1hivex(3) Windows Registry hivex(3)
2
6 hivex - Windows Registry "hive" extraction library
7
9 #include <hivex.h>
10 hive_h *hivex_open (const char *filename, int flags);
12 int hivex_close (hive_h *h);
13 hive_node_h hivex_root (hive_h *h);
14 int64_t hivex_last_modified (hive_h *h);
15 char *hivex_node_name (hive_h *h, hive_node_h node);
16 int64_t hivex_node_timestamp (hive_h *h, hive_node_h node);
17 hive_node_h *hivex_node_children (hive_h *h, hive_node_h node);
18 hive_node_h hivex_node_get_child (hive_h *h, hive_node_h node, const char *name);
19 hive_node_h hivex_node_parent (hive_h *h, hive_node_h node);
20 hive_value_h *hivex_node_values (hive_h *h, hive_node_h node);
21 hive_value_h hivex_node_get_value (hive_h *h, hive_node_h node, const char *key);
22 size_t hivex_value_key_len (hive_h *h, hive_value_h val);
23 char *hivex_value_key (hive_h *h, hive_value_h val);
24 int hivex_value_type (hive_h *h, hive_value_h val, hive_type *t, size_t *len);
25 size_t hivex_node_struct_length (hive_h *h, hive_node_h node);
26 size_t hivex_value_struct_length (hive_h *h, hive_value_h val);
27 char *hivex_value_value (hive_h *h, hive_value_h val, hive_type *t, size_t *len);
28 char *hivex_value_string (hive_h *h, hive_value_h val);
29 char **hivex_value_multiple_strings (hive_h *h, hive_value_h val);
30 int32_t hivex_value_dword (hive_h *h, hive_value_h val);
31 int64_t hivex_value_qword (hive_h *h, hive_value_h val);
32 int hivex_commit (hive_h *h, const char *filename, int flags);
33 hive_node_h hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name);
34 int hivex_node_delete_child (hive_h *h, hive_node_h node);
35 int hivex_node_set_values (hive_h *h, hive_node_h node, size_t nr_values, const hive_set_value *values, int flags);
36 int hivex_node_set_value (hive_h *h, hive_node_h node, const hive_set_value *val, int flags);
37 Link with -lhivex.
39
41 Hivex is a library for extracting the contents of Windows Registry
42 "hive" files. It is designed to be secure against buggy or malicious
43 registry files.
44 Unlike other tools in this area, it doesn't use the textual .REG
46 format, because parsing that is as much trouble as parsing the original
47 binary format. Instead it makes the file available through a C API,
48 and then wraps this API in higher level scripting and GUI tools.
49 There is a separate program to export the hive as XML (see hivexml(1)),
51 or to navigate the file (see hivexsh(1)). There is also a Perl script
52 to export and merge the file as a textual .REG (regedit) file, see
53 hivexregedit(1).
54 If you just want to export or modify the Registry of a Windows virtual
56 machine, you should look at virt-win-reg(1).
57 Hivex is also comes with language bindings for OCaml, Perl, Python and
59 Ruby.
60
62 "hive_h *"
63 This handle describes an open hive file.
64 "hive_node_h"
66 This is a node handle, an integer but opaque outside the library.
67 Valid node handles cannot be 0. The library returns 0 in some
68 situations to indicate an error.
69 "hive_type"
71 The enum below describes the possible types for the value(s) stored at
72 each node. Note that you should not trust the type field in a Windows
73 Registry, as it very often has no relationship to reality. Some
74 applications use their own types. The encoding of strings is not
75 specified. Some programs store everything (including strings) in
76 binary blobs.
