1hivex(3) Windows Registry hivex(3)
2
6 hivex - Windows Registry "hive" extraction library
7
9 #include <hivex.h>
10 hive_h *hivex_open (const char *filename, int flags);
12 int hivex_close (hive_h *h);
13 hive_node_h hivex_root (hive_h *h);
14 int64_t hivex_last_modified (hive_h *h);
15 char *hivex_node_name (hive_h *h, hive_node_h node);
16 size_t hivex_node_name_len (hive_h *h, hive_node_h node);
17 int64_t hivex_node_timestamp (hive_h *h, hive_node_h node);
18 hive_node_h *hivex_node_children (hive_h *h, hive_node_h node);
19 hive_node_h hivex_node_get_child (hive_h *h, hive_node_h node, const char *name);
20 hive_node_h hivex_node_parent (hive_h *h, hive_node_h node);
21 hive_value_h *hivex_node_values (hive_h *h, hive_node_h node);
22 hive_value_h hivex_node_get_value (hive_h *h, hive_node_h node, const char *key);
23 size_t hivex_value_key_len (hive_h *h, hive_value_h val);
24 char *hivex_value_key (hive_h *h, hive_value_h val);
25 int hivex_value_type (hive_h *h, hive_value_h val, hive_type *t, size_t *len);
26 size_t hivex_node_struct_length (hive_h *h, hive_node_h node);
27 size_t hivex_value_struct_length (hive_h *h, hive_value_h val);
28 hive_value_h hivex_value_data_cell_offset (hive_h *h, hive_value_h val, size_t *len);
29 char *hivex_value_value (hive_h *h, hive_value_h val, hive_type *t, size_t *len);
30 char *hivex_value_string (hive_h *h, hive_value_h val);
31 char **hivex_value_multiple_strings (hive_h *h, hive_value_h val);
32 int32_t hivex_value_dword (hive_h *h, hive_value_h val);
33 int64_t hivex_value_qword (hive_h *h, hive_value_h val);
34 int hivex_commit (hive_h *h, const char *filename, int flags);
35 hive_node_h hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name);
36 int hivex_node_delete_child (hive_h *h, hive_node_h node);
37 int hivex_node_set_values (hive_h *h, hive_node_h node, size_t nr_values, const hive_set_value *values, int flags);
38 int hivex_node_set_value (hive_h *h, hive_node_h node, const hive_set_value *val, int flags);
39 Link with -lhivex.
41
43 Hivex is a library for extracting the contents of Windows Registry
44 "hive" files. It is designed to be secure against buggy or malicious
45 registry files.
46 Unlike other tools in this area, it doesn't use the textual .REG
48 format, because parsing that is as much trouble as parsing the original
49 binary format. Instead it makes the file available through a C API,
50 and then wraps this API in higher level scripting and GUI tools.
51 There is a separate program to export the hive as XML (see hivexml(1)),
53 or to navigate the file (see hivexsh(1)). There is also a Perl script
54 to export and merge the file as a textual .REG (regedit) file, see
55 hivexregedit(1).
56 If you just want to export or modify the Registry of a Windows virtual
58 machine, you should look at virt-win-reg(1).
59 Hivex is also comes with language bindings for OCaml, Perl, Python and
61 Ruby.
62
64 "hive_h *"
65 This handle describes an open hive file.
66 "hive_node_h"
68 This is a node handle, an integer but opaque outside the library.
69 Valid node handles cannot be 0. The library returns 0 in some
70 situations to indicate an error.
71 "hive_type"
73 The enum below describes the possible types for the value(s) stored at
74 each node. Note that you should not trust the type field in a Windows
75 Registry, as it very often has no relationship to reality. Some
76 applications use their own types. The encoding of strings is not
77 specified. Some programs store everything (including strings) in
78 binary blobs.
