Regfind - a Win32 registry search utility

1. Introduction

Regfind is a utility for searching through a Win32 registry. This is the first version of the program and is meant for use with NT and other Win32 platforms. It has been tested with NT 3.5 beta 2. Regfind started off as a Perl utility for Windows NT, but this version has been rewritten in C. It has not undergone exhaustive testing and hence I would welcome any bug reports you might have.

This utility does not write to the registry and should, therefore, not cause any damage to it. Microsoft has stated over and over again that modifications to the registry can render the system unusable. Regfind does not modify the registry in any way. However, please read the disclaimer in section 6 below.

Regfind is a console application: you can run it from a DOS box just like the old command line programs. I intend to put a GUI front-end on it sometime, but I cannot promise when that will be. Regfind accepts various parameters; they are explained in the section below.

Thanks to this program I have been able to unearth vestiges of obsolete data. After I had changed network names on a few nodes I noticed that my machine was extremely slow when certain programs were started. I searched for the old machine names, deleted them from the registry and speed was restored. Those applications were waiting for the old hosts to respond and only continued after a timeout error was reported. Thus removing those names from the registry caused the applications to start faster.

The current version is 0.3, dated 31-August-1994.

2. Usage

The command line syntax for executing regfind is:

    regfind {<control argument>} [<pattern>]

Regfind may be followed by zero or more control arguments which, in turn, may be followed by a pattern to be searched for. Omitting the pattern and all control arguments results in all data in the registry being shown. This can be quite large; you can restrict it by turning on various filters by means of control arguments.
Control arguments start with a "-" or a "/" character; in this document we will use "-". The generated output is displayed in the form:

    Full\key\path\separated\by\slashes   modification_time
        value1 = data1
        value2 = data2
        ...

Modification time is only displayed on Windows NT.

<control argument> may be one of the following:

    -key <keyname>
        The keyname specifies a pattern to search for in the registry keys. All subtrees whose key path contains <keyname> will be displayed.

    -value <value>
        The value pattern specifies a pattern to search for in value names. All value names which contain <value> will be displayed.

    -data <data>
        The data pattern specifies a pattern to search for in data. All string data which contain <data> will be displayed.

    -any <pattern>
        This is the same as typing <pattern> on its own; in other words, "regfind -any xxx" is equivalent to "regfind xxx". This will cause the program to display all value/data pairs and keys which contain <pattern>.

    -hive <hive>
        The hive name must be one of the 4 predefined hives:
            HKEY_LOCAL_MACHINE
            HKEY_CURRENT_USER
            HKEY_USERS
            HKEY_CLASSES_ROOT

    -node \\nodename
        nodename must be running a Win32 OS and must be accessible through a Microsoft supported network.

    -before 19yy/mm/dd [hh:mm]
        This will show all keys and their associated value/data pairs which were modified before the specified time. Available only on NT.

    -after 19yy/mm/dd [hh:mm]
        This will show all keys and their associated value/data pairs which were modified after the specified time. Available only on NT.

    -hidevalues
        Do not show value/data pairs; useful if only keys are required.

    -depth <depth>
        Do not go deeper than <depth> levels when traversing the registry tree. <depth> must be >= 1.

    -case
        Makes searches case-sensitive; the default is case-blind.

    -help
        Shows a short help screen.

<pattern> is a text string which specifies the data to be searched for in the registry. For example, typing "regfind blue" will show you all keys and value/data pairs which have the string "blue" in the key, value or data. This is the same as typing "regfind -any blue".
My favorite is "regfind raju", which shows me where the operating system has squirrelled away my name. "regfind -case raju" will perform a case-sensitive search. Try it out with your name.

To specify a parameter with embedded blanks, enclose it in double quotes. For example, 'regfind -key "Control Panel"' will display the control panel subtree in all 4 hives.

The -key, -value, -data and -hive control arguments may be used to restrict the amount of information displayed. They are like filters; specifying more than one will cause the filters to restrict the displayed information even more. Thus, "regfind -key xxx" will show all keys, values and data which are under a key which has xxx in it. "regfind -key xxx -value yyy" will only show those keys, values and data which have xxx in the keys and yyy in the value names. Similarly, "regfind -key xxx -value yyy -data zzz" will only show those which have xxx in the keys, yyy in the values and zzz in the data. The search can be restricted even more by turning on the -hive control argument. Currently, there are only 4 hives predefined in the Win32 registry (refer to the Win32 documentation for details).

The -any control argument cannot be used with -key, -value or -data.

Case-sensitivity can be turned on with the -case control argument. This affects the items specified by -key, -value, -data, -any and -hive.

The value/data line is shortened so that it fits into a normal window with 80 columns.

3. Examples

Typing "regfind" on its own will display the whole registry: everything under all four hives.

Typing "regfind blue" (which is incidentally the same as typing "regfind -any blue") will show you
    - all subtrees where blue occurs in the full key name
    - all value/data pairs where blue occurs in the value name
    - all value/data pairs where blue occurs in the data field

If you are looking for a certain string in the key, value or data, you could use the appropriate control argument.
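The filter semantics described above (-key, -value, -data, -any, -hive, -case and -depth) as an added illustration, not regfind's own source: a small Python model that runs the same substring filters over a constructed in-memory registry tree instead of the live Win32 registry, so it works offline. The tree layout, hive contents and the stale host name in it are constructed sample data, and the function returns matching value/data pairs rather than printing key headers.

```python
# Constructed sample registry: {key_name: {"values": {name: data}, "subkeys": {...}}}
SAMPLE = {
    "HKEY_LOCAL_MACHINE": {"values": {}, "subkeys": {
        "SOFTWARE": {"values": {}, "subkeys": {
            # a stale server name of the kind the README describes finding
            "Classes": {"values": {"Server": "\\\\OLDHOST\\share"}, "subkeys": {}},
        }},
        "SYSTEM": {"values": {"ComputerName": "HUMBUG"}, "subkeys": {}},
    }},
    "HKEY_CURRENT_USER": {"values": {}, "subkeys": {
        "Control Panel": {"values": {"Wallpaper": "blue.bmp"}, "subkeys": {
            "Colors": {"values": {"Background": "0 0 128"}, "subkeys": {}},
        }},
    }},
}


def _contains(hay, needle, case):
    """Substring test; a filter that was not given (None) always matches."""
    if needle is None:
        return True
    return needle in hay if case else needle.lower() in hay.lower()


def regfind(tree, key=None, value=None, data=None, any_=None, hive=None,
            case=False, depth=None):
    """Return [(full_key_path, value_name, data)] for value/data pairs that
    pass every given filter. Filters AND together like regfind's options;
    -any is exclusive of -key/-value/-data; -depth counts the hive as level 1."""
    if any_ is not None and (key or value or data):
        raise ValueError("-any cannot be combined with -key, -value or -data")
    hits = []

    def walk(node, path, level):
        if depth is not None and level > depth:
            return
        for name, entry in node.items():
            if level == 1 and not _contains(name, hive, case):
                continue                      # -hive filters at the top level
            full = path + "\\" + name if path else name
            for vname, vdata in entry["values"].items():
                if any_ is not None:          # match key path, value name or data
                    ok = any(_contains(s, any_, case) for s in (full, vname, str(vdata)))
                else:
                    ok = (_contains(full, key, case) and _contains(vname, value, case)
                          and _contains(str(vdata), data, case))
                if ok:
                    hits.append((full, vname, vdata))
            walk(entry["subkeys"], full, level + 1)

    walk(tree, "", 1)
    return hits
```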
To see all subtrees of the control panel, type "regfind -key panel". This will not show value/data pairs where the word control is in the data or value name.

To turn on case-sensitivity use -case. I prefer the default case-blind searches.

To hide value/data pairs use the -hidevalues control argument.

To see everything under the HKEY_LOCAL_USER hive, type "regfind -hive local_user". For just the keys under the same hive, type "regfind -hive local_us -hidevalues".

For remote registry access on node humbug, type "regfind -node \\humbug". Note that only two of the four predefined hives (HKEY_LOCAL_MACHINE, HKEY_USERS) are accessible over a network. The command above will display everything in those two hives. Typing "regfind -node \\humbug humbug" will reveal where the machine stores the machine name.

4. Contacting me

I would welcome any constructive criticism regarding the program, its usefulness to you and any assorted ideas you have which might improve it. However, I cannot guarantee a response and, further, I cannot guarantee that I will fix bugs and/or incorporate your ideas into a future version.

Mail address:
    Raju Varghese
    Intellisoft Inc.
    Stoeckmattstr. 3
    CH-5316 Leuggern
    Switzerland

Fax:        +41 56 455 140
email:      raju@inso.pr.net.ch
compuserve: 100116,1001

5. Future enhancement

This version is admittedly quite spartan. It is satisfactory for simple searches. However, I intend to expand it. A Windows GUI will be added at some point. The patterns are simple text strings; I intend to implement full regular expressions in future.

6. Legalese

Regfind is supplied "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair or correction.
Copyright (c) 1994 Raju Varghese, Intellisoft Inc., Switzerland All Rights Reserved