I’ll be reviewing how to analyze a .reg file for unique values on OS X.
Prerequisite
dos2unix will be required
brew install dos2unix
Instructions
In this example we will assume you have dumped all of HKEY_CURRENT_USER\Software\ into a file named software-all.reg.
Converting the .reg file to UTF-8
The .reg file must be converted to a UTF-8 file in order for things like awk to work properly on it.
$ file software-all.reg
software-all.reg: Windows Registry little-endian text (Win2K or above)
$ dos2unix software-all.reg
dos2unix: converting UTF-16LE file software-all.reg to UTF-8 Unix format...
$ file software-all.reg
software-all.reg: UTF-8 Unicode text, with very long lines
Place only lines with “HKEY” into a new file
Pull out only the lines that contain “HKEY”.
grep "HKEY" software-all.reg > software-all-hkey.txt
Finding the Unique Key Counts per Level
Next you will probably want a report of how many times each key name appears at a given level.
Print the third field of each key, count the occurrences of each unique value, and sort the output by count
awk -F\\ '{ print $3 }' software-all-hkey.txt | sort | uniq -c | sort -n > software-all-hkey-3.txt
Print the fourth field of each key, count the occurrences of each unique value, and sort the output by count
awk -F\\ '{ print $4 }' software-all-hkey.txt | sort | uniq -c | sort -n > software-all-hkey-4.txt
Print the fifth field of each key, count the occurrences of each unique value, and sort the output by count
awk -F\\ '{ print $5 }' software-all-hkey.txt | sort | uniq -c | sort -n > software-all-hkey-5.txt
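The per-level commands above generalize to one function that takes the level as an argument. This is an added example, not the author's code: the function names reg_level_counts and write_sample and the sample export are constructed for illustration, and the input is assumed to be already converted to UTF-8. It counts only lines that begin with [HKEY, so value data that mentions HKEY is ignored, and it strips the enclosing brackets so a leaf key such as Microsoft] is counted together with Microsoft.

```shell
#!/bin/sh
# Added example: count key names at one depth of a UTF-8 .reg export.
# Function names and the sample data are constructed for illustration.

# write_sample FILE: write a small constructed .reg export to FILE.
write_sample() {
    cat > "$1" <<'EOF'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software]

[HKEY_CURRENT_USER\Software\Microsoft]

[HKEY_CURRENT_USER\Software\Microsoft\Windows]
"Note"="see HKEY_LOCAL_MACHINE\\Software\\Example"

[HKEY_CURRENT_USER\Software\Microsoft\Office]

[HKEY_CURRENT_USER\Software\ExampleVendor\App One]
EOF
}

# reg_level_counts FILE LEVEL: print "count<TAB>name" for path component
# LEVEL (same numbering as the awk fields above), most frequent first.
reg_level_counts() {
    tab=$(printf '\t')
    # Key lines start with "[HKEY"; value data that mentions HKEY does not.
    grep '^\[HKEY' "$1" |
        tr -d '\r' |                       # tolerate CRLF line endings
        sed -e 's/^\[//' -e 's/]$//' |     # drop the enclosing brackets
        tr '\\' '\t' |                     # path separator -> tab
        awk -F"$tab" -v n="$2" '
            NF >= n { count[$n]++ }        # skip keys shallower than LEVEL
            END { for (k in count) printf "%d\t%s\n", count[k], k }' |
        LC_ALL=C sort -t"$tab" -k1,1nr -k2
}

# Demo on the constructed sample: level 3 is the vendor name.
sample=$(mktemp)
write_sample "$sample"
reg_level_counts "$sample" 3
rm -f "$sample"
```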