RegLast
A program to list or query the Last Write Time of Registry keys
Version 1.0
Help file
Copyright © 2001 Frank Heyne Software (http://www.heysoft.de) - All rights reserved!
Last changed: 02. June 2001
Introduction
What is RegLast good for?
RegLast allows you to list and query the Last Write Time of any Windows NT Registry key, provided you have the necessary permissions. You can of course use the program RegEdt32 to save a subtree as a text file and search for this information afterwards, but this is cumbersome and does not work for all keys. You can use RegLast on the command line and in batch files.

What licence terms apply to the use of RegLast?
This software was developed with the greatest attention to detail. However, the author can not guarantee that it runs under every version of Windows NT or on each computer flawlessly. Use of this program is at your own discretion. The copyright holder provides the program "as is" without warranty of any kind.
RegLast is available only as part of RegTools for Windows NT. You are not allowed to use or distribute it outside the company or organization where it is licensed for!

What are the requirements to use the program successfully?

Options

This help screen will pop up when you type RegLast /?:
RegLast 1.0 - lists or querys Last Write Time for Registry keys 
Copyright (c) 2001 Frank Heyne Software (http://www.heysoft.de) 

Usage: RegtLast Key Command 
  Key: [\\computer\]root[\subkey] 
    \\computer:  remote machine 
    root: HKLM, HKU, HKCU, HKCC or HKCR 
    subkey: path to the key you want to query 

  Query Commands: 
    /L                 List (show the Last Write Time) 
    /FAyyyymmddhhnnss  Find all subkeys changed After specified time 
    /FByyyymmddhhnnss  Find all subkeys changed Before specified time 

  Other Commands: 
    -Subtree  apply command to subtree (superfluous with /F) 
    -ANSI     Use ANSI character set instead of OEM character set 
    -UTC      Use UTC instead of local time 
    -DTF      Use Default Time Format for output 
    -?        This help screen 
 

The help screen of RegLast
First you need to provide the following information to RegLast:

  1. The full path to the Registry key whose Last Write Time you wish to query.
  2. A command for the query to run against the specified Registry key. If no command is specified, the program will do (surprise!) nothing.
Note: Parameters are not case sensitive.

Specifying a Registry key

The Registry key that you specify may be on the local machine or on a remote machine. The path must be the first parameter and in UNC format if the key is on a remote machine:
[\\Computer\]Root[\Subkey]

Example: [\\PegasusNT1\]HKLM\System\CurrentControlSet\Enum

If no computer name is specified then the local machine will be used. If you don't specify a subkey, the root key is used. One of the following abbreviations is used for the five possible root keys:
HKLM - HKEY_LOCAL_MACHINE
HKU  - HKEY_USERS
HKCU - HKEY_CURRENT_USER
HKCC - HKEY_CURRENT_CONFIG
HKCR - HKEY_CLASSES_ROOT
If the registry path contains spaces, then the entire path must be enclosed within "double quotes". (You may use double quotes anyway as a practice as doing so will have no adverse effects.)
Note: HKCU is not allowed on remote machines, because this would make no sense!
 
Switches
The switch -ANSI
With the -ansi switch you tell the program to use the ANSI character set instead of the default OEM character set. As you probably know, OEM is the default character set of the command line window. ANSI is the usual character set for most GUI programs. The use of this option is recommended if you pipe the output of the utility into a file, which will be processed with a GUI program later.

The switch -SUBTREE
With the -SUBTREE switch you tell RegLast to apply the /L command to the specified key and its subtree, instead of just working with the key itself.
 
The switch -UTC
Normally RegLast uses current settings for local time zone information and daylight savings time. With the -UTC switch you tell RegLast to use UTC (Coordinated Universal Time) instead. This is the standard time Windows NT is actually using for saving Registry access times.

The switch -DTF
Normally RegLast uses the format yyyymmddhhnnss (explained with the /FA option below) for displaying the Last Write Time. With the -DTF switch you tell RegLast to use the current Default Time Format for your machine.

Commands

The command /L
With the /L command (List) you can display the Last Write Time of the key or, in conjunction with the -SUBTREE switch, of its entire subtree.

The command /FAtime (Find keys After time)
This command returns a list of all keys in the entire subtree with a Last Write Time which is after the time specified.
Regardless of whether the -DTF switch is used, the time must be encoded in the format yyyymmddhhnnss
where

You only need to specify the time as precisely as necessary, as the following samples show:
Your time code    Decodes to
2001              1. January 2001 00:00:00
20010601          1. June 2001 00:00:00
2001060109        1. June 2001 09:00:00
20010601091020    1. June 2001 09:10:20
 

The command /FBtime (Find keys Before time)
This command returns a list of all keys in the entire subtree with a Last Write Time which is before the time specified. You may combine the commands /FA and /FB to narrow down the Last Write Time window at any precision up to a second.

Examples
1. To list all Registry keys under hklm\software that were last changed on 1. June 2001 between 10:00 PM and 10:10 PM, use the following command:
RegLast hklm\software /fa2001060122 /fb200106012210


2. Compare the results with and without the -DTF switch:

Command:
reglast hklm\software\FrankHeyne  /l
Result:
Last write time of Registry key hklm\software\FrankHeyne:
20010601154958  hklm\software\FrankHeyne

Command:
reglast hklm\software\FrankHeyne  /l -dtf
Result:
Last write time of Registry key hklm\software\FrankHeyne:
6/1/2001  3:49:58 PM    hklm\software\FrankHeyne


3. Consider a Windows 2000 machine, where you want to list the Last Write Times for all subkeys beneath hklm\security\Policy\Secrets\
This is part of the output of RegEdt32, when you save the subtree into a text file:
 
Key Name:          SECURITY\Policy\Secrets\SAC
Class Name:
Last Write Time:
 
Key Name:          SECURITY\Policy\Secrets\SAI
Class Name:
Last Write Time:

Not very helpful, is it?

And this is part of the output of RegLast:
20000207185208  hklm\security\Policy\Secrets\SAC
20010530183645  hklm\security\Policy\Secrets\SAC\CupdTime
20010530183645  hklm\security\Policy\Secrets\SAC\CurrVal
20010530183645  hklm\security\Policy\Secrets\SAC\OldVal
20010530183645  hklm\security\Policy\Secrets\SAC\OupdTime
20000207185208  hklm\security\Policy\Secrets\SAC\SecDesc
20000207185208  hklm\security\Policy\Secrets\SAI
20010530183645  hklm\security\Policy\Secrets\SAI\CupdTime
20010530183645  hklm\security\Policy\Secrets\SAI\CurrVal

Now which program do you prefer? ;-)
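
Added example (not part of the original help file and not RegLast's own code): a Python script for post-processing saved RegLast /L -Subtree output offline, for instance when building a change timeline. It expands partial time codes as in the /FA table and filters by a time window; the function names, the strict comparison and the acceptance of 6-digit (yyyymm) codes are assumptions.

```python
from datetime import datetime

# Defaults for omitted fields: month 01, day 01, time 00:00:00.
_DEFAULTS = "00000101000000"

# Output lines copied from example 3 of this help file.
SAMPLE = r"""
20000207185208  hklm\security\Policy\Secrets\SAC
20010530183645  hklm\security\Policy\Secrets\SAC\CupdTime
20010530183645  hklm\security\Policy\Secrets\SAC\CurrVal
20010530183645  hklm\security\Policy\Secrets\SAC\OldVal
20010530183645  hklm\security\Policy\Secrets\SAC\OupdTime
20000207185208  hklm\security\Policy\Secrets\SAC\SecDesc
20000207185208  hklm\security\Policy\Secrets\SAI
20010530183645  hklm\security\Policy\Secrets\SAI\CupdTime
20010530183645  hklm\security\Policy\Secrets\SAI\CurrVal
""".splitlines()


def expand_time_code(code):
    """Expand a partial yyyymmddhhnnss code, e.g. '2001' -> 2001-01-01 00:00:00."""
    # Assumption: any even length from 4 to 14 digits is accepted.
    if not code.isdigit() or len(code) not in range(4, 15, 2):
        raise ValueError(f"bad time code: {code!r}")
    return datetime.strptime(code + _DEFAULTS[len(code):], "%Y%m%d%H%M%S")


def parse_line(line):
    """Return (datetime, key path) for an output line, or None for other text."""
    parts = line.strip().split(None, 1)  # key paths may contain spaces
    if len(parts) != 2 or len(parts[0]) != 14 or not parts[0].isdigit():
        return None
    try:
        return datetime.strptime(parts[0], "%Y%m%d%H%M%S"), parts[1]
    except ValueError:  # 14 digits that do not form a valid date
        return None


def keys_in_window(lines, after=None, before=None):
    """Keys written strictly after/before the given codes (strictness assumed)."""
    lo = expand_time_code(after) if after else None
    hi = expand_time_code(before) if before else None
    hits = [e for e in map(parse_line, lines) if e
            and (lo is None or e[0] > lo) and (hi is None or e[0] < hi)]
    return sorted(hits)


if __name__ == "__main__":
    for stamp, key in keys_in_window(SAMPLE, after="20010530", before="20010531"):
        print(stamp.isoformat(), key)
```

The time codes passed to the filter must be in the same time zone as the saved output: local time by default, UTC if the output was produced with -UTC.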


Is everything clear now?
If you have read this document carefully and still have a question or are unclear about a topic, you can send email to fh@heysoft.de. But please first check the Security FAQ for the Windows NT Registry - your question might already be answered there. If you find errors or would like to contribute knowledge to this document, you are encouraged to email us, too.