Provided by: reglookup_1.0.1+svn287-10_amd64 bug

NAME
       reglookup-recover - Windows NT+ registry deleted data recovery tool


SYNOPSIS
       reglookup-recover [options] registry-file


DESCRIPTION
       reglookup-recover attempts to scour a Windows registry hive for deleted data structures and outputs those
       found in a CSV-like format.


OPTIONS
       reglookup-recover accepts the following parameters:

       -v     Verbose output.

       -h     Enables the printing of a column header row. (default)

       -H     Disables the printing of a column header row.

       -l     Display  cells  which  could  not  be  interpreted  as valid registry structures at the end of the
              output.

       -L     Do not display cells which could not be interpreted as valid  registry  structures.  This  is  the
              default behavior.

       -r     Display  raw  cell  contents  for  cells  which  were  interpreted as intact data structures. This
              additional output will appear on the same line as the interpreted data.

       -R     Do not display raw cell contents for cells which were interpreted as intact data structures.  This
              is the default behavior.

       registry-file
              Required  argument. Specifies the location of the registry file to read. The system registry files
              should be found under: %SystemRoot%/system32/config.


OUTPUT
       reglookup-recover generates a comma-separated values (CSV) like output and writes it to stdout. For  more
       information on the syntax of the general format, see reglookup(1).

       This  tool  is  new  and  the  output  format,  particularly  the  included columns, may change in future
       revisions. When this format stablizes, additional documentation will be included here.


EXAMPLES
       To dump the recoverable contents of a system registry hive:

            reglookup-recover /mnt/win/c/WINDOWS/system32/config/system

       Extract all available  unallocated  data,  including  unparsable  unallocated  space  and  the  raw  data
       associated with parsed cells in a user-specific registry:

            reglookup-recover -r -l '/mnt/win/c/Documents and Settings/user/NTUSER.DAT'


BUGS
       This  program  has  been  smoke-tested against most current Windows target platforms, but a comprehensive
       test suite has not yet been developed.  (Please report results to the development  mailing  list  if  you
       encounter any bugs. Sample registry files and/or patches are greatly appreciated.)

       This program is new as of RegLookup release 0.9.0 and should be considered unstable.

       For more information on registry format details and the recovery algorithm, see:

       http://sentinelchicken.com/research/registry_format/
       http://sentinelchicken.com/research/registry_recovery/


CREDITS
       This program was written by Timothy D. Morgan.


LICENSE
       Please see the file "LICENSE" included with this software distribution.

       This  program  is  distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
       the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU  General  Public
       License version 3 for more details.


SEE ALSO
       reglookup-timeline(1) reglookup-recover(1)

File Conversion Utilities                        20 August 2024                                     reglookup(1)