reglookup-recover - Online in the Cloud

PROGRAM:

NAME

reglookup-recover - Windows NT+ registry deleted data recovery tool

SYNOPSIS

reglookup-recover [options] registry-file

DESCRIPTION

reglookup-recover attempts to scour a Windows registry hive for deleted data structures
and outputs those found in a CSV-like format.

OPTIONS

reglookup-recover accepts the following parameters:

-v Verbose output.

-h Enables the printing of a column header row. (default)

-H Disables the printing of a column header row.

-l Display cells which could not be interpreted as valid registry structures at the
end of the output.

-L Do not display cells which could not be interpreted as valid registry structures.
This is the default behavior.

-r Display raw cell contents for cells which were interpreted as intact data
structures. This additional output will appear on the same line as the interpreted
data.

-R Do not display raw cell contents for cells which were interpreted as intact data
structures. This is the default behavior.

registry-file
Required argument. Specifies the location of the registry file to read. The system
registry files should be found under: %SystemRoot%/system32/config.

OUTPUT

reglookup-recover generates a comma-separated values (CSV) like output and writes it to
stdout. For more information on the syntax of the general format, see reglookup(1).

This tool is new and the output format, particularly the included columns, may change in
future revisions. When this format stablizes, additional documentation will be included
here.

EXAMPLES

To dump the recoverable contents of a system registry hive:

reglookup-recover /mnt/win/c/WINDOWS/system32/config/system

Extract all available unallocated data, including unparsable unallocated space and the raw
data associated with parsed cells in a user-specific registry:

reglookup-recover -r -l '/mnt/win/c/Documents and Settings/user/NTUSER.DAT'

Use reglookup-recover online using onworks.net services