79 enum hive_type {
81 /* Just a key without a value */
82 hive_t_REG_NONE = 0,
83 /* A Windows string (encoding is unknown, but often UTF16-LE) */
84 hive_t_REG_SZ = 1,
85 /* A Windows string that contains %env% (environment variable expansion) */
86 hive_t_REG_EXPAND_SZ = 2,
87 /* A blob of binary */
88 hive_t_REG_BINARY = 3,
89 /* DWORD (32 bit integer), little endian */
90 hive_t_REG_DWORD = 4,
91 /* DWORD (32 bit integer), big endian */
92 hive_t_REG_DWORD_BIG_ENDIAN = 5,
93 /* Symbolic link to another part of the registry tree */
94 hive_t_REG_LINK = 6,
95 /* Multiple Windows strings. See http://blogs.msdn.com/oldnewthing/archive/2009/10/08/9904646.aspx */
96 hive_t_REG_MULTI_SZ = 7,
97 /* Resource list */
98 hive_t_REG_RESOURCE_LIST = 8,
99 /* Resource descriptor */
100 hive_t_REG_FULL_RESOURCE_DESCRIPTOR = 9,
101 /* Resouce requirements list */
102 hive_t_REG_RESOURCE_REQUIREMENTS_LIST = 10,
103 /* QWORD (64 bit integer), unspecified endianness but usually little endian */
104 hive_t_REG_QWORD = 11,
105 };
106 "hive_value_h"
108 This is a value handle, an integer but opaque outside the library.
109 Valid value handles cannot be 0. The library returns 0 in some
110 situations to indicate an error.
111 "hive_set_value"
113 The typedef "hive_set_value" is used in conjunction with the
114 "hivex_node_set_values" call described below.
115 struct hive_set_value {
117 char *key; /* key - a UTF-8 encoded ASCIIZ string */
118 hive_type t; /* type of value field */
119 size_t len; /* length of value field in bytes */
120 char *value; /* value field */
121 };
122 typedef struct hive_set_value hive_set_value;
123 To set the default value for a node, you have to pass "key = """.
125 Note that the "value" field is just treated as a list of bytes, and is
127 stored directly in the hive. The caller has to ensure correct encoding
128 and endianness, for example converting dwords to little endian.
129 The correct type and encoding for values depends on the node and key in
131 the registry, the version of Windows, and sometimes even changes
132 between versions of Windows for the same key. We don't document it
133 here. Often it's not documented at all.
134
136 hivex_open
137 hive_h *hivex_open (const char *filename, int flags);
138 Opens the hive named "filename" for reading.
140 Flags is an ORed list of the open flags (or 0 if you don't want to pass
142 any flags). These flags are defined:
143 HIVEX_OPEN_VERBOSE
145 Verbose messages.
146 HIVEX_OPEN_DEBUG
148 Very verbose messages, suitable for debugging problems in the
149 library itself.
150 This is also selected if the "HIVEX_DEBUG" environment variable is
152 set to 1.
153 HIVEX_OPEN_WRITE
155 Open the hive for writing. If omitted, the hive is read-only.
156 See "WRITING TO HIVE FILES" in hivex(3).
158 HIVEX_OPEN_UNSAFE
160 Open the hive in unsafe mode that enables heuristics to handle
161 corrupted hives.
162 This may allow to read or write registry keys/values that appear
164 intact in an otherwise corrupted hive. Use at your own risk.
165 Returns a new hive handle. On error this returns NULL and sets errno.
167 hivex_close
169 int hivex_close (hive_h *h);
170 Close a hive handle and free all associated resources.
172 Note that any uncommitted writes are not committed by this call, but
174 instead are lost. See "WRITING TO HIVE FILES" in hivex(3).
175 Returns 0 on success. On error this returns -1 and sets errno.
177 This function frees the hive handle (even if it returns an error). The
179 hive handle must not be used again after calling this function.
180 hivex_root
182 hive_node_h hivex_root (hive_h *h);
183 Return root node of the hive. All valid hives must contain a root
185 node.
186 Returns a node handle. On error this returns 0 and sets errno.
188 hivex_last_modified
190 int64_t hivex_last_modified (hive_h *h);
191 Return the modification time from the header of the hive.
193 The returned value is a Windows filetime. To convert this to a Unix
195 "time_t" see:
196 <http://stackoverflow.com/questions/6161776/convert-windows-filetime-to-second-in-unix-linux/6161842#6161842>
197 hivex_node_name
199 char *hivex_node_name (hive_h *h, hive_node_h node);
200 Return the name of the node.
202 Note that the name of the root node is a dummy, such as "$$$PROTO.HIV"
204 (other names are possible: it seems to depend on the tool or program
205 that created the hive in the first place). You can only know the
206 "real" name of the root node by knowing which registry file this hive
207 originally comes from, which is knowledge that is outside the scope of
208 this library.