77 enum hive_type {
79 /* Just a key without a value */
80 hive_t_REG_NONE = 0,
81 /* A Windows string (encoding is unknown, but often UTF16-LE) */
82 hive_t_REG_SZ = 1,
83 /* A Windows string that contains %env% (environment variable expansion) */
84 hive_t_REG_EXPAND_SZ = 2,
85 /* A blob of binary */
86 hive_t_REG_BINARY = 3,
87 /* DWORD (32 bit integer), little endian */
88 hive_t_REG_DWORD = 4,
89 /* DWORD (32 bit integer), big endian */
90 hive_t_REG_DWORD_BIG_ENDIAN = 5,
91 /* Symbolic link to another part of the registry tree */
92 hive_t_REG_LINK = 6,
93 /* Multiple Windows strings. See http://blogs.msdn.com/oldnewthing/archive/2009/10/08/9904646.aspx */
94 hive_t_REG_MULTI_SZ = 7,
95 /* Resource list */
96 hive_t_REG_RESOURCE_LIST = 8,
97 /* Resource descriptor */
98 hive_t_REG_FULL_RESOURCE_DESCRIPTOR = 9,
99 /* Resouce requirements list */
100 hive_t_REG_RESOURCE_REQUIREMENTS_LIST = 10,
101 /* QWORD (64 bit integer), unspecified endianness but usually little endian */
102 hive_t_REG_QWORD = 11,
103 };
104 "hive_value_h"
106 This is a value handle, an integer but opaque outside the library.
107 Valid value handles cannot be 0. The library returns 0 in some
108 situations to indicate an error.
109 "hive_set_value"
111 The typedef "hive_set_value" is used in conjunction with the
112 "hivex_node_set_values" call described below.
113 struct hive_set_value {
115 char *key; /* key - a UTF-8 encoded ASCIIZ string */
116 hive_type t; /* type of value field */
117 size_t len; /* length of value field in bytes */
118 char *value; /* value field */
119 };
120 typedef struct hive_set_value hive_set_value;
121 To set the default value for a node, you have to pass "key = """.
123 Note that the "value" field is just treated as a list of bytes, and is
125 stored directly in the hive. The caller has to ensure correct encoding
126 and endianness, for example converting dwords to little endian.
127 The correct type and encoding for values depends on the node and key in
129 the registry, the version of Windows, and sometimes even changes
130 between versions of Windows for the same key. We don't document it
131 here. Often it's not documented at all.
132
134 hivex_open
135 hive_h *hivex_open (const char *filename, int flags);
136 Opens the hive named "filename" for reading.
138 Flags is an ORed list of the open flags (or 0 if you don't want to pass
140 any flags). These flags are defined:
141 HIVEX_OPEN_VERBOSE
143 Verbose messages.
144 HIVEX_OPEN_DEBUG
146 Very verbose messages, suitable for debugging problems in the
147 library itself.
148 This is also selected if the "HIVEX_DEBUG" environment variable is
150 set to 1.
151 HIVEX_OPEN_WRITE
153 Open the hive for writing. If omitted, the hive is read-only.
154 See "WRITING TO HIVE FILES" in hivex(3).
156 Returns a new hive handle. On error this returns NULL and sets errno.
158 hivex_close
160 int hivex_close (hive_h *h);
161 Close a hive handle and free all associated resources.
163 Note that any uncommitted writes are not committed by this call, but
165 instead are lost. See "WRITING TO HIVE FILES" in hivex(3).
166 Returns 0 on success. On error this returns -1 and sets errno.
168 This function frees the hive handle (even if it returns an error). The
170 hive handle must not be used again after calling this function.
171 hivex_root
173 hive_node_h hivex_root (hive_h *h);
174 Return root node of the hive. All valid hives must contain a root
176 node.
177 Returns a node handle. On error this returns 0 and sets errno.
179 hivex_last_modified
181 int64_t hivex_last_modified (hive_h *h);
182 Return the modification time from the header of the hive.
184 The returned value is a Windows filetime. To convert this to a Unix
186 "time_t" see:
187 <http://stackoverflow.com/questions/6161776/convert-windows-filetime-to-second-in-unix-linux/6161842#6161842>
188 hivex_node_name
190 char *hivex_node_name (hive_h *h, hive_node_h node);
191 Return the name of the node.
193 Note that the name of the root node is a dummy, such as "$$$PROTO.HIV"
195 (other names are possible: it seems to depend on the tool or program
196 that created the hive in the first place). You can only know the
197 "real" name of the root node by knowing which registry file this hive
198 originally comes from, which is knowledge that is outside the scope of
199 this library.
