Tuesday, September 20, 2016

RegToText - Registy To Text conversion command line utility



RegtoText
 is a command line utility that converts convoluted hex values in Windows Registry file (.reg) into a human readable text (.txt) file, specifically it identifies the 12 hex formats and converts them. 


Hex values are converted into ASCII characters when possible. Conversion can be challenging since registry key can accept any binary format, so heuristic and probabilistic methods are used to decode values when possible to ASCII.

This tool target as forensic (FBI,CIA, Antivirus Co)/management/educational tool to quickly search and eyeball the entire registry file for encoded values that are suspicious. Registry keys could hold persistant malware signatures (like 
Poweliks), back-doors or simply hidden secret messages, but most commonly are defective foreign languages encodings can be spotted more efficiently with human eyes. Furthermore, once this file is decoded using RegtoText, it is searchable as a human readable text file and can be indexed in any internal forensic exploit search engine/database.

RegtoText command line usage looks like this












RegtoText takes a typical Registry exported file and converts into

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail]
"LinkTest"=hex(6):00,00,00,00,06,00,00,00,38,00,00,00,44,00,00,00,22,00,00,00,53,00,79,00,6d,00,62,00,6f,00,6c,00,69,00,63,00,4c,00,69,00,6e,00,6b,00,56,00,61,00,6c,00,75,00,65,00,00,00,5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,46,00,53,00,4c,00,6f,00,67,00
"DisabledScriptsHEX4"=hex(4):7f,ff,ff,ff
"DisabledScriptsHEX42000000010 "=hex(4):77,35,94,0A
"DisabledScriptsHEX52000000010not"=hex(5):77,35,94,0A
"DisabledScriptsHEX5"=hex(5):00
"DisabledScriptsHEX51606664150"=hex(5):D6,BF,C3,5F
"DisabledScriptsHEX41606664150"=hex(4):5F,C3,BF,D6
"DisabledScriptsHEX490AB12CD"=hex(4):90,AB,12,CD
"DisabledScriptsHEX590AB12CD"=hex(5):CD,12,AB,90
"DisabledScriptsHEX1Test"=hex(1):47,00,61,00,6c,00,6c,00,65,00,72,00,79,00,53,00,68,00,\
  65,00,65,00,74,00,00,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,43,00,75,\
  00,65,00,00,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,43,00,75,00,65,00,\
  53,00,44,00,4b,00,4c,00,6f,00,61,00,64,00,65,00,72,00,00,00,00,00
"DisabledScripts"=hex(7):47,00,61,00,6c,00,6c,00,65,00,72,00,79,00,53,00,68,00,\
  65,00,65,00,74,00,00,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,43,00,75,\
  00,65,00,00,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,43,00,75,00,65,00,\
  53,00,44,00,4b,00,4c,00,6f,00,61,00,64,00,65,00,72,00,00,00,00,00
"Store Root"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,\
  00,4c,00,45,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,\
  4c,00,6f,00,63,00,61,00,6c,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,\
  00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4c,00,\
  69,00,76,00,65,00,20,00,4d,00,61,00,69,00,6c,00,5c,00,00,00
"RtlLogOutput"=dword:00000001
"Default User"=hex:
"DatabaseVersion"=dword:00000012
"Running"=dword:00000000
"First Calendar Run Done"=dword:00000001
"Migration Attempts"=dword:00000001
"VerStamp"=dword:00000000
"Settings Upgraded"=dword:00000011
"LDAP Server ID"=dword:00000003
"DatabaseCorruptTime"=hex:60,9e,80,26,8c,c4,cb,01
"V7StoreMigDone"=hex(0):01,00,00,00
"Compact Check Count"=dword:00000002
"LastBackup"=hex:dd,07,01,00,03,00,02,00,13,00,0f,00,2e,00,09,01
"Last Search Index"=dword:00000002
"SearchFolderVersion"=dword:00000012
"SearchFolderLaunchesUntilRebuild"=dword:00000004
"Default LDAP Account"="account{D8DB2A07-80D5-46F6-B417-75016BA9F207}.oeaccount"
"First Run Done"=dword:00000001
"Mail Is Ready"=dword:00000000
"First Signin Warning"=dword:00000007
"mhtml guid"="{908DF815-18C6-4AC5-980D-49110B6C5563}"
"RibbonSettingsComposeMailNews"=hex:3c,73,69,71,3a,63,75,73,74,6f,6d,55,49,20,\
  78,6d,6c,6e,73,3a,73,69,71,3d,22,68,74,74,70,3a,2f,2f,73,63,68,65,6d,61,73,\