209 The name is recoded to UTF-8 and may contain embedded NUL characters.
211 Returns a string. The string must be freed by the caller when it is no
213 longer needed. On error this returns NULL and sets errno.
214 hivex_node_name_len
216 size_t hivex_node_name_len (hive_h *h, hive_node_h node);
217 Return the length of the node name as produced by "hivex_node_name".
219 Returns a size. On error this returns 0 and sets errno.
221 hivex_node_timestamp
223 int64_t hivex_node_timestamp (hive_h *h, hive_node_h node);
224 Return the modification time of the node.
226 The returned value is a Windows filetime. To convert this to a Unix
228 "time_t" see:
229 <http://stackoverflow.com/questions/6161776/convert-windows-filetime-to-second-in-unix-linux/6161842#6161842>
230 hivex_node_children
232 hive_node_h *hivex_node_children (hive_h *h, hive_node_h node);
233 Return an array of nodes which are the subkeys (children) of "node".
235 Returns a 0-terminated array of nodes. The array must be freed by the
237 caller when it is no longer needed. On error this returns NULL and
238 sets errno.
239 hivex_node_get_child
241 hive_node_h hivex_node_get_child (hive_h *h, hive_node_h node, const char *name);
242 Return the child of node with the name "name", if it exists.
244 The name is matched case insensitively.
246 Returns a node handle. If the node was not found, this returns 0
248 without setting errno. On error this returns 0 and sets errno.
249 hivex_node_parent
251 hive_node_h hivex_node_parent (hive_h *h, hive_node_h node);
252 Return the parent of "node".
254 The parent pointer of the root node in registry files that we have
256 examined seems to be invalid, and so this function will return an error
257 if called on the root node.
258 Returns a node handle. On error this returns 0 and sets errno.
260 hivex_node_values
262 hive_value_h *hivex_node_values (hive_h *h, hive_node_h node);
263 Return the array of (key, value) pairs attached to this node.
265 Returns a 0-terminated array of values. The array must be freed by the
267 caller when it is no longer needed. On error this returns NULL and
268 sets errno.
269 hivex_node_get_value
271 hive_value_h hivex_node_get_value (hive_h *h, hive_node_h node, const char *key);
272 Return the value attached to this node which has the name "key", if it
274 exists.
275 The key name is matched case insensitively.
277 Note that to get the default key, you should pass the empty string ""
279 here. The default key is often written "@", but inside hives that has
280 no meaning and won't give you the default key.
281 Returns a value handle. On error this returns 0 and sets errno.
283 hivex_value_key_len
285 size_t hivex_value_key_len (hive_h *h, hive_value_h val);
286 Return the length of the key (name) of a (key, value) pair as produced
288 by "hivex_value_key". The length can legitimately be 0, so errno is the
289 necessary mechanism to check for errors.
290 In the context of Windows Registries, a zero-length name means that
292 this value is the default key for this node in the tree. This is
293 usually written as "@".
294 The key is recoded to UTF-8 and may contain embedded NUL characters.
296 Returns a size. On error this returns 0 and sets errno.
298 hivex_value_key
300 char *hivex_value_key (hive_h *h, hive_value_h val);
301 Return the key (name) of a (key, value) pair. The name is reencoded as
303 UTF-8 and returned as a string.
304 The string should be freed by the caller when it is no longer needed.
306 Note that this function can return a zero-length string. In the
308 context of Windows Registries, this means that this value is the
309 default key for this node in the tree. This is usually written as "@".
310 Returns a string. The string must be freed by the caller when it is no
312 longer needed. On error this returns NULL and sets errno.
