hivexsh(1)                    Windows Registry                    hivexsh(1)



NAME
       hivexsh - Windows Registry hive shell

SYNOPSIS
       hivexsh [-options] [hivefile]

DESCRIPTION
       This program provides a simple shell for navigating Windows Registry
       'hive' files.  It uses the hivex library for access to these binary
       files.

       Firstly you will need to provide a hive file from a Windows operating
       system.  The hive files are usually located in
       "C:\Windows\System32\Config" and have names like "software", "system"
       etc (without any file extension).  For more information about hive
       files, read hivex(3).  For information about downloading files from
       virtual machines, read virt-cat(1) and guestfish(1).

       You can provide the name of the hive file to examine on the command
       line.  For example:

           hivexsh software

       Or you can start "hivexsh" without any arguments, and immediately use
       the "load" command to load a hive:

           $ hivexsh

           Welcome to hivexsh, the hivex interactive shell for examining
           Windows Registry binary hive files.

           Type: 'help' for help with commands
                 'quit' to quit the shell

           > load software
           software\>

       Navigate through the hive's keys using the "cd" command, as if it
       contained a filesystem, and use "ls" to list the subkeys of the current
       key.  Other commands are listed below.

OPTIONS
       -d  Enable lots of debug messages.  If you find a Registry file that
           this program cannot parse, please enable this option and post the
           complete output and the Registry hive file in your bug report.

       -f filename
           Read commands from "filename" instead of stdin.  To write a hivexsh
           script, use:

               #!/usr/bin/hivexsh -f

       -u  Use heuristics to tolerate certain levels of corruption within
           hives.

           This is unsafe, but it may make it possible to export or merge the
           valid keys and values from an otherwise corrupted hive.  Because
           the heuristics may misinterpret damaged structures, treat anything
           recovered this way as unverified.

       -w  If this option is given, then writes are allowed to the hive (see
           "commit" command below, and the discussion of modifying hives in
           "WRITING TO HIVE FILES" in hivex(3)).

           Important Note: Even if you specify this option, nothing is written
           to a hive unless you call the "commit" command.  If you exit the
           shell without committing, all changes will be discarded.

           If this option is not given, then write commands are disabled.

COMMANDS
       add name
           Add a subkey named "name" below the current node.  The name may
           contain spaces and punctuation characters, and does not need to be
           quoted.

           The new key will have no subkeys and no values (see "setval").

           There must be no existing subkey called "name", or this command
           will fail.  To replace an existing subkey, delete it first like
           this:

               cd name
               del

           ("del" moves you back up to the parent node, so "add name" can
           follow immediately.)

       cd path
           Change to the subkey "path".  Use Windows-style backslashes to
           separate path elements, and start with a backslash in order to
           start from the root of the hive.  For example:

               cd \Classes\*

           moves from the root node, to the "Classes" node, to the "*" node.
           If you were already at the root node, you could do this instead:

               cd Classes\*

           or even:

               cd Classes
               cd *

           Path elements (node names) are matched case-insensitively, and
           characters like space, "*", and "?" have no special significance.

           "cd .." may be used to go to the parent node.

           "cd" without any arguments prints the current path.

           Be careful with "cd \" since the readline library has an
           undocumented behaviour where it will treat the final backslash as a
           line continuation (it reads the next line of input and appends it).
           Put a single space after the backslash.

116
117 close | unload
118 Close the currently loaded hive.
119
120 If you modified the hive, all uncommitted writes are lost when you
121 call this command (or if the shell exits). You have to call
122 "commit" to write changes.
123
124 commit [newfile]
125 Commit changes to the hive. If the optional "newfile" parameter is
126 supplied, then the hive is written to that file, else the original
127 file is overwritten.
128
129 Note that you have to specify the "-w" flag, otherwise no writes
130 are allowed.
131
132 del Delete the current node and everything beneath it. The current
133 directory is moved up one level (as if you did "cd ..") after this
134 command.
135
136 You cannot delete the root node.
137
138 exit | quit
139 Exit the shell.
140
141 load hivefile
142 Load the binary hive named "hivefile". The currently loaded hive,
143 if any, is closed. The current directory is changed back to the
144 root node.
145
146 ls List the subkeys of the current hive Registry key. Note this
147 command does not take any arguments.
148
149 lsval [key]
150 List the (key, value) pairs of the current hive Registry key. If
151 no argument is given then all pairs are displayed. If "key" is
152 given, then the value of the named key is displayed. If "@" is
153 given, then the value of the default key is displayed.
154
155 setval nrvals
156 This command replaces all (key, value) pairs at the current node
157 with the values in subsequent input. "nrvals" is the number of
158 values (ie. (key, value) pairs), and any existing values at this
159 node are deleted. So "setval 0" just deletes any values at the
160 current node.
161
162 The command reads 2 * nrvals lines of input, with each pair of
163 lines of input corresponding to a key and a value to add.
164
165 For example, the following setval command replaces whatever is at
166 the current node with two (key, value) pairs. The default key is
167 set to the UTF16-LE-encoded string "abcd". The other value is
168 named "ANumber" and is a little-endian DWORD 0x12345678.
169
170 setval 2
171 @
172 string:abcd
173 ANumber
174 dword:12345678
175
176 The first line of each pair is the key (the special key "@" means
177 the default key, but you can also use a blank line).
178
179 The second line of each pair is the value, which has a special
180 format "type:value" with possible types summarized in the table
181 below:
182
183 none No data is stored, and the type is set to 0.
184
185 string:abc "abc" is stored as a UTF16-LE-encoded
186 string (type 1). Note that only 7 bit
187 ASCII strings are supported as input.
188
189 expandstring:... Same as string but with type 2.
190
191 dword:0x01234567 A DWORD (type 4) with the hex value
192 0x01234567. You can also use decimal
193 or octal numbers here.
194
195 qword:0x0123456789abcdef
196 A QWORD (type 11) with the hex value
197 0x0123456789abcdef. You can also use
198 decimal or octal numbers here.
199
200 hex:<type>:<hexbytes>
201 hex:1:41,00,42,00,43,00,44,00,00,00
202 This is the generic way to enter any
203 value. <type> is the integer value type.
204 <hexbytes> is a list of pairs of hex
205 digits which are treated as bytes.
206 (Any non-hex-digits here are ignored,
207 so you can separate bytes with commas
208 or spaces if you want).
209
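       The following Python program is an added example, not part of hivex
       or of this manual: it generates a hivexsh command script covering the
       "cd" root caveat, the delete-then-"add" replacement of a subkey, and
       the "setval" input format above, including the "hex:" form for strings
       the "string:" shorthand cannot take (non-ASCII text) and for types that
       have no shorthand (REG_MULTI_SZ, REG_BINARY).  The REG_* numbers are
       the standard Windows value types; the function names, the key path
       "Microsoft\Example" and the output file "software.new" are the
       example's own.

```python
"""Generate hivexsh command scripts.

Added example, not part of hivex.  hivexsh reads commands line by line from
stdin or from the file named with -f, so an edit can be prepared as text,
reviewed, and then run with:  hivexsh -w -f edit.hsh
"""

# Standard Windows registry value types (the <type> number in hex:<type>:...)
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 0, 1, 2, 3, 4
REG_MULTI_SZ, REG_QWORD = 7, 11


def hexbytes(reg_type: int, data: bytes) -> str:
    """Generic form: one value line of comma-separated hex byte pairs."""
    return f"hex:{reg_type}:" + ",".join(f"{b:02x}" for b in data)


def encode_sz(text: str, reg_type: int = REG_SZ) -> str:
    """REG_SZ / REG_EXPAND_SZ.  The shorthand is used when hivexsh accepts the
    input directly (7-bit ASCII, no newline); otherwise the string is encoded
    here as NUL-terminated UTF-16LE, the same bytes "string:" stores."""
    if reg_type not in (REG_SZ, REG_EXPAND_SZ):
        raise ValueError("encode_sz handles REG_SZ and REG_EXPAND_SZ only")
    if text.isascii() and "\n" not in text:
        return ("string:" if reg_type == REG_SZ else "expandstring:") + text
    return hexbytes(reg_type, (text + "\0").encode("utf-16-le"))


def encode_multi_sz(items) -> str:
    """REG_MULTI_SZ has no shorthand: NUL-terminated UTF-16LE strings, with an
    extra NUL closing the list."""
    data = "".join(s + "\0" for s in items) + "\0"
    return hexbytes(REG_MULTI_SZ, data.encode("utf-16-le"))


def encode_binary(data: bytes) -> str:
    """REG_BINARY (type 3), also only reachable through the hex form."""
    return hexbytes(REG_BINARY, data)


def encode_int(value: int, reg_type: int = REG_DWORD) -> str:
    """dword:/qword: with an explicit 0x prefix, because hivexsh reads a bare
    number as decimal (or octal with a leading 0).  Range-checked here,
    before the text ever reaches hivexsh."""
    bits = {REG_DWORD: 32, REG_QWORD: 64}.get(reg_type)
    if bits is None:
        raise ValueError("encode_int handles REG_DWORD and REG_QWORD only")
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{value:#x} does not fit in {bits} bits")
    return f"{'dword' if bits == 32 else 'qword'}:{value:#x}"


def setval_block(values: dict) -> str:
    """One "setval" command plus the 2*nrvals lines hivexsh reads after it.
    values maps a value name ("@" or "" for the default value) to an
    already-encoded "type:value" line.  An embedded newline would put the
    line count hivexsh relies on out of step, so it is rejected."""
    lines = [f"setval {len(values)}"]
    for name, encoded in values.items():
        if "\n" in name or "\n" in encoded:
            raise ValueError(f"embedded newline in value {name!r}")
        lines += [name, encoded]
    return "\n".join(lines)


def cd_command(path: str) -> str:
    """Absolute "cd".  The hive root is written "cd \\ " (backslash, space)
    because a trailing backslash alone is swallowed by readline as a line
    continuation."""
    path = "\\" + path.strip("\\")
    return "cd \\ " if path == "\\" else "cd " + path


def replace_subkey_commands(name: str) -> str:
    """'add' fails if the subkey exists, so delete it first; 'del' moves up
    one level, which is why 'add' follows with no 'cd ..'.  Use only when the
    subkey is known to exist: should 'cd name' fail and the script carry on,
    'del' would delete the current node instead."""
    return "\n".join(["cd " + name, "del", "add " + name])


def edit_script(hive: str, key_path: str, values: dict, commit_to: str = "") -> str:
    """Complete script: load, cd, setval, commit, quit.  Nothing reaches disk
    unless hivexsh was started with -w and the script gets to "commit";
    "commit newfile" leaves the original hive untouched."""
    commit = f"commit {commit_to}" if commit_to else "commit"
    return "\n".join([f"load {hive}", cd_command(key_path),
                      setval_block(values), commit, "quit"]) + "\n"


if __name__ == "__main__":
    # Constructed demonstration: the manual's two values plus two that need
    # the hex form, committed to a copy rather than over the original.
    print(edit_script("software", "Microsoft\\Example", {
        "@": encode_sz("abcd"),
        "ANumber": encode_int(0x12345678),
        "Owner": encode_sz("Jos\u00e9"),
        "Paths": encode_multi_sz(["C:\\a", "C:\\b"]),
    }, commit_to="software.new"), end="")
```

       Save the printed text as edit.hsh and run "hivexsh -w -f edit.hsh";
       without -w the "setval" and "commit" lines are refused, and with
       "commit software.new" the downloaded hive is never modified in place.
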
EXAMPLE
       The following session downloads the "software" hive from a Windows 7
       guest with guestfish (opened read-only with "--ro", so the guest disk
       is not modified) and lists the keys at the root of the hive:

           $ guestfish --ro -i Windows7
           ><fs> download win:c:\windows\system32\config\software software
           ><fs> quit

           $ hivexsh software

           Welcome to hivexsh, the hivex interactive shell for examining
           Windows Registry binary hive files.

           Type: 'help' for help with commands
                 'quit' to quit the shell

           software\> ls
           ATI Technologies
           Classes
           Clients
           Intel
           Microsoft
           ODBC
           Policies
           RegisteredApplications
           Sonic
           Wow6432Node
           software\> quit

SEE ALSO
       hivex(3), hivexget(1), hivexml(1), virt-win-reg(1), guestfs(3),
       <http://libguestfs.org/>, virt-cat(1), virt-edit(1).

AUTHORS
       Richard W.M. Jones ("rjones at redhat dot com")

COPYRIGHT
       Copyright (C) 2009-2010 Red Hat Inc.

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program; if not, write to the Free Software Foundation, Inc.,
       51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.



hivex-1.3.18                      2020-02-27                       hivexsh(1)