1hivexsh(1)                     Windows Registry                     hivexsh(1)
2
3
4

NAME

6       hivexsh - Windows Registry hive shell
7

SYNOPSIS

9        hivexsh [-options] [hivefile]
10

DESCRIPTION

12       This program provides a simple shell for navigating Windows Registry
13       'hive' files.  It uses the hivex library for access to these binary
14       files.
15
16       Firstly you will need to provide a hive file from a Windows operating
17       system.  The hive files are usually located in
18       "C:\Windows\System32\Config" and have names like "software", "system"
19       etc (without any file extension).  For more information about hive
20       files, read hivex(3).  For information about downloading files from
21       virtual machines, read virt-cat(1) and guestfish(1).
22
23       You can provide the name of the hive file to examine on the command
24       line.  For example:
25
26        hivexsh software
27
28       Or you can start "hivexsh" without any arguments, and immediately use
29       the "load" command to load a hive:
30
31        $ hivexsh
32
33        Welcome to hivexsh, the hivex interactive shell for examining
34        Windows Registry binary hive files.
35
36        Type: 'help' for help with commands
37              'quit' to quit the shell
38
39        > load software
40        software\>
41
42       Navigate through the hive's keys using the "cd" command, as if it
43       contained a filesystem, and use "ls" to list the subkeys of the current
44       key.  Other commands are listed below.
45

OPTIONS

47       -d  Enable lots of debug messages.  If you find a Registry file that
48           this program cannot parse, please enable this option and post the
49           complete output and the Registry hive file in your bug report.
50
51       -f filename
52           Read commands from "filename" instead of stdin.  To write a hivexsh
53           script, use:
54
55            #!/usr/bin/hivexsh -f
56
57       -u  Use heuristics to tolerate certain levels of corruption within
58           hives.
59
60           This is unsafe but may allow to export/merge valid keys/values in
61           an othewise corrupted hive.
62
63       -w  If this option is given, then writes are allowed to the hive (see
64           "commit" command below, and the discussion of modifying hives in
65           "WRITING TO HIVE FILES" in hivex(3)).
66
67           Important Note: Even if you specify this option, nothing is written
68           to a hive unless you call the "commit" command.  If you exit the
69           shell without committing, all changes will be discarded.
70
71           If this option is not given, then write commands are disabled.
72