313 hivex_value_type
315 int hivex_value_type (hive_h *h, hive_value_h val, hive_type *t, size_t *len);
316 Return the data length and data type of the value in this (key, value)
318 pair. See also "hivex_value_value" which returns all this information,
319 and the value itself. Also, "hivex_value_*" functions below which can
320 be used to return the value in a more useful form when you know the
321 type in advance.
322 Returns 0 on success. On error this returns -1 and sets errno.
324 hivex_node_struct_length
326 size_t hivex_node_struct_length (hive_h *h, hive_node_h node);
327 Return the length of the node data structure.
329 Returns a size. On error this returns 0 and sets errno.
331 hivex_value_struct_length
333 size_t hivex_value_struct_length (hive_h *h, hive_value_h val);
334 Return the length of the value data structure.
336 Returns a size. On error this returns 0 and sets errno.
338 hivex_value_data_cell_offset
340 hive_value_h hivex_value_data_cell_offset (hive_h *h, hive_value_h val, size_t *len);
341 Return the offset and length of the value's data cell.
343 The data cell is a registry structure that contains the length (a 4
345 byte, little endian integer) followed by the data.
346 If the length of the value is less than or equal to 4 bytes then the
348 offset and length returned by this function is zero as the data is
349 inlined in the value.
350 Returns 0 and sets errno on error.
352 Returns a value handle. On error this returns 0 and sets errno.
354 hivex_value_value
356 char *hivex_value_value (hive_h *h, hive_value_h val, hive_type *t, size_t *len);
357 Return the value of this (key, value) pair. The value should be
359 interpreted according to its type (see "hive_type").
360 The value is returned as an array of bytes (of length "len"). The
362 value must be freed by the caller when it is no longer needed. On
363 error this returns NULL and sets errno.
364 hivex_value_string
366 char *hivex_value_string (hive_h *h, hive_value_h val);
367 If this value is a string, return the string reencoded as UTF-8 (as a C
369 string). This only works for values which have type "hive_t_string",
370 "hive_t_expand_string" or "hive_t_link".
371 Returns a string. The string must be freed by the caller when it is no
373 longer needed. On error this returns NULL and sets errno.
374 hivex_value_multiple_strings
376 char **hivex_value_multiple_strings (hive_h *h, hive_value_h val);
377 If this value is a multiple-string, return the strings reencoded as
379 UTF-8 (in C, as a NULL-terminated array of C strings, in other language
380 bindings, as a list of strings). This only works for values which have
381 type "hive_t_multiple_strings".
382 Returns a NULL-terminated array of C strings. The strings and the
384 array must all be freed by the caller when they are no longer needed.
385 On error this returns NULL and sets errno.
386 hivex_value_dword
388 int32_t hivex_value_dword (hive_h *h, hive_value_h val);
389 If this value is a DWORD (Windows int32), return it. This only works
391 for values which have type "hive_t_dword" or "hive_t_dword_be".
392 hivex_value_qword
394 int64_t hivex_value_qword (hive_h *h, hive_value_h val);
395 If this value is a QWORD (Windows int64), return it. This only works
397 for values which have type "hive_t_qword".
398 hivex_commit
400 int hivex_commit (hive_h *h, const char *filename, int flags);
401 Commit (write) any changes which have been made.
403 "filename" is the new file to write. If "filename" is null/undefined
405 then we overwrite the original file (ie. the file name that was passed
406 to "hivex_open").
407 Note this does not close the hive handle. You can perform further
409 operations on the hive after committing, including making more
410 modifications. If you no longer wish to use the hive, then you should
411 close the handle after committing.
412 The flags parameter is unused. Always pass 0.
414 Returns 0 on success. On error this returns -1 and sets errno.
416 hivex_node_add_child
418 hive_node_h hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name);
419 Add a new child node named "name" to the existing node "parent". The
421 new child initially has no subnodes and contains no keys or values.
422 The sk-record (security descriptor) is inherited from the parent.
423 The parent must not have an existing child called "name", so if you
425 want to overwrite an existing child, call "hivex_node_delete_child"
426 first.
427 Returns a node handle. On error this returns 0 and sets errno.
429 hivex_node_delete_child
431 int hivex_node_delete_child (hive_h *h, hive_node_h node);
432 Delete the node "node". All values at the node and all subnodes are
434 deleted (recursively). The "node" handle and the handles of all
435 subnodes become invalid. You cannot delete the root node.
