usage: REGFIND [-h hivefile hiveroot | -w Win95 Directory | -m \\machinename]
               [-i n] [-o outputWidth] [-p RegistryKeyPath]
               [-z | -t DataType] [-b | -B] [-y] [-n]
               [searchString [-r ReplacementString]]

where:
    -h specifies a local hive to manipulate.
    -w specifies the path to the Windows 95 system.dat and user.dat files.
    -m specifies a remote Windows NT machine whose registry is to be manipulated.
    -i n specifies the display indentation multiple. Default is 4.
    -o outputWidth specifies how wide the output is to be. By default the
       outputWidth is set to the width of the console window if standard output
       has not been redirected to a file. In the latter case, an outputWidth of
       240 is used.
    -p registryPath specifies where to start searching. Valid prefix names for
       easy access to well known parts of the registry are:
           HKEY_LOCAL_MACHINE -> \Registry\Machine
           HKEY_USERS         -> \Registry\Users
           HKEY_CURRENT_USER  -> \Registry\Users\...
           USER:              -> HKEY_CURRENT_USER
    -t specifies which registry types to look at: REG_SZ, REG_MULTI_SZ,
       REG_EXPAND_SZ, REG_DWORD, REG_BINARY, REG_NONE. Default is any of the
       _SZ types.
    -b only valid with _SZ searches, and specifies that REGFIND should look for
       occurrences of the searchString inside of REG_BINARY data. May not be
       specified with a replacementString that is not the same length as the
       searchString.
    -B same as -b but also looks for the ANSI version of the string within
       REG_BINARY values.
    -y only valid with _SZ searches, and specifies that REGFIND should ignore
       case when searching.
    -n specifies to include key and value names in the search. May not specify
       -n with -t.
    -z specifies to search for REG_SZ and REG_EXPAND_SZ values that are missing
       a trailing null character and/or have a length that is not a multiple of
       the size of a Unicode character. If -r is also specified then any
       replacement string is ignored, and REGFIND will add the missing null
       character and/or adjust the length up to an even multiple of the size of
       a Unicode character.

    searchString is the value to search for. Use quotes if it contains any
       spaces. If searchString is not specified, REGFIND just searches based on
       type.
    -r replacementString is an optional replacement string to replace any
       matches with.

    searchString and replacementString must be of the same type as specified
    with the -t switch:
        For any of the _SZ types, it is just a string.
        For REG_DWORD, it is a single number (i.e. 0x1000 or 4096).
        For REG_BINARY, it is a number specifying the number of bytes,
        optionally followed by the actual bytes, with a separate number for
        each DWORD (e.g. 0x06 0x12345678 0x1234). If just the byte count is
        specified, then REGFIND will search for all REG_BINARY values that
        have that length. May not search for length and specify -r.

    When doing replacements, REGFIND displays the value AFTER the replacement
    has been made. It is usually best to run REGFIND once without the -r switch
    to see what will be changed before it is changed.

To search for NOTEPAD in the SOFTWARE key of a user's unloaded registry hive, use the following syntax:
REGFIND -h "c:\winnt\Profiles\UserName\ntuser.dat" KEYR -p KEYR\Software NOTEPAD
The above will list all SOFTWARE sub-keys that contain the NOTEPAD string. The KEYR argument specifies the registry key name for the root key of this hive.
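As an added example (not part of REGFIND or of the original article), the small model below reproduces the matching rules the usage text describes, run over constructed in-memory registry values: the default _SZ search, case folding (-y), searching REG_BINARY data for the Unicode and ANSI forms of the string (-b/-B), key and value names (-n), REG_DWORD and byte-count REG_BINARY searches (-t), and the -z check for _SZ values that lack a terminator or have an odd byte length, together with the repair that -z -r performs. The key paths, value names and data are invented for the example; the DWORD-content form of a REG_BINARY search string is not modeled.

```python
"""Model of REGFIND-style value matching over constructed registry data (example code)."""
from dataclasses import dataclass

REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ = "REG_SZ", "REG_EXPAND_SZ", "REG_MULTI_SZ"
REG_DWORD, REG_BINARY = "REG_DWORD", "REG_BINARY"
SZ_TYPES = (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ)   # REGFIND's default -t set


@dataclass
class RegValue:
    key: str     # hypothetical key path in \Registry\... form
    name: str
    type: str
    data: bytes  # raw bytes as they would sit in the hive


def u16(s: str, terminate: bool = True) -> bytes:
    """Encode text the way the hive stores _SZ data: UTF-16LE, normally null-terminated."""
    return s.encode("utf-16-le") + (b"\x00\x00" if terminate else b"")


# Constructed sample values; none of these keys, names or data come from a real system.
APP = r"\Registry\Machine\Software\ExampleVendor\App"
VALUES = [
    RegValue(r"\Registry\Users\S-1-5-21-0-0-0-1001\Software\Classes\txtfile\shell\open\command",
             "(Default)", REG_SZ, u16("notepad.exe %1")),
    RegValue(APP, "Editor", REG_SZ, u16("NOTEPAD", terminate=False)),        # missing trailing null
    RegValue(APP, "Blob", REG_BINARY, b"\x01\x02" + u16("Notepad", False) + b"\xff"),  # Unicode text inside binary
    RegValue(APP, "Legacy", REG_BINARY, b"\x00NOTEPAD\x00"),                 # ANSI text inside binary
    RegValue(APP, "Timeout", REG_DWORD, (4096).to_bytes(4, "little")),
    RegValue(APP, "Paths", REG_MULTI_SZ, u16("c:\\tools\x00d:\\notepad\x00")),
    RegValue(APP, "Odd", REG_EXPAND_SZ, u16("%WINDIR%\\x", False)[:-1]),     # odd byte length, no null
]


def sz_text(v: RegValue) -> str:
    """Decode an _SZ value to text; a dangling odd byte is ignored and trailing nulls stripped."""
    even = v.data[: len(v.data) - len(v.data) % 2]
    return even.decode("utf-16-le", errors="replace").rstrip("\x00")


def malformed_sz(v: RegValue) -> bool:
    """The -z test: REG_SZ/REG_EXPAND_SZ must have even length and end in a Unicode null."""
    if v.type not in (REG_SZ, REG_EXPAND_SZ):
        return False
    return len(v.data) % 2 != 0 or not v.data.endswith(b"\x00\x00")


def fix_sz(data: bytes) -> bytes:
    """The repair -z -r applies: pad to an even length, then add the missing terminator."""
    if len(data) % 2:
        data += b"\x00"
    if not data.endswith(b"\x00\x00"):
        data += b"\x00\x00"
    return data


def find(values, search=None, types=SZ_TYPES, ignore_case=False,
         binary=False, ansi=False, names=False):
    """Return the values REGFIND would list for the given switch combination."""
    if names and types != SZ_TYPES:
        raise ValueError("-n may not be combined with -t")
    if binary and types != SZ_TYPES:
        raise ValueError("-b/-B is only valid with _SZ searches")
    fold = (lambda s: s.lower()) if ignore_case else (lambda s: s)   # works on str and bytes
    hits = []
    for v in values:
        if search is None:                          # no searchString: select on type only
            if v.type in types:
                hits.append(v)
        elif names and fold(search) in fold(v.key + "\\" + v.name):
            hits.append(v)                          # -n: key path or value name matches
        elif types == (REG_DWORD,):
            if v.type == REG_DWORD and int.from_bytes(v.data, "little") == int(search, 0):
                hits.append(v)
        elif types == (REG_BINARY,):                # byte-count search only
            if v.type == REG_BINARY and len(v.data) == int(search, 0):
                hits.append(v)
        elif v.type in types:
            if fold(search) in fold(sz_text(v)):
                hits.append(v)
        elif binary and v.type == REG_BINARY:       # -b: Unicode form, -B: also the ANSI form
            needles = [search.encode("utf-16-le")] + ([search.encode("latin-1")] if ansi else [])
            if any(fold(n) in fold(v.data) for n in needles):
                hits.append(v)
    return hits


def names_of(hits):
    return [v.name for v in hits]


if __name__ == "__main__":
    print("default search:", names_of(find(VALUES, "NOTEPAD")))
    print("-y -B:", names_of(find(VALUES, "NOTEPAD", ignore_case=True, binary=True, ansi=True)))
    print("-z:", [v.name for v in VALUES if malformed_sz(v)])
```

Running the search once without a replacement, as the usage text advises, corresponds to calling find() and reviewing the list before touching any data; fix_sz() is only applied to values that malformed_sz() flagged.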