200 Returns a string. The string must be freed by the caller when it is no
202 longer needed. On error this returns NULL and sets errno.
203 hivex_node_timestamp
205 int64_t hivex_node_timestamp (hive_h *h, hive_node_h node);
206 Return the modification time of the node.
208 The returned value is a Windows filetime. To convert this to a Unix
210 "time_t" see:
211 <http://stackoverflow.com/questions/6161776/convert-windows-filetime-to-second-in-unix-linux/6161842#6161842>
212 hivex_node_children
214 hive_node_h *hivex_node_children (hive_h *h, hive_node_h node);
215 Return an array of nodes which are the subkeys (children) of "node".
217 Returns a 0-terminated array of nodes. The array must be freed by the
219 caller when it is no longer needed. On error this returns NULL and
220 sets errno.
221 hivex_node_get_child
223 hive_node_h hivex_node_get_child (hive_h *h, hive_node_h node, const char *name);
224 Return the child of node with the name "name", if it exists.
226 The name is matched case insensitively.
228 Returns a node handle. If the node was not found, this returns 0
230 without setting errno. On error this returns 0 and sets errno.
231 hivex_node_parent
233 hive_node_h hivex_node_parent (hive_h *h, hive_node_h node);
234 Return the parent of "node".
236 The parent pointer of the root node in registry files that we have
238 examined seems to be invalid, and so this function will return an error
239 if called on the root node.
240 Returns a node handle. On error this returns 0 and sets errno.
242 hivex_node_values
244 hive_value_h *hivex_node_values (hive_h *h, hive_node_h node);
245 Return the array of (key, value) pairs attached to this node.
247 Returns a 0-terminated array of values. The array must be freed by the
249 caller when it is no longer needed. On error this returns NULL and
250 sets errno.
251 hivex_node_get_value
253 hive_value_h hivex_node_get_value (hive_h *h, hive_node_h node, const char *key);
254 Return the value attached to this node which has the name "key", if it
256 exists.
257 The key name is matched case insensitively.
259 Note that to get the default key, you should pass the empty string ""
261 here. The default key is often written "@", but inside hives that has
262 no meaning and won't give you the default key.
263 Returns a value handle. On error this returns 0 and sets errno.
265 hivex_value_key_len
267 size_t hivex_value_key_len (hive_h *h, hive_value_h val);
268 Return the length of the key (name) of a (key, value) pair. The length
270 can legitimately be 0, so errno is the necessary mechanism to check for
271 errors.
272 In the context of Windows Registries, a zero-length name means that
274 this value is the default key for this node in the tree. This is
275 usually written as "@".
276 Returns a size. On error this returns 0 and sets errno.
278 hivex_value_key
280 char *hivex_value_key (hive_h *h, hive_value_h val);
281 Return the key (name) of a (key, value) pair. The name is reencoded as
283 UTF-8 and returned as a string.
284 The string should be freed by the caller when it is no longer needed.
286 Note that this function can return a zero-length string. In the
288 context of Windows Registries, this means that this value is the
289 default key for this node in the tree. This is usually written as "@".
290 Returns a string. The string must be freed by the caller when it is no
292 longer needed. On error this returns NULL and sets errno.
293 hivex_value_type
295 int hivex_value_type (hive_h *h, hive_value_h val, hive_type *t, size_t *len);
296 Return the data length and data type of the value in this (key, value)
298 pair. See also "hivex_value_value" which returns all this information,
299 and the value itself. Also, "hivex_value_*" functions below which can
300 be used to return the value in a more useful form when you know the
301 type in advance.
