RegFind Syntax

regfind [{-m \\ComputerName | -h HiveFile HiveRoot | -w Win95Directory}] [-i n] [-o OutputWidth] [-p RegistryKeyPath] [{-z | -t DataType}] [{-b | -B}] [-y] [-n] [SearchString [-r ReplacementString]]

Where:

-m \\ComputerName: specifies a remote Windows 2000 computer (machine) whose registry is to be manipulated.
-h HiveFile HiveRoot: specifies a local hive to manipulate.
-w Win95Directory: specifies the paths to Windows 95 system.dat and user.dat files.
-i n: specifies the display indentation multiple. Default is 4.
-o OutputWidth: specifies how wide the output is to be. By default OutputWidth is set to the width of the console window, if standard output (STDOUT) has not been redirected to a file. In the latter case, an OutputWidth of 240 is used.
-p RegistryKeyPath: specifies where in the registry to start searching. All entries below this point in the registry hierarchy are also searched. If no path is specified, RegFind searches the entire registry, which can be time consuming.
If the path contains spaces, it must be surrounded by quotations marks:
"Registry Key Path With Spaces"
-z: specifies to search for REG_SZ and REG_EXPAND_SZ values that are missing a trailing null character and/or have a length that is not a multiple of the size of a Unicode character. If -r is also specified, any replacement string is ignored and RegFind adds the missing null character and/or adjusts the length up to an even multiple of the size of a Unicode character.
-t DataType: specifies which registry types to search. DataType can be REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ, REG_DWORD, REG_BINARY, or REG_NONE. Default is any of the _SZ types.
-b: only valid with _SZ searches. Specifies that RegFind should look for occurrences of the SearchString inside of REG_BINARY data. May not be specified with a ReplacementString that is not the same length as the SearchString.
-B: same as -b but also looks for ANSI version of string within REG_BINARY values.
-y: only valid with _SZ searches. Specifies that RegFind should ignore case when searching.
-n: specifies to include key and value names in the search; -n may not specified with -t.
SearchString: is the value to search for. If SearchString is not specified, RegFind searches based on type.
If SearchString contains spaces, it must be surrounded by quotations marks:
"Search String With Spaces"
-r ReplacementString: specifies an optional replacement string to replace any matches with.
SearchString and ReplacementString must be of the same type as specified by the -t switch. For any of the _SZ types, it is just a string. For REG_DWORD, it is a single number (for example: 0x1000 or 4096). For REG_BINARY, it is a number specifing #bytes, optionally followed by the actual bytes, with a separate number for each DWORD (for example, 0x06 0x12345678 0x1234). If just the byte count is specified, RegFind searches for all REG_BINARY values that have that length. May not search for length and specify -r.
When doing replacements, RegFind displays the value after the replacement has been. It is usually best to run RegFind once without the -r switch to see what will be changed before it is actually changed.
Whenever specifying a registry path, either on the command line or in an input file, the following prefix strings can be used:
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_USER
USER:
Each of these strings can stand alone as the key name or be followed a BACKSLASH (\) and a subkey path.