  2e,6d,69,63,72,6f,73,6f,66,74,2e,63,6f,6d,2f,77,69,6e,64,6f,77,73,2f,32,30,\
  30,39,2f,72,69,62,62,6f,6e,2f,71,61,74,22,3e,3c,73,69,71,3a,72,69,62,62,6f,\
  6e,20,6d,69,6e,69,6d,69,7a,65,64,3d,22,66,61,6c,73,65,22,3e,3c,73,69,71,3a,\
  71,61,74,20,70,6f,73,69,74,69,6f,6e,3d,22,30,22,3e,3c,73,69,71,3a,73,68,61,\
  72,65,64,43,6f,6e,74,72,6f,6c,73,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,\
  69,64,51,3d,22,73,69,71,3a,31,30,37,30,34,22,20,76,69,73,69,62,6c,65,3d,22,\
  74,72,75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,\
  63,6f,6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,30,34,38,38,22,20,76,\
  69,73,69,62,6c,65,3d,22,66,61,6c,73,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,\
  30,22,2f,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,\
  3a,31,33,36,37,32,22,20,76,69,73,69,62,6c,65,3d,22,66,61,6c,73,65,22,20,61,\
  72,67,75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,\
  20,69,64,51,3d,22,73,69,71,3a,31,30,34,33,22,20,76,69,73,69,62,6c,65,3d,22,\
  74,72,75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,\
  63,6f,6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,30,34,34,22,20,76,69,\
  73,69,62,6c,65,3d,22,74,72,75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,\
  2f,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,\
  33,36,32,34,22,20,76,69,73,69,62,6c,65,3d,22,74,72,75,65,22,20,61,72,67,75,\
  6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,\
  51,3d,22,73,69,71,3a,31,33,36,35,36,22,20,76,69,73,69,62,6c,65,3d,22,74,72,\
  75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,63,6f,\
  6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,33,36,36,30,22,20,76,69,73,\
  69,62,6c,65,3d,22,74,72,75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,\
  3e,3c,2f,73,69,71,3a,73,68,61,72,65,64,43,6f,6e,74,72,6f,6c,73,3e,3c,2f,73,\
  69,71,3a,71,61,74,3e,3c,2f,73,69,71,3a,72,69,62,62,6f,6e,3e,3c,2f,73,69,71,\
  3a,63,75,73,74,6f,6d,55,49,3e,0d,0a
"SpoolerDlgPos"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,4f,02,00,00,33,01,00,00,41,04,00,00,ce,01,00,00
"SpoolerTack"=dword:00000000
"LastRun"=hex:5d,79,cd,4b,25,e9,cd,01
"TotalUpTime"=dword:00001240
"RibbonSettingsReadNote"=hex:3c,73,69,71,3a,63,75,73,74,6f,6d,55,49,20,78,6d,\
  6c,6e,73,3a,73,69,71,3d,22,68,74,74,70,3a,2f,2f,73,63,68,65,6d,61,73,2e,6d,\
  69,63,72,6f,73,6f,66,74,2e,63,6f,6d,2f,77,69,6e,64,6f,77,73,2f,32,30,30,39,\
  2f,72,69,62,62,6f,6e,2f,71,61,74,22,3e,3c,73,69,71,3a,72,69,62,62,6f,6e,20,\
  6d,69,6e,69,6d,69,7a,65,64,3d,22,66,61,6c,73,65,22,3e,3c,73,69,71,3a,71,61,\
  74,20,70,6f,73,69,74,69,6f,6e,3d,22,30,22,3e,3c,73,69,71,3a,73,68,61,72,65,\
  64,43,6f,6e,74,72,6f,6c,73,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,\
  51,3d,22,73,69,71,3a,31,30,34,38,38,22,20,76,69,73,69,62,6c,65,3d,22,74,72,\
  75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,63,6f,\
  6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,30,36,30,30,22,20,76,69,73,\
  69,62,6c,65,3d,22,74,72,75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,\
  3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,30,\
  36,30,38,22,20,76,69,73,69,62,6c,65,3d,22,74,72,75,65,22,20,61,72,67,75,6d,\
  65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,51,\
  3d,22,73,69,71,3a,31,30,34,39,36,22,20,76,69,73,69,62,6c,65,3d,22,66,61,6c,\
  73,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,63,6f,\
  6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,39,38,30,34,22,20,76,69,73,\
  69,62,6c,65,3d,22,66,61,6c,73,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,\
  2f,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,\
  39,38,30,38,22,20,76,69,73,69,62,6c,65,3d,22,66,61,6c,73,65,22,20,61,72,67,\
  75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,2f,73,69,71,3a,73,68,61,72,65,64,43,6f,\
  6e,74,72,6f,6c,73,3e,3c,2f,73,69,71,3a,71,61,74,3e,3c,2f,73,69,71,3a,72,69,\
  62,62,6f,6e,3e,3c,2f,73,69,71,3a,63,75,73,74,6f,6d,55,49,3e,0d,0a