436 Returns 0 on success. On error this returns -1 and sets errno.
438 hivex_node_set_values
440 int hivex_node_set_values (hive_h *h, hive_node_h node, size_t nr_values, const hive_set_value *values, int flags);
441 This call can be used to set all the (key, value) pairs stored in
443 "node".
444 "node" is the node to modify.
446 The flags parameter is unused. Always pass 0.
448 "values" is an array of (key, value) pairs. There should be
450 "nr_values" elements in this array.
451 Any existing values stored at the node are discarded, and their
453 "hive_value_h" handles become invalid. Thus you can remove all values
454 stored at "node" by passing "nr_values = 0".
455 Returns 0 on success. On error this returns -1 and sets errno.
457 hivex_node_set_value
459 int hivex_node_set_value (hive_h *h, hive_node_h node, const hive_set_value *val, int flags);
460 This call can be used to replace a single "(key, value)" pair stored in
462 "node". If the key does not already exist, then a new key is added.
463 Key matching is case insensitive.
464 "node" is the node to modify.
466 The flags parameter is unused. Always pass 0.
468 "value" is a single (key, value) pair.
470 Existing "hive_value_h" handles become invalid.
472 Returns 0 on success. On error this returns -1 and sets errno.
474
476 The hivex library supports making limited modifications to hive files.
477 We have tried to implement this very conservatively in order to reduce
478 the chance of corrupting your registry. However you should be careful
479 and take back-ups, since Microsoft has never documented the hive
480 format, and so it is possible there are nuances in the reverse-
481 engineered format that we do not understand.
482 To be able to modify a hive, you must pass the "HIVEX_OPEN_WRITE" flag
484 to "hivex_open", otherwise any write operation will return with errno
485 "EROFS".
486 The write operations shown below do not modify the on-disk file
488 immediately. You must call "hivex_commit" in order to write the
489 changes to disk. If you call "hivex_close" without committing then any
490 writes are discarded.
491 Hive files internally consist of a "memory dump" of binary blocks (like
493 the C heap), and some of these blocks can be unused. The hivex library
494 never reuses these unused blocks. Instead, to ensure robustness in the
495 face of the partially understood on-disk format, hivex only allocates
496 new blocks after the end of the file, and makes minimal modifications
497 to existing structures in the file to point to these new blocks. This
498 makes hivex slightly less disk-efficient than it could be, but disk is
499 cheap, and registry modifications tend to be very small.
500 When deleting nodes, it is possible that this library may leave
502 unreachable live blocks in the hive. This is because certain parts of
503 the hive disk format such as security (sk) records and big data (db)
504 records and classname fields are not well understood (and not
505 documented at all) and we play it safe by not attempting to modify
506 them. Apart from wasting a little bit of disk space, it is not thought
507 that unreachable blocks are a problem.
508 WRITE OPERATIONS WHICH ARE NOT SUPPORTED
510 · Changing the root node.
511 · Creating a new hive file from scratch. This is impossible at
513 present because not all fields in the header are understood. In
514 the hivex source tree is a file called "images/minimal" which could
515 be used as the basis for a new hive (but caveat emptor).
516 · Modifying or deleting single values at a node.
518 · Modifying security key (sk) records or classnames. Previously we
520 did not understand these records. However now they are well-
521 understood and we could add support if it was required (but nothing
522 much really uses them).
523
525 The visitor pattern is useful if you want to visit all nodes in the
526 tree or all nodes below a certain point in the tree.
527 First you set up your own "struct hivex_visitor" with your callback
529 functions.
530 Each of these callback functions should return 0 on success or -1 on
532 error. If any callback returns -1, then the entire visit terminates
533 immediately. If you don't need a callback function at all, set the
534 function pointer to NULL.
