" included with this software distribution.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for more details.

RELATED TO reglookup…