More information about internal regf files format:
- https://github.com/libyal/libregf/blob/master/documentation/Windows%20NT%20Registry%20File%20(REGF)%20format.asciidoc
- https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md
This set of utils is designed primarily for analysis of the corrupted registry files.
Each utility shows file content from own point of view:
- as a container of elements of variable length, where some elements could contain links to other elements
- as as tree of keys and values with more or less detailed info about each of them
Besides of main analysis work each utility verifies data consistency by checking for orphaned cells, cells with multiple reference, required minimum cell size, cell signatures, etc.
The following OS(s) are tested/supported:
- FreeBSD
- GNU/Linux
To build utils from sources just run as regular user:
$ make
and to install them, run the following command as privileged user:
# make install
Package contains few utils:
- regfdump - dumps registry file in element by element manner independently of logical tree structure
- regfwalk - walk over the registry tree and print every portion of info about each founded element
- regftree - lite version of regfwalk: print only logical tree structure (keys hierarchy) and values
Each utils require only registry filename as command line argument. Main data printed to STDOUT, while error/warning messages printed to STDERR.
Examples:
$ regfdump WIDNOWS/system32/config/SYSTEM
or
$ regfwalk WINDOWS/system32/config/SOFTWARE
or
$ regftree WINDOWS/system32/config/SOFTWARE
- make utils more resistant to corrupted input files
- add internal help
This project is licensed under the terms of the ISC license. See the LICENSE file for license rights and limitations.