535 struct hivex_visitor {
537 int (*node_start) (hive_h *, void *opaque, hive_node_h, const char *name);
538 int (*node_end) (hive_h *, void *opaque, hive_node_h, const char *name);
539 int (*value_string) (hive_h *, void *opaque, hive_node_h, hive_value_h,
540 hive_type t, size_t len, const char *key, const char *str);
541 int (*value_multiple_strings) (hive_h *, void *opaque, hive_node_h,
542 hive_value_h, hive_type t, size_t len, const char *key, char **argv);
543 int (*value_string_invalid_utf16) (hive_h *, void *opaque, hive_node_h,
544 hive_value_h, hive_type t, size_t len, const char *key,
545 const char *str);
546 int (*value_dword) (hive_h *, void *opaque, hive_node_h, hive_value_h,
547 hive_type t, size_t len, const char *key, int32_t);
548 int (*value_qword) (hive_h *, void *opaque, hive_node_h, hive_value_h,
549 hive_type t, size_t len, const char *key, int64_t);
550 int (*value_binary) (hive_h *, void *opaque, hive_node_h, hive_value_h,
551 hive_type t, size_t len, const char *key, const char *value);
552 int (*value_none) (hive_h *, void *opaque, hive_node_h, hive_value_h,
553 hive_type t, size_t len, const char *key, const char *value);
554 int (*value_other) (hive_h *, void *opaque, hive_node_h, hive_value_h,
555 hive_type t, size_t len, const char *key, const char *value);
556 /* If value_any callback is not NULL, then the other value_*
557 * callbacks are not used, and value_any is called on all values.
558 */
559 int (*value_any) (hive_h *, void *opaque, hive_node_h, hive_value_h,
560 hive_type t, size_t len, const char *key, const char *value);
561 };
562 hivex_visit
564 int hivex_visit (hive_h *h, const struct hivex_visitor *visitor, size_t len, void *opaque, int flags);
565 Visit all the nodes recursively in the hive "h".
567 "visitor" should be a "hivex_visitor" structure with callback
569 fields filled in as required (unwanted callbacks can be set to
570 NULL). "len" must be the length of the 'visitor' struct (you
571 should pass "sizeof (struct hivex_visitor)" for this).
572 This returns 0 if the whole recursive visit was completed
574 successfully. On error this returns -1. If one of the callback
575 functions returned an error than we don't touch errno. If the
576 error was generated internally then we set errno.
577 You can skip bad registry entries by setting "flag" to
579 "HIVEX_VISIT_SKIP_BAD". If this flag is not set, then a bad
580 registry causes the function to return an error immediately.
581 This function is robust if the registry contains cycles or pointers
583 which are invalid or outside the registry. It detects these cases
584 and returns an error.
585 hivex_visit_node
587 int hivex_visit_node (hive_h *h, hive_node_h node, const struct hivex_visitor *visitor, size_t len, void *opaque);
588 Same as "hivex_visit" but instead of starting out at the root, this
590 starts at "node".
591
593 Note: To understand the relationship between hives and the common
594 Windows Registry keys (like "HKEY_LOCAL_MACHINE") please see the
595 Wikipedia page on the Windows Registry.
596 The Windows Registry is split across various binary files, each file
598 being known as a "hive". This library only handles a single hive file
599 at a time.
600 Hives are n-ary trees with a single root. Each node in the tree has a
602 name.
603 Each node in the tree (including non-leaf nodes) may have an arbitrary
605 list of (key, value) pairs attached to it. It may be the case that one
606 of these pairs has an empty key. This is referred to as the default
607 key for the node.
608 The (key, value) pairs are the place where the useful data is stored in
610 the registry. The key is always a string (possibly the empty string
611 for the default key). The value is a typed object (eg. string, int32,
612 binary, etc.).
613 RELATIONSHIP TO .REG FILES
615 The hivex C library does not care about or deal with Windows .REG
616 files. Instead we push this complexity up to the Perl Win::Hivex(3)
617 library and the Perl programs hivexregedit(1) and virt-win-reg(1).
618 Nevertheless it is useful to look at the relationship between the
619 Registry and .REG files because they are so common.
620 A .REG file is a textual representation of the registry, or part of the
622 registry. The actual registry hives that Windows uses are binary
623 files. There are a number of Windows and Linux tools that let you
624 generate .REG files, or merge .REG files back into the registry hives.
