
regfind.html
Posted Aug 17, 1999

NT RegFind manual.

SHA-256 | 7e90abd3816473302cf2778c8ab09834c2a0695f97db9583347f3134ca262f53

<HTML>
<HEAD>
<TITLE>NT RegFind</TITLE>
</HEAD>

<BODY bgcolor=FFFFFF>
<H1>NT RegFind - a Win32 registry search utility</H1>
<h2>This document was written by the author and is presented here without
modification. No Warranties of any kind are made.</h2>

<UL>
<LI><A HREF="#1">1. Introduction</A>
<LI><A HREF="#2">2. Usage</A>
<LI><A HREF="#3">3. Examples</A>
<LI><A HREF="#4">4. Contacting the Author</A>
<LI><A HREF="#5">5. Future Enhancement</A>
<LI><A HREF="#6">6. Legalese</A>
</UL>

<A NAME="1">
<H1>1. Introduction</H1>

Regfind is a utility for searching through a win32 registry. This is
the first version of the program and is meant for use with NT. It
has been tested with NT 3.5 beta 2. It started off as a perl utility
for Windows NT but has been rewritten in C. It has not undergone
exhaustive testing and hence I would welcome any bug-reports you might
have. This utility does not write to the registry and should, hence,
not cause any damage to it. Microsoft has stated over and over again
that modifications to the registry can render the system unusable.
Regfind does not modify the registry in any way.
<P>
Regfind is a console application: you can run it from a dos box just
like the old command line programs. I intend to put a GUI front-end
on it sometime but I cannot promise when that will be. Regfind accepts
various parameters and they are explained in the section below.
<P>
Thanks to this program I have been able to unearth vestiges of
obsolete data. After I had changed network names on a few nodes I
noticed that my machine was extremely slow when certain programs were
started. I searched for old machine names, deleted them from the
registry and speed was restored. Those applications were waiting for
the old hosts to respond and only after a timeout error was reported
did they continue. Thus removing those names from the registry caused
the application to start faster.


<A Name="2">
<H1>2. Usage</H1>

The command line syntax for executing regfind is:
<LISTING>
Regfind {&lt;control argument&gt;} [pattern]
</LISTING>
Regfind may be followed by zero or more control arguments which, in
turn, may be followed by a pattern to be searched for. Omitting the pattern
and control arguments will result in all data in the registry being
shown. This output can be quite large; you can restrict it by turning on
various filters by means of control arguments. Control arguments start
with a "-" or a "/" character; in this document we will use "-".
<P>
The generated output is displayed in the form:
<LISTING>
Full\key\path\separated\by\slashes
value1 = data1
value2 = data2
...
</LISTING>
&lt;control argument&gt; may be one of the following:

<UL>
<LI><B>-key &lt;key pattern&gt;</B><BR>
the key pattern specifies a pattern to search for in the registry
keys. All subtrees which contain &lt;key pattern&gt; will be displayed.
<LI><B>-value &lt;value pattern&gt;</B><BR>
the value pattern specifies a pattern to search for in values.
All value names which contain &lt;value pattern&gt; will be displayed.
<LI><B>-data &lt;data pattern&gt;</B><BR>
the data pattern specifies a pattern to search for in data.
All string data which contain &lt;data pattern&gt; will be
displayed.
<LI><B>-any &lt;pattern&gt;</B><BR>
this is the same as typing &lt;pattern&gt; on its own; in other
words, "regfind -any xxx" is equivalent to "regfind xxx". This
will cause the program to display all value/data pairs and keys
which contain &lt;pattern&gt;.
<LI><B>-hive &lt;hive name&gt;</B><BR>
hive name must be one of the 4 predefined hives:<BR>
HKEY_LOCAL_MACHINE<BR>
HKEY_CURRENT_USER<BR>
HKEY_USERS<BR>
HKEY_CLASSES_ROOT

<LI><B>-before 19yy/mm/dd [hh:mm]</B><BR>
this will show all keys and their associated value/data
pairs which were modified before the specified time
<LI><B>-after 19yy/mm/dd [hh:mm]</B><BR>
this will show all keys and their associated value/data
pairs which were modified after the specified time


<LI><B>-hidevalues</B><BR>
do not show value/data pairs; useful if only keys are
required
<LI><B>-case</b><BR>
makes searches case-sensitive; default is case-blind.
<LI><B>-help</B><BR>
shows a short help screen
</UL>
Pattern is a text string which specifies the data to be searched for
in the registry. For example, typing "regfind blue" will show you all
keys, value/data pairs which have the string "blue" in the key, value
or data. This is the same as typing "regfind -any blue". My favorite
is "regfind raju" which shows me where the operating system has
squirrelled away my name. "Regfind -case raju" will perform a case-
sensitive search. Try it out with your name.
<P>
To specify a parameter with embedded blanks, enclose it in
double-quotes. For example, regfind -key "Control Panel" will display
the control panel subtree in all 4 hives.
<P>
The -key, -value, -data and -hive control arguments may be used to
restrict the amount of information displayed. They are like filters;
specifying more than one will cause the filters to restrict the
displayed information even more. Thus, "regfind -key xxx" will show
all keys, values and data which are under a key which has xxx in it.
"regfind -key xxx -value yyy" will only show those keys, values and
data which have xxx in the keys and yyy in the value names. Similarly,
"regfind -key xxx -value yyy -data zzz" will only show those which
have xxx in the keys, yyy in the values and zzz in the data. The search
can be restricted even more by turning on the -hive control argument.
Currently, there are only 4 hives predefined in the Win32 registry
(refer to the win32 documentation for details). The -any control
argument cannot be used with -key, -value or -data.
<P>
Case-sensitivity can be turned on with the -case control argument.
This affects the items specified by the -key, -value, -data, -any and
-hive. The value/data line is shortened so that it fits into a normal
window with 80 columns.
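<P>
The filter rules described above, modelled in Python over a small constructed registry. This is an added example, not regfind's own C source: <TT>REGISTRY</TT>, <TT>regfind()</TT> and its parameter names are illustrative, and treating -hive as a substring match is an assumption.

```python
# Added example: models the regfind filter rules over a constructed registry.
# REGISTRY, regfind() and its parameter names are assumptions for illustration.

# Constructed sample: full key path -> {value name: string data}
REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Acme\Backup": {"Server": "OLDHOST01", "Port": "8080"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\Services\OldHost01Agent": {"Start": "2"},
    r"HKEY_CURRENT_USER\Control Panel\Colors": {"Background": "blue"},
    r"HKEY_CURRENT_USER\Network\Z": {"RemotePath": r"\\oldhost01\share"},
}

def regfind(registry, key=None, value=None, data=None, any_=None,
            hive=None, case=False):
    """Return {key path: {value name: data}} for entries passing the filters."""
    if any_ is not None and (key or value or data):
        raise ValueError("-any cannot be used with -key, -value or -data")
    norm = (lambda s: s) if case else str.lower   # default is case-blind
    has = lambda pat, text: norm(pat) in norm(text)
    hits = {}
    for path, values in registry.items():
        # Assumption: -hive is matched as a substring of the hive name.
        if hive and not has(hive, path.split("\\", 1)[0]):
            continue
        if any_ is not None:
            # A match in the full key path shows the whole key; otherwise
            # only the value/data pairs that contain the pattern are shown.
            shown = values if has(any_, path) else {
                n: d for n, d in values.items() if has(any_, n) or has(any_, d)}
            if has(any_, path) or shown:
                hits[path] = shown
            continue
        # Matching on the full path gives subtree behaviour for -key.
        if key and not has(key, path):
            continue
        # -value and -data are combined with AND on each value/data pair.
        shown = {n: d for n, d in values.items()
                 if (not value or has(value, n)) and (not data or has(data, d))}
        # Keep a key with no surviving pairs only if no pair filter was given.
        if shown or not (value or data):
            hits[path] = shown
    return hits
```

Calling <TT>regfind(REGISTRY, any_="oldhost01")</TT> reproduces the stale-host-name hunt from the introduction: it returns the three keys that still refer to the old machine name, whether in the key path or in the data.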


<A NAME="3">
<H1>3. Examples</H1>

Typing "regfind" on its own will display the whole registry:
everything under all the four hives. Typing "regfind blue" (which is
incidentally the same as typing "regfind -any blue") will show you
<UL>
<LI>all subtrees where blue occurs in the full key name
<LI>all value/data pairs where blue occurs in the value name
<LI>all value/data pairs where blue occurs in the data field
</UL>

If you are looking for a certain string in the key, value or data
you could use the appropriate control argument. To see all subtrees
of the control panel, type "regfind -key panel". This will not show
value/data pairs where the word panel is in the data or value
name.
<P>
To turn on case-sensitivity use -case. I prefer the default case-blind
searches. To hide value-data pairs use the -hidevalues control
argument.
<P>
To see everything under the HKEY_LOCAL_USER hive, type
"regfind -hive local_user". For just the keys under the same hive
type "regfind -hive local_us -hidevalues".


<A NAME="4">
<H1>4. Contacting the author</H1>

I would welcome any constructive criticism regarding the program, its
usefulness to you and any assorted ideas you have which might improve
it. However, I cannot guarantee a response and, further, I cannot
guarantee that I will fix bugs and/or incorporate your ideas into a
future version.
<UL>
<LI>Mail address:
Raju Varghese
Intellisoft Inc.
Stoeckmattstr. 3
CH-5316 Leuggern
Switzerland

<LI>Fax: +41 56 455 140
<LI>email: raju@inso.pr.net.ch
<LI>compuserve: 100116,1001
</UL>

<A NAME="5">
<H1>5. Future enhancement</H1>

This version is admittedly quite spartan. It is satisfactory for simple
searches. However, I intend to expand it.
<P>

A parameter for maximum depth will be added so that the search can be
restricted to a certain depth. A Windows GUI will be added at some
point. The patterns are simple text strings; I intend to implement
full regular expressions in future.


<A NAME="6">
<H1>6. Legalese</H1>

Regfind is supplied "as is" without warranty of any kind, either
expressed or implied, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose.
The entire risk as to the quality and performance of the program is
with you. Should the program prove defective, you assume the cost of
all necessary servicing, repair or correction.
<P>

Copyright (c) 1994 Raju Varghese, Intellisoft Inc., Switzerland
All Rights Reserved


<HR>
</BODY>
</HTML>