1hivexsh(1) Windows Registry hivexsh(1)
2
6 hivexsh - Windows Registry hive shell
7
9 hivexsh [-options] [hivefile]
10
12 This program provides a simple shell for navigating Windows Registry
13 'hive' files. It uses the hivex library for access to these binary
14 files.
15 Firstly you will need to provide a hive file from a Windows operating
17 system. The hive files are usually located in
18 "C:\Windows\System32\Config" and have names like "software", "system"
19 etc (without any file extension). For more information about hive
20 files, read hivex(3). For information about downloading files from
21 virtual machines, read virt-cat(1) and guestfish(1).
22 You can provide the name of the hive file to examine on the command
24 line. For example:
25 hivexsh software
27 Or you can start "hivexsh" without any arguments, and immediately use
29 the "load" command to load a hive:
30 $ hivexsh
32 Welcome to hivexsh, the hivex interactive shell for examining
34 Windows Registry binary hive files.
35 Type: 'help' for help with commands
37 'quit' to quit the shell
38 > load software
40 software\>
41 Navigate through the hive's keys using the "cd" command, as if it
43 contained a filesystem, and use "ls" to list the subkeys of the current
44 key. Other commands are listed below.
45
47 -d Enable lots of debug messages. If you find a Registry file that
48 this program cannot parse, please enable this option and post the
49 complete output and the Registry hive file in your bug report.
50 -f filename
52 Read commands from "filename" instead of stdin. To write a hivexsh
53 script, use:
54 #!/usr/bin/hivexsh -f
56 -w If this option is given, then writes are allowed to the hive (see
58 "commit" command below, and the discussion of modifying hives in
59 "WRITING TO HIVE FILES" in hivex(3)).
60 Important Note: Even if you specify this option, nothing is written
62 to a hive unless you call the "commit" command. If you exit the
63 shell without committing, all changes will be discarded.
64 If this option is not given, then write commands are disabled.
66
68 add name
69 Add a subkey named "name" below the current node. The name may
70 contain spaces and punctuation characters, and does not need to be
71 quoted.
72 The new key will have no subkeys and no values (see "setval").
74 There must be no existing subkey called "name", or this command
76 will fail. To replace an existing subkey, delete it first like
77 this:
78 cd name
80 del
81 cd path
83 Change to the subkey "path". Use Windows-style backslashes to
84 separate path elements, and start with a backslash in order to
85 start from the root of the hive. For example:
86 cd \Classes\*
88 moves from the root node, to the "Classes" node, to the "*" node.
90 If you were already at the root node, you could do this instead:
91 cd Classes\*
93 or even:
95 cd Classes
97 cd *
98 Path elements (node names) are matched case insensitively, and
100 characters like space, "*", and "?" have no special significance.
101 "cd .." may be used to go to the parent directory.
103 "cd" without any arguments prints the current path.
105 Be careful with "cd \" since the readline library has an
107 undocumented behaviour where it will think the final backslash is a
108 continuation (it reads the next line of input and appends it). Put
109 a single space after the backslash.
110 close | unload
112 Close the currently loaded hive.
113 If you modified the hive, all uncommitted writes are lost when you
115 call this command (or if the shell exits). You have to call
116 "commit" to write changes.
117 commit [newfile]
119 Commit changes to the hive. If the optional "newfile" parameter is
120 supplied, then the hive is written to that file, else the original
121 file is overwritten.
122 Note that you have to specify the "-w" flag, otherwise no writes
124 are allowed.
125 del Delete the current node and everything beneath it. The current
127 directory is moved up one level (as if you did "cd ..") after this
128 command.
129 You cannot delete the root node.
131 exit | quit
133 Exit the shell.
134 load hivefile
136 Load the binary hive named "hivefile". The currently loaded hive,
137 if any, is closed. The current directory is changed back to the
138 root node.
139 ls List the subkeys of the current hive Registry key. Note this
141 command does not take any arguments.
142 lsval [key]
144 List the (key, value) pairs of the current hive Registry key. If
145 no argument is given then all pairs are displayed. If "key" is
146 given, then the value of the named key is displayed. If "@" is
147 given, then the value of the default key is displayed.
148 setval nrvals
150 This command replaces all (key, value) pairs at the current node
151 with the values in subsequent input. "nrvals" is the number of
152 values (ie. (key, value) pairs), and any existing values at this
153 node are deleted. So "setval 0" just deletes any values at the
154 current node.
155 The command reads 2 * nrvals lines of input, with each pair of
157 lines of input corresponding to a key and a value to add.
158 For example, the following setval command replaces whatever is at
160 the current node with two (key, value) pairs. The default key is
161 set to the UTF16-LE-encoded string "abcd". The other value is
162 named "ANumber" and is a little-endian DWORD 0x12345678.
163 setval 2
165 @
166 string:abcd
167 ANumber
168 dword:12345678
169 The first line of each pair is the key (the special key "@" means
171 the default key, but you can also use a blank line).
172 The second line of each pair is the value, which has a special
174 format "type:value" with possible types summarized in the table
175 below:
176 none No data is stored, and the type is set to 0.
178 string:abc "abc" is stored as a UTF16-LE-encoded
180 string (type 1). Note that only 7 bit
181 ASCII strings are supported as input.
182 expandstring:... Same as string but with type 2.
184 dword:0x01234567 A DWORD (type 4) with the hex value
186 0x01234567. You can also use decimal
187 or octal numbers here.
188 qword:0x0123456789abcdef
190 A QWORD (type 11) with the hex value
191 0x0123456789abcdef. You can also use
192 decimal or octal numbers here.
193 hex:<type>:<hexbytes>
195 hex:1:41,00,42,00,43,00,44,00,00,00
196 This is the generic way to enter any
197 value. <type> is the integer value type.
198 <hexbytes> is a list of pairs of hex
199 digits which are treated as bytes.
200 (Any non-hex-digits here are ignored,
201 so you can separate bytes with commas
202 or spaces if you want).
203
205 $ guestfish --ro -i Windows7
206 ><fs> download win:c:\windows\system32\config\software software
207 ><fs> quit
208 $ hivexsh software
210 Welcome to hivexsh, the hivex interactive shell for examining
212 Windows Registry binary hive files.
213 Type: 'help' for help with commands
215 'quit' to quit the shell
216 software\> ls
218 ATI Technologies
219 Classes
220 Clients
221 Intel
222 Microsoft
223 ODBC
224 Policies
225 RegisteredApplications
226 Sonic
227 Wow6432Node
228 software\> quit
229
231 hivex(3), hivexget(1), hivexml(1), virt-win-reg(1), guestfs(3),
232 <http://libguestfs.org/>, virt-cat(1), virt-edit(1).
233
235 Richard W.M. Jones ("rjones at redhat dot com")
236
238 Copyright (C) 2009-2010 Red Hat Inc.
239 This program is free software; you can redistribute it and/or modify it
241 under the terms of the GNU General Public License as published by the
242 Free Software Foundation; either version 2 of the License, or (at your
243 option) any later version.
244 This program is distributed in the hope that it will be useful, but
246 WITHOUT ANY WARRANTY; without even the implied warranty of
247 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
248 General Public License for more details.
249 You should have received a copy of the GNU General Public License along
251 with this program; if not, write to the Free Software Foundation, Inc.,
252 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
253hivex-1.3.10 2012-12-03 hivexsh(1)