302 Returns 0 on success. On error this returns -1 and sets errno.
304 hivex_node_struct_length
306 size_t hivex_node_struct_length (hive_h *h, hive_node_h node);
307 Return the length of the node data structure.
309 Returns a size. On error this returns 0 and sets errno.
311 hivex_value_struct_length
313 size_t hivex_value_struct_length (hive_h *h, hive_value_h val);
314 Return the length of the value data structure.
316 Returns a size. On error this returns 0 and sets errno.
318 hivex_value_value
320 char *hivex_value_value (hive_h *h, hive_value_h val, hive_type *t, size_t *len);
321 Return the value of this (key, value) pair. The value should be
323 interpreted according to its type (see "hive_type").
324 The value is returned as an array of bytes (of length "len"). The
326 value must be freed by the caller when it is no longer needed. On
327 error this returns NULL and sets errno.
328 hivex_value_string
330 char *hivex_value_string (hive_h *h, hive_value_h val);
331 If this value is a string, return the string reencoded as UTF-8 (as a C
333 string). This only works for values which have type "hive_t_string",
334 "hive_t_expand_string" or "hive_t_link".
335 Returns a string. The string must be freed by the caller when it is no
337 longer needed. On error this returns NULL and sets errno.
338 hivex_value_multiple_strings
340 char **hivex_value_multiple_strings (hive_h *h, hive_value_h val);
341 If this value is a multiple-string, return the strings reencoded as
343 UTF-8 (in C, as a NULL-terminated array of C strings, in other language
344 bindings, as a list of strings). This only works for values which have
345 type "hive_t_multiple_strings".
346 Returns a NULL-terminated array of C strings. The strings and the
348 array must all be freed by the caller when they are no longer needed.
349 On error this returns NULL and sets errno.
350 hivex_value_dword
352 int32_t hivex_value_dword (hive_h *h, hive_value_h val);
353 If this value is a DWORD (Windows int32), return it. This only works
355 for values which have type "hive_t_dword" or "hive_t_dword_be".
356 hivex_value_qword
358 int64_t hivex_value_qword (hive_h *h, hive_value_h val);
359 If this value is a QWORD (Windows int64), return it. This only works
361 for values which have type "hive_t_qword".
362 hivex_commit
364 int hivex_commit (hive_h *h, const char *filename, int flags);
365 Commit (write) any changes which have been made.
367 "filename" is the new file to write. If "filename" is null/undefined
369 then we overwrite the original file (ie. the file name that was passed
370 to "hivex_open").
371 Note this does not close the hive handle. You can perform further
373 operations on the hive after committing, including making more
374 modifications. If you no longer wish to use the hive, then you should
375 close the handle after committing.
376 The flags parameter is unused. Always pass 0.
378 Returns 0 on success. On error this returns -1 and sets errno.
380 hivex_node_add_child
382 hive_node_h hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name);
383 Add a new child node named "name" to the existing node "parent". The
385 new child initially has no subnodes and contains no keys or values.
386 The sk-record (security descriptor) is inherited from the parent.
387 The parent must not have an existing child called "name", so if you
389 want to overwrite an existing child, call "hivex_node_delete_child"
390 first.
391 Returns a node handle. On error this returns 0 and sets errno.
393 hivex_node_delete_child
395 int hivex_node_delete_child (hive_h *h, hive_node_h node);
396 Delete the node "node". All values at the node and all subnodes are
398 deleted (recursively). The "node" handle and the handles of all
399 subnodes become invalid. You cannot delete the root node.
400 Returns 0 on success. On error this returns -1 and sets errno.
402 hivex_node_set_values
404 int hivex_node_set_values (hive_h *h, hive_node_h node, size_t nr_values, const hive_set_value *values, int flags);
405 This call can be used to set all the (key, value) pairs stored in
407 "node".
408 "node" is the node to modify.
410 The flags parameter is unused. Always pass 0.
412 "values" is an array of (key, value) pairs. There should be
414 "nr_values" elements in this array.
