contains
REGFIND,
a command-line utility with which you can search the Windows NT Registry for arbitrary data, key names,
or value names and optionally replace any of these with new values.
usage: REGFIND [-h hivefile hiveroot | -w Win95 Directory | -m \\machinename]
[-i n] [-o outputWidth]
[-p RegistryKeyPath] [-z | -t DataType] [-b | -B] [-y] [-n]
[searchString [-r ReplacementString]]
where: -h specifies a specify local hive to manipulate.
-w specifies the paths to a Windows 95 system.dat and user.dat files
-m specifies a remote Windows NT machine whose registry is to be manipulated.
-i n specifies the display indentation multiple. Default is 4
-o outputWidth specifies how wide the output is to be. By default the
outputWidth is set to the width of the console window if standard
output has not been redirected to a file. In the latter case, an
outputWidth of 240 is used.
-p registryPath specifies where to start searching
Valid prefix names for easy access to well known parts of the registry are:
HKEY_LOCAL_MACHINE -> \Registry\Machine
HKEY_USERS -> \Registry\Users
HKEY_CURRENT_USER -> \Registry\Users\...
USER: -> HKEY_CURRENT_USER
-t specifies which registry types to look at:
REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ
REG_DWORD, REG_BINARY, REG_NONE
Default is any of the _SZ types
-b only valid with _SZ searches, and specifies that REGFIND should
look for occurrences of the searchString inside of REG_BINARY data.
If a replacementString is given with -b, it must be the same length
as the searchString, since the surrounding binary data is not resized.
-B same as -b but also looks for ANSI version of string within REG_BINARY values.
-y only valid with _SZ searches, and specifies that REGFIND should
ignore case when searching.
-n specifies to include key and value names in the search.
May not specify -n with -t
-z specifies to search for REG_SZ and REG_EXPAND_SZ values that
are missing a trailing null character and/or have a length that is
not a multiple of the size of a Unicode character. If -r is also
specified then any replacement string is ignored, and REGFIND will
add the missing null character and/or adjust the length up to an
even multiple of the size of a Unicode character.
searchString is the value to search for. Use quotes if it contains
any spaces. If searchString is not specified, just searches based on type.
-r replacementString is an optional replacement string to replace any
matches with.
searchString and replacementString must be of the same type as specified
to the -t switch. For any of the _SZ types, it is just a string
For REG_DWORD, it is a single number (e.g. 0x1000 or 4096)
For REG_BINARY, it is a number specifying the byte count, optionally followed by
the actual bytes, with a separate number for each DWORD
(e.g. 0x06 0x12345678 0x1234)
If just the byte count is specified, then REGFIND will search for all
REG_BINARY values that have that length. A length-only search
may not be combined with -r.
When doing replacements, REGFIND displays the value AFTER the replacement
has been made. It is usually best to run REGFIND once without the -r switch
to see what will be changed before it is changed.

To search for NOTEPAD in the SOFTWARE key of a user's unloaded registry hive,
use the following syntax:
REGFIND -h "c:\winnt\Profiles\UserName\ntuser.dat" KEYR -p KEYR\Software NOTEPAD
The above will list all SOFTWARE sub-keys that contain the NOTEPAD string.
The KEYR argument specifies the registry key name for the root key of this hive.
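The -z check described above is worth understanding in detail before running it with -r against a hive, because a REG_SZ value that lacks its two-byte terminator is read past its end by any consumer that treats the data as a null-terminated wide string. The following is an added Python example, not code from REGFIND or the Resource Kit: it applies the two -z conditions (byte length not a multiple of the Unicode character size, missing trailing null) to raw UTF-16LE value data, and repairs them the way -z -r is documented to. The sample values are constructed; REGFIND's own order of the two repairs is not stated on this page and is assumed here to be pad first, then terminate.

```python
"""
Model of the checks REGFIND -z performs on REG_SZ / REG_EXPAND_SZ data
and of the repair REGFIND -z -r is documented to apply.

Added example, not part of REGFIND or the Windows NT Resource Kit.
Registry string data is UTF-16LE and is expected to end in a two-byte
null; the sample values below are constructed for the demonstration.
"""
from dataclasses import dataclass

WCHAR = 2            # size in bytes of a Unicode character in the registry
NUL = b"\x00\x00"    # the terminator a well-formed _SZ value ends with


@dataclass(frozen=True)
class SzCheck:
    odd_length: bool    # length is not a multiple of the character size
    missing_null: bool  # last aligned character is not U+0000

    @property
    def ok(self) -> bool:
        return not (self.odd_length or self.missing_null)


def check_sz(data: bytes) -> SzCheck:
    """Apply the two -z conditions to raw REG_SZ / REG_EXPAND_SZ data."""
    odd = len(data) % WCHAR != 0
    # Only whole, aligned characters can carry the terminator; a stray
    # trailing byte is ignored here and reported through odd_length.
    aligned = data[: len(data) - (len(data) % WCHAR)]
    missing = len(aligned) < WCHAR or aligned[-WCHAR:] != NUL
    return SzCheck(odd_length=odd, missing_null=missing)


def fix_sz(data: bytes) -> bytes:
    """Repair as -z -r describes: pad an odd length up to a multiple of the
    character size, then append the terminator if it is still absent.
    (Assumption: REGFIND pads before it terminates; the page does not say.)"""
    if len(data) % WCHAR:
        data += b"\x00" * (WCHAR - len(data) % WCHAR)
    if check_sz(data).missing_null:
        data += NUL
    return data


def decode_sz(data: bytes) -> str:
    """Decode for display: drop any odd trailing byte and one terminator."""
    aligned = data[: len(data) - (len(data) % WCHAR)]
    text = aligned.decode("utf-16-le")
    return text[:-1] if text.endswith("\x00") else text


def scan(values: dict) -> dict:
    """Return {value name: SzCheck} for every value -z would report."""
    flagged = {}
    for name, data in values.items():
        result = check_sz(data)
        if not result.ok:
            flagged[name] = result
    return flagged


# Constructed sample values, shaped like what an application leaves behind
# when it passes a miscounted cbData to RegSetValueEx.
SAMPLE_VALUES = {
    "Good":      "NOTEPAD.EXE".encode("utf-16-le") + NUL,
    "NoNull":    "NOTEPAD.EXE".encode("utf-16-le"),               # terminator omitted
    "OddLength": "NOTEPAD.EXE".encode("utf-16-le") + NUL + b"\x00",  # one stray byte
    "OddNoNull": "NOTEPAD.EXE".encode("utf-16-le")[:-1],          # cut mid-character
}

if __name__ == "__main__":
    for name, result in scan(SAMPLE_VALUES).items():
        before = SAMPLE_VALUES[name]
        after = fix_sz(before)
        print(f"{name}: odd_length={result.odd_length} "
              f"missing_null={result.missing_null}")
        print(f"    {len(before)} -> {len(after)} bytes, now {decode_sz(after)!r}")
```

Run it as-is to see which of the four constructed values -z would report and what each becomes after the repair; the "Good" value is untouched, which is the property to confirm before pointing the real switch at a live hive.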