Skip to main content.

RegFind - a Win32 registry search utility

Introduction

Regfind is a utility for searching through a Win32 registry. This program and is meant for use with NT and other win32 platforms. It has been tested with NT 3.5x, 4.0 and Windows 2000. Regfind started off as a perl utility for Windows NT but was rewritten in C as the perl interpreter, at that time, had a bug in the registry access functions. It has undergone exhaustive testing but, nevertheless, I would welcome any bug-reports you might have. This utility does not write to the registry and should, therefore, not cause any damage to it. Microsoft has stated over and over again that modifications to the registry can render the system unusable. Regfind does not modify the registry in any way. However, please read the disclaimer in section 6 below.

Regfind is a console application: you can run it from a DOS box just like other command line programs. A GUI front-end would be nice but for simplicity that has been eschewed. In the meantime many such applications are now available. Regfind accepts various parameters and they are explained in the section below.

Thanks to this program I have been able to unearth vestiges of obsolete data. After I had changed network names on a few nodes I noticed that my machine was extremely slow when certain programs were started. I searched for old machine names, deleted them from the registry and speed was restored. Those applications were apparently waiting for the old hosts to respond and only after a time-out error was reported did they continue. Thus removing those names from the registry caused the application to start faster.

The current version is 0.7 dated 06-May-1995.

A zip file containing the distribution may be downloaded from my Web server (check http://www.intsoft.com/products/ for details).

Usage

The command line syntax for executing regfind is: "Regfind {<control argument>} [pattern]". Regfind may be followed by zero or more control arguments which, in turn, may be followed by a pattern to be searched for. Omitting pattern and control arguments will result in all data in the registry to be shown. As this can be quite large, you can restrict it by turning on various filter by means of control arguments. Control arguments start with a "-" or a "/" character; in this document we will use "-".

The generated output is displayed in the form:

Full\key\path\separated\by\slashes modification_time
value1 = data1
value2 = data2
...

Modification time is only displayed on Windows NT as the Win32 implementation on Win95 does not store the date and time.

A <control argument> may one of the following:

• -key <key pattern> the key name specifies a pattern to search for in the registry keys. All sub-trees which contain <key pattern> will displayed.
• -value <value pattern> the value pattern specifies a pattern to search for in values. All value names which contain <value pattern> will be displayed.
• -data <data pattern> the data pattern specifies a pattern to search for in data. All string data which contain <data pattern> will be displayed.
• -any <pattern> this is the same as typing <pattern> on its own; in other words, "regfind -any xxx" is equivalent to "regfind xxx". This will cause the program to display all value/data pairs and keys that contain <pattern>.
• -hive <hive name> hive name must be one of the 4 predefined hives: HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, HKEY_USERS or HKEY_CLASSES_ROOT.
• -node \nodename nodename must be running a win32 OS and must be accessible through a Microsoft supported network.
• -before 19yy/mm/dd [hh:mm[:ss]] this will show all keys and its associated value/data pairs which were modified before the specified time. Available only on NT. If you supply time as well put the whole parameter in quotes, e.g. -before "1995/1/3 10:34". The specified time is assumed to be the local time.
• -after 19yy/mm/dd [hh:mm[:ss]] this will show all keys and its associated value/data pairs which were modified after the specified time Available only on NT. If you supply time as well put the whole parameter in quotes, e.g. -after "1994/3/4 11:35" The specified time is assumed to be the local time.
• -hidevalues do not show value/data pairs; useful if only keys are to be seen
• -depth <number> do not go deeper than <number> levels deep when traversing the registry tree. <number> must be >= 1.
• -case makes searches case-sensitive; default is case-blind.
• -showerror shows errors which are returned from the API; these usually indicate security errors or that there is more data. The latter one is due to the fact that RegFind has a buffer of approx. 1k and there are large binary data in the registry (> 8k).
• -help shows a short help screen

Pattern is a text string which specifies the data to be searched for in the registry. For example, typing regfind blue will show you all keys, value/data pairs which have the string "blue" in the key, value or data. This is the same as typing regfind -any blue. My favorite is regfind raju which shows me where the operating system has squirreled away my name. Regfind -case raju will perform a case-sensitive search. Try it out with your name.