COMMANDS

74       add name
75           Add a subkey named "name" below the current node.  The name may
76           contain spaces and punctuation characters, and does not need to be
77           quoted.
78
79           The new key will have no subkeys and no values (see "setval").
80
81           There must be no existing subkey called "name", or this command
82           will fail.  To replace an existing subkey, delete it first like
83           this:
84
85            cd name
86            del
87
88       cd path
89           Change to the subkey "path".  Use Windows-style backslashes to
90           separate path elements, and start with a backslash in order to
91           start from the root of the hive.  For example:
92
93            cd \Classes\*
94
95           moves from the root node, to the "Classes" node, to the "*" node.
96           If you were already at the root node, you could do this instead:
97
98            cd Classes\*
99
100           or even:
101
102            cd Classes
103            cd *
104
105           Path elements (node names) are matched case insensitively, and
106           characters like space, "*", and "?" have no special significance.
107
108           "cd .." may be used to go to the parent directory.
109
110           "cd" without any arguments prints the current path.
111
112           Be careful with "cd \" since the readline library has an
113           undocumented behaviour where it will think the final backslash is a
114           continuation (it reads the next line of input and appends it).  Put
115           a single space after the backslash.
116
117       close | unload
118           Close the currently loaded hive.
119
120           If you modified the hive, all uncommitted writes are lost when you
121           call this command (or if the shell exits).  You have to call
122           "commit" to write changes.
123
124       commit [newfile]
125           Commit changes to the hive.  If the optional "newfile" parameter is
126           supplied, then the hive is written to that file, else the original
127           file is overwritten.
128
129           Note that you have to specify the "-w" flag, otherwise no writes
130           are allowed.
131
132       del Delete the current node and everything beneath it.  The current
133           directory is moved up one level (as if you did "cd ..") after this
134           command.
135
136           You cannot delete the root node.
137
138       exit | quit
139           Exit the shell.
140
141       load hivefile
142           Load the binary hive named "hivefile".  The currently loaded hive,
143           if any, is closed.  The current directory is changed back to the
144           root node.
145
146       ls  List the subkeys of the current hive Registry key.  Note this
147           command does not take any arguments.
148
149       lsval [key]
150           List the (key, value) pairs of the current hive Registry key.  If
151           no argument is given then all pairs are displayed.  If "key" is
152           given, then the value of the named key is displayed.  If "@" is
153           given, then the value of the default key is displayed.
154
155       setval nrvals
156           This command replaces all (key, value) pairs at the current node
157           with the values in subsequent input.  "nrvals" is the number of
158           values (ie. (key, value) pairs), and any existing values at this
159           node are deleted.  So "setval 0" just deletes any values at the
160           current node.
161
162           The command reads 2 * nrvals lines of input, with each pair of
163           lines of input corresponding to a key and a value to add.
164
165           For example, the following setval command replaces whatever is at
166           the current node with two (key, value) pairs.  The default key is
167           set to the UTF16-LE-encoded string "abcd".  The other value is
168           named "ANumber" and is a little-endian DWORD 0x12345678.
169
170            setval 2
171            @
172            string:abcd
173            ANumber
174            dword:12345678
175
176           The first line of each pair is the key (the special key "@" means
177           the default key, but you can also use a blank line).
178
179           The second line of each pair is the value, which has a special
180           format "type:value" with possible types summarized in the table
181           below:
182
183            none                 No data is stored, and the type is set to 0.
184
185            string:abc           "abc" is stored as a UTF16-LE-encoded
186                                 string (type 1).  Note that only 7 bit
187                                 ASCII strings are supported as input.
188
189            expandstring:...     Same as string but with type 2.
190
191            dword:0x01234567     A DWORD (type 4) with the hex value
192                                 0x01234567.  You can also use decimal
193                                 or octal numbers here.
194
195            qword:0x0123456789abcdef
196                                 A QWORD (type 11) with the hex value
197                                 0x0123456789abcdef.  You can also use
198                                 decimal or octal numbers here.
199
200            hex:<type>:<hexbytes>
201            hex:1:41,00,42,00,43,00,44,00,00,00
202                                 This is the generic way to enter any
203                                 value.  <type> is the integer value type.
204                                 <hexbytes> is a list of pairs of hex
205                                 digits which are treated as bytes.
206                                 (Any non-hex-digits here are ignored,
207                                 so you can separate bytes with commas
208                                 or spaces if you want).
209

EXAMPLE

211        $ guestfish --ro -i Windows7
212        ><fs> download win:c:\windows\system32\config\software software
213        ><fs> quit
214
215        $ hivexsh software
216
217        Welcome to hivexsh, the hivex interactive shell for examining
218        Windows Registry binary hive files.
219
220        Type: 'help' for help with commands
221              'quit' to quit the shell
222
223        software\> ls
224        ATI Technologies
225        Classes
226        Clients
227        Intel
228        Microsoft
229        ODBC
230        Policies
231        RegisteredApplications
232        Sonic
233        Wow6432Node
234        software\> quit
235

SEE ALSO

237       hivex(3), hivexget(1), hivexml(1), virt-win-reg(1), guestfs(3),
238       <http://libguestfs.org/>, virt-cat(1), virt-edit(1).
239

AUTHORS

241       Richard W.M. Jones ("rjones at redhat dot com")
242
244       Copyright (C) 2009-2010 Red Hat Inc.
245
246       This program is free software; you can redistribute it and/or modify it
247       under the terms of the GNU General Public License as published by the
248       Free Software Foundation; either version 2 of the License, or (at your
249       option) any later version.
250
251       This program is distributed in the hope that it will be useful, but
252       WITHOUT ANY WARRANTY; without even the implied warranty of
253       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
254       General Public License for more details.
255
256       You should have received a copy of the GNU General Public License along
257       with this program; if not, write to the Free Software Foundation, Inc.,
258       51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
259
260
261
262hivex-1.3.18                      2020-02-27                        hivexsh(1)
Impressum