Introduction
I've written an application that indexes the registry and another application that searches this index.
This results in near-instant results while you type, which allows you to quickly search several things.
See this video demonstration, which shows how quick the results are: three different searches and two registry jumps.
The Index
For indexing purposes, I'm using Lucene.net, doesn't that sound familiar?
This allows me to index data straight out of the registry, without using a SQL database to store the data in. Furthermore, Lucene.net has a lot of indexing options and search related features which come in handy!
This index will be stored in %LOCALAPPDATA%\RegistryIndex, and has a size of around 160 MB.
Application 1: RegistryIndex.exe
This will dump the whole registry to the above mentioned index folder, please note that HKEY_CLASSES_ROOT and HKEY_CURRENT_USER are shortcut hives and thus not indexed.
Although it does work without, you might want to configure it to automatically run as administrator.
Once the application shows that it is done, you can close the window and thus the index has been made.
Application 2: RegistrySearch.exe
This one is simple, type something to search in the text box above and results will flow in.
Typing incorrect syntax will result in a yellow text box and the error in the status bar at the bottom.
Special search features like wildcard and boolean operations are supported, see Query Syntax for more information. Please note that specifying fields will not work in the current setting; the system searches in a concatenation of tokenized path and value. So A\B\C with value D E F becomes A B C D E F.
Example of searching an exact path: "HKEY_LOCAL_MACHINE SOFTWARE"
The search is limited to 1000 results.
Double click an entry to jump to it in the registry, this uses regjump.exe from SysInternals.
You need to run the search program as an administrator for the jump to work; accept the EULA the first time.
Future features
See the current version as a Technical Preview, it does work but could use refactoring and make-up.
- Application icon & version
- Configuration
- Highlighting results
- Installer package
- Monitor service (Tracks registry changes using a hook and updates the index)
Changes
- 21/03: Now stores in %LOCALAPPDATA%, asks for Administrators permission.
Download
Click here to download, unzip all files to a preferred location, create shortcuts to RegistryIndex/Search.exe.
Source
It's non-obfuscated, so to inspect the IL you can use Reflector if you want to.
I might release source when it is refactored with a bit more features, perhaps I can put it on CodePlex.
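The single-stream search described in this answer (path and value tokenized into one text, so field queries do nothing and a quoted phrase matches an exact path), as an added example that is not part of the original post and not the tool's code. It is a toy positional index in plain Python standing in for Lucene.net, run over constructed sample records; the tokenizer and the all-terms matching are assumptions.

```python
import re
from collections import defaultdict

MAX_RESULTS = 1000  # the post caps a search at 1000 results

# Constructed sample records (key path, value text); not real registry output.
SAMPLE = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\App", r"InstallDir C:\Program Files\App"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Demo", "ImagePath demo.sys"),
    (r"HKEY_USERS\S-1-5-18\SOFTWARE\Vendor", "Theme dark"),
]

def tokenize(path, value=""):
    """A\\B\\C with value 'D E F' becomes ['a', 'b', 'c', 'd', 'e', 'f']."""
    return [t.lower() for t in re.split(r"[\\\s]+", f"{path} {value}") if t]

def build_index(records):
    """Positional inverted index: token -> {doc_id: [positions]}."""
    index = defaultdict(dict)
    for doc_id, (path, value) in enumerate(records):
        for pos, tok in enumerate(tokenize(path, value)):
            index[tok].setdefault(doc_id, []).append(pos)
    return index

def search_terms(index, query, limit=MAX_RESULTS):
    """All terms must occur somewhere in the combined path+value text."""
    terms = tokenize(query)
    if not terms:
        return []
    docs = set(index.get(terms[0], {}))
    for term in terms[1:]:
        docs &= set(index.get(term, {}))
    return sorted(docs)[:limit]

def search_phrase(index, phrase):
    """Terms must be adjacent, which is how an exact path is matched."""
    terms = tokenize(phrase)
    hits = []
    for doc_id in search_terms(index, phrase, limit=None):
        for start in index[terms[0]][doc_id]:
            if all(start + i in index[t][doc_id] for i, t in enumerate(terms)):
                hits.append(doc_id)
                break
    return hits[:MAX_RESULTS]

if __name__ == "__main__":
    idx = build_index(SAMPLE)
    for doc_id in search_phrase(idx, "HKEY_LOCAL_MACHINE SOFTWARE"):
        print(SAMPLE[doc_id][0])
```

Because there is no field boundary, a phrase such as `App InstallDir` also matches across the end of the path and the start of the value.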
possible duplicate of Registry Search & Replace Tool – Mehper C. Palavuzlar – 2011-02-26T11:45:38.910
have a look here: http://majorgeeks.com/downloads15.html – bubu – 2011-02-26T12:43:14.073
@Mehper C. Palavuzlar: I would say this is not a duplicate. Search and replace tools are not indexation tools. Usually the first will scan the registry linearly every time a new search is performed. – Benoit – 2011-02-26T15:33:39.790
@bubu: seems there is no single indexation tool here! All search tools seem to search in a linear way for each new search! – Benoit – 2011-02-26T15:37:44.033
Not an indexer but makes it much easier to search the registry... http://www.nirsoft.net/utils/regscanner.html – Moab – 2011-02-26T15:39:47.383
@Moab: I know Nirsoft utilities (and particularly HashMyFiles). Thank you for pointing to this one. It is interesting, but still not what I am looking for! – Benoit – 2011-02-26T16:18:27.680
A Registry Indexer is an interesting idea. – Moab – 2011-02-26T16:37:17.340
@Benoit: This bothers me a lot, I'm going to try to write such an application today. – Tamara Wijsman – 2011-03-17T08:24:55.577
@TomWij: Will it be commercial? Open-source? Could I beta-test it please :-) ? This is a great project, and I back it. – Benoit – 2011-03-17T08:27:30.510
@Benoit: Free, I don't know if it really needs to be OS or Beta. I'm planning on solely writing an Indexer and perhaps an optional Monitor to update the Index on-the-fly, it will take you to the right path in the existing Registry Editor if you double click on a result. I've already found the resources I need, expect it to be released by the weekend as I might not have enough time today. – Tamara Wijsman – 2011-03-17T08:55:01.963
@Benoit: Okay, got recursively enumerating the registry working, in reasonable time my registry is dumped to a ~160 MB file (just for testing purposes); the next step which I will do tomorrow is to get it in a Full-Text Search Index which I've already got a plan for. – Tamara Wijsman – 2011-03-17T20:13:59.957
@Benoit: Indexing part has been finished, shows progress bar and current path during indexing. Indexing takes ~2 minutes here, the searches should be instant. It has to be run every time you want to work with the newest data. I'm going to write the Search part soon, I might not finish this weekend but there is no hurry... – Tamara Wijsman – 2011-03-19T18:43:23.670
@TomWij: thank you for reporting your progress! – Benoit – 2011-03-19T18:54:06.017
@TomWij: perhaps awarding a bounty would be useful when you're done or if someone finds another tool before you've finished! – Benoit – 2011-03-21T10:02:46.630
Got it working, gonna eat, do some more testing and then create a post. :-) – Tamara Wijsman – 2011-03-21T16:53:44.230
Whatever you do, make sure to avoid searching duplicate keys. I suggest you use the native NT API to avoid re-searching keys that are huge duplicates (like HKLM\SOFTWARE\Classes and HKCR). – user541686 – 2011-03-21T19:31:18.093
@Mehrdad: That's already handled from the start, the NT API won't avoid that as you specify what you want to enumerate and that would be all the hives. So I specified to only use the three hives instead of all five hives. Further improvements could probably be made, feel free to suggest them but would only make a minor difference as far as I could see... – Tamara Wijsman – 2011-03-21T21:13:35.160
@TomWij: Well I meant that there's also symbolic links like CurrentControlSet that you can only open with the Native API (otherwise, it'll open the target not the link), but as you mention, those are really minor compared to HKCR, so it would only probably save a second or so. – user541686 – 2011-03-21T21:22:24.753
@MehrDad: I'm using .NET functions, it works fine. Maybe I try to figure out things that are useless to be indexed in the future... – Tamara Wijsman – 2011-03-21T22:40:29.563
@TomWij: I'm not sure what you meant by the "it works fine", but notice that you've actually opened the key ControlSet001 (or maybe ControlSet002 or some other one), not CurrentControlSet. CurrentControlSet is actually a link to those keys, and it's not possible to view the link itself using the regular .NET functions; you need a function like NtOpenKey to open the actual symbolic link instead of the target. Take a look here and here. – user541686 – 2011-03-21T22:51:26.117
I see, indeed, the .NET method I use doesn't pass information about whether it is symbolic or not. But this shouldn't be necessary for indexing... Yes, it indexes the control set twice now which I could solve by not indexing the ControlSets (loss of the non-current control set data) or not indexing the CurrentControlSet (loss of knowing what's current), but well, as the difference is minor it's not really necessary now... :-) – Tamara Wijsman – 2011-03-22T00:11:13.350