The Windows NT Server Resource Kit includes ScanReg.exe, which can scan the
local or remote registries for strings in key names, value names, or data.
This can be very helpful. As a command-line utility, it has potential in
login scripts – for example, to scan for the telltale sign of virus
scanning or unapproved hacks. The help from ScanReg:

    usage:
    scanreg 1.05 <[-s] string> < [-k] [-v] [-d] > [[-r] key] [-c] [-e] [-n]
      -s  string to search for
      -r  root key to start search from (default = HKEY_CURRENT_USER)
          root key can be abbreviated as follows :
            HKEY_LOCAL_MACHINE – lm
            HKEY_CURRENT_USER – cu
            HKEY_CLASSES_ROOT – cr
            HKEY_USERS – us
      -k  search keynames (NB : must specify at least one of -k -v or -d)
      -v  search valuenames
      -d  search data
      -c  search case sensitive (default : case INsensitive)
      -e  return only exact match (default : return all matches)
      -n  no color in output (default : keys red, values green, data yellow)
    Examples: SCANREG -s Windows -k -v -d
              SCANREG -s Windows -kvd
              SCANREG /s Windows /r \lm\software /kvde
              SCANREG Windows \lm -kd -n
              SCANREG Windows \\MOON\HKEY_LOCAL_MACHINE -d
              SCANREG Windows HKEY_CURRENT_USER\software -kvd

Experiment with scanreg. It has great potential. Use the above help syntax as
a starting point.
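
The login-script use mentioned above could look like the following. This is an added example, not part of the Resource Kit or the original tip. It assumes scanreg.exe is on the PATH and that a hit is printed on a line containing the matched text; MARKER and LOGFILE are hypothetical placeholders.

```batch
@echo off
rem Added example: login-script check built on the ScanReg syntax shown above.
rem Assumptions (not from the original page): scanreg.exe is on the PATH,
rem MARKER is a placeholder string, and LOGFILE is a hypothetical log path.
setlocal
set MARKER=ExampleUnapprovedTool
set LOGFILE=%TEMP%\scanreg-%USERNAME%.log
set TMPOUT=%TEMP%\scanreg-%USERNAME%.tmp

rem Search key names, value names and data under HKEY_LOCAL_MACHINE\Software.
rem -n switches off the colored output so the captured text stays plain.
scanreg -s %MARKER% -r \lm\software -kvd -n > "%TMPOUT%" 2>&1

rem Assumption: a hit is reported on a line that contains the matched text.
rem find returns errorlevel 0 when at least one line contains the marker.
find /i "%MARKER%" "%TMPOUT%" > nul
if errorlevel 1 goto clean

rem Match found: record who and where, then keep the raw ScanReg output.
echo %COMPUTERNAME% %USERNAME%: "%MARKER%" found under HKLM\Software >> "%LOGFILE%"
type "%TMPOUT%" >> "%LOGFILE%"
goto done

:clean
echo %COMPUTERNAME% %USERNAME%: no match for "%MARKER%" >> "%LOGFILE%"

:done
del "%TMPOUT%"
endlocal
```

Run the scanreg line by hand on a known-clean machine first to confirm what its output looks like when nothing matches, since the check depends on that.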