RegtoTextPro is a command-line utility that converts the convoluted hex values in a Windows Registry export file (.reg) into a human-readable text (.txt) file; specifically, it identifies the 12 hex formats and converts each of them.
💀 WARNING:
RegtoText is a paid utility; an old, out-of-date, limited demo was released to the www.softpedia.com site only. Any other site, and any "cracked version", will contain malware under the hood.
Again, RegtoText is a licensed product and is out of date; it has been replaced by RegtoTextPro, which is also licensed.
Hex values of unknown type are converted into ANSI characters where possible. Conversion is challenging because a registry value can hold any binary format, so heuristic and probabilistic methods are used to decode such values to ANSI where possible. The previous version lost some data in this step.
Version 3 (2019) adds two new output encodings, LIT and HTML, which preserve the full fidelity of the registry input. LIT, short for literal, outputs the string as the program's own language (C#) represents it internally. The HTML option HTML-encodes the output so it can be viewed in a web browser.
Version 3 (2019) attempts to decode Darwin Descriptors (DD), values that look like this in the registry: "w_1^VX!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5".
Decoded Darwin Descriptor example:
[REG_MULTI_SZ:<DarwinDesc>]{91120000-0030-0000-0000-0000000ff1ce}EXCELFiles{0638c49d-bb8b-4cd1-b191-052e8f325736} /e
Learn more about Darwin Descriptors here.
This tool is targeted as a forensic (FBI, CIA, antivirus companies), management and educational tool for quickly searching and eyeballing an entire registry file for suspicious encoded values. Registry values can hold persistent malware signatures (like Poweliks), back-doors or simply hidden secret messages, but most commonly they hold defective foreign-language encodings, which human eyes spot more efficiently once decoded. Furthermore, once the file is decoded with RegtoTextPro, it is a searchable, human-readable text file and can be indexed in any internal forensic search engine or database.
RegtoTextPro command-line usage looks like this (see the .USAGE section of the help text below).
RegtoTextPro takes a typical exported Registry file like the following and converts it
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail]
"LinkTest"=hex(6):00,00,00,00,06,00,00,00,38,00,00,00,44,00,00,00,22,00,00,00,53,00,79,00,6d,00,62,00,6f,00,6c,00,69,00,63,00,4c,00,69,00,6e,00,6b,00,56,00,61,00,6c,00,75,00,65,00,00,00,5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,46,00,53,00,4c,00,6f,00,67,00
"DisabledScriptsHEX4"=hex(4):7f,ff,ff,ff
"DisabledScriptsHEX42000000010 "=hex(4):77,35,94,0A
"DisabledScriptsHEX52000000010not"=hex(5):77,35,94,0A
"DisabledScriptsHEX5"=hex(5):00
"DisabledScriptsHEX51606664150"=hex(5):D6,BF,C3,5F
"DisabledScriptsHEX41606664150"=hex(4):5F,C3,BF,D6
"DisabledScriptsHEX490AB12CD"=hex(4):90,AB,12,CD
"DisabledScriptsHEX590AB12CD"=hex(5):CD,12,AB,90
"DisabledScriptsHEX1Test"=hex(1):47,00,61,00,6c,00,6c,00,65,00,72,00,79,00,53,00,68,00,\
  65,00,65,00,74,00,00,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,43,00,75,\
  00,65,00,00,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,43,00,75,00,65,00,\
  53,00,44,00,4b,00,4c,00,6f,00,61,00,64,00,65,00,72,00,00,00,00,00
"DisabledScripts"=hex(7):47,00,61,00,6c,00,6c,00,65,00,72,00,79,00,53,00,68,00,\
  65,00,65,00,74,00,00,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,43,00,75,\
  00,65,00,00,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,43,00,75,00,65,00,\
  53,00,44,00,4b,00,4c,00,6f,00,61,00,64,00,65,00,72,00,00,00,00,00
"Store Root"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,\
  00,4c,00,45,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,\
  4c,00,6f,00,63,00,61,00,6c,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,\
  00,66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4c,00,\
  69,00,76,00,65,00,20,00,4d,00,61,00,69,00,6c,00,5c,00,00,00
"RtlLogOutput"=dword:00000001
"Default User"=hex:
"DatabaseVersion"=dword:00000012
"Running"=dword:00000000
"First Calendar Run Done"=dword:00000001
"Migration Attempts"=dword:00000001
"VerStamp"=dword:00000000
"Settings Upgraded"=dword:00000011
"LDAP Server ID"=dword:00000003
"DatabaseCorruptTime"=hex:60,9e,80,26,8c,c4,cb,01
"V7StoreMigDone"=hex(0):01,00,00,00
"Compact Check Count"=dword:00000002
"LastBackup"=hex:dd,07,01,00,03,00,02,00,13,00,0f,00,2e,00,09,01
"Last Search Index"=dword:00000002
"SearchFolderVersion"=dword:00000012
"SearchFolderLaunchesUntilRebuild"=dword:00000004
"Default LDAP Account"="account{D8DB2A07-80D5-46F6-B417-75016BA9F207}.oeaccount"
"First Run Done"=dword:00000001
"Mail Is Ready"=dword:00000000
"First Signin Warning"=dword:00000007
"mhtml guid"="{908DF815-18C6-4AC5-980D-49110B6C5563}"
"RibbonSettingsComposeMailNews"=hex:3c,73,69,71,3a,63,75,73,74,6f,6d,55,49,20,\
  78,6d,6c,6e,73,3a,73,69,71,3d,22,68,74,74,70,3a,2f,2f,73,63,68,65,6d,61,73,\
  2e,6d,69,63,72,6f,73,6f,66,74,2e,63,6f,6d,2f,77,69,6e,64,6f,77,73,2f,32,30,\
  30,39,2f,72,69,62,62,6f,6e,2f,71,61,74,22,3e,3c,73,69,71,3a,72,69,62,62,6f,\
  6e,20,6d,69,6e,69,6d,69,7a,65,64,3d,22,66,61,6c,73,65,22,3e,3c,73,69,71,3a,\
  71,61,74,20,70,6f,73,69,74,69,6f,6e,3d,22,30,22,3e,3c,73,69,71,3a,73,68,61,\
  72,65,64,43,6f,6e,74,72,6f,6c,73,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,\
  69,64,51,3d,22,73,69,71,3a,31,30,37,30,34,22,20,76,69,73,69,62,6c,65,3d,22,\
  74,72,75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,\
  63,6f,6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,30,34,38,38,22,20,76,\
  69,73,69,62,6c,65,3d,22,66,61,6c,73,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,\
  30,22,2f,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,\
  3a,31,33,36,37,32,22,20,76,69,73,69,62,6c,65,3d,22,66,61,6c,73,65,22,20,61,\
  72,67,75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,\
  20,69,64,51,3d,22,73,69,71,3a,31,30,34,33,22,20,76,69,73,69,62,6c,65,3d,22,\
  74,72,75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,\
  63,6f,6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,30,34,34,22,20,76,69,\
  73,69,62,6c,65,3d,22,74,72,75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,\
  2f,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,\
  33,36,32,34,22,20,76,69,73,69,62,6c,65,3d,22,74,72,75,65,22,20,61,72,67,75,\
  6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,\
  51,3d,22,73,69,71,3a,31,33,36,35,36,22,20,76,69,73,69,62,6c,65,3d,22,74,72,\
  75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,63,6f,\
  6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,33,36,36,30,22,20,76,69,73,\
  69,62,6c,65,3d,22,74,72,75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,\
  3e,3c,2f,73,69,71,3a,73,68,61,72,65,64,43,6f,6e,74,72,6f,6c,73,3e,3c,2f,73,\
  69,71,3a,71,61,74,3e,3c,2f,73,69,71,3a,72,69,62,62,6f,6e,3e,3c,2f,73,69,71,\
  3a,63,75,73,74,6f,6d,55,49,3e,0d,0a
"SpoolerDlgPos"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,4f,02,00,00,33,01,00,00,41,04,00,00,ce,01,00,00
"SpoolerTack"=dword:00000000
"LastRun"=hex:5d,79,cd,4b,25,e9,cd,01
"TotalUpTime"=dword:00001240
"RibbonSettingsReadNote"=hex:3c,73,69,71,3a,63,75,73,74,6f,6d,55,49,20,78,6d,\
  6c,6e,73,3a,73,69,71,3d,22,68,74,74,70,3a,2f,2f,73,63,68,65,6d,61,73,2e,6d,\
  69,63,72,6f,73,6f,66,74,2e,63,6f,6d,2f,77,69,6e,64,6f,77,73,2f,32,30,30,39,\
  2f,72,69,62,62,6f,6e,2f,71,61,74,22,3e,3c,73,69,71,3a,72,69,62,62,6f,6e,20,\
  6d,69,6e,69,6d,69,7a,65,64,3d,22,66,61,6c,73,65,22,3e,3c,73,69,71,3a,71,61,\
  74,20,70,6f,73,69,74,69,6f,6e,3d,22,30,22,3e,3c,73,69,71,3a,73,68,61,72,65,\
  64,43,6f,6e,74,72,6f,6c,73,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,\
  51,3d,22,73,69,71,3a,31,30,34,38,38,22,20,76,69,73,69,62,6c,65,3d,22,74,72,\
  75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,63,6f,\
  6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,30,36,30,30,22,20,76,69,73,\
  69,62,6c,65,3d,22,74,72,75,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,\
  3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,30,\
  36,30,38,22,20,76,69,73,69,62,6c,65,3d,22,74,72,75,65,22,20,61,72,67,75,6d,\
  65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,51,\
  3d,22,73,69,71,3a,31,30,34,39,36,22,20,76,69,73,69,62,6c,65,3d,22,66,61,6c,\
  73,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,73,69,71,3a,63,6f,\
  6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,39,38,30,34,22,20,76,69,73,\
  69,62,6c,65,3d,22,66,61,6c,73,65,22,20,61,72,67,75,6d,65,6e,74,3d,22,30,22,\
  2f,3e,3c,73,69,71,3a,63,6f,6e,74,72,6f,6c,20,69,64,51,3d,22,73,69,71,3a,31,\
  39,38,30,38,22,20,76,69,73,69,62,6c,65,3d,22,66,61,6c,73,65,22,20,61,72,67,\
  75,6d,65,6e,74,3d,22,30,22,2f,3e,3c,2f,73,69,71,3a,73,68,61,72,65,64,43,6f,\
  6e,74,72,6f,6c,73,3e,3c,2f,73,69,71,3a,71,61,74,3e,3c,2f,73,69,71,3a,72,69,\
  62,62,6f,6e,3e,3c,2f,73,69,71,3a,63,75,73,74,6f,6d,55,49,3e,0d,0a
into a human-readable text file, in UTF-8, ANSI, LIT or HTML encoding.
The following output is with ANSI encoding selected.
RegtoText Windows Registry Conversion Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail]
"LinkTest"=[REG_LINK] 8 D " SymbolicLinkValue \Registry\Machine\Software\FSLog
"DisabledScriptsHEX4"=[REG_DWORD] 2147483647
"DisabledScriptsHEX42000000010 "=[REG_DWORD] 2000000010
"DisabledScriptsHEX52000000010not"=[REG_DWORD_BIG_ENDIAN] 177485175
"DisabledScriptsHEX5"=[REG_DWORD_BIG_ENDIAN] 0
"DisabledScriptsHEX51606664150"=[REG_DWORD_BIG_ENDIAN] 1606664150
"DisabledScriptsHEX41606664150"=[REG_DWORD] 1606664150
"DisabledScriptsHEX490AB12CD"=[REG_DWORD] 2427130573
"DisabledScriptsHEX590AB12CD"=[REG_DWORD_BIG_ENDIAN] 2427130573
"DisabledScriptsHEX1Test"=[REG_SZ] GallerySheet VersionCue VersionCueSDKLoader
"DisabledScripts"=[REG_MULTI_SZ] GallerySheet VersionCue VersionCueSDKLoader
"Store Root"=[REG_EXPAND_SZ] %USERPROFILE%\AppData\Local\Microsoft\Windows Live Mail\
"RtlLogOutput"=[REG_DWORD] 1
"Default User"=[REG_BINARY]
"DatabaseVersion"=[REG_DWORD] 18
"Running"=[REG_DWORD] 0
"First Calendar Run Done"=[REG_DWORD] 1
"Migration Attempts"=[REG_DWORD] 1
"VerStamp"=[REG_DWORD] 0
"Settings Upgraded"=[REG_DWORD] 17
"LDAP Server ID"=[REG_DWORD] 3
"DatabaseCorruptTime"=[REG_BINARY:<ANSI,1-byte>] `??&???
"V7StoreMigDone"=[REG_NONE] 01,00,00,00
"Compact Check Count"=[REG_DWORD] 2
"LastBackup"=[REG_BINARY:<UTF16-LE,2-byte>] ? 
.c
"Last Search Index"=[REG_DWORD] 2
"SearchFolderVersion"=[REG_DWORD] 18
"SearchFolderLaunchesUntilRebuild"=[REG_DWORD] 4
"Default LDAP Account"="account{D8DB2A07-80D5-46F6-B417-75016BA9F207}.oeaccount"
"First Run Done"=[REG_DWORD] 1
"Mail Is Ready"=[REG_DWORD] 0
"First Signin Warning"=[REG_DWORD] 7
"mhtml guid"="{908DF815-18C6-4AC5-980D-49110B6C5563}"
"RibbonSettingsComposeMailNews"=[REG_BINARY:<ASCII,1-byte>] <siq:customUI xmlns:siq="http://schemas.microsoft.com/windows/2009/ribbon/qat"><siq:ribbon minimized="false"><siq:qat position="0"><siq:sharedControls><siq:control idQ="siq:10704" visible="true" argument="0"/><siq:control idQ="siq:10488" visible="false" argument="0"/><siq:control idQ="siq:13672" visible="false" argument="0"/><siq:control idQ="siq:1043" visible="true" argument="0"/><siq:control idQ="siq:1044" visible="true" argument="0"/><siq:control idQ="siq:13624" visible="true" argument="0"/><siq:control idQ="siq:13656" visible="true" argument="0"/><siq:control idQ="siq:13660" visible="true" argument="0"/></siq:sharedControls></siq:qat></siq:ribbon></siq:customUI>
The following output is with HTML encoding selected.
Now you can see the exact values in the registry, for example values "DatabaseCorruptTime" and "LastBackup".
RegtoText Windows Registry HTML Entity Encoded Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail]
"LinkTest"=[REG_LINK]  8 D " SymbolicLinkValue \Registry\Machine\Software\FSLog
"DisabledScriptsHEX4"=[REG_DWORD] 2147483647
"DisabledScriptsHEX42000000010 "=[REG_DWORD] 2000000010
"DisabledScriptsHEX52000000010not"=[REG_DWORD_BIG_ENDIAN] 177485175
"DisabledScriptsHEX5"=[REG_DWORD_BIG_ENDIAN] 0
"DisabledScriptsHEX51606664150"=[REG_DWORD_BIG_ENDIAN] 1606664150
"DisabledScriptsHEX41606664150"=[REG_DWORD] 1606664150
"DisabledScriptsHEX490AB12CD"=[REG_DWORD] 2427130573
"DisabledScriptsHEX590AB12CD"=[REG_DWORD_BIG_ENDIAN] 2427130573
"DisabledScriptsHEX1Test"=[REG_SZ] GallerySheet VersionCue VersionCueSDKLoader
"DisabledScripts"=[REG_MULTI_SZ] GallerySheet VersionCue VersionCueSDKLoader
"Store Root"=[REG_EXPAND_SZ] %USERPROFILE%\AppData\Local\Microsoft\Windows Live Mail\
"RtlLogOutput"=[REG_DWORD] 1
"Default User"=[REG_BINARY]
"DatabaseVersion"=[REG_DWORD] 18
"Running"=[REG_DWORD] 0
"First Calendar Run Done"=[REG_DWORD] 1
"Migration Attempts"=[REG_DWORD] 1
"VerStamp"=[REG_DWORD] 0
"Settings Upgraded"=[REG_DWORD] 17
"LDAP Server ID"=[REG_DWORD] 3
"DatabaseCorruptTime"=[REG_BINARY:<ANSI,1-byte>] `&xFFFD;&xFFFD;&&xFFFD;&xFFFD;&xFFFD;
"V7StoreMigDone"=[REG_NONE] 01,00,00,00
"Compact Check Count"=[REG_DWORD] 2
"LastBackup"=[REG_BINARY:<UTF16-LE,2-byte>] .ĉ
"Last Search Index"=[REG_DWORD] 2
"SearchFolderVersion"=[REG_DWORD] 18
"SearchFolderLaunchesUntilRebuild"=[REG_DWORD] 4
"Default LDAP Account"="account{D8DB2A07-80D5-46F6-B417-75016BA9F207}.oeaccount"
"First Run Done"=[REG_DWORD] 1
"Mail Is Ready"=[REG_DWORD] 0
"First Signin Warning"=[REG_DWORD] 7
"mhtml guid"="{908DF815-18C6-4AC5-980D-49110B6C5563}"
"RibbonSettingsComposeMailNews"=[REG_BINARY:<ASCII,1-byte>] <siq:customUI xmlns:siq="http://schemas.microsoft.com/windows/2009/ribbon/qat"><siq:ribbon minimized="false"><siq:qat position="0"><siq:sharedControls><siq:control idQ="siq:10704" visible="true" argument="0"/><siq:control idQ="siq:10488" visible="false" argument="0"/><siq:control idQ="siq:13672" visible="false" argument="0"/><siq:control idQ="siq:1043" visible="true" argument="0"/><siq:control idQ="siq:1044" visible="true" argument="0"/><siq:control idQ="siq:13624" visible="true" argument="0"/><siq:control idQ="siq:13656" visible="true" argument="0"/><siq:control idQ="siq:13660" visible="true" argument="0"/></siq:sharedControls></siq:qat></siq:ribbon></siq:customUI>
"SpoolerDlgPos"=[REG_BINARY:<UTF16-LE,2-byte>] ,����&xFFFF;&xFFFF;&xFFFF;&xFFFF;&xFFFF;&xFFFF;&xFFFF;&xFFFF;ɏ�ij�с�ǎ�
"SpoolerTack"=[REG_DWORD] 0
"LastRun"=[REG_BINARY:<ANSI,1-byte>] ]y&xFFFD;K%&xFFFD;&xFFFD;
"TotalUpTime"=[REG_DWORD] 4672
"RibbonSettingsReadNote"=[REG_BINARY:<ASCII,1-byte>] <siq:customUI xmlns:siq="http://schemas.microsoft.com/windows/2009/ribbon/qat"><siq:ribbon minimized="false"><siq:qat position="0"><siq:sharedControls><siq:control idQ="siq:10488" visible="true" argument="0"/><siq:control idQ="siq:10600" visible="true" argument="0"/><siq:control idQ="siq:10608" visible="true" argument="0"/><siq:control idQ="siq:10496" visible="false" argument="0"/><siq:control idQ="siq:19804" visible="false" argument="0"/><siq:control idQ="siq:19808" visible="false" argument="0"/></siq:sharedControls></siq:qat></siq:ribbon></siq:customUI>
Yeah, that's right, all in one tool.
Here's what it can and can't do.
RegtoTextPro Help
.FILENAME
RegToTextPro.exe - demo returns only a few rows
.VERSION
Version 3.2019.4003.488+ (Update Jan, 2018)
.SYNOPSIS
Parses a valid Windows registry exported file (.reg) and translates indecipherable hex and decimal values into a human readable text file.
.PURPOSE
The aim of this command-line executable is to make a human readable registry file. This greatly aids in searching and understanding the Windows Registry, key for developers.
.DESCRIPTION
RegToTextPro is a Windows console application that deciphers the unreadable portions of a registry file into text. First, it checks for a valid Windows registry file ending with the file extension .reg. Then it validates the file header: "Windows Registry Editor Version 5.00" for Windows 2000, ME, XP, Vista, 7, 8, 8.1, 10+ and Server 2003+, or "REGEDIT4" for Windows 98, NT 4.0 and Server 2000 and earlier.
Once these checks pass, the process translates all hexadecimal and decimal values into an output Unicode text file. Output is written in 250-line chunks; on premature termination or cancellation, the output file contains everything up to the last chunk written. Output encoding can be ANSI, UTF-8, HTML or LIT. LIT is short for literal: Unicode control characters are escaped and appear as the verbatim C# string as held in memory. HTML is short for HTML encoding, in which most non-printable characters are HTML-encoded (no loss of fidelity). For ANSI, most non-printable characters are cleansed; read the ENCODING notes for details. The encoding choice can drastically affect output file size and scroll-ability in text editors.
The following common registry types are translated; the translation is denoted by "->":
dword:(DWORD value) -> [REG_DWORD] textvalue
hex(2):(expandable string value) -> [REG_EXPAND_SZ] textvalue
hex:(binary value) -> [REG_BINARY:<VariableByteUTF8EncodingType>] textvalue
(binary value) can be a variable-byte UTF-8 encoded value of 1 to 4 bytes, indicated by VariableByteUTF8EncodingType, which has these values:
ASCII,1-byte
ANSI,1-byte
UTF16-LE,2-byte - little-endian encoded
UTF16-BE,2-byte - big-endian encoded
UTF8,3-byte
UTF8,4-byte
(Update Nov 20, 2019) Version 3
hex(7):(multistring value) -> [REG_MULTI_SZ] textvalue; this type usually contains Darwin Descriptors, which the tool attempts to decode.
etc...
All the Windows registry types that appear in a .reg file are translated:
.reg notation | Registry type | Description
--- | --- | ---
"value" alias hex(1) | Default or blank | String value data with escape characters
hex alias hex(3) | REG_BINARY | Binary data (any arbitrary data)
dword alias hex(4) | REG_DWORD | A 32-bit unsigned integer coded in little-endian format
hex(0) | REG_NONE | No type (the stored value, if any)
hex(1) | REG_SZ | A string value, normally stored and exposed in UTF-16LE (when using the Unicode version of Win32 API functions), usually terminated by a NUL character
hex(2) | REG_EXPAND_SZ | An "expandable" string value that can contain environment variables, normally stored and exposed in UTF-16LE, usually terminated by a NUL character
hex(3) | REG_BINARY | Binary data (any arbitrary data), including variable-byte encoded UTF-8 values
hex(4) | REG_DWORD_LITTLE_ENDIAN (equivalent to REG_DWORD) | A 32-bit unsigned integer coded in little-endian format
hex(5) | REG_DWORD_BIG_ENDIAN | A 32-bit unsigned integer coded in big-endian format
hex(6) | REG_LINK | A symbolic link (UNICODE) to another Registry key, specifying a root key and the path to the target key
hex(7) | REG_MULTI_SZ | A multi-string value, which is an ordered list of non-empty strings, normally stored and exposed in UTF-16LE, each one terminated by a NUL character, the list being normally terminated by a second NUL character
hex(8) | REG_RESOURCE_LIST | A resource list
hex(9) | REG_FULL_RESOURCE_DESCRIPTOR | A resource descriptor
hex(a) | REG_RESOURCE_REQUIREMENTS_LIST | A resource requirements list
hex(b) | REG_QWORD_LITTLE_ENDIAN (equivalent to REG_QWORD) | A 64-bit integer, little-endian (introduced in Windows XP)
The distribution of these value types is listed in my article on the subject, here.
.LIMITATIONS
Translation of REG_BINARY is done on a best-effort statistical basis, because this value type can hold any arbitrary data. RegtoTextPro does a best-fit analysis to decode the text, but it could be anything.
Does not decode hex(9): REG_FULL_RESOURCE_DESCRIPTOR - A resource descriptor
Does not decode hex(a): REG_RESOURCE_REQUIREMENTS_LIST - A resource requirements list
Does not decode Darwin Descriptors some of the time; use this tool in those cases.
Does not unpack packed GUIDs; perhaps in a future enterprise version (separate tool available).
Does not ROT-13 decode the UserAssist key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist (separate tool available).
DOES NOT DECODE THESE values:
hex(9) | REG_FULL_RESOURCE_DESCRIPTOR | A series of nested arrays. It stores a resource list that is used by a hardware device. The system writes detected data to the \HardwareDescription tree. In the editor, this data is displayed as a binary value in hexadecimal format. |
hex(a) | REG_RESOURCE_REQUIREMENTS_LIST | A series of nested arrays. It is used to store a list of hardware drivers which can be used by a particular device driver or a hardware device controlled by that driver. The system writes part of the list to the \ResourceMap tree. Data is defined by the system. In the editor, data is displayed as a binary parameter in hexadecimal format. |
New to the 2019 release: a separate tool, available for an additional fee, decodes the following type properly.
hex(8) | REG_RESOURCE_LIST | A resource list |
.REQUIREMENTS
32-bit app which requires .NET Framework 4 Client Profile.
.64 BIT REGISTRY KEYS
The registry in 64-bit versions of Windows is divided into 32-bit and 64-bit keys. Many of the 32-bit keys have the same names as their 64-bit counterparts, and vice versa.
To open the 64-bit version of the registry, run %systemroot%\syswow64\regedit from CMD as Admin.
Refer to https://support.microsoft.com/en-ca/kb/305097 for how to extract 64-bit keys to a .reg file. RegtoText decodes 64-bit keys the same way as 32-bit keys; there is no difference.
.HIDDEN REGISTRY KEYS - SECURITY & SAM
Some security and core system keys are hidden from users: even members of the Administrators group cannot see these special keys.
Here are some such hidden registry keys:
HKEY_LOCAL_MACHINE\SECURITY
HKEY_LOCAL_MACHINE\SAM
The SECURITY registry key stores all system policy and LSA secrets; the SAM registry key holds user account details along with the LM/NTLM password hashes for each user.
There are several ways to view these hidden registry keys. One is to use psexec.exe (part of the PsTools package from Sysinternals) to launch regedit.exe as the SYSTEM account, as shown below.
psexec.exe -s -i regedit.exe
.ENCODING
There are four output encoding options: ANSI, UTF8, LIT and HTML. For ANSI, non-printable characters below decimal 31 are stripped, as are characters outside the ANSI range. For UTF8, all control characters are preserved; note, however, that the string terminator character '\0' is frequently used for other purposes in the registry. This has the unintended consequence of prematurely shortening the output string at that intermediate '\0' instead of at the true end-of-string position. In other words, information is lost. Hence the two new output encodings in the Pro edition. LIT, short for literal, preserves Unicode control characters by escaping them: it outputs the string as the program's own language represents it internally (the program is written in C#). HTML is short for the HTML encoding option: all non-printable characters (except CR, LF and tab) are HTML-encoded, preserving the fidelity of the original registry value. Moreover, if you specify a '.html' extension for the output file name, <br> tags are added so the page reads easily in a browser. This has the added benefit of being quite fast to render, load and scroll for very large files (>1 GB).
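As an added example, not RegtoTextPro's own code, here is a Python decoder for the value types listed above and the four output encodings, producing the same "name"=[REG_TYPE] text layout. It assumes the regedit export convention in which hex(n) lists bytes in storage order, so hex(4) reads little-endian and hex(5) big-endian, which yields different numbers from the hand-made DisabledScriptsHEX4/HEX5 sample values shown earlier; the REG_BINARY sniffing is a simplified stand-in for the tool's heuristics, and the Example key and its values are constructed.

```python
# Added example (not RegtoTextPro's code): decode regedit .reg value lines
# into "name"=[REG_TYPE] text using the page's four output encodings.
import html
import re
# .reg type prefix -> registry type ("hex:" with no number is hex(3))
REG_TYPES = {"hex(0)": "REG_NONE", "hex(1)": "REG_SZ", "hex(2)": "REG_EXPAND_SZ",
             "hex": "REG_BINARY", "hex(3)": "REG_BINARY", "hex(4)": "REG_DWORD",
             "hex(5)": "REG_DWORD_BIG_ENDIAN", "hex(6)": "REG_LINK",
             "hex(7)": "REG_MULTI_SZ", "hex(b)": "REG_QWORD"}
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(dword|hex(?:\([0-9a-f]\))?):(.*)$')

def join_continuations(text):  # regedit wraps byte lists with a trailing "\"
    return re.sub(r"\\\r?\n[ \t]*", "", text)

def sniff_binary(raw):  # best-effort guess for REG_BINARY, a heuristic as the page says
    if len(raw) >= 4 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return "UTF16-LE,2-byte", raw.decode("utf-16-le")
    if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return "ASCII,1-byte", raw.decode("ascii")
    return "ANSI,1-byte", raw.decode("cp1252", errors="replace")

def decode_value(line):
    """Return (name, type tag, decoded text) for one joined '"name"=type:data' line."""
    m = VALUE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a typed value line: {line!r}")
    name, kind, data = m.groups()
    if kind == "dword":
        return name, "REG_DWORD", str(int(data, 16))
    raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
    rtype = REG_TYPES.get(kind, kind)
    # hex(n) lists bytes in storage order: DWORD/QWORD little-endian, hex(5) big-endian
    if kind in ("hex(4)", "hex(b)"):
        return name, rtype, str(int.from_bytes(raw, "little"))
    if kind == "hex(5)":
        return name, rtype, str(int.from_bytes(raw, "big"))
    if kind in ("hex(1)", "hex(2)", "hex(6)"):
        # embedded NULs are kept; only the terminator goes (no early cut-off)
        return name, rtype, raw.decode("utf-16-le").rstrip("\0")
    if kind == "hex(7)":  # one NUL between strings, two at the end
        return name, rtype, " ".join(s for s in raw.decode("utf-16-le").split("\0") if s)
    if kind in ("hex", "hex(3)"):
        tag, text = sniff_binary(raw)
        return name, f"{rtype}:<{tag}>", text
    return name, rtype, ",".join(f"{b:02x}" for b in raw)  # REG_NONE and the rest

def render(text, encoding="UTF8"):
    """Apply one of the page's output encodings: UTF8, LIT, HTML or ANSI."""
    if encoding == "UTF8":   # raw; NULs survive, so some editors cut the line
        return text
    if encoding == "LIT":    # C#-style literal: control characters escaped
        return "".join(c if c >= " " else f"\\u{ord(c):04x}" for c in text)
    if encoding == "HTML":   # lossless: controls (bar CR/LF/tab) as &#x..;
        return "".join(html.escape(c) if c >= " " or c in "\r\n\t"
                       else f"&#x{ord(c):x};" for c in text)
    if encoding == "ANSI":   # lossy: NUL shown as space, other controls and
        return "".join(" " if c == "\0" else c  # non-ANSI characters dropped
                       for c in text if c == "\0" or " " <= c <= "\xff")
    raise ValueError(f"unknown encoding {encoding!r}")

def convert(reg_text, encoding="UTF8"):  # header, key and plain string lines pass through
    out = []
    for line in join_continuations(reg_text).splitlines():
        if VALUE_RE.match(line.strip()):
            name, rtype, text = decode_value(line)
            out.append(f'"{name}"=[{rtype}] {render(text, encoding)}')
        else:
            out.append(line)
    return "\n".join(out)

# constructed sample modelled on the page's listing (not a real export)
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Example]
"Count"=dword:00000012
"Little"=hex(4):01,00,00,00
"Big"=hex(5):00,00,00,01
"Names"=hex(7):47,00,61,00,6c,00,00,00,56,00,43,00,00,00,00,00
"Path"=hex(2):25,00,55,00,53,00,45,00,52,00,25,00,5c,00,\
  41,00,00,00
"Blob"=hex:3c,73,69,71,3e
"Stamp"=hex:dd,07,01,00'''
```

Calling convert(SAMPLE, "LIT") shows the "Stamp" control bytes as \u0007\u0001\u0000 instead of silently truncating the line, which is the loss the UTF8 mode suffers from.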
.TEXT EDITORS
Notepad and Notepad++ will not load 1 GB+ files. TextPad (memory limited), Notepad Light (up to 2 GB) and UltraEdit (claims 2^64-1 GB) will load files over 1 GB.
.PERFORMANCE
Tested on 4.25M rows in 18 min 24 s, processing 921,572 subkeys and 2,344,590 key/value pairs.
.USAGE
RegToTextPro [/h] [/v] [/s] inputfile.reg [/o:filename.txt] [/e:{ANSI|UTF8|LIT|HTML}]
.ARGUMENTS
[drive:][path]inputfile.reg    1st argument, required
Input registry file. If the path is omitted, it defaults to the current directory.
.FLAGS
(order not important)
/h|/help Help
/v|/version Version
/s|/silent Silent
/l|/license License
/e|/encoding:{ANSI|UTF8|LIT|HTML}    Output encoding. If omitted, default value: 'UTF8'.
/o|/output:[drive:][path]filename.txt    Output text file. If omitted, default value: 'inputfile.txt'.
.INPUT
Must be a valid registry file exported from REGEDIT.exe, ending in .reg.
.OUTPUT
If no output file is specified, a Unicode text file with the .txt extension is created. If the file already exists, there is no prompt to delete it; a timestamped file is created instead. Hexadecimal and decimal values are decoded according to the /e flag.
If the output file name ends with .html, a '<br>' tag is added to the end of each line when using encoding /e:HTML.
regtotextpro c:\Users\MDC\Documents\myfullregistryBCK.reg /e:ANSI
.AUTHOR
metadataconsult@gmail.com (Metadata Consulting, ON, CDN) July 30, 2016
.LICENSE
Read the full license agreement with the /l flag, or pipe it into a text file using 'regtotext /l > RTTLic.txt' to read it in Notepad.
Download the REGTOTEXTPRO demo, version 3 (updated Nov 2019). Read the demo license.
For a commercial licensed version, use the form below or contact metadataconsult a_t gmail.com.
ADDITIONAL TOOLS
The List Registry Links tool lists all REG_LINK value types in a better way; get it here.
For decoding Darwin Descriptors, get the tool here.
Commercial version sample run on a new Windows 10 Pro install with Office 2016.