  (To expose as: http://aravidze.narod.ru/p/analrees.zip)
  (To expose as: http://www.geocities.com/sekirin1/p/analrees.zip)
`
     The pair of programs REG5.EXE and ANALREES.PAS is
intended for exhaustive questioning of the registry in Win95.
This of course can be done with REGEDIT.EXE,
so these programs have only an illustrative purpose: they
demonstrate how this can be done with the
Application Programming Interface (API) functions of Win95.
`
     Naturally the program REG5.EXE is supplied with
its source; the source lies at the end of the file as
a hidden section (and can be cut with any text editor).
When necessary, it can be recompiled with SpAsm
(Specific Assembler - i.e., specific for Win95;
available at: http://betov.free.fr/SpAsm.html).
ANALREES.PAS should work with any Pascal compiler.
`
     Since the aim of the program was to demonstrate
the idea of exhaustive questioning, the author avoided
unnecessary service such as enumerating or conveniently
specifying the topmost branches of the registry,
presenting the results in readable form, etc.
As a result, REG5.EXE only dumps its working
area, and presenting the data in readable form is
done by ANALREES.EXE. Further, in its existing form,
REG5.EXE works with the branch HKEY_USERS (see below),
and to analyse the other branches one should recompile
the program, or manually change the handle of the branch
with any hex editor (see below). Similarly,
the author did not care about full extraction of long
keys and values, so in some cases Windows responds that
the space for them is not sufficient; if necessary,
one should increase the sizes of the buffers and
recompile the program.
`
     The order of work:
`
 - we compile ANALREES.PAS and obtain ANALREES.EXE;
`
 - we run REG5.EXE; it does not produce any windows on the
   screen, but writes the output file; this file is created
   in the current directory and is called OUTFILE.DAT. It
   can reach >=1Mb in size, and writing it can take >=1 minute;
`
 - we check that the writing is finished (e.g., in Volkov
   Commander, while writing is not finished, the apparent file
   size is 0, and when writing is finished and the program
   closes the file, the size becomes nonzero);
`
 - we run, e.g.:
      analrees.exe outfile.dat 0 >outfile.lst
   Here '0' denotes absence of restrictions on the depth of
   recursion during questioning of the registry; positive numbers
   specify maximal depth.
`
 - finally, we read the text file outfile.lst.
`
     In the registry, there exist seven keys of topmost level,
with predefined handles (which are used as arguments during
exhaustive questioning):
`
  80000000h - HKEY_CLASSES_ROOT
  80000001h - HKEY_CURRENT_USER
  80000002h - HKEY_LOCAL_MACHINE
  80000003h - HKEY_USERS
  80000004h - HKEY_PERFORMANCE_DATA
  80000005h - HKEY_CURRENT_CONFIG
  80000006h - HKEY_DYN_DATA
`
     The current version works with the branch HKEY_USERS. To
analyse the other branches, one should change the byte at
offset 0FDEh; it currently holds 03h (part of the instruction
6803000080 - push 80000003h); we should change it to 00h, 01h, etc.
`
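Added example, not part of the original archive: a Python version of the hex-editor step above that first checks the bytes around offset 0FDEh are the `push` instruction with one of the listed handles, and only then changes the branch byte. The 4096-byte image is constructed filler standing in for REG5.EXE, and the function names are assumptions.

```python
import struct

# Predefined top-level handles, as listed on this page.
HIVES = {
    "HKEY_CLASSES_ROOT": 0x80000000,
    "HKEY_CURRENT_USER": 0x80000001,
    "HKEY_LOCAL_MACHINE": 0x80000002,
    "HKEY_USERS": 0x80000003,
    "HKEY_PERFORMANCE_DATA": 0x80000004,
    "HKEY_CURRENT_CONFIG": 0x80000005,
    "HKEY_DYN_DATA": 0x80000006,
}
PATCH_OFFSET = 0x0FDE  # low byte of the pushed handle (offset from the page)
PUSH_IMM32 = 0x68      # x86 opcode of "push imm32", the byte just before it


def current_hive(image: bytes) -> str:
    """Name the hive pushed at PATCH_OFFSET, or raise if the bytes do not match."""
    if len(image) < PATCH_OFFSET + 4:
        raise ValueError("file is too short to hold the instruction")
    if image[PATCH_OFFSET - 1] != PUSH_IMM32:
        raise ValueError("no push imm32 opcode before the patch offset")
    (handle,) = struct.unpack_from("<I", image, PATCH_OFFSET)  # little-endian
    for name, value in HIVES.items():
        if value == handle:
            return name
    raise ValueError(f"operand {handle:08X}h is not a predefined handle")


def patch_hive(image: bytes, hive: str) -> bytes:
    """Return a copy of the image whose push operand selects `hive`."""
    current_hive(image)  # refuse to touch a file that does not look as expected
    patched = bytearray(image)
    patched[PATCH_OFFSET] = HIVES[hive] & 0xFF  # only the low byte differs
    return bytes(patched)


def constructed_image() -> bytes:
    """Constructed stand-in for the executable: zero filler plus 6803000080."""
    image = bytearray(0x1000)
    image[PATCH_OFFSET - 1:PATCH_OFFSET + 4] = bytes.fromhex("6803000080")
    return bytes(image)


if __name__ == "__main__":
    before = constructed_image()
    after = patch_hive(before, "HKEY_LOCAL_MACHINE")
    print(current_hive(before), "->", current_hive(after))
```

The check before patching matters because a recompiled REG5.EXE may no longer have the instruction at the same offset.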
