reglookup - Online in the Cloud

NAME


reglookup - Windows NT+ registry reader/lookup tool

SYNOPSIS


reglookup [options] registry-file

DESCRIPTION


reglookup is designed to read Windows registry elements and print them out to stdout in a
CSV-like format. It has filtering options to narrow the focus of the output. This tool is
designed to work with Windows NT-based registries.

OPTIONS


reglookup accepts the following parameters:

-p prefix-filter
Specify a path prefix filter. Only keys/values under this registry path will be
output.

-t type-filter
Specify a type filter. Only elements which match this registry data type will be
printed. Acceptable values are: NONE, SZ, EXPAND_SZ, BINARY, DWORD, DWORD_BE, LINK,
MULTI_SZ, RSRC_LIST, RSRC_DESC, RSRC_REQ_LIST, QWORD and KEY.

-h Enables the printing of a column header row. (default)

-i Printed values inherit the timestamp of their parent key, which is printed along
with them. Note that this timestamp is not necessarily meaningful for any given
value, because timestamps are saved on keys only and you cannot tell which
value has been modified, since a change to any value of a given key would update the
timestamp.

-H Disables the printing of a column header row.

-s Adds five additional columns to output containing information from key security
descriptors and rarely used fields. The columns are: owner, group, sacl, dacl,
class. (This feature's output has not been extensively tested.)

-S Disables the printing of security descriptor information. (default)

-v Verbose output.

registry-file
Required argument. Specifies the location of the registry file to read. The system
registry files should be found under: %SystemRoot%/system32/config.

OUTPUT


reglookup generates comma-separated values (CSV) and writes them to stdout. The format is
designed to simplify parsing algorithms of other tools by quoting CSV special characters
using a common hexadecimal format. Specifically, special characters or non-ASCII bytes are
converted to "\xQQ" where QQ is the hexadecimal value for the byte.

The number of columns or fields in each line is fixed for a given run of the program, but
may vary based on the command line options provided. See the header line for information
on which fields are available and what they contain.

Some fields in some lines may contain sub-fields which require additional delimiters. If
these sub-delimiters occur in these sub-fields, they are also encoded in the same way as
commas or other special characters are. Currently, the second, third, and fourth level
delimiters are "|", ":", and " ", respectively. These are particularly important to take
note of when security attributes are printed. Please note that these delimiters may occur
in fields that are not sub-delimited, and should not be interpreted as special.

Security attributes of registry keys have a complex structure which is outlined here. Each
key will generally have an associated ACL (Access Control List), which is made up of ACEs
(Access Control Entries). Each ACE is delimited by the secondary delimiter mentioned
above, "|". The fields within an ACE are delimited by the third-level delimiter, ":", and
consist of a SID, the ACE type (ALLOW, DENY, etc.), a list of access rights, and a list of
flags. The last two fields are delimited by the fourth-level delimiter " ". These final
lists are simply human-readable interpretations of bits. The access rights abbreviations
are listed below along with their Microsoft-assigned names:

QRY_VAL     KEY_QUERY_VALUE
SET_VAL     KEY_SET_VALUE
CREATE_KEY  KEY_CREATE_SUB_KEY
ENUM_KEYS   KEY_ENUMERATE_SUB_KEYS
NOTIFY      KEY_NOTIFY
CREATE_LNK  KEY_CREATE_LINK
WOW64_64    KEY_WOW64_64KEY
WOW64_32    KEY_WOW64_32KEY
DELETE      DELETE
R_CONT      READ_CONTROL
W_DAC       WRITE_DAC
W_OWNER     WRITE_OWNER
SYNC        SYNCHRONIZE
SYS_SEC     ACCESS_SYSTEM_SECURITY
MAX_ALLWD   MAXIMUM_ALLOWED
GEN_A       GENERIC_ALL
GEN_X       GENERIC_EXECUTE
GEN_W       GENERIC_WRITE
GEN_R       GENERIC_READ

And the meaning of each flag is:

OI  Object Inherit
CI  Container Inherit
NP  Non-Propagate
IO  Inherit Only
IA  Inherited ACE

Please see the following references for more information:

http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
http://msdn2.microsoft.com/en-us/library/aa772242.aspx
http://support.microsoft.com/kb/220167

Note that some of the bits listed above have either not been allocated by Microsoft, or
simply aren't documented. If any bits are set in the above two fields that aren't
recognized, a hexadecimal representation of all of these mystery bits will be included in
the output. For instance, if the lowest bit and third lowest bit were not recognized while
being set, the number "0x5" would be included as an element in the list.

While the ACL/ACE output format is mostly stable at this point, minor changes may be
introduced in future versions.
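
The quoting and delimiter rules above, as an added example (not part of the reglookup distribution): a Python parser that splits on the four delimiter levels before undoing the "\xQQ" quoting, then lists keys whose DACL grants a given SID write-class rights or unrecognized bits. The header names, the sample row and the set of rights treated as write-class are assumptions made here for illustration; a real run's header line is authoritative.

```python
import re

_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")

def unquote(field):
    """Undo the \\xQQ quoting; each byte is mapped 1:1 to a code point."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), field)

def parse_acl(field):
    """Split an ACL field into ACEs using the '|', ':' and ' ' delimiters."""
    aces = []
    for raw in filter(None, field.split("|")):
        sid, ace_type, rights, flags = raw.split(":")  # ValueError if layout changes
        aces.append({
            "sid": unquote(sid),
            "type": unquote(ace_type),
            "rights": [unquote(r) for r in rights.split(" ") if r],
            "flags": [unquote(f) for f in flags.split(" ") if f],
        })
    return aces

def parse_lines(lines):
    """Yield one dict per record; split first so encoded commas stay data."""
    header = [h.lower() for h in lines[0].split(",")]
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        for acl in ("sacl", "dacl"):  # only these fields are sub-delimited
            if acl in row:
                row[acl] = parse_acl(row[acl])
        yield {k: unquote(v) if isinstance(v, str) else v for k, v in row.items()}

# Assumption: which abbreviations count as "write-class" is a choice made here.
WRITE_RIGHTS = {"SET_VAL", "CREATE_KEY", "W_DAC", "W_OWNER", "GEN_A", "GEN_W"}

def writable_by(rows, sid):
    """Paths where an ALLOW ACE gives `sid` a write-class right or unknown bits."""
    hits = []
    for row in rows:
        for ace in row.get("dacl", []):
            if ace["sid"] == sid and ace["type"] == "ALLOW":
                granted = sorted(WRITE_RIGHTS & set(ace["rights"]))
                unknown = [r for r in ace["rights"] if r.startswith("0x")]
                if granted or unknown:
                    hits.append((row["path"], granted, unknown))
    return hits

# Constructed sample (not real reglookup output); header names are assumed.
SAMPLE = [
    "PATH,TYPE,VALUE,MTIME,OWNER,GROUP,SACL,DACL,CLASS",
    r"/ControlSet002/Services/Demo\x2CSvc,KEY,,2009-01-01 00:00:00,S-1-5-32-544,"
    r"S-1-5-18,,S-1-5-18:ALLOW:GEN_A:CI|S-1-1-0:ALLOW:QRY_VAL SET_VAL 0x5:CI IA,",
]
```

The MTIME field in the sample contains ":" and " " but is left whole, since those characters are only delimiters inside the ACL fields.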

EXAMPLES


To read and print the contents of an entire system registry file:

reglookup /mnt/win/c/WINNT/system32/config/system

To limit the output to just those entries under the Services key:

reglookup -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system

To limit the output to all registry values of type BINARY:

reglookup -t BINARY /mnt/win/c/WINNT/system32/config/system

And to limit the output to BINARY values under the Services key:

reglookup -t BINARY -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
