Saturday, July 30, 2016

RegtoText - NEW command-line executable converts Windows Registry file to readable text

.FILENAME
RegToText.exe

.SYNOPSIS 
Parses a valid Windows registry exported file (.reg) and translates indecipherable hex and decimal values into a human readable text file.

.PURPOSE
The aim of this command-line executable is to make a human readable registry file. This greatly aids in searching and understanding the Windows Registry, key for developers.

.DESCRIPTION 
RegToText is a Windows console application that deciphers the unreadable portions of a registry file into text. First, it checks for a valid Windows registry file with the .reg file extension. Then it validates the file header: "Windows Registry Editor Version 5.00" for Windows 2000, ME, XP, 7, Vista, 8, 8.1, 10+ and Server 2003+, or "REGEDIT4" for Windows 98, NT 4.0 and Server 2000 and earlier. Once both checks pass, the process translates all hexadecimal and decimal values into a Unicode text output file. Output is written in 250-line chunks; if the run ends prematurely or is cancelled, the output file contains everything up to the last chunk written. Output encoding can be UTF-8 or ASCII. Some non-printable characters are cleansed; read the ENCODING notes for details. The encoding chosen can drastically affect output file size.

The following common registry types are translated (the translation is denoted by "->"):

dword:(DWORD value)  -> [REG_DWORD] textvalue
hex(b):(QWORD value) -> [REG_QWORD] textvalue
hex:(binary value)   -> [REG_BINARY] textvalue
hex(2):(expandable string value) -> [REG_EXPAND_SZ] textvalue
hex(7):(multistring value) -> [REG_MULTI_SZ] textvalue
etc...
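As an added example (not the RegToText tool's own code), the Python below parses a constructed .reg export, validates the header the way the description above requires, and decodes the value types listed. The function names (reg_to_text, decode_value, validate_header), the sample key path and the sample values are this example's assumptions; the output layout is one readable form, not the tool's.

```python
"""Translate the common value types of a Windows .reg export into readable text.

Added example, not the RegToText tool's code. It mirrors the mapping listed on
the page: "value" -> REG_SZ, dword -> REG_DWORD, hex(b) -> REG_QWORD,
hex -> REG_BINARY, hex(2) -> REG_EXPAND_SZ, hex(7) -> REG_MULTI_SZ.
"""
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# Constructed sample export (not data from the page). The "Blob" value is
# continued over two lines with a trailing backslash, as regedit writes it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Name"="C:\\Example \"quoted\""
"Count"=dword:0000002a
"Big"=hex(b):ff,ff,ff,ff,ff,ff,ff,7f
"Blob"=hex:de,ad,be,\
  ef
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,00,00
"List"=hex(7):61,00,00,00,62,00,63,00,00,00,00,00
'''


def validate_header(text):
    """Accept only the two headers regedit writes; return the one found."""
    first = text.lstrip("\ufeff").splitlines()[0].strip()
    if first not in HEADERS:
        raise ValueError(f"not a registry export, header was {first!r}")
    return first


def _join_continuations(lines):
    """Merge hex data lines that end with a backslash into one logical line."""
    out, pending = [], ""
    for line in lines:
        stripped = line.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]
            continue
        out.append(pending + stripped)
        pending = ""
    return out


def _bytes_from_hex(csv):
    """'de,ad,be,ef' -> b'\\xde\\xad\\xbe\\xef'."""
    return bytes(int(h, 16) for h in csv.split(",") if h.strip())


def decode_value(raw):
    """Translate the right-hand side of a "name"=value line to (type, text)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    if raw.startswith("dword:"):
        return "REG_DWORD", str(int(raw[len("dword:"):], 16))
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", raw)
    if not m:
        return "UNKNOWN", raw
    kind, data = m.group(1), _bytes_from_hex(m.group(2))
    if kind is None:
        return "REG_BINARY", data.hex(" ")
    if kind == "b":
        return "REG_QWORD", str(int.from_bytes(data, "little"))
    if kind == "2":
        return "REG_EXPAND_SZ", data.decode("utf-16-le", "replace").rstrip("\x00")
    if kind == "7":
        parts = data.decode("utf-16-le", "replace").split("\x00")
        return "REG_MULTI_SZ", " | ".join(p for p in parts if p)
    return f"hex({kind})", data.hex(" ")  # other types are left as spaced hex


def reg_to_text(text):
    """Return readable lines: key paths unchanged, values as  name [TYPE] text."""
    validate_header(text)
    out = []
    for line in _join_continuations(text.splitlines()[1:]):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            out.append(line)
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m:
            out.append(f"  ?? {line}")  # unrecognised line, kept visible
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        typ, val = decode_value(m.group(2))
        out.append(f"  {name} [{typ}] {val}")
    return out


if __name__ == "__main__":
    print("\n".join(reg_to_text(SAMPLE_REG)))
```

Running the block prints the key path followed by one line per value, e.g. `Count [REG_DWORD] 42` and `Path [REG_EXPAND_SZ] %SystemRoot%`; the header check rejects anything that is not a regedit export before any decoding happens.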

.LIMITATIONS
Does not decode Darwin Descriptors, perhaps in future enterprise version. Vote for it.
Does not unpack packed GUIDs, perhaps in future enterprise version. Vote for it.

.REQUIREMENTS
32-bit app which requires .NET Framework 4 Client Profile.


.ENCODING
Null (\x00) characters are translated to spaces for both encodings. Null (\x00) characters are stripped. Characters outside the ASCII or UTF-8 range are stripped. Non-printable characters below decimal 30 are stripped, except for line feed and carriage return, for ASCII encoding. UTF-8 preserves more of the original source content, at the cost of a larger output file. More importantly, UTF-8 encoding passes a lot of unreadable and non-printable characters that may cause problems when scrolling large files in text editors. ASCII gives maximum readability and space savings. Large files over 1 GB benefit tremendously when loaded as ASCII into a text editor for scrolling and searching.
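An added Python illustration of the two cleansing modes described in these notes (not the tool's code). The function name cleanse, the sample line and the exact rule set are this example's own; where the notes say both that nulls become spaces and that they are stripped, the example applies the first rule, and it treats the "below decimal 30" stripping as an ASCII-mode rule.

```python
"""Output cleansing for the ASCII and UTF8 modes described in the ENCODING notes.

Added example, not the tool's code. Rules applied here (an assumption where
the notes are ambiguous): NUL becomes a space in both modes; in ASCII mode,
control characters below decimal 30 other than CR/LF and anything above 127
are dropped; in UTF8 mode only code points with no UTF-8 form (lone
surrogates) are dropped, so far more raw content reaches the output file.
"""


def cleanse(text, encoding="UTF8"):
    """Return text that can be written in the chosen output encoding."""
    if encoding not in ("UTF8", "ASCII"):
        raise ValueError("encoding must be UTF8 or ASCII")
    kept = []
    for ch in text:
        code = ord(ch)
        if code == 0:
            kept.append(" ")                        # NUL -> space
        elif encoding == "ASCII" and code < 30 and ch not in "\r\n":
            continue                                # non-printable, keep only CR/LF
        elif encoding == "ASCII" and code > 127:
            continue                                # outside the ASCII range
        elif 0xD800 <= code <= 0xDFFF:
            continue                                # lone surrogate has no UTF-8 form
        else:
            kept.append(ch)
    return "".join(kept)


def encoded_size(text, encoding="UTF8"):
    """Bytes the cleansed text occupies in the output file for this encoding."""
    codec = "utf-8" if encoding == "UTF8" else "ascii"
    return len(cleanse(text, encoding).encode(codec))


# Constructed sample decoded line: a NUL, a bell (7), a tab (9), two non-ASCII chars.
SAMPLE_LINE = "Na\x00me\x07\tcaf\u00e9 \u20ac\r\n"

if __name__ == "__main__":
    for enc in ("UTF8", "ASCII"):
        print(enc, repr(cleanse(SAMPLE_LINE, enc)), encoded_size(SAMPLE_LINE, enc), "bytes")
```

The sample line shrinks from 18 bytes in UTF8 mode to 11 bytes in ASCII mode, and the bell and tab that would confuse an editor only survive in UTF8 mode, which is the trade-off the notes describe.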

.TEXT EDITORS
Notepad and Notepad++ will not load 1 GB+ files. TextPad (memory limited), Notepad Light (up to 2 GB) and UltraEdit (claims 2^64-1 GB) will load files over 1 GB.

.PERFORMANCE 
Tested on 4.25M rows in 18 min 24 s, processing 921,572 subkeys and 2,344,590 key/value pairs.

.USAGE
RegtoText.exe [/h] [/v] [/s] inputfile.reg [/o:filename.txt] [/e:{UTF8|ASCII}]

.ARGUMENTS
[drive:][path]inputfile.reg            1st argument required
                                       Input registry file. If path omitted, default to current path. 
.FLAGS
(order not important)
/h|/help                               Help
/v|/version                            Version
/s|/silent                             Silent
/l|/license                            License
/e|/encoding:{UTF8|ASCII}              Output encoding. If omitted, default value:'UTF8'.

/o|/output:[drive:][path]filename.txt  Output text file. If omitted, default value:'inputfile.txt'.

.INPUT
Must be a valid registry file exported from REGEDIT.exe, ending in .reg.

.OUTPUT
Creates a Unicode text file with the .txt extension. If the output file already exists, there is no prompt to delete it; a timestamped file is created instead. Hexadecimal and decimal values are decoded according to the /e flag.


.EXAMPLE 
regtotext c:\Users\MDC\Documents\myfullregistryBCK.reg /e:ASCII

.AUTHOR 
metadataconsult@gmail.com (Metadata Consulting, ON, CDN) July 30, 2016

.LICENSE
Read the full license agreement using the /l flag, or pipe it into a text file with 'regtotext /l > RTTLic.txt' to read it in Notepad.

Download demo version. Read demo license.

For a commercial licensed version contact metadataconsult@gmail.com

Commercial version sample run on a new Windows 10 Pro install with Office 2016. 

Windows 10 Pro Registry Subkey Depth Frequency Distribution

The Windows 10 Pro Registry Subkey Depth Frequency Distribution graph is built by counting the number of keys in each registry path, separated by "\" backslashes. This count includes the hive key. The hive key is the first key in a registry path and starts with HKEY; in the example registry export below it is HKEY_LOCAL_MACHINE.

The subkey depth of the example exported registry path below is 8.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting System Queue Files]


The number of subkeys or registry "paths" in a new Windows 10 Pro with Office is approx. 1M. 

The average subkey depth is 8.2; the largest depth group is depth 6 with 233,583 subkeys, and the standard deviation is 2.510586.


Windows Registry Value Types Distribution

Not well publicized, but here are the Windows Registry Value Types Distribution numbers and graph for a Windows 7 Ultimate registry on a developer machine. To understand the registry in detail, see http://www.techsupportalert.com/content/deeper-windows-registry.htm or search this blog for "Registry".

Exported prefix   Registry data type                 Count
"value"           REG_SZ                           1417270
dword:            REG_DWORD                         531122
hex:              REG_BINARY                        347749
hex(2):           REG_EXPAND_SZ                      28945
hex(7):           REG_MULTI_SZ                       24957
hex(b):           REG_QWORD                           4561
hex(0):           REG_NONE                            1271
hex(8):           REG_RESOURCE_LIST                    259
hex(a):           REG_RESOURCE_REQUIREMENTS_LIST       244
hex(9):           REG_FULL_RESOURCE_DESCRIPTOR          31
hex(6):           REG_LINK                               0
Type frequency total                             2356409
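An added Python example (not the tool's code) that computes both distributions discussed on this page from an export: the subkey depth histogram with its mean and standard deviation, as described under the depth distribution above, and the per-type value counts laid out like the table just shown. The sample export, the function names (registry_stats, key_depth, classify_value, type_table) and the choice of the population standard deviation are this example's assumptions.

```python
"""Subkey depth and value-type frequency statistics over a .reg export.

Added example, not the tool's code. Depth is the number of backslash-separated
components of a key path, hive included (so the 8-component path below has
depth 8). Value types are classified from the exported prefix: "value",
dword:, hex:, hex(n):. Standard deviation is the population form (assumption).
"""
import re
import statistics
from collections import Counter

TYPE_NAMES = {
    "": "REG_BINARY", "0": "REG_NONE", "2": "REG_EXPAND_SZ", "6": "REG_LINK",
    "7": "REG_MULTI_SZ", "8": "REG_RESOURCE_LIST", "9": "REG_FULL_RESOURCE_DESCRIPTOR",
    "a": "REG_RESOURCE_REQUIREMENTS_LIST", "b": "REG_QWORD",
}
EXPORTED_PREFIX = {"REG_SZ": '"value"', "REG_DWORD": "dword:",
                   **{name: (f"hex({k}):" if k else "hex:") for k, name in TYPE_NAMES.items()}}
VALUE_RE = re.compile(r'^(?:@|"(?:[^"\\]|\\.)*")=(.*)$')   # "name"=...  or  @=...
HEX_RE = re.compile(r"hex(?:\(([0-9a-f])\))?:")

# Constructed sample export (not the page's data); "Data" spans two lines.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting System Queue Files]
"Flags"=dword:00000001

[HKEY_CURRENT_USER\Software\Example]
@="default"
"Label"="x"
"Data"=hex:01,\
  02
"Path"=hex(2):00,00
"List"=hex(7):00,00
"Big"=hex(b):00,00,00,00,00,00,00,00
"Odd"=hex(0):

[HKEY_CURRENT_USER\Software\Example\Sub]
'''


def key_depth(key_line):
    """'[HKEY_...\\a\\b]' -> number of path components, hive included."""
    return key_line.strip()[1:-1].count("\\") + 1


def classify_value(raw):
    """Map the exported value syntax to its registry type name."""
    if raw.startswith('"'):
        return "REG_SZ"
    if raw.startswith("dword:"):
        return "REG_DWORD"
    m = HEX_RE.match(raw)
    return TYPE_NAMES.get(m.group(1) or "", "UNKNOWN") if m else "UNKNOWN"


def registry_stats(text):
    """Depth histogram and type counts for one export."""
    depths, types = [], Counter()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            depths.append(key_depth(line))
        else:
            m = VALUE_RE.match(line)
            if m:                       # hex continuation lines have no '=' and are skipped
                types[classify_value(m.group(1))] += 1
    return {
        "subkeys": len(depths),
        "values": sum(types.values()),
        "depth_histogram": dict(sorted(Counter(depths).items())),
        "mean_depth": statistics.mean(depths) if depths else 0.0,
        "stdev_depth": statistics.pstdev(depths) if depths else 0.0,
        "type_counts": dict(types.most_common()),
    }


def type_table(stats):
    """Rows of (exported prefix, registry type, count), most frequent first."""
    return [(EXPORTED_PREFIX.get(t, "?"), t, n) for t, n in stats["type_counts"].items()]


if __name__ == "__main__":
    s = registry_stats(SAMPLE_REG)
    print("subkeys:", s["subkeys"], "depth histogram:", s["depth_histogram"])
    print("mean depth: %.2f  stdev: %.6f" % (s["mean_depth"], s["stdev_depth"]))
    for prefix, name, count in type_table(s):
        print(f"{prefix:<10}{name:<32}{count:>8}")
    print(f"{'Total':<42}{s['values']:>8}")
```

Point the script at a full regedit export (read the file with the encoding regedit used, UTF-16 for version 5.00 exports) to reproduce the page's two figures for your own machine; on the constructed sample it reports three subkeys at depths 3, 4 and 8 and eight values across seven types.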