regedit - dump or edit a binary windows 9x registry file
regedit [-f file] [-e file] [-i file] [-o file] [-t topkey] [-N] [-q] [-V] [-v]
regedit reads a windows 9x registry file (e.g., a system.dat
or user.dat file) and either does an ascii dump of the contents of the file, or
modifies (imports changes) the registry and writes it back out again.
Note that this regedit program only deals with a single registry file and presents it as it really
is. In particular, it does not attempt to provide a single view of the user
and system registry files, nor does it attempt to provide multiple views of
a single registry hierarchy (e.g., HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, etc.). If this paragraph doesn't make sense to you, you're fortunate.
Since the format of windows 9x registries is not well documented, this program may or may not be interpreting registry contents correctly. This means its output (ascii dumps and binary registries) are suspect and that you use it at your own risk. It does at least partly work however, since several labs of diskless machines boot windows 95 and operate fairly normally using registries generated by this program.
Indicates that an ascii dump of the registry is to be written to file. File may be ``-'', indicating standard output.
Specifies the file containing the binary windows 9x file that is to be read
instead of the default file, system.dat; a file of ``-'' means read from standard input. Note that, if the -i option is used and neither of the -e nor -o
options are used, the file specified here will be overwritten with the
modified registry.
Tells regedit to read registry changes from file and apply them to the registry. See Registry Patch File Format below.
When used with the -i option, the modified (binary) registry is written to file.
Use topkey as the top level key in the registry dump. Typical values are HKEY_USERS or HKEY_LOCAL_MACHINE. If not specified, and the basename of the file being dumped starts with user., then HKEY_USERS is used, otherwise it is HKEY_LOCAL_MACHINE.
Do not generated `extended' data types. The windows version of regedit
generates three types of data types: string, dword and hex dumps. Any entry
that has another data type is reported with the type hex(num) (where num indicates the type). Some programs (e.g., corel office suite) seem to use different type numbers for things like
null terminated unicode strings or null terminated ascii strings - this
version of regedit knows (some of) these types and prints them as ``ustringz'', ``stringz'', etc.. The -N option disables the generation (but not the parsing) of these extra types.
Quite mode - do not generate any warnings when unexpected things are encountered while reading the registry.
Turns on verbose mode: prints out sections of the registry as they are being read. Primarily for debugging purposes.
Prints the version number - the program then exits immediately.
Registry dump files are plain text dumps of a (binary) registry file. The
registry is arranged something like a file system: it has directories
(keys) and files (entries). Being from the DOS world, the key separator
character is a backslash. A key is dumped by printing the key name in
brackets on one line, then following the line with the entries in that key.
This is then followed by the subkeys of the key. Entries consist of the
entry name (in double quotes), and equals sign and then the entry value.
The value is either a double quoted (ascii) string, a double word (dword: followed by 8 hex digits), or a hex dump (hex:) followed by any number of 2 digit hex numbers separated by commas. For
example,
[HKEY_USER\Network]
"RestoreDiskChecked"=dword:00000000
"RestorePrinterChecked"=dword:00000001
"FictitiousName"=hex:23,a3,f4
[HKEY_USER\Network\Persistent]
@="a key value"
[HKEY_USER\Network\Persistent\LPT1]
"ProviderName"="Microsoft Network"
"RemotePath"="\\\\aserver\\thePrinter"
"UserName"="someUser"
[HKEY_USER\Network\Persistent\LPT2]
"ProviderName"="Microsoft Network"
"RemotePath"="\\\\aserver\\thePrinter"
"UserName"="someUser"
Long hex dumps can be broken into several lines by placing a backslash after a comma. Inside double quoted strings, a backslash is used to escape either a double quote or another backslash.
A special entry name, called @ (really a 0 length name) is used to provide a value for the key itself (wrt regedit, all that matters is
@ is a valid entry name). Although there are only three data types mentioned
above (string, double word and hex), internally as a 32 bit number is used
to store the type. If one of the remaining 4294967293 data types is used in
the registry, it is printed as
"someKey"=hex(3a9):01,b8
(the number in parenthesis is the data type number in hex). regedit actually knows about a couple of other data types (used by corel office suite) - these are:
"anotherEntry"=stringz:"some null terminated ascii string"
"anEntry"=ustringz:"some null terminated unicode string"
(types 0x80000006 and 0x80000008, respectively). If you only want to see the `normal' data types, use the -N option.
A registry patch file (typically generated by regdiff) is a registry dump file with a few extensions:
a minus immediately after the closing bracket of a key name means the key is to be deleted. Anyone know if the windows' regedit scripts can be used to delete a key or an entry? If so, what syntax to they use?
a minus immediately after a entry name means the entry is to be deleted.
Registry dumps may be `marked up' to indicate that something is new or to
indicate its previous value (regdiff output typically has such annotations). A key or entry is marked as new by
putting (new)
after the key name or after the entry's value. Similarly, an entry's old
value is indicated by putting it in parenthesis after the new value.
At the moment, regedit only works properly on little endian machines (known to work on DEC Alpha's and Intel x86 boxes).
regedit doesn't know everything about the registry file format; it seems to work fairly well anyway, but it may generate warnings when it happens across input it things odd. At the moment, it generates lots of warnings for windows 98 registries.
Parsing of import files is rather lose at the moment - it accepts anything and only uses what it parses; other lines are discarded silently.
When you modify the registry, regedit re-writes the whole file, always. It should only re-write those sections of the file that were changed.