415 Any existing values stored at the node are discarded, and their
417 "hive_value_h" handles become invalid. Thus you can remove all values
418 stored at "node" by passing "nr_values = 0".
419 Returns 0 on success. On error this returns -1 and sets errno.
421 hivex_node_set_value
423 int hivex_node_set_value (hive_h *h, hive_node_h node, const hive_set_value *val, int flags);
424 This call can be used to replace a single "(key, value)" pair stored in
426 "node". If the key does not already exist, then a new key is added.
427 Key matching is case insensitive.
428 "node" is the node to modify.
430 The flags parameter is unused. Always pass 0.
432 "value" is a single (key, value) pair.
434 Existing "hive_value_h" handles become invalid.
436 Returns 0 on success. On error this returns -1 and sets errno.
438
440 The hivex library supports making limited modifications to hive files.
441 We have tried to implement this very conservatively in order to reduce
442 the chance of corrupting your registry. However you should be careful
443 and take back-ups, since Microsoft has never documented the hive
444 format, and so it is possible there are nuances in the reverse-
445 engineered format that we do not understand.
446 To be able to modify a hive, you must pass the "HIVEX_OPEN_WRITE" flag
448 to "hivex_open", otherwise any write operation will return with errno
449 "EROFS".
450 The write operations shown below do not modify the on-disk file
452 immediately. You must call "hivex_commit" in order to write the
453 changes to disk. If you call "hivex_close" without committing then any
454 writes are discarded.
455 Hive files internally consist of a "memory dump" of binary blocks (like
457 the C heap), and some of these blocks can be unused. The hivex library
458 never reuses these unused blocks. Instead, to ensure robustness in the
459 face of the partially understood on-disk format, hivex only allocates
460 new blocks after the end of the file, and makes minimal modifications
461 to existing structures in the file to point to these new blocks. This
462 makes hivex slightly less disk-efficient than it could be, but disk is
463 cheap, and registry modifications tend to be very small.
464 When deleting nodes, it is possible that this library may leave
466 unreachable live blocks in the hive. This is because certain parts of
467 the hive disk format such as security (sk) records and big data (db)
468 records and classname fields are not well understood (and not
469 documented at all) and we play it safe by not attempting to modify
470 them. Apart from wasting a little bit of disk space, it is not thought
471 that unreachable blocks are a problem.
472 WRITE OPERATIONS WHICH ARE NOT SUPPORTED
474 · Changing the root node.
475 · Creating a new hive file from scratch. This is impossible at
477 present because not all fields in the header are understood. In
478 the hivex source tree is a file called "images/minimal" which could
479 be used as the basis for a new hive (but caveat emptor).
480 · Modifying or deleting single values at a node.
482 · Modifying security key (sk) records or classnames. Previously we
484 did not understand these records. However now they are well-
485 understood and we could add support if it was required (but nothing
486 much really uses them).
487
489 The visitor pattern is useful if you want to visit all nodes in the
490 tree or all nodes below a certain point in the tree.
491 First you set up your own "struct hivex_visitor" with your callback
493 functions.
494 Each of these callback functions should return 0 on success or -1 on
496 error. If any callback returns -1, then the entire visit terminates
497 immediately. If you don't need a callback function at all, set the
498 function pointer to NULL.
