JSI Tip 1084. Undocumented 'hiveroot' parameter allows REGFIND to manipulate unloaded hives.
Jerold Schulman
February 17, 1999
contains REGFIND, a command-line utility with which you can search the Windows NT Registry for arbitrary data, key names, or value names and optionally replace any of these with new values.
usage: REGFIND [-h hivefile hiveroot | -w Win95 Directory | -m \\machinename] [-i n]
               [-o outputWidth] [-p RegistryKeyPath] [-z | -t DataType] [-b | -B] [-y] [-n]
               [searchString [-r ReplacementString]]

where:
    -h specifies a specify local hive to manipulate.
    -w specifies the paths to a Windows 95 system.dat and user.dat files
    -m specifies a remote Windows NT machine whose registry is to be manipulated.
    -i n specifies the display indentation multiple. Default is 4
    -o outputWidth specifies how wide the output is to be. By default the
       outputWidth is set to the width of the console window if standard
       output has not been redirected to a file. In the latter case, an
       outputWidth of 240 is used.
    -p registryPath specifies where to start searching
       Valid prefix names for easy access to well known parts of the
       registry are:
           HKEY_LOCAL_MACHINE -> \Registry\Machine
           HKEY_USERS -> \Registry\Users
           HKEY_CURRENT_USER -> \Registry\Users\...
           USER: -> HKEY_CURRENT_USER
    -t specifies which registry types to look at:
           REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ
           REG_DWORD, REG_BINARY, REG_NONE
       Default is any of the _SZ types
    -b only valid with _SZ searches, and specifies that REGFIND should look
       for occurrences of the searchString inside of REG_BINARY data. May
       not be specified with a replacementString that is not the same
       length as the searchString
    -B same as -b but also looks for ANSI version of string within
       REG_BINARY values.
    -y only valid with _SZ searches, and specifies that REGFIND should
       ignore case when searching.
    -n specifies to include key and value names in the search. May not
       specify -n with -t
    -z specifies to search for REG_SZ and REG_EXPAND_SZ values that are
       missing a trailing null character and/or have a length that is not
       a multiple of the size of a Unicode character. If -r is also
       specified then any replacement string is ignored, and REGFIND will
       add the missing null character and/or adjust the length up to an
       even multiple of the size of a Unicode character.

    searchString is the value to search for. Use quotes if it contains any
       spaces. If searchString is not specified, just searches based on type.
    -r replacementString is an optional replacement string to replace any
       matches with. searchString and replacementString must be of the same
       type as specified to the -t switch.
           For any of the _SZ types, it is just a string
           For REG_DWORD, it is a single number (i.e. 0x1000 or 4096)
           For REG_BINARY, it is a number specifing #bytes, optionally
           followed by the actual bytes, with a separate number for each
           DWORD (e.g. 0x06 0x12345678 0x1234) If just the byte count is
           specified, then REGFIND will search for all REG_BINARY values
           that have that length. May not search for length and specify -r
       When doing replacements, REGFIND displays the value AFTER the
       replacement has been. It is usually best to run REGFIND once without
       the -r switch to see what will be change before it is changed.
To search for NOTEPAD in the SOFTWARE key of a user's unloaded registry hive, use the following syntax:
REGFIND -h "c:\winnt\Profiles\UserName\ntuser.dat" KEYR -p \KEYR\Software NOTEPAD
The above will list all SOFTWARE sub-keys that contain the NOTEPAD string. The KEYR argument specifies the registry key name for the root key of this hive.
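The same read-only search done with the in-box tools of a current Windows version, as an added example that is not part of the tip and does not use REGFIND: the hive file is mounted with reg.exe load under a root name of your choosing (KEYR, as in the tip), walked with PowerShell's registry provider, and unloaded again. The function and parameter names are assumptions; it must run from an elevated prompt, and the hive must not be in use by a logged-on user.

```powershell
# Added example (not from the JSI tip): PowerShell equivalent of the REGFIND -h search above.
# Assumptions: elevated prompt; hive path, root name, subkey and pattern are supplied by the caller.
function Search-OfflineHive {
    param(
        [Parameter(Mandatory)] [string] $HivePath,   # e.g. C:\winnt\Profiles\UserName\ntuser.dat
        [string] $RootName = 'KEYR',                  # temporary root key name, like KEYR in the tip
        [string] $SubKey   = 'Software',              # where to start, like -p \KEYR\Software
        [Parameter(Mandatory)] [string] $Pattern      # string to look for, e.g. NOTEPAD
    )
    $root = "HKU\$RootName"
    # Mount the unloaded hive under HKEY_USERS\<RootName>; fails if the hive is in use or the path is wrong
    & reg.exe load $root $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (exit $LASTEXITCODE)" }
    try {
        $start = "Registry::HKEY_USERS\$RootName\$SubKey"
        $keys  = @(Get-Item -LiteralPath $start -ErrorAction Stop) +
                 @(Get-ChildItem -LiteralPath $start -Recurse -ErrorAction SilentlyContinue)
        $rx = [regex]::Escape($Pattern)   # -match is case-insensitive, like REGFIND -y
        foreach ($key in $keys) {
            # Match on key names as well, like REGFIND -n
            if ($key.PSChildName -match $rx) {
                [pscustomobject]@{ Key = $key.Name; Value = $null; Data = $null; MatchedOn = 'KeyName' }
            }
            foreach ($name in $key.GetValueNames()) {
                # Read REG_EXPAND_SZ unexpanded so the stored text is what gets searched
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                # Only string data (REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ), like REGFIND's default _SZ search
                $text = if ($data -is [string]) { $data }
                        elseif ($data -is [string[]]) { $data -join "`n" }
                        else { $null }
                if ($null -ne $text -and $text -match $rx) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $text; MatchedOn = 'ValueData' }
                }
            }
        }
    }
    finally {
        # Drop provider handles first, otherwise reg unload reports "access denied"
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload $root | Out-Null
    }
}

# Usage mirroring the tip's command line (path is an assumption):
# Search-OfflineHive -HivePath 'C:\winnt\Profiles\UserName\ntuser.dat' -RootName KEYR -SubKey Software -Pattern NOTEPAD
```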