hivexregedit(1)                Windows Registry                hivexregedit(1)

NAME
hivexregedit - Merge and export Registry changes from regedit-format
files.

SYNOPSIS
    hivexregedit --merge [--prefix prefix] [--encoding enc] \
            hivefile [regfile]

    hivexregedit --export [--prefix prefix] hivefile key > regfile

DESCRIPTION
Please note hivexregedit is a low-level tool for manipulating hive
files directly. To merge or export registry changes to Windows virtual
machines it's better to use virt-win-reg(1).

Given a local binary ("hive") file, there are two modes. "--merge"
imports (merges) changes from a regedit-format file into the hive. It
is similar to using the "/s" switch in Windows regedit.exe.

"--export" exports a Registry key (recursively) into the regedit
format.

ENCODING
"hivexregedit" expects that regedit files have already been re-encoded
in the local encoding. Usually on Linux hosts, this means UTF-8 with
Unix-style line endings. Since Windows regedit files are often in
UTF-16LE with Windows-style line endings, you may need to re-encode the
whole file before or after processing.

To re-encode a file from Windows format to Linux (before processing it
with the "--merge" option), you would do something like this:

    iconv -f utf-16le -t utf-8 < win.reg | dos2unix > linux.reg

To go in the opposite direction, after using "--export" and before
sending the file to a Windows user, do something like this:

    unix2dos < linux.reg | iconv -f utf-8 -t utf-16le > win.reg

For more information about encoding, see Win::Hivex::Regedit(3).

If you are unsure about the current encoding, use the file(1) command.
Recent versions of Windows regedit.exe produce a UTF-16LE file with
Windows-style (CRLF) line endings, like this:

    $ file software.reg
    software.reg: Little-endian UTF-16 Unicode text, with very long lines,
    with CRLF line terminators

This file would need conversion before you could "--merge" it.
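
The check and conversion described above, combined into one step as an
added example (not part of the hivex distribution): it inspects the first
bytes of a regedit file, re-encodes only when needed and drops the byte
order mark. The function names and the encoding labels they print are
hypothetical; od(1), tail(1) and iconv(1) are assumed to be installed.

```sh
#!/bin/sh
# Added example, not from the hivex project. Function names and the
# encoding labels they print are hypothetical.

# Classify a regedit file from its first three bytes.
reg_encoding() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case $magic in
        fffe*)   echo utf-16le-bom ;;   # BOM written by recent regedit.exe
        feff*)   echo utf-16be-bom ;;
        efbbbf*) echo utf-8-bom ;;
        ??00*)   echo utf-16le ;;       # ASCII char + NUL byte, no BOM
        *)       echo utf-8 ;;          # assumption: already local encoding
    esac
}

# Write FILE to stdout as UTF-8 with Unix line endings, ready for --merge.
reg_to_linux() {
    case $(reg_encoding "$1") in
        utf-16le-bom) skip=3 from=UTF-16LE ;;   # tail -c +3 drops the BOM
        utf-16le)     skip=1 from=UTF-16LE ;;
        utf-8-bom)    skip=4 from=UTF-8 ;;
        utf-8)        skip=1 from=UTF-8 ;;
        *) echo "$1: unsupported encoding" >&2; return 1 ;;
    esac
    # tr removes every CR; dos2unix(1) can be used here instead.
    tail -c +"$skip" "$1" | iconv -f "$from" -t UTF-8 | tr -d '\r'
}

# Constructed sample: BOM followed by the line "[\A]" + CRLF in UTF-16LE.
write_sample() {
    printf '\377\376[\000\\\000A\000]\000\r\000\n\000' > "$1"
}

tmp=$(mktemp)
write_sample "$tmp"
reg_encoding "$tmp"
reg_to_linux "$tmp"
rm -f "$tmp"
```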

SHELL QUOTING
Be careful when passing parameters containing "\" (backslash) in the
shell. Usually you will have to use 'single quotes' or double
backslashes (but not both) to protect them from the shell.

CurrentControlSet etc.
Registry keys like "CurrentControlSet" don't really exist in the
Windows Registry at the level of the hive file, and therefore you
cannot modify these.

"CurrentControlSet" is usually an alias for "ControlSet001". In some
circumstances it might refer to another control set. The way to find
out is to look at the "HKLM\SYSTEM\Select" key:

    $ hivexregedit --export SYSTEM '\Select'
    [\Select]
    "Current"=dword:00000001
    "Default"=dword:00000001
    "Failed"=dword:00000000
    "LastKnownGood"=dword:00000002

"Current" is the one which Windows will choose when it boots.

Similarly, other "Current..." keys in the path may need to be replaced.
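
One way to apply this before a merge, as an added example (not part of
the hivex distribution): the first function turns the "Current" value of a
'\Select' export into the real control set name, the second rewrites the
key headers of a regedit-format file to use it. The function names and
the sample additions file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the hivex project. Function names are hypothetical.

# Read `hivexregedit --export SYSTEM '\Select'` output on stdin and print
# the control set Windows would boot, e.g. ControlSet001.
current_control_set() {
    hex=$(sed -n 's/^"Current"=dword:\([0-9A-Fa-f]\{8\}\).*$/\1/p' | head -n 1)
    if [ -z "$hex" ]; then
        echo 'no "Current" value found in Select export' >&2
        return 1
    fi
    printf 'ControlSet%03d\n' "$((0x$hex))"
}

# Rewrite regedit-format text on stdin, replacing \CurrentControlSet with the
# set named in $1. Only key header lines (starting with "[") are changed.
rewrite_ccs() {
    sed -e '/^\[/!b' \
        -e 's/\\CurrentControlSet\\/\\'"$1"'\\/' \
        -e 's/\\CurrentControlSet]/\\'"$1"']/'
}

# Constructed sample input: the Select export shown above and a small
# additions file written against the CurrentControlSet alias.
SELECT_EXPORT='[\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002'

ADDITIONS='[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000004
"Comment"="path \\CurrentControlSet\\ inside a value stays as written"'

set_name=$(printf '%s\n' "$SELECT_EXPORT" | current_control_set)
printf '%s\n' "$ADDITIONS" | rewrite_ccs "$set_name"
# The rewritten text can then be fed to:
#   hivexregedit --merge system.hive --prefix 'HKEY_LOCAL_MACHINE\SYSTEM'
```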

EXAMPLES
    $ virt-cat WindowsGuest /Windows/System32/config/software > software.hive
    $ hivexregedit --export \
        --prefix 'HKEY_LOCAL_MACHINE\SOFTWARE' \
        software.hive '\Microsoft' > ms-keys.reg

    $ hivexregedit --merge system.hive \
        --prefix 'HKEY_LOCAL_MACHINE\SYSTEM' additions.reg

OPTIONS
--help
    Display help.

--debug
    Enable debugging in the hivex library. This is useful for
    diagnosing bugs and also malformed hive files.

--merge
        hivexregedit --merge [--prefix prefix] [--encoding enc] \
                hivefile [regfile]

    Merge "regfile" (a regedit-format text file) into the hive
    "hivefile". If "regfile" is omitted, then the program reads from
    standard input. (Also you can give multiple input files).

    "--prefix" specifies the Windows Registry prefix. It is almost
    always necessary to use this when dealing with real hive files.

    "--encoding" specifies the encoding for unmarked strings in the
    input. It defaults to "UTF-16LE" which should work for recent
    versions of Windows. Another possibility is to use "ASCII".

--export
        hivexregedit --export [--prefix prefix] hivefile key > regfile

    "key" is a path within the hive "hivefile". (The key should not
    contain any prefix and should be quoted to defend backslashes from
    the shell). The key is exported, recursively, to standard output
    in the textual regedit format.

    "--prefix" specifies the Windows Registry prefix. It is almost
    always necessary to use this when dealing with real hive files.

--prefix prefix
    Hive files and Windows Registry key names are indirectly related.
    For example, inside the software hive, all keys are stored relative
    to "HKEY_LOCAL_MACHINE\SOFTWARE". Thus
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft" appears in the hive file as
    "\Microsoft".

    The hive format itself does not store this prefix, so you have to
    supply it based on outside knowledge. (virt-win-reg(1), amongst
    other things, already knows about this).

    Usually it is sufficient to pass the parameter "--prefix
    'HKEY_LOCAL_MACHINE\SOFTWARE'" or similar when doing merges and
    exports.

--encoding UTF-16LE|ASCII
    When merging (only), you may need to specify the encoding for
    strings to be used in the hive file. This is explained in detail
    in "ENCODING STRINGS" in Win::Hivex::Regedit(3).

    The default is to use UTF-16LE, which should work with recent
    versions of Windows.

--unsafe-printable-strings
    When exporting (only), assume strings are UTF-16LE and print them
    as strings instead of hex sequences. Remove the final zero
    codepoint from strings if present.

    This is unsafe and does not preserve the fidelity of strings in the
    original hive for various reasons:

    ·   Assumes the original encoding is UTF-16LE. ASCII strings and
        strings in other encodings will be corrupted by this
        transformation.

    ·   Assumes that everything which has type 1 or 2 is really a
        string and that everything else is not a string, but the type
        field in real hives is not reliable.

    ·   Loses information about whether a zero codepoint followed the
        string in the hive or not.

    This all happens because the hive itself contains no information
    about how strings are encoded (see "ENCODING STRINGS" in
    Win::Hivex::Regedit(3)).

    You should only use this option for quick hacking and debugging of
    the hive contents, and never use it if the output is going to be
    passed into another program or stored in another hive.

--unsafe
    Use heuristics to tolerate certain levels of corruption within
    hives.

    This is unsafe but may allow you to export/merge valid keys/values
    in an otherwise corrupted hive.

--max-depth depth
    Limits the recursion depth of the export. For example, an export
    with a max depth of 1 will only include values directly under the
    specified key/prefix. A max depth of 0 will return no values.

    Exports include all child keys by default (fully recursive), which
    may take a while if the registry hive is large / bloated. This
    behavior can also be achieved by providing a negative max depth.

SEE ALSO
virt-win-reg(1), Win::Hivex::Regedit(3), Win::Hivex(3), hivexsh(1),
dos2unix(1), unix2dos(1), iconv(1), <http://libguestfs.org/>.

AUTHOR
Richard W.M. Jones <http://people.redhat.com/~rjones/>

COPYRIGHT
Copyright (C) 2010 Red Hat Inc.

This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA.

hivex-1.3.18                      2020-02-27                   hivexregedit(1)