625 Notable amongst them is Microsoft's REGEDIT program (formerly known as
626 REGEDT32).
627 A typical .REG file will contain many sections looking like this:
629 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Stack]
631 "@"="Generic Stack"
632 "TileInfo"="prop:System.FileCount"
633 "TilePath"=str(2):"%systemroot%\\system32"
634 "ThumbnailCutoff"=dword:00000000
635 "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
636 6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,\
637 33,00,32,00,5c,00,73,00,65,00,61,00,72,00,63,00,68,00,66,00,\
638 6f,00,6c,00,64,00,65,00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,\
639 2d,00,39,00,30,00,32,00,38,00,00,00,d8
640 Taking this one piece at a time:
642 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Stack]
644 This is the path to this node in the registry tree. The first part,
646 "HKEY_LOCAL_MACHINE\SOFTWARE" means that this comes from a hive file
647 called "C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE". "\Classes\Stack" is the
648 real path part, starting at the root node of the "SOFTWARE" hive.
649 Below the node name is a list of zero or more key-value pairs. Any
651 interior or leaf node in the registry may have key-value pairs
652 attached.
653 "@"="Generic Stack"
655 This is the "default key". In reality (ie. inside the binary hive) the
657 key string is the empty string. In .REG files this is written as "@"
658 but this has no meaning either in the hives themselves or in this
659 library. The value is a string (type 1 - see "enum hive_type" above).
660 "TileInfo"="prop:System.FileCount"
662 This is a regular (key, value) pair, with the value being a type 1
664 string. Note that inside the binary file the string is likely to be
665 UTF-16LE encoded. This library converts to and from UTF-8 strings
666 transparently in some cases.
667 "TilePath"=str(2):"%systemroot%\\system32"
669 The value in this case has type 2 (expanded string) meaning that some
671 %...% variables get expanded by Windows. (This library doesn't know or
672 care about variable expansion).
673 "ThumbnailCutoff"=dword:00000000
675 The value in this case is a dword (type 4).
677 "FriendlyTypeName"=hex(2):40,00,....
679 This value is an expanded string (type 2) represented in the .REG file
681 as a series of hex bytes. In this case the string appears to be a
682 UTF-16LE string.
683
685 Many functions in this library set errno to indicate errors. These are
686 the values of errno you may encounter (this list is not exhaustive):
687 ENOTSUP
689 Corrupt or unsupported Registry file format.
690 HIVEX_NO_KEY
692 Missing root key.
693 EINVAL
695 Passed an invalid argument to the function.
696 EFAULT
698 Followed a Registry pointer which goes outside the registry or
699 outside a registry block.
700 ELOOP
702 Registry contains cycles.
703 ERANGE
705 Field in the registry out of range.
706 EEXIST
708 Registry key already exists.
709 EROFS
711 Tried to write to a registry which is not opened for writing.
712
714 HIVEX_DEBUG
715 Setting HIVEX_DEBUG=1 will enable very verbose messages. This is
716 useful for debugging problems with the library itself.
717
719 hivexget(1), hivexml(1), hivexsh(1), hivexregedit(1), virt-win-reg(1),
720 Win::Hivex(3), guestfs(3), <http://libguestfs.org/>, virt-cat(1),
721 virt-edit(1), <http://en.wikipedia.org/wiki/Windows_Registry>.
722
724 Richard W.M. Jones ("rjones at redhat dot com")
725
727 Copyright (C) 2009-2010 Red Hat Inc.
728 Derived from code by Petter Nordahl-Hagen under a compatible license:
730 Copyright (C) 1997-2007 Petter Nordahl-Hagen.
731 Derived from code by Markus Stephany under a compatible license:
733 Copyright (C) 2000-2004 Markus Stephany.
734 This library is free software; you can redistribute it and/or modify it
736 under the terms of the GNU Lesser General Public License as published
737 by the Free Software Foundation; version 2.1 of the License only.
738 This library is distributed in the hope that it will be useful, but
740 WITHOUT ANY WARRANTY; without even the implied warranty of
741 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
742 Lesser General Public License for more details.
743hivex-1.3.10 2018-04-12 hivex(3)