To specify a parameter with embedded blanks, enclose it in double-quotes. For example regfind -key "Control Panel" will display the control panel sub-trees in all 4 hives.

The -key, -value, -data and -hive control arguments may be used to restrict the amount of information displayed. They are like filters; specifying more than one will cause the filters to restrict the displayed information even more. Thus, regfind -key xxx will show all keys, values and data that are under a key which has xxx in it. Regfind -key xxx -value yyy will only show those keys values and data that have xxx in the keys and yyy in the value names. Similarly, regfind -key xxx -value yyy -data zzz will only show those which have xxx in the keys, yyy in the values and zzz in the data. The search can be restricted even more by turning on the -hive control argument. Currently, there are only 4 hives predefined in the Win32 registry (refer to the win32 documentation for details). The -any control argument cannot be used together with -key, -value or -data.

Case-sensitivity can be turned on with the -case control argument. This affects the items specified by the -key, -value, -data, -any and -hive. The value/data line is shortened so that it fits into a normal window with 80 columns.

Examples

Typing regfind on its own will display the whole registry: everything under all the four hives will get spewed on your screen. Typing regfind blue (which is incidentally the same as typing regfind -any blue) will show you

1. all sub-trees where blue occurs in the full key name
2. all value/data pairs where blue occurs in the value name
3. all value/data pairs where blue occurs in the data field

If you are looking for a certain string in the key, value or data you could use the appropriate control argument. To see all sub-trees of the control panel type regfind -key panel. This will not show value/data pairs where the word control is in the data or value name.

To see everything under the HKEY_LOCAL_USER hive, type regfind -hive local_user. For just the keys under the same hive type regfind -hive local_us -hidevalues. Note that an incomplete hive name may be specified: it will match all hives that contain the specified string.

For remote registry access on node humbug type regfind -node \humbug. Note that only two of the four pre-defined hives - HKEY_LOCAL_MACHINE and HKEY_USERS - are accessible over a network. The command above will display everything in those two hives. Actually, the data of the two missing keys are in here as well; the missing hives are just links to subkeys within HKEY_LOCAL_MACHINE and HKEY_USERS. Typing regfind -node \humbug humbug will reveal where the machine stores the machine name.

Contacting me

I would welcome any constructive criticism regarding the program, its usefulness to you and any assorted ideas you have which might improve it. However, I cannot guarantee a response and, further, I cannot guarantee that I will fix bugs and/or incorporate your ideas into a future version.

Please use the feedback form to contact me as the scourge of spam has forced me to take off my email address form my site.

Revisions

0.3 to 0.4	check all types; not just REG_SZ. Other types are considered as strings. Convert non-printable data to '.'
0.4 to 0.5	added error display with "-showerror". Check if running on Win32s and if so, abort. DWORD binary data are converted to printable hex form so that simple numerical searches can be performed.
0.5 to 0.6	made a stupid error with checking if running on win32s.
0.6 to 0.7	the time in before and after can have seconds and is now in local time and not GMT. Fixed bug that prevented empty keys from showing up in the output.

Legalese

Please read our license before using RegFind.

Miscellaneous

I was informed by a user that use of Regfind on a Win32s system can cause it to hang. I have confirmed this but do not have a solution for it now. In the mean time, I have added code which will stop Regfind if it running on a Win32s system. Note: is there anyone actually using Win32s. For that matter, RegFind can also be considered old.

Copyright © 1994-2004 Intellisoft AG, Switzerland • Last updated on 2006-10-17 08:56
Comments or questions? Contact the Webmaster • Privacy policy • Disclaimer