1hivexsh(1) Windows Registry hivexsh(1)
2
3
4
6 hivexsh - Windows Registry hive shell
7
9 hivexsh [-options] [hivefile]
10
12 This program provides a simple shell for navigating Windows Registry
13 'hive' files. It uses the hivex library for access to these binary
14 files.
15
16 Firstly you will need to provide a hive file from a Windows operating
17 system. The hive files are usually located in
18 "C:\Windows\System32\Config" and have names like "software", "system"
19 etc (without any file extension). For more information about hive
20 files, read hivex(3). For information about downloading files from
21 virtual machines, read virt-cat(1) and guestfish(1).
22
23 You can provide the name of the hive file to examine on the command
24 line. For example:
25
26 hivexsh software
27
28 Or you can start "hivexsh" without any arguments, and immediately use
29 the "load" command to load a hive:
30
31 $ hivexsh
32
33 Welcome to hivexsh, the hivex interactive shell for examining
34 Windows Registry binary hive files.
35
36 Type: 'help' for help with commands
37 'quit' to quit the shell
38
39 > load software
40 software\>
41
42 Navigate through the hive's keys using the "cd" command, as if it
43 contained a filesystem, and use "ls" to list the subkeys of the current
44 key. Other commands are listed below.
45
47 -d Enable lots of debug messages. If you find a Registry file that
48 this program cannot parse, please enable this option and post the
49 complete output and the Registry hive file in your bug report.
50
51 -f filename
52 Read commands from "filename" instead of stdin. To write a hivexsh
53 script, use:
54
55 #!/usr/bin/hivexsh -f
56
57 -w If this option is given, then writes are allowed to the hive (see
58 "commit" command below, and the discussion of modifying hives in
59 "WRITING TO HIVE FILES" in hivex(3)).
60
61 Important Note: Even if you specify this option, nothing is written
62 to a hive unless you call the "commit" command. If you exit the
63 shell without committing, all changes will be discarded.
64
65 If this option is not given, then write commands are disabled.
66
68 add name
69 Add a subkey named "name" below the current node. The name may
70 contain spaces and punctuation characters, and does not need to be
71 quoted.
72
73 The new key will have no subkeys and no values (see "setval").
74
75 There must be no existing subkey called "name", or this command
76 will fail. To replace an existing subkey, delete it first like
77 this:
78
79 cd name
80 del
81
82 cd path
83 Change to the subkey "path". Use Windows-style backslashes to
84 separate path elements, and start with a backslash in order to
85 start from the root of the hive. For example:
86
87 cd \Classes\*
88
89 moves from the root node, to the "Classes" node, to the "*" node.
90 If you were already at the root node, you could do this instead:
91
92 cd Classes\*
93
94 or even:
95
96 cd Classes
97 cd *
98
99 Path elements (node names) are matched case insensitively, and
100 characters like space, "*", and "?" have no special significance.
101
102 "cd .." may be used to go to the parent directory.
103
104 "cd" without any arguments prints the current path.
105
106 Be careful with "cd \" since the readline library has an
107 undocumented behaviour where it will think the final backslash is a
108 continuation (it reads the next line of input and appends it). Put
109 a single space after the backslash.
110
111 close | unload
112 Close the currently loaded hive.
113
114 If you modified the hive, all uncommitted writes are lost when you
115 call this command (or if the shell exits). You have to call
116 "commit" to write changes.
117
118 commit [newfile]
119 Commit changes to the hive. If the optional "newfile" parameter is
120 supplied, then the hive is written to that file, else the original
121 file is overwritten.
122
123 Note that you have to specify the "-w" flag, otherwise no writes
124 are allowed.
125
126 del Delete the current node and everything beneath it. The current
127 directory is moved up one level (as if you did "cd ..") after this
128 command.
