--- name: reg displayName: Windows Registry Export Reader & Converter description: Reads and converts Windows registry export files (.reg) to text, JSON, or CSV. Use when inspecting, extracting, or transforming .reg file contents. tags: - registry - windows - reg - converter - extractor - json - csv capabilities: - ReadReg - ConvertToJson - ConvertToCsv - ExtractKeys - ExtractValues representativeQueries: - read a .reg file and show me what's inside - convert a Windows registry export to JSON - extract registry keys and values from a .reg file - parse a .reg file to CSV for analysis - what keys and values are in this registry export version: 0.1.0 tier: curated --- # Windows Registry Export Reader & Converter Reads Windows registry export files (.reg) and converts their keys, value names, types, and data to human-readable text, JSON, or CSV using Python's standard library — no external dependencies required. ## When to use - Inspect an unfamiliar `.reg` file to understand which keys and values it sets or deletes. - Extract registry entries as JSON or CSV for programmatic analysis or diffing. - Identify the hive roots, key paths, value types (REG_SZ, REG_DWORD, REG_BINARY, etc.), and raw data present in an export. - Audit registry changes before applying them to a system. ## Steps 1. **Locate and verify the source file.** Confirm the file exists and starts with the expected magic header (`Windows Registry Editor Version 5.00` or `REGEDIT4`). Detect BOM for UTF-16 LE files. 2. **Decode the file.** Read with UTF-16 LE if a BOM is present, otherwise attempt UTF-8, falling back to Latin-1. 3. **Parse sections.** Split on `[...]` key headers; collect value lines (joining backslash-continued lines) inside each key block. 4. **Parse values.** For each value line, extract the name, data type, and raw data. Decode typed data: DWORD as integer, hex blobs as hex string, REG_EXPAND_SZ / REG_MULTI_SZ as decoded UTF-16 LE text. 5. **Emit output.** Print a text summary, JSON object tree, or flat CSV with columns: `key`, `key_deleted`, `value_name`, `type`, `data`. ## Output - **Text summary** (default): indented tree of keys and values with type annotations. - **JSON**: flat object with full registry key paths as keys; each value is `{deleted: bool, values: [{name, type, data}, ...]}`. The `deleted` flag is `true` for `[-KEY]` deletion entries. - **CSV**: flat table with columns `key`, `key_deleted`, `value_name`, `type`, `data` — one row per registry value. ## Notes - The `scripts/reg_converter.py` script accepts `--format text|json|csv` and prints to stdout. - Deletion entries (keys prefixed with `-` or value names prefixed with `-`) are included in output with `type: DELETE`. - REGEDIT4 files are ANSI-only (no Unicode support); values are decoded as Latin-1. - REG_MULTI_SZ multi-string values are joined with `\n` in text output, emitted as a native JSON array in JSON output, and as pipe-separated (`|`) in CSV. - Very large binary blobs are emitted as hex strings; truncation is not applied by default. ## Remote runner (MCP) Can't run this locally (no setup, missing dependency)? The StealthStack runner exposes the **same code** as server-side MCP tools — no local install needed: `reg_read`, `reg_to_json`, `reg_to_csv`. Call the `application/mcp` catalog twin of this skill (its `runnerTwin`).