499 struct hivex_visitor {
501 int (*node_start) (hive_h *, void *opaque, hive_node_h, const char *name);
502 int (*node_end) (hive_h *, void *opaque, hive_node_h, const char *name);
503 int (*value_string) (hive_h *, void *opaque, hive_node_h, hive_value_h,
504 hive_type t, size_t len, const char *key, const char *str);
505 int (*value_multiple_strings) (hive_h *, void *opaque, hive_node_h,
506 hive_value_h, hive_type t, size_t len, const char *key, char **argv);
507 int (*value_string_invalid_utf16) (hive_h *, void *opaque, hive_node_h,
508 hive_value_h, hive_type t, size_t len, const char *key,
509 const char *str);
510 int (*value_dword) (hive_h *, void *opaque, hive_node_h, hive_value_h,
511 hive_type t, size_t len, const char *key, int32_t);
512 int (*value_qword) (hive_h *, void *opaque, hive_node_h, hive_value_h,
513 hive_type t, size_t len, const char *key, int64_t);
514 int (*value_binary) (hive_h *, void *opaque, hive_node_h, hive_value_h,
515 hive_type t, size_t len, const char *key, const char *value);
516 int (*value_none) (hive_h *, void *opaque, hive_node_h, hive_value_h,
517 hive_type t, size_t len, const char *key, const char *value);
518 int (*value_other) (hive_h *, void *opaque, hive_node_h, hive_value_h,
519 hive_type t, size_t len, const char *key, const char *value);
520 /* If value_any callback is not NULL, then the other value_*
521 * callbacks are not used, and value_any is called on all values.
522 */
523 int (*value_any) (hive_h *, void *opaque, hive_node_h, hive_value_h,
524 hive_type t, size_t len, const char *key, const char *value);
525 };
526 hivex_visit
528 int hivex_visit (hive_h *h, const struct hivex_visitor *visitor, size_t len, void *opaque, int flags);
529 Visit all the nodes recursively in the hive "h".
531 "visitor" should be a "hivex_visitor" structure with callback
533 fields filled in as required (unwanted callbacks can be set to
534 NULL). "len" must be the length of the 'visitor' struct (you
535 should pass "sizeof (struct hivex_visitor)" for this).
536 This returns 0 if the whole recursive visit was completed
538 successfully. On error this returns -1. If one of the callback
539 functions returned an error than we don't touch errno. If the
540 error was generated internally then we set errno.
541 You can skip bad registry entries by setting "flag" to
543 "HIVEX_VISIT_SKIP_BAD". If this flag is not set, then a bad
544 registry causes the function to return an error immediately.
545 This function is robust if the registry contains cycles or pointers
547 which are invalid or outside the registry. It detects these cases
548 and returns an error.
549 hivex_visit_node
551 int hivex_visit_node (hive_h *h, hive_node_h node, const struct hivex_visitor *visitor, size_t len, void *opaque);
552 Same as "hivex_visit" but instead of starting out at the root, this
554 starts at "node".
555
557 Note: To understand the relationship between hives and the common
558 Windows Registry keys (like "HKEY_LOCAL_MACHINE") please see the
559 Wikipedia page on the Windows Registry.
560 The Windows Registry is split across various binary files, each file
562 being known as a "hive". This library only handles a single hive file
563 at a time.
564 Hives are n-ary trees with a single root. Each node in the tree has a
566 name.
567 Each node in the tree (including non-leaf nodes) may have an arbitrary
569 list of (key, value) pairs attached to it. It may be the case that one
570 of these pairs has an empty key. This is referred to as the default
571 key for the node.
572 The (key, value) pairs are the place where the useful data is stored in
574 the registry. The key is always a string (possibly the empty string
575 for the default key). The value is a typed object (eg. string, int32,
576 binary, etc.).
577 RELATIONSHIP TO .REG FILES
579 The hivex C library does not care about or deal with Windows .REG
580 files. Instead we push this complexity up to the Perl Win::Hivex(3)
581 library and the Perl programs hivexregedit(1) and virt-win-reg(1).
582 Nevertheless it is useful to look at the relationship between the
583 Registry and .REG files because they are so common.
584 A .REG file is a textual representation of the registry, or part of the
586 registry. The actual registry hives that Windows uses are binary
587 files. There are a number of Windows and Linux tools that let you
588 generate .REG files, or merge .REG files back into the registry hives.