129
130 You cannot delete the root node.
131
132 exit | quit
133 Exit the shell.
134
135 load hivefile
136 Load the binary hive named "hivefile". The currently loaded hive,
137 if any, is closed. The current directory is changed back to the
138 root node.
139
140 ls List the subkeys of the current hive Registry key. Note this
141 command does not take any arguments.
142
143 lsval [key]
144 List the (key, value) pairs of the current hive Registry key. If
145 no argument is given then all pairs are displayed. If "key" is
146 given, then the value of the named key is displayed. If "@" is
147 given, then the value of the default key is displayed.
148
149 setval nrvals
150 This command replaces all (key, value) pairs at the current node
151 with the values in subsequent input. "nrvals" is the number of
152 values (ie. (key, value) pairs), and any existing values at this
153 node are deleted. So "setval 0" just deletes any values at the
154 current node.
155
156 The command reads 2 * nrvals lines of input, with each pair of
157 lines of input corresponding to a key and a value to add.
158
159 For example, the following setval command replaces whatever is at
160 the current node with two (key, value) pairs. The default key is
161 set to the UTF16-LE-encoded string "abcd". The other value is
162 named "ANumber" and is a little-endian DWORD 0x12345678.
163
164 setval 2
165 @
166 string:abcd
167 ANumber
168 dword:12345678
169
170 The first line of each pair is the key (the special key "@" means
171 the default key, but you can also use a blank line).
172
173 The second line of each pair is the value, which has a special
174 format "type:value" with possible types summarized in the table
175 below:
176
177 none No data is stored, and the type is set to 0.
178
179 string:abc "abc" is stored as a UTF16-LE-encoded
180 string (type 1). Note that only 7 bit
181 ASCII strings are supported as input.
182
183 expandstring:... Same as string but with type 2.
184
185 dword:0x01234567 A DWORD (type 4) with the hex value
186 0x01234567. You can also use decimal
187 or octal numbers here.
188
189 qword:0x0123456789abcdef
190 A QWORD (type 11) with the hex value
191 0x0123456789abcdef. You can also use
192 decimal or octal numbers here.
193
194 hex:<type>:<hexbytes>
195 hex:1:41,00,42,00,43,00,44,00,00,00
196 This is the generic way to enter any
197 value. <type> is the integer value type.
198 <hexbytes> is a list of pairs of hex
199 digits which are treated as bytes.
200 (Any non-hex-digits here are ignored,
201 so you can separate bytes with commas
202 or spaces if you want).
203
205 $ guestfish --ro -i Windows7
206 ><fs> download win:c:\windows\system32\config\software software
207 ><fs> quit
208
209 $ hivexsh software
210
211 Welcome to hivexsh, the hivex interactive shell for examining
212 Windows Registry binary hive files.
213
214 Type: 'help' for help with commands
215 'quit' to quit the shell
216
217 software\> ls
218 ATI Technologies
219 Classes
220 Clients
221 Intel
222 Microsoft
223 ODBC
224 Policies
225 RegisteredApplications
226 Sonic
227 Wow6432Node
228 software\> quit
229
231 hivex(3), hivexget(1), hivexml(1), virt-win-reg(1), guestfs(3),
232 <http://libguestfs.org/>, virt-cat(1), virt-edit(1).
233
235 Richard W.M. Jones ("rjones at redhat dot com")
236
238 Copyright (C) 2009-2010 Red Hat Inc.
239
240 This program is free software; you can redistribute it and/or modify it
241 under the terms of the GNU General Public License as published by the
242 Free Software Foundation; either version 2 of the License, or (at your
243 option) any later version.
244
245 This program is distributed in the hope that it will be useful, but
246 WITHOUT ANY WARRANTY; without even the implied warranty of
247 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
248 General Public License for more details.
249
250 You should have received a copy of the GNU General Public License along
251 with this program; if not, write to the Free Software Foundation, Inc.,
252 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
253
254
255
256hivex-1.3.3 2011-06-28 hivexsh(1)