into a human readable text file either UTF-8 or ASCII.


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
RegtoText Windows Registry Conversion Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail]
"LinkTest"=[REG_LINK]     8 D " SymbolicLinkValue \Registry\Machine\Software\FSLog
"DisabledScriptsHEX4"=[REG_DWORD] 2147483647
"DisabledScriptsHEX42000000010 "=[REG_DWORD] 2000000010
"DisabledScriptsHEX52000000010not"=[REG_DWORD_BIG_ENDIAN] 177485175
"DisabledScriptsHEX5"=[REG_DWORD_BIG_ENDIAN] 0
"DisabledScriptsHEX51606664150"=[REG_DWORD_BIG_ENDIAN] 1606664150
"DisabledScriptsHEX41606664150"=[REG_DWORD] 1606664150
"DisabledScriptsHEX490AB12CD"=[REG_DWORD] 2427130573
"DisabledScriptsHEX590AB12CD"=[REG_DWORD_BIG_ENDIAN] 2427130573
"DisabledScriptsHEX1Test"=[REG_SZ] GallerySheet VersionCue VersionCueSDKLoader  
"DisabledScripts"=[REG_MULTI_SZ] GallerySheet VersionCue VersionCueSDKLoader  
"Store Root"=[REG_EXPAND_SZ] %USERPROFILE%\AppData\Local\Microsoft\Windows Live Mail\ 
"RtlLogOutput"=[REG_DWORD] 1
"Default User"=[REG_BINARY] 
"DatabaseVersion"=[REG_DWORD] 18
"Running"=[REG_DWORD] 0
"First Calendar Run Done"=[REG_DWORD] 1
"Migration Attempts"=[REG_DWORD] 1
"VerStamp"=[REG_DWORD] 0
"Settings Upgraded"=[REG_DWORD] 17
"LDAP Server ID"=[REG_DWORD] 3
"DatabaseCorruptTime"=[REG_BINARY:<ANSI,1-byte>] `??&??? 
"V7StoreMigDone"=[REG_NONE] 01,00,00,00
"Compact Check Count"=[REG_DWORD] 2
"LastBackup"=[REG_BINARY:<UTF16-LE,2-byte>] ?     .c
"Last Search Index"=[REG_DWORD] 2
"SearchFolderVersion"=[REG_DWORD] 18
"SearchFolderLaunchesUntilRebuild"=[REG_DWORD] 4
"Default LDAP Account"="account{D8DB2A07-80D5-46F6-B417-75016BA9F207}.oeaccount"
"First Run Done"=[REG_DWORD] 1
"Mail Is Ready"=[REG_DWORD] 0
"First Signin Warning"=[REG_DWORD] 7
"mhtml guid"="{908DF815-18C6-4AC5-980D-49110B6C5563}"
"RibbonSettingsComposeMailNews"=[REG_BINARY:<ASCII,1-byte>] <siq:customUI xmlns:siq="http://schemas.microsoft.com/windows/2009/ribbon/qat"><siq:ribbon minimized="false"><siq:qat position="0"><siq:sharedControls><siq:control idQ="siq:10704" visible="true" argument="0"/><siq:control idQ="siq:10488" visible="false" argument="0"/><siq:control idQ="siq:13672" visible="false" argument="0"/><siq:control idQ="siq:1043" visible="true" argument="0"/><siq:control idQ="siq:1044" visible="true" argument="0"/><siq:control idQ="siq:13624" visible="true" argument="0"/><siq:control idQ="siq:13656" visible="true" argument="0"/><siq:control idQ="siq:13660" visible="true" argument="0"/></siq:sharedControls></siq:qat></siq:ribbon></siq:customUI>


Yeah, that's right all in one tool.
Here's what it can do, and can't do.

