reglookup(1)
NAME
reglookup-recover - Windows NT+ registry deleted data recovery tool
SYNOPSIS
reglookup-recover [options] registry-file
DESCRIPTION
reglookup-recover attempts to scour a Windows registry hive for deleted
data structures and outputs those found in a CSV-like format.
OPTIONS
reglookup-recover accepts the following parameters:
-v Verbose output.
-h Enables the printing of a column header row. (default)
-H Disables the printing of a column header row.
-l Display cells which could not be interpreted as valid registry
structures at the end of the output.
-L Do not display cells which could not be interpreted as valid
registry structures. This is the default behavior.
-r Display raw cell contents for cells which were interpreted as
intact data structures. This additional output will appear on
the same line as the interpreted data.
-R Do not display raw cell contents for cells which were interpreted
as intact data structures. This is the default behavior.
registry-file
Required argument. Specifies the location of the registry file
to read. The system registry files should be found under:
%SystemRoot%/system32/config.
OUTPUT
reglookup-recover generates a comma-separated values (CSV) like output
and writes it to stdout. For more information on the syntax of the general
format, see reglookup(1).
This tool is new and the output format, particularly the included columns,
may change in future revisions. When this format stabilizes, additional
documentation will be included here.
EXAMPLES
To dump the recoverable contents of a system registry hive:
reglookup-recover /mnt/win/c/WINDOWS/system32/config/system
Extract all available unallocated data, including unparsable unallocated
space and the raw data associated with parsed cells in a user-specific
registry:
reglookup-recover -r -l '/mnt/win/c/Documents and Settings/user/NTUSER.DAT'
BUGS
This program has been smoke-tested against most current Windows target
platforms, but a comprehensive test suite has not yet been developed.
(Please report results to the development mailing list if you encounter
any bugs. Sample registry files and/or patches are greatly appreciated.)
This program is new as of RegLookup release 0.9.0 and should be considered
unstable.
For more information on registry format details and the recovery algorithm,
see:
http://sentinelchicken.com/research/registry_format/
http://sentinelchicken.com/research/registry_recovery/
CREDITS
This program was written by Timothy D. Morgan.
LICENSE
Please see the file "LICENSE" included with this software distribution.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License version 3 for more details.
SEE ALSO
reglookup-timeline(1) reglookup-recover(1)
File Conversion Utilities 16 December 2016 reglookup(1)