regfilter - filter a Windows 9x registry dump by making substitutions and deletions to keys and entries
regfilter [-f regdump] [-V] filter-file ...
regfilter is used to modify a Windows 9x registry dump (or a registry patch) by applying to it the substitutions and deletions specified in one or more filter files. Such filtering is useful when one needs to apply common transformations (such as changing where the Windows system directory is, where the `Program Files' directory is, etc.) to a number of registry dumps. It is also useful for filtering out common ignorable changes (e.g., Explorer\StreamMRU, Explorer\Streams and other such keys) from a registry diff, so only important changes remain.
The filter files that control what regfilter does consist of a number of registry key patterns (enclosed in brackets). Each key pattern is followed by lines indicating which entries in matching keys are to be modified (entries can be matched based on their name or their value). Finally, actions can be specified for each matching entry: an entry's name or value can be changed, or the entry may be deleted entirely. Key patterns and entry name or value patterns are specified as case-insensitive Perl regular expressions, while name and value changes are specified as Perl substitution commands.
Comments are indicated by lines beginning with a # character (a # in the middle of a line does not introduce a comment).
The following example demonstrates the syntax of filter files:
# Read contents of another filter file:
include "anotherFile"
# Check for matching entries in everything under the HKEY_USERS key
# (actually, under any key - see below)
[HKEY_USERS\\.*]
# Change C:\PROGRA~1\ to F:\Program Files\ in entries whose
# values contain the former
value .*C:\\\\PROGRA~1\\\\.*
subst value s/C:\\\\PROGRA~1\\\\/F:\\\\Program Files\\\\/gi
# Do the same for entry names (paths sometimes appear there...)
name .*C:\\\\PROGRA~1\\\\.*
subst name s/C:\\\\PROGRA~1\\\\/F:\\\\Program Files\\\\/gi
# Delete any changes under Explorer\Streams
# (- at end of line means delete any keys matching the pattern)
[HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Streams\.*] -
# Delete a particular entry by name
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Description\\Microsoft\\Rpc\\UuidPersistentData]
name LastTimeAllocated
delete
# Change both the name and value of some key
[HKLM\\foo\\bar]
name something
subst name s/X/Y/gi
subst value s/A/B/gi
Some things to note about these files: you need lots of backslashes in the key names (since backslash is used as a path separator in registries, and since it is special to perl); the leading part of the key name (e.g., HKEY_USERS, HKEY_LOCAL_MACHINE) is ignored when comparing keys; the key, name and value patterns are always anchored, so don't forget to put an explicit .* in front of or after patterns where you want a substring match.
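The matching rules in the notes above, modelled in Python as an added example (not regfilter's own code, which is Perl). It assumes the root component is everything before the first backslash, and that string values in the dump have their backslashes doubled, as the four-backslash patterns in the sample filter imply; the helper names and the sample keys and values are constructed.

```python
import re

def strip_root(text, sep):
    """Drop the leading root (HKEY_USERS, HKLM, ...); assumed to end at the first separator."""
    i = text.find(sep)
    return text[i:] if i >= 0 else ""

def key_matches(pattern, key):
    """Anchored, case-insensitive key match with the root ignored on both sides."""
    pat = strip_root(pattern, r"\\")   # a path separator is written \\ in the regex
    return re.fullmatch(pat, strip_root(key, "\\"), re.IGNORECASE) is not None

def entry_matches(pattern, text):
    """Entry name and value patterns are anchored and case-insensitive too."""
    return re.fullmatch(pattern, text, re.IGNORECASE) is not None

def subst(text, pattern, replacement):
    """Python equivalent of the Perl command s/pattern/replacement/gi."""
    return re.sub(pattern, replacement, text, flags=re.IGNORECASE)

# Constructed sample value, written as it is assumed to appear in the dump
# (every backslash doubled), plus the pattern and replacement from the filter.
VALUE = r"c:\\progra~1\\accessories\\wordpad.exe"
VALUE_PAT = r"C:\\\\PROGRA~1\\\\"
VALUE_NEW = r"F:\\\\Program Files\\\\"

if __name__ == "__main__":
    # The root is ignored, so a pattern written for HKEY_USERS also hits HKLM keys.
    print(key_matches(r"HKEY_USERS\\.*", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"))
    # Anchoring: an exact key pattern does not match a subkey.
    print(key_matches(r"HKLM\\foo\\bar", r"HKEY_LOCAL_MACHINE\foo\bar\baz"))
    # Without the surrounding .* the value pattern only matches a whole value.
    print(entry_matches(VALUE_PAT, VALUE), entry_matches(".*" + VALUE_PAT + ".*", VALUE))
    print(subst(VALUE, VALUE_PAT, VALUE_NEW))
```

When filtering a registry diff for review, the first result is the one to keep in mind: a deletion pattern written with one root in mind removes matching keys under every root.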
The include command is used to read filter commands from another file. The file is first looked for relative to the same directory as the file that included it, then in the process's current directory.
-f regdump: Read the registry dump from the specified file (instead of from standard input).
-V: Prints the version number - the program then exits immediately.
See also: the regedit manpage, the regdiff manpage, perl.
Author: Michael Rendell, Memorial University of Newfoundland (michael@cs.mun.ca)