REGTOTEXT HELP



.FILENAME
RegToText.exe  - demo returns only a few rows 

.VERSION

Version 2.2018.1804.388 (Update Jan, 2018)

.SYNOPSIS 
Parses a valid Windows registry exported file (.reg) and translates indecipherable hex and decimal values into a human readable text file.

.PURPOSE
The aim of this command-line executable is to make a human readable registry file. This greatly aids in searching and understanding the Windows Registry, key for developers.

.DESCRIPTION 
RegToText windows console application deciphers unreadable portions of registry file to text. Firstly, it checks for a valid Windows registry file ending with file extension (.reg). Then it validates file header for ""Windows Registry Editor Version 5.00"" for Windows 2000, ME, XP,7, Vista, 8, 8.1, 10+, Server 2003+ or ""REGEDIT4"" for Windows 98, NT 4.0 and Server 2000-. Passing this, the process will begin to translates all the hexadecimal and decimal values into output Unicode text file. Output is written out in 250 line chunks. Upon premature or cancellation, output file will contain up-to the last chunk written out. Output encoding can be UTF-8 or ASCII. Output encoding can be UTF-8 or ASCII. All non-printable characters are cleansed for ASCII, read ENCODING notes for details. Encoding choice can drastically affect file output size. 

The following common registry types are translated denoted by “->”;

dword:(DWORD value)  -> [REG_DWORD] textvalue
hex(2):(expandable string value) -> [REG_EXPAND_SZ] textvalue

(Update Sept 20, 2016) Version 2 - variable byte UTF8 encoding

hex:(binary value)   -> [REG_BINARY] textvalue

                        
                        (binary value) can be a variable byte UTF8 encoded value from 1 to 4 bytes indicated by
                        VariableByteUTF8EncodingType has values:

                            ASCII,1-byte
                            ANSI,1-byte   
                            UTF16-LE,2-byte - little endian encoded 
                            UTF16-BE,2-byte - big endian encoded
                            UTF8,3-byte
                            UTF8,4-byte

hex(7):(multistring value) -> [REG_MULTI_SZ] textvalue
etc...

These are all the windows registry types that appear in .reg file are translated; 

"value"
alias hex(1)
Default or blank String value data with escape characters
hex
alias hex(3)
REG_BINARY Binary data (any arbitrary data)
dword
alias hex(4)
REG_DWORD
A 32-bit unsigned integer coded in little-endian format
hex(0) REG_NONE No type (the stored value, if any)
hex(1) REG_SZ A string value, normally stored and exposed in UTF-16LE (when using the Unicode version of Win32 API functions), usually terminated by a NUL character
hex(2) EXPAND_SZ An “expandable” string value that can contain environment variables, normally stored and exposed in UTF-16LE, usually terminated by a NUL character
hex(3) REG_BINARY Binary data (any arbitrary data) including variable byte encoded UTF8 values
hex(4)
REG_DWORD_LITTLE_ENDIAN
equivalent to
 REG_DWORD 
A 32-bit unsigned integer coded in little-endian format
hex(5) REG_DWORD_BIG_ENDIAN A 32-bit unsigned integer coded in big-endian format
hex(6) REG_LINK A symbolic link (UNICODE) to another Registry key, specifying a root key and the path to the target key
hex(7) REG_MULTI_SZ A multi-string value, which is an ordered list of non-empty strings, normally stored and exposed in UTF-16LE, each one terminated by a NUL character, the list being normally terminated by a second NUL character.
hex(8) REG_RESOURCE_LIST A resource list
hex(9) REG_FULL_RESOURCE_DESCRIPTOR A resource descriptor
hex(a) REG_RESOURCE_REQUIREMENTS_LIST A resource requirements list
hex(b) REG_QWORD_LITTLE_ENDIAN
equivalent to
REG_QWORD 
A 64-bit integer little-endian (introduced in Windows XP)


Distribution of these values is listed in my article on this here.