589 Notable amongst them is Microsoft's REGEDIT program (formerly known as
590 REGEDT32).
591 A typical .REG file will contain many sections looking like this:
593 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Stack]
595 "@"="Generic Stack"
596 "TileInfo"="prop:System.FileCount"
597 "TilePath"=str(2):"%systemroot%\\system32"
598 "ThumbnailCutoff"=dword:00000000
599 "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
600 6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,\
601 33,00,32,00,5c,00,73,00,65,00,61,00,72,00,63,00,68,00,66,00,\
602 6f,00,6c,00,64,00,65,00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,\
603 2d,00,39,00,30,00,32,00,38,00,00,00,d8
604 Taking this one piece at a time:
606 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Stack]
608 This is the path to this node in the registry tree. The first part,
610 "HKEY_LOCAL_MACHINE\SOFTWARE" means that this comes from a hive file
611 called "C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE". "\Classes\Stack" is the
612 real path part, starting at the root node of the "SOFTWARE" hive.
613 Below the node name is a list of zero or more key-value pairs. Any
615 interior or leaf node in the registry may have key-value pairs
616 attached.
617 "@"="Generic Stack"
619 This is the "default key". In reality (ie. inside the binary hive) the
621 key string is the empty string. In .REG files this is written as "@"
622 but this has no meaning either in the hives themselves or in this
623 library. The value is a string (type 1 - see "enum hive_type" above).
624 "TileInfo"="prop:System.FileCount"
626 This is a regular (key, value) pair, with the value being a type 1
628 string. Note that inside the binary file the string is likely to be
629 UTF-16LE encoded. This library converts to and from UTF-8 strings
630 transparently in some cases.
631 "TilePath"=str(2):"%systemroot%\\system32"
633 The value in this case has type 2 (expanded string) meaning that some
635 %...% variables get expanded by Windows. (This library doesn't know or
636 care about variable expansion).
637 "ThumbnailCutoff"=dword:00000000
639 The value in this case is a dword (type 4).
641 "FriendlyTypeName"=hex(2):40,00,....
643 This value is an expanded string (type 2) represented in the .REG file
645 as a series of hex bytes. In this case the string appears to be a
646 UTF-16LE string.
647
649 Many functions in this library set errno to indicate errors. These are
650 the values of errno you may encounter (this list is not exhaustive):
651 ENOTSUP
653 Corrupt or unsupported Registry file format.
654 HIVEX_NO_KEY
656 Missing root key.
657 EINVAL
659 Passed an invalid argument to the function.
660 EFAULT
662 Followed a Registry pointer which goes outside the registry or
663 outside a registry block.
664 ELOOP
666 Registry contains cycles.
667 ERANGE
669 Field in the registry out of range.
670 EEXIST
672 Registry key already exists.
673 EROFS
675 Tried to write to a registry which is not opened for writing.
676
678 HIVEX_DEBUG
679 Setting HIVEX_DEBUG=1 will enable very verbose messages. This is
680 useful for debugging problems with the library itself.
681
683 hivexget(1), hivexml(1), hivexsh(1), hivexregedit(1), virt-win-reg(1),
684 Win::Hivex(3), guestfs(3), <http://libguestfs.org/>, virt-cat(1),
685 virt-edit(1), <http://en.wikipedia.org/wiki/Windows_Registry>.
686
688 Richard W.M. Jones ("rjones at redhat dot com")
689
691 Copyright (C) 2009-2010 Red Hat Inc.
692 Derived from code by Petter Nordahl-Hagen under a compatible license:
694 Copyright (C) 1997-2007 Petter Nordahl-Hagen.
695 Derived from code by Markus Stephany under a compatible license:
697 Copyright (C) 2000-2004 Markus Stephany.
698 This library is free software; you can redistribute it and/or modify it
700 under the terms of the GNU Lesser General Public License as published
701 by the Free Software Foundation; version 2.1 of the License only.
702 This library is distributed in the hope that it will be useful, but
704 WITHOUT ANY WARRANTY; without even the implied warranty of
705 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
706 Lesser General Public License for more details.
707hivex-1.3.3 2015-07-23 hivex(3)