9.9 reg: The One-Size-Fits-All Registry Tool
I have been heard to describe the reg.exe utility
as "RegEdt32 in a can." It does
almost everything RegEdt32 can do, but it allows
you to do it from a command line. Not only is this a boon when you
want to quickly make a change without firing up RegEdt32;
it also allows you to embed Registry operations in logon
scripts and batch files. (Of course, you learned how to use the
Registry from within Perl in Chapter 8, but for
the non-Perl-hackers among us, reg is a welcome
substitute.)
If you've ever used the net command,
you'll immediately recognize how reg works.
Like net, you use reg by giving
it a command from a short list of options (query,
add, delete,
copy, save,
load, unload,
restore, compare,
export, and import), followed
by one or more optional parameters that the command you specify
interprets. Here's a short example in which
reg gets the query command for
a specified subkey of HKLM:
C:\reskit>reg query HKLM\Software\Qualcomm /s
Listing of [Software\Qualcomm]
[Eudora]
[Eudora\3.0.1]
Here's the problem with reg: the Windows
2000 and NT versions have different command-line parameters and
switches. In an effort to do away with the clutter of multiple tools,
Microsoft revamped the interface for the Windows 2000
reg tool, making it more
functional and more consistent, not to mention unlike its older
brother.
9.9.1 Using the Windows 2000 Version of reg
The Windows 2000 version of reg.exe offers 11
separate functions, ranging from querying for the existence of a key
or value to recursively deleting everything beneath a specific key.
Each mode has its own mnemonic, which you specify after the
reg command itself.
9.9.1.1 Querying keys
The reg
query command allows you to query a single key for
a single value or a range of keys for all their values. This provides
you with a quick way to check whether a key has the value you think
it does, or in fact whether it has any values associated with it at
all.
REG QUERY [rootKey\]key [\\machine] [/S] [/V value] [/VE]
- rootKey
Optional; specifies which root key to use as base of query. May be
HKLM, HKCU, HKCR, or HKCC. Defaults to HKLM if omitted.
- key
Specifies the full name of a key under the specified
rootKey.
- value
Specifies a value under key to query. If omitted,
all keys and values under key are
displayed.
- machine
Specifies the name of a remote machine to query; if omitted, defaults
to local machine. You can only query HKLM and HKU on remote machines.
- /S
Queries all subkeys of key.
- /V value
Queries the specified value and prints its contents.
- /VE
Queries the default, or empty, value.
9.9.1.2 Adding keys and values
The reg add command adds new
keys and values to the Registry. You can add a value to an existing
key, add a new key with no values, or create a new key and a value
beneath it. If you try to add a key or value that exists,
reg warns you.
REG ADD [\\machine\]key [/V value | /VE] [/T dataType] [/D data]
[/S separator] [/F]
- machine
Name of a remote machine to add the key on; if omitted, defaults to
local machine. You can only add to HKLM and HKU on remote machines.
- key
Full path to key you want to add (if you're adding a key) or to
key where the new value should be added (if you're adding a
value). Must include a root key (HKLM, HKCU, HKCR, HKU, or HKCC) and
a full path to the target subkey.
- /V value
Specifies the full name of the value to add. Don't use this
switch if you want to add a key; instead, just specify the new key as
the last component of key.
- /VE
Specifies that you want to add the empty or untitled value to the
specified key.
- /T dataType
Type of the new value to be added. Can be REG_NONE, REG_SZ,
REG_MULTI_SZ, REG_EXPAND_SZ, REG_DWORD, REG_BINARY,
REG_DWORD_BIG_ENDIAN, or REG_DWORD_LITTLE_ENDIAN. If omitted, REG_SZ
is the default. If you specify REG_DWORD, you must specify
data as a decimal number.
- /D data
Contents of newly created value. String values may contain spaces and
special characters, but must be enclosed in double quotes if they do.
REG_MULTI_SZ variables must be separated by whatever separator you
want to use: either \0 or whatever you specify
with the /S switch.
- /S separator
When adding a REG_MULTI_SZ value, specifies which character to use as
the separator. If omitted, \0 is assumed to be the
separator.
- /F
Forces reg to make the change without prompting
you for confirmation.
For example, let's say you wanted to create a registry key as
part of a configuration script, adding a necessary REG_EXPAND_SZ
value along the way. Here's one way to do it:
reg add HKLM\Software\RA\ExchangePlus\DLMaster /F
reg add HKLM\Software\RA\ExchangePlus\DLMaster /v SystemPath /t REG_EXPAND_SZ /d "%SYSTEMROOT%" /F
These commands forcibly add the required key, then add the required
value with the correct data type and contents.
9.9.1.3 Deleting keys and values
The reg delete command removes
a key or value. When you remove a key, reg
delete removes all subkeys and values beneath that
key; however, it asks you to confirm your intentions before it
actually deletes anything unless you use the /F
switch. That notwithstanding, be careful when using this command. As
with reg update, you can delete only keys where
the ACLs (and/or the remote Registry settings) allow you access.
REG DELETE [\\machine\]key [/V value | /VE | /VA] [/F]
- machine
Name of a remote machine from which you want to remove the value; if
omitted, defaults to local machine. You can only remove keys from
HKLM and HKU on remote machines.
- key
Full path to key you want to remove (if you're removing the key
itself) or to key where the target value lives. Must include a root
key (HKLM, HKCU, HKCR, HKU, or HKCC) and a full path to the target
subkey.
- /V value
Specifies the full name of the value to remove. Don't use this
switch if you want to remove an entire key; instead, just specify the
key name and use the /VA switch.
- /VE
Specifies that you want to remove the empty or untitled value from
the specified key.
- /VA
Specifies that you want to remove all values from the target key
without touching its subkeys.
- /F
Forces reg to remove the targeted keys or values
without prompting you for confirmation.
9.9.1.4 Copying keys and values
reg copy might be my favorite
of all reg's commands,
if only because it greatly eases the process of copying settings from
one place to another. You can use the command to copy a single key or
an entire hive from its original location to another; the target
location can be on the same machine as the source or on any other
machine on the network. This command makes short work of tasks like
copying a standard set of file associations to new machines or
tweaking one machine so its configuration matches another.
REG COPY [\\srcMachine\]srcKey [\\destMachine\]destKey [/S] [/F]
- srcMachine and destMachine
Specifies names of source and destination machines. Either or both
may be remote machines; if either is omitted, the local machine is
assumed. You can copy keys into and out of HKLM and HKU only on
remote machines.
- srcKey
Specifies the full name of the source key, including the root key.
You can copy from any root key, provided you have access to the
source key. All values beneath the source key are copied to the
destination key.
- destKey
Specifies the full name of the destination key. This may be different
from the source key if you wish, as long as you have access to the
area where you're trying to graft the copied key.
- /S
Specifies that you want to recursively copy all subkeys and values
from srcKey to
destKey. If you don't specify this
switch, only the specified key and its values are copied.
- /F
This switch is documented but doesn't seem to do anything,
since reg copy never prompts
you for a confirmation.
9.9.1.5 Saving and restoring keys
Sometimes having a quick way to make a backup copy of a key and its
values, or restore a key from such a backup, can be very useful
indeed. You can back up the entire Registry using the strategies
outlined in Chapter 3; however, if that's
overkill, consider using the reg
save and reg
load commands instead.
To save a key and its values to a new hive file on disk, you can use
either reg save or reg
backup (they're synonyms):
REG SAVE [\\machine\]srcKey fileName
- machine
Name of a remote machine to query; if you omit it, the local machine
is used. As usual, you can only manipulate keys in HKLM and HKU on
remote machines.
- srcKey
The full name of the source key, including the root key, you want to
back up. All of the source key's values and subkeys are
recursively copied to the file you specify.
- fileName
Names the file that will hold the saved data. You can specify any
valid full or partial path to receive the file; if you leave one off,
local keys are backed up to the current directory, and remote keys go
in %systemroot%\system32.
To quickly store a copy of all of your current settings, use this
command:
reg save HKCU my-profile
then use it anywhere you can use a hive file, including
RegEdt32 and the reg
load and reg
restore commands.
You may restore a saved hive with the reg
restore command. This command overwrites an
existing key with a new set of values, so you must be cautious when
using it (reg asks you to confirm your command
before it overwrites anything, though).
REG RESTORE [\\machine\]targetKey fileName
- machine
Specifies which machine you want to restore the hive file to. You can
restore from a local file to a remote machine if you wish, but (as
usual) you only have access to HKLM and HKU on the remote machine.
- targetKey
Specifies which key to overwrite with the contents of the saved hive.
- fileName
Specifies the path and name of the saved hive file. You can restore
only hive files that were created with RegEdt32
or the reg save command.
9.9.1.6 Loading and unloading hives
Section 5.6 in Chapter 5 explains how you can use
RegEdt32 to load and unload saved keys as hives
immediately beneath HKLM or HKU. The reg utility
gives you the same ability, albeit with the same limitations.
To load a hive, use the reg
load command. Unlike reg
restore, reg
load loads the hive by adding it with the key name
you specify instead of overwriting the key you specify. This makes it
possible for you to use reg
load to load a saved hive, edit it, and unload it
again without making any changes to the rest of your Registry. (If
you're wondering why you might want to do so, go back and
reread Section 9.1 at the
beginning of the chapter.) When you load a hive, it's not fully
persistent; the hive is unloaded when the current user logs off or
when the computer next reboots.
REG LOAD [\\machine\]targetKey fileName
- machine
Specifies the name of a remote machine to load the hive on; if
omitted, assumes the local machine. As with the other commands, you
can load hives in HKU or HKLM only on the remote box.
- targetKey
Specifies the name of the key to receive the new hive. This key is
created and must not already exist. targetKey
must be an immediate subkey of HKLM or HKU.
- fileName
Specifies the name of the hive file to load, with no extension. You
may specify a full local or UNC path here.
For example, to load the ntuser.dat hive as
suggested in Section 9.1, just copy
ntuser.dat to
ntuser-default, then use this command:
reg load ntuser-default DefaultProfile
and modify the hive as needed.
Once you've finished working with a loaded hive, you may unload
it with reg unload. Its command
syntax is pretty simple.
REG UNLOAD [\\machine\]key
- machine
Name of a remote machine on which to unload the hive; if omitted,
defaults to local machine
- key
Name of the key to unload. key must be an
immediate subkey of HKLM or HKU, whether you're on a local or
remote machine.
9.9.1.7 Comparing keys and values
Instead of requiring a separate comparison tool, as NT 4 does, the Windows
2000 toolset allows you to use reg itself to
compare the contents of two keys or values. There are a number of new
bells and whistles in this revision of the tool, although for
heavy-duty comparison, I still prefer using a visual comparison tool
such as windiff.
The reg compare command does
have some nifty features that give you some extra flexibility. One is
that it returns a status code:
0 means the comparison was successful, and the two items were
identical; 1 means the comparison failed; 2 means the comparison
succeeded, but the target items were different. This makes it easy to
use reg
compare in Windows Scripting Host scripts. Another
is that you can control what output it produces, meaning that
you're freed from seeing tons of irrelevant results when
you're comparing things.
REG COMPARE [\\machine1\]keyName1 [\\machine2\]keyName2 [/V valueName | /VE]
[ /OA | /OD | /OS | /ON ] [/S]
- machine1 and machine2
Specifies names of remote machines to compare keys on. If you omit
either or both remote names, the local machine is used instead. You
can compare only remote machine keys that reside in HKU or HKLM.
- keyName1 and keyName2
Specifies the full paths (including a root key) of the keys to
compare. When comparing keys on different machines, these paths may
be the same, but they don't have to be.
- /V valueName
By default, compares all the values beneath the specified keys. If
you want to limit comparison to a single value, use the
/V switch. Annoyingly, you can't specify two
different value names to compare.
- /VE
Specifies that you want to compare the empty default value in the
target keys.
- /OA
Forces output of both differences and matches between the target
keys. This is the most verbose output setting.
- /OD
Shows only items that are different between the two keys.
- /OS
Shows only items that are the same (e.g., those that match) between
the two keys. This is a quick way to test how similar two keys are.
- /ON
Suppresses all output. This switch is commonly used in conjunction
with the status code as a simple way to get a yes-or-no result of a
comparison.
- /S
Recursively descends the keys being compared and compares their
subkeys and values too.
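The status codes and the /ON switch described above are enough to build a scripted baseline check. The batch file below is an added example, not part of the original text; the machine name \\REFERENCE, the key, and the report path are placeholders.

```batch
@echo off
rem Added example: baseline check driven by reg compare's status code.
rem \\REFERENCE and the key are placeholders; substitute your own.
setlocal
set KEY=HKLM\Software\RA\ExchangePlus
set BASELINE=\\REFERENCE\%KEY%
set REPORT=%TEMP%\regdrift.txt

rem /ON suppresses all output and /S recurses into subkeys, so the
rem status code is the only result of this first pass.
reg compare %KEY% %BASELINE% /ON /S

rem "if errorlevel N" is true for N or anything higher, so test the
rem highest code first.
if errorlevel 3 goto unexpected
if errorlevel 2 goto different
if errorlevel 1 goto failed

echo MATCH: %KEY% is identical to %BASELINE%
exit /b 0

:different
rem Second pass with /OD lists only the items that differ.
reg compare %KEY% %BASELINE% /OD /S > "%REPORT%"
echo DRIFT: %KEY% differs from %BASELINE%; details in %REPORT%
exit /b 2

:failed
rem Status 1 means the comparison itself failed, so nothing is known
rem about the keys. Report it as an error, never as "no differences".
echo ERROR: comparison of %KEY% failed; state is unknown
exit /b 1

:unexpected
echo ERROR: reg compare returned a status code this script does not handle
exit /b 1
```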
9.9.1.8 Exporting and importing Registry data
If you need to save the contents of a Registry key for
later--perhaps to back up and restore it--you can do it
with RegEdt32 or using the
reg export and
reg import commands:
reg export takes the key you
specify and saves it to a text file, and reg
import reads a file in the correct format and loads it back
into the Registry. The Windows 2000 version of
reg uses a different format
from the Win95 and NT 4.0 version, but there's a command-line
switch you can use to tell reg to recognize the
old format. Exporting is straightforward.
REG EXPORT keyName fileName [/NT4]
- keyName
Specifies name of the key you want to export. The name must include
the root key, and you can only export keys on the local machine.
- fileName
Specifies name of the file you want the exported data in.
- /NT4
Forces reg to write a file in
the older format used by the Windows NT resource kit version of
reg.
When you want to reload the exported file (which you can do after
copying, mailing, or editing the text-format
.REG file to your heart's content), you
use the extremely simple reg
import command.
REG IMPORT fileName
- fileName
Specifies the name of the exported key file to load. You may specify
a full local or UNC path here.
Since the .REG file contains the full name of
the key that was exported, importing the file automatically puts the
loaded data into the right place. You can certainly edit the file to
take a block of data exported from one key and load it into another;
bear in mind that if you do, reg
import silently overwrites whatever exists there.
You've been forewarned.
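Because reg import overwrites silently, it is worth taking a snapshot with reg save first so that reg restore can undo the change. The batch file below is an added example, not part of the original text; the script name, its two arguments, and the snapshot location are hypothetical, and it assumes reg import sets a nonzero errorlevel on failure.

```batch
@echo off
rem Added example: snapshot a key with reg save before reg import
rem overwrites it. Usage: guarded-import KEY FILE.REG
rem (the script name and its arguments are hypothetical).
setlocal
if "%~2"=="" goto usage
set KEY=%~1
set REGFILE=%~2
rem The snapshot holds everything under the key, secrets included;
rem point BACKUP at a directory only administrators can read.
set BACKUP=%TEMP%\pre-import-%RANDOM%

if not exist "%REGFILE%" goto nofile
rem Never reuse an existing file as the snapshot target.
if exist "%BACKUP%" goto clash

rem reg save writes the key, its values and all subkeys to a hive file.
reg save "%KEY%" "%BACKUP%"
rem Check for the file itself rather than trusting a status code.
if not exist "%BACKUP%" goto savefail

rem KEY must be the key named inside FILE.REG; the import goes wherever
rem the file says, not where this script was told to take the snapshot.
reg import "%REGFILE%"
rem Assumption: reg import sets a nonzero errorlevel on failure.
if errorlevel 1 goto importfail

echo Imported %REGFILE%.
echo Snapshot of the previous contents: %BACKUP%
echo To roll back: reg restore "%KEY%" "%BACKUP%"
exit /b 0

:usage
echo Usage: guarded-import KEY FILE.REG
exit /b 1

:nofile
echo ERROR: %REGFILE% not found; nothing was changed
exit /b 1

:clash
echo ERROR: %BACKUP% already exists; run again to pick a new name
exit /b 1

:savefail
echo ERROR: could not save %KEY%; import was NOT attempted
exit /b 1

:importfail
echo ERROR: import of %REGFILE% failed; the key may be partly changed
echo To roll back: reg restore "%KEY%" "%BACKUP%"
exit /b 1
```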
9.9.2 Using the Windows NT Version of reg
The older Windows NT resource kit version of
reg.exe works fine under Windows 2000, but its
functionality is quite limited by comparison.
9.9.2.1 Querying keys
reg query works the same
way as the Windows 2000 version, with a few differences in syntax and
semantics:
REG QUERY [rootKey\]key [\value] [machine] [/S]
- rootKey
Optional; specifies which root key to use as base of query. May be
HKLM, HKCU, HKCR, HKU, or HKCC. Defaults to HKLM if omitted.
- key
Specifies the full name of a key under the specified
rootKey.
- value
Specifies a value under key to query. If
omitted, all keys and values under key will be
displayed.
- machine
Specifies name of a remote machine to query; if omitted, defaults to
local machine. You can only query HKLM and HKU on remote machines.
- /s
Queries all subkeys of key.
9.9.2.2 Adding new keys
reg add adds new keys and
values to the Registry. You can add a value to an existing key, add a
new key with no values, or create a new key and a value beneath it.
If you try to add a key or value that already exists,
reg warns you.
REG ADD [rootKey\]key [\value=newValue] [machine] [dataType]
- rootKey
Optional; specifies which root key to add new key under. May be HKLM,
HKCU, HKCR, HKU, or HKCC. Defaults to HKLM if omitted.
- key
Specifies the full name of the key to add under the specified
rootKey.
- value
Optionally specifies the name of a value to add under
key. If omitted, the key is created with
no value.
- newValue
Specifies contents of newly created value. String values may contain
spaces and special characters, but must be enclosed in double quotes
if they do.
- machine
Specifies name of a remote machine to add the key on; if omitted,
defaults to local machine. You can add keys to HKLM and HKU only on
remote machines.
- dataType
Specifies type of the new value to be added. May be REG_SZ,
REG_MULTI_SZ, REG_EXPAND_SZ, or REG_DWORD. If omitted, REG_SZ is the
default. If you specify REG_DWORD, you must specify
newValue as a decimal number.
For example, to add the value that disables Dial-Up
Networking's "save password" checkbox, you could
use this command:
reg add SYSTEM\CurrentControlSet\Services\RasMan\Parameters\DisableSavePasswordValue=1
9.9.2.3 Updating existing keys
reg update updates a
single value of an existing key. You can update any value where you
have permission according to the parent key's ACL; if
you're trying to modify a remote machine's Registry you
must have access to it. reg warns you if you try
to modify a nonexistent value.
REG UPDATE [rootKey\]key [\value=newValue] [machine]
- rootKey
Optional; specifies which root key holds the targeted key. May be
HKLM, HKCU, HKCR, HKU, or HKCC on local machine or HKLM or HKU on
remote machine. Defaults to HKLM if omitted.
- key
Specifies the full name of the key to update under the specified
rootKey.
- value
Specifies which value under key to update.
- newValue
Contents to use when replacing existing value. String values may
contain spaces and special characters, but must be enclosed in double
quotes if they do. DWORD values must be specified
in decimal.
- machine
Specifies name of a remote machine to query; if omitted, defaults to
local machine. You can query HKLM and HKU only on remote machines.
9.9.2.4 Removing a key
reg delete removes a
key or value. When removing a key, it removes all subkeys and values
beneath that key; however, it asks you to confirm your intentions
before it actually deletes anything.
REG DELETE [rootKey\]key [\value] [machine]
- rootKey
Optional; specifies which root key the targeted key lives under. May
be HKLM, HKCU, HKCR, HKU, or HKCC on local machine or HKLM or HKU on
remote machine. Defaults to HKLM if omitted.
- key
Specifies the full name of the key to remove under the specified
rootKey.
- value
Specifies which value under key to remove.
If omitted, all keys and values under key
are deleted.
- machine
Specifies name of a remote machine to remove the key on; if omitted,
defaults to local machine. You can modify HKLM and HKU only on remote
machines.
9.9.2.5 Copying keys and values
The Windows NT version of the
reg copy command is a little
more flexible than its big brother, since it can copy values from one
location to another.
REG COPY [srcRootKey\]srcKey [\srcValue] [srcMachine] [destRootKey\]destKey
[\destValue] [destMachine]
- srcRootKey
Optional; specifies which root key holds the source key. May be HKLM,
HKCU, HKCR, HKU, or HKCC. Defaults to HKLM if omitted.
- srcKey
Specifies the full name of the source key.
- srcValue
Optionally specifies a value under srcKey
to copy. If omitted, all keys and values under
srcKey are copied.
- srcMachine
Specifies name of a remote machine to act as copy source; if omitted,
defaults to local machine. You can use remote machines' HKLM
and HKU only as source roots.
- destRootKey
Optional; specifies where copied key should be rooted. May be HKLM or
HKU; defaults to HKLM if omitted.
- destKey
Specifies the full name of the key to hold the copied data.
- destValue
Optionally specifies name for a single copied value; ignored if no
srcValue is specified.
- destMachine
Specifies name of a remote machine to serve as the copy target; if
omitted, defaults to local machine.
When I installed a beta version of a popular Internet mail package, I
(rightly, as it turned out) feared that the new version would damage
the old version's Registry settings. A quick command saved the
day:
reg copy software\qualcomm\eudora software\qualcomm\eudora-4.3
This code made a backup copy of my existing settings so I could
install the new version, secure in the knowledge that I could easily
revert to a previous version if needed.
9.9.2.6 Saving and restoring keys
The REGBACK and
REGREST utilities allow you to back up and
restore entire hives, but reg offers a similar
pair of functions that add the ability to save and reload individual
keys, much like RegEdt32's commands. To
save a key and its values, you can use either reg
save or reg
backup (they're synonyms).
REG SAVE [rootKey\]key fileName [machine]
- rootKey
Optional; specifies under which root key the key to save lives. May
be HKLM, HKCU, HKCR, HKU, or HKCC on local machine or HKLM or HKU on
remote machine. Defaults to HKLM if omitted.
- key
Specifies the full name of the key to save under the specified
rootKey. If omitted,
all contents of rootKey are saved.
- fileName
Specifies name of file that will hold the saved data.
fileName may not have an extension
specified.
- machine
Specifies name of a remote machine to query; if omitted, defaults to
local machine.
To quickly store a copy of all of your current settings, use this
command:
reg save HKLM my-profile
You then can use it anywhere you use a hive file.
You may also restore a saved hive with the reg
restore command. This command overwrites an
existing key with a new set of values, so you must be cautious when
using it (reg asks you to confirm your command
before it overwrites anything, though).
REG RESTORE fileName [rootKey\]key [machine]
- fileName
Specifies file name that holds the data you want restored, with no
extension.
- rootKey
Optional; specifies which root key the targeted key lives under. May
be HKLM, HKCU, HKCR, HKU, or HKCC on local machine or HKLM or HKU on
remote machine. Defaults to HKLM if omitted.
- key
Specifies the full name of the key whose subkeys and values will be
replaced.
- machine
Specifies name of a remote machine to query; if omitted, defaults to
local machine. You can query HKLM and HKU only on remote machines.
9.9.2.7 Loading and unloading hives
The Windows NT resource kit versions of reg
load and reg
unload operate identically to the Windows 2000
version, with all the same restrictions and capabilities.
They're arguably more useful under NT, since you can use them
to engineer the default profile settings you want new user accounts
to inherit.
9.9.3 Comparing Keys and Values with COMPREG
When you're trying to
troubleshoot a configuration problem, it's often useful to
examine the broken machine and one that works to discern what's
different between the two. Without the resource kit, doing this with
the Registry involves saving suspect portions of the Registry to a
text file, then using a difference tool such as
windiff to highlight differences between the two
files. The compreg tool, included for the first
time in the NT 4.0 resource kit, provides a command-line tool for
comparing differences in Registry keys. Here's how it works.
COMPREG key1 key2 [-v] [-r] [-e] [-d] [-q] [-n] [-h] [-?]
- key1
Specifies the full path to the first key to compare. This path can
include a machine name (e.g.,
\\ENIGMA\HKEY_LOCAL_MACHINE\SOFTWARE\LJL). Instead of spelling out
the Registry keys, you may abbreviate them by taking the standard
mnemonic we've used in this book and dropping the initial
"HK"; for example, you could also specify a path of
\\ENIGMA\lm\SOFTWARE\LJL to save some typing. If no root is
specified, HKCU is the default.
- key2
Specifies the full path to the second key to compare. This can be the
same path as key1 but on a different
machine, or it can be a different path altogether. If you specify
only a machine name, compreg uses the path from
key1 but looks for it on the computer
specified in key2.
- -v
Verbose mode; prints both keys whose values differ and those that
match.
- -r
Recurse into keys that only have a single subkey.
- -e
At exit, sets errorlevel to the last error
encountered. This switch lets you test the return value of
compreg when using it in scripts or batch files.
- -d
Suppresses printing the values of keys whose values differ; prints
just the keys themselves.
- -n
Monochrome output (the default scheme uses multiple colors).
- -?
Displays a short help message.
The ability to find differences between two machines is extremely
useful at times. While troubleshooting some of the entries in Chapter 10, I wanted to clone an existing drive
restriction and modify it. Unfortunately, after I modified it, it
didn't work, and I couldn't see what I had done wrong. A
quick:
compreg software\Microsoft\Windows\CurrentVersion\Policies\Explorer \\armory
showed me my error, and I was able to fix it without any further
damage to my Registry or my self-esteem.
9.9.4 Searching for Keys with regfind
Sometimes there's no substitute for a
little brute-force searching. If you've ever used
grep or findstr (the Win32
equivalent) to find something you knew was
somewhere on your disk, you'll love
regfind. It's flexible: it can search for
value and key names or contents, it can search or search and replace,
and it understands all the common Registry data types. This
flexibility makes it a bit more complex than some of the other
Resource Kit utilities, though:
REGFIND [-h hiveFile hiveRoot | -w win95Dir | -m \\machine]
[-i tabStop] [-o outputWidth]
[-p keyPath] [-z | -t dataType] [-b | -B] [-y] [-n]
[searchString [-r replacementString]]
- -h hiveFile hiveRoot
Specifies the full path to a local hive file (generated with
reg save or RegEdt32).
- -w win95Dir
Tells regfind to look for Windows 95
user.dat and system.dat
hive files in the directory specified by
win95Dir.
- -m machine
Specifies that regfind should search the remote
computer named machine.
- -i tabStop
Sets the tabstop width; the default is 4.
- -o outputWidth
Tells regfind how wide to make its output. The
default is the width of the console window, or 240 if the
output's been redirected to a file.
- -p keyPath
Directs regfind to start looking in
keyPath. You may specify one of
HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_USER, or USER; since
HKCR and HKCC are links into HKLM, this is not a big loss. If you
omit this switch, regfind searches the entire
Registry.
- -z
Searches for REG_MULTI_SZ or REG_EXPAND_SZ strings that are missing
the required zero terminator or that have illegal lengths.
- -t dataType
Forces regfind to look only at values with the
specified data type. You may specify any one of REG_SZ, REG_MULTI_SZ,
REG_EXPAND_SZ, REG_DWORD, REG_BINARY, and REG_NONE. If no type is
specified, regfind looks at all the string
types.
- -b
Tells regfind to look for the specified search
string inside REG_BINARY values in addition to any
SZ type specified with -t.
- -B
Same as -b, but also searches for ANSI strings in
addition to Unicode.
- -y
When used during an SZ search, forces regfind to
do a case-insensitive search. Ignored for REG_DWORD, REG_BINARY, and
REG_NONE searches.
- -n
Searches key and value names, not just contents.
-n and -t are mutually
exclusive.
- searchString
Specifies string to search for. To search for a string with embedded
spaces, brackets, etc., wrap it in double quotes. If no search string
is specified, the search finds values of the specified type. When
searching for a REG_DWORD, you may specify it in decimal or hex, with
a leading 0x. When searching for a binary value, you must provide a
length byte, optionally followed by a sequence of
DWORDs containing the actual data to search for.
- -r replacementString
Replaces any occurrence of searchString
with replacementString.
searchString and
replacementString must be of the same
type, but their lengths may differ. There are several constraints
that apply to the use of -r:
You may specify replacementString the
same way as searchString. However, if your
searchString is a REG_BINARY length only, you can't use
-r.
If you specify -z and -r
together, the replacement string is ignored. Instead of replacing
anything, regfind fixes any strings with missing
terminators or bad lengths.
There's no confirmation option with -r, so
it's a good idea to run regfind without it
until you're sure what is replaced is what you want replaced.
Because this is a complicated command, an example may help to clarify
how the command works. Let's try finding all the keys whose
contents or names include the string "Mac":
C:\ntreskit>regfind -y -n Mac
Scanning \Registry registry tree
Case Insensitive Search for 'Mac'
Will match values of type: REG_SZ REG_EXPAND_SZ REG_MULTI_SZ
Search will include key or value names
\Registry
Machine
SOFTWARE
Microsoft
AsyncMac
Exchange
Client
Mac File Types
Shared Tools
Text Converters
Export
MSWordMac4
MSWordMac5
MSWordMac51
Import
MSWordMac
SYSTEM
ControlSet001
Services
AsyncMac
AsyncMac2
EventLog
System
AsyncMac
ControlSet003
Services
AsyncMac
AsyncMac2
EventLog
System
AsyncMac
Users
S-1-5-21-1944135612-1199777195-24521265-500
Software
Microsoft
Ntbackup
Backup Engine
Process Macintosh files = 1
Machine Type = 0
Telnet
Machine1 = fly.hiwaay.net
LastMachine = hq
Machine2 = hq
The only real drawback to regfind is that it
can't handle regular expressions or wildcards like
findstr and grep can. Apart
from that limitation, though, it's a valuable tool when you
need to find a key whose value you know but whose path you don't.
If you
need to use regular expressions, use scanreg.exe
instead.