.LIMITATIONS

Translation for REG_BINARY is on done on best-effort statistical basis, because this value type can any arbitrary data. RegtoText does a best fit analysis to decode the text, but it could be anything. 

Does not decode Darwin Descriptors, perhaps in future enterprise version. Vote for it in comments section.
(a very basic tool is available for download here)

Does not unpack packed GUIDs, perhaps in future enterprise version. Vote for it in comments section.
(here's a Powershell script to available for download here)
Does not ROT-13 decode the UserAssist key (HCU\Software\Microsoft\Windows\CurrentVersion \Explorer\UserAssist). Vote for it in comments section.
(decode at http://rot13.com/)

.REQUIREMENTS
32-bit app which requires .NET Framework 4 Client Profile.


.64 BIT REGISTRY KEYS
The registry in 64-bit versions of Windows is divided into 32-bit and 64-bit keys. Many of the 32-bit keys have the same names as their 64-bit counterparts, and vice versa.
To open registry 64bit version run %systemroot%\syswow64\regedit from CMD as Admin.

Refer to https://support.microsoft.com/en-ca/kb/305097 to extract 64-bit keys to .reg file. RegtoText decodes 64-bit keys as 32-bit keys. There is no difference.

.HIDDEN REGISTRY KEYS - SECURITY & SAM
Some of the security and core system related keys are hidden from user even when part of an administrator group cannot see these special keys.

Here are some of the such hidden registry keys

HKEY_LOCAL_MACHINE\SECURITY
HKEY_LOCAL_MACHINE\SAM

SECURITY registry key stores all the system policy and LSA secrets related information.  SAM registry key has details for user accounts along with LM/NTLM password hashes for each user.

There are many ways we can view these hidden registry keys. We can use psexec.exe tool (part of pstools package from sysinternals) to launch the regedit.exe as system account as shown below.
psexec.exe -s -i regedit.exe

.ENCODING
Characters outside the ASCII or UTF8 range are stripped. NON-PRINTABLE less than decimal 31 are stripped for ASCII encoding. UTF8 preserves more of the original source content, but a cost of larger output file size. More importantly, UTF8 encoding will pass allot of unreadable characters and non-printable characters that may cause issues when scrolling large files in text editors. ASCII allows for maximum readability with intention of one line per registry key and side benifit of space savings. Large files over 1G benefit tremendously when loading ACSII text editors for scrolling and searching.

.TEXT EDITORS

Notepad and Notepad++ will not load 1 G+ files. Textpad (memory lim), Notepad Light (upto 2G) and UltraEdit (claims 2^64-1G) will load file over 1G+ files.

.PERFORMANCE 
Tested on 4.25M rows in 18 mins, 24 secs. Processing 921,572 subkeys and 2,344,590 key/value pairs.

.USAGE
RegtoText.exe [/h] [/v] [/s] inputfile.reg [/o:filename.txt] [/e:{UT8F|ASCII}]

.ARGUMENTS
[drive:][path]inputfile.reg            1st argument required
                                       Input registry file. If path omitted, default to current path. 
.FLAGS
(order not important)
/h|/help                               Help
/v|/version                            Version
/s|/silent                             Silent
/l|/license                            License
/e|/encoding:{UTF8|ASCII}              Output encoding. If omitted, default value:'UTF8'.

/o|/output:[drive:][path]filename.txt  Output text file. If omitted, default value:'inputfile.txt

.INPUT
Must be valid exported registry file from REGEDIT.exe ending in .reg

.OUTPUT
Creates a Unicode text file ending in .txt extension. If exists prompt to delete ? No, creates a timestamped file. Hexadecimal and decimal values are decoded using according /e flag.

.EXAMPLE 
regtotext c:\Users\MDC\Documents\myfullregistryBCK.reg /e:ASCII

.AUTHOR 
metadataconsult@gmail.com (Metadata Consulting, ON, CDN) July 30, 2016

.LICENSE
Read Full License Agreement use /l FLAG OR pipe into a text file using 'regtotext /l > RTTLic.txt' to read in Notepad.

Download REGTOTEXT demo version 2 (update Jan 2018). Read demo license.

For a commercial licensed version, use form below or metadataconsult a_t gmail.com



Commercial version sample run on a new Windows 10 Pro install with Office 2016. 


License & Inquiry Form

Name

Email *

Message *