hivexsh(1)

NAME

   hivexsh - Windows Registry hive shell

SYNOPSIS

    hivexsh [-options] [hivefile]

DESCRIPTION

   This program provides a simple shell for navigating Windows Registry
   'hive' files.  It uses the hivex library for access to these binary
   files.

   Firstly you will need to provide a hive file from a Windows operating
   system.  The hive files are usually located in
   "C:\Windows\System32\Config" and have names like "software", "system"
   etc. (without any file extension).  For more information about hive
   files, read hivex(3).  For information about downloading files from
   virtual machines, read virt-cat(1) and guestfish(1).

   You can provide the name of the hive file to examine on the command
   line.  For example:

    hivexsh software

   Or you can start "hivexsh" without any arguments, and immediately use
   the "load" command to load a hive:

    $ hivexsh

    Welcome to hivexsh, the hivex interactive shell for examining
    Windows Registry binary hive files.

    Type: 'help' for help with commands
          'quit' to quit the shell

    > load software
    software\>

   Navigate through the hive's keys using the "cd" command, as if it
   contained a filesystem, and use "ls" to list the subkeys of the current
   key.  Other commands are listed below.

OPTIONS

   -d  Enable lots of debug messages.  If you find a Registry file that
       this program cannot parse, please enable this option and post the
       complete output and the Registry hive file in your bug report.

   -f filename
       Read commands from "filename" instead of stdin.  To write a hivexsh
       script, use:

        #!/usr/bin/hivexsh -f

   -w  If this option is given, then writes are allowed to the hive (see
       "commit" command below, and the discussion of modifying hives in
       "WRITING TO HIVE FILES" in hivex(3)).

       Important Note: Even if you specify this option, nothing is written
       to a hive unless you call the "commit" command.  If you exit the
       shell without committing, all changes will be discarded.

       If this option is not given, then write commands are disabled.

COMMANDS

   add name
       Add a subkey named "name" below the current node.  The name may
       contain spaces and punctuation characters, and does not need to be
       quoted.

       The new key will have no subkeys and no values (see "setval").

       There must be no existing subkey called "name", or this command
       will fail.  To replace an existing subkey, delete it first like
       this:

        cd name
        del

   cd path
       Change to the subkey "path".  Use Windows-style backslashes to
       separate path elements, and start with a backslash in order to
       start from the root of the hive.  For example:

        cd \Classes\*

       moves from the root node, to the "Classes" node, to the "*" node.
       If you were already at the root node, you could do this instead:

        cd Classes\*

       or even:

        cd Classes
        cd *

       Path elements (node names) are matched case insensitively, and
       characters like space, "*", and "?" have no special significance.

       "cd .." may be used to go to the parent directory.

       "cd" without any arguments prints the current path.

       Be careful with "cd \" since the readline library has an
       undocumented behaviour where it will think the final backslash is a
       continuation (it reads the next line of input and appends it).  Put
       a single space after the backslash.

   close | unload
       Close the currently loaded hive.

       If you modified the hive, all uncommitted writes are lost when you
       call this command (or if the shell exits).  You have to call
       "commit" to write changes.

   commit [newfile]
       Commit changes to the hive.  If the optional "newfile" parameter is
       supplied, then the hive is written to that file, else the original
       file is overwritten.

       Note that you have to specify the "-w" flag, otherwise no writes
       are allowed.

   del Delete the current node and everything beneath it.  The current
       directory is moved up one level (as if you did "cd ..") after this
       command.

       You cannot delete the root node.

   exit | quit
       Exit the shell.

   load hivefile
       Load the binary hive named "hivefile".  The currently loaded hive,
       if any, is closed.  The current directory is changed back to the
       root node.

   ls  List the subkeys of the current hive Registry key.  Note this
       command does not take any arguments.

   lsval [key]
       List the (key, value) pairs of the current hive Registry key.  If
       no argument is given then all pairs are displayed.  If "key" is
       given, then the value of the named key is displayed.  If "@" is
       given, then the value of the default key is displayed.

   setval nrvals
       This command replaces all (key, value) pairs at the current node
       with the values in subsequent input.  "nrvals" is the number of
       values (i.e. (key, value) pairs), and any existing values at this
       node are deleted.  So "setval 0" just deletes any values at the
       current node.

       The command reads 2 * nrvals lines of input, with each pair of
       lines of input corresponding to a key and a value to add.

       For example, the following setval command replaces whatever is at
       the current node with two (key, value) pairs.  The default key is
       set to the UTF16-LE-encoded string "abcd".  The other value is
       named "ANumber" and is a little-endian DWORD 0x12345678.

        setval 2
        @
        string:abcd
        ANumber
        dword:12345678

       The first line of each pair is the key (the special key "@" means
       the default key, but you can also use a blank line).

       The second line of each pair is the value, which has a special
       format "type:value" with possible types summarized in the table
       below:

        none                 No data is stored, and the type is set to 0.

        string:abc           "abc" is stored as a UTF16-LE-encoded
                             string (type 1).  Note that only 7 bit
                             ASCII strings are supported as input.

        expandstring:...     Same as string but with type 2.

        dword:0x01234567     A DWORD (type 4) with the hex value
                             0x01234567.  You can also use decimal
                             or octal numbers here.

        qword:0x0123456789abcdef
                             A QWORD (type 11) with the hex value
                             0x0123456789abcdef.  You can also use
                             decimal or octal numbers here.

        hex:<type>:<hexbytes>
        hex:1:41,00,42,00,43,00,44,00,00,00
                             This is the generic way to enter any
                             value.  <type> is the integer value type.
                             <hexbytes> is a list of pairs of hex
                             digits which are treated as bytes.
                             (Any non-hex-digits here are ignored,
                             so you can separate bytes with commas
                             or spaces if you want).
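       The following helper builds "setval" input in the generic
       "hex:<type>:<hexbytes>" form described in the table above, which is
       the only way to enter strings that the "string:" type cannot carry
       (it accepts 7 bit ASCII only).  This is an added example, not part of
       hivexsh or the hivex library; the REG_MULTI_SZ type number 7 and the
       helper names are assumptions, and the sample values are constructed.

```python
import struct

# Registry value type numbers as given in the table above.
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_QWORD = 0, 1, 2, 4, 11
REG_MULTI_SZ = 7  # assumption: standard Windows type number, not listed on the page

def hex_line(vtype, data):
    """Render raw bytes as a hivexsh 'hex:<type>:<hexbytes>' value line."""
    return "hex:%d:%s" % (vtype, ",".join("%02x" % b for b in data))

def string_value(text, vtype=REG_SZ):
    """UTF-16LE string plus NUL terminator.  Unlike 'string:', this accepts
    non-ASCII text, because the bytes are spelled out explicitly."""
    return hex_line(vtype, text.encode("utf-16-le") + b"\x00\x00")

def dword_value(n):
    """Little-endian 32-bit value, the same bytes 'dword:' produces."""
    return hex_line(REG_DWORD, struct.pack("<I", n))

def qword_value(n):
    """Little-endian 64-bit value, the same bytes 'qword:' produces."""
    return hex_line(REG_QWORD, struct.pack("<Q", n))

def multi_string_value(items):
    """REG_MULTI_SZ: each string NUL-terminated, then an extra empty string."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in items)
    return hex_line(REG_MULTI_SZ, data + b"\x00\x00")

def setval_block(pairs):
    """Build the complete 'setval N' input: N, then key/value line pairs.
    Use '@' as the key name for the default value."""
    lines = ["setval %d" % len(pairs)]
    for key, value in pairs:
        lines += [key, value]
    return "\n".join(lines)

def parse_hex_line(line):
    """Inverse of hex_line: skip any non-hex separators, as hivexsh does."""
    prefix, vtype, rest = line.split(":", 2)
    if prefix != "hex":
        raise ValueError("not a hex: value line")
    digits = "".join(c for c in rest if c in "0123456789abcdefABCDEF")
    return int(vtype), bytes.fromhex(digits)

if __name__ == "__main__":
    # Constructed sample: default value, a non-ASCII string and a DWORD.
    print(setval_block([("@", string_value("ABCD")),
                        ("Vendor", string_value("Müller GmbH")),
                        ("ANumber", dword_value(0x12345678))]))
```

       Feed the printed block to hivexsh (started with "-w", followed by
       "commit") via "-f" or on stdin; string_value("ABCD") reproduces the
       "hex:1:41,00,..." line from the table exactly.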

EXAMPLE

    $ guestfish --ro -i Windows7
    ><fs> download win:c:\windows\system32\config\software software
    ><fs> quit

    $ hivexsh software

    Welcome to hivexsh, the hivex interactive shell for examining
    Windows Registry binary hive files.

    Type: 'help' for help with commands
          'quit' to quit the shell

    software\> ls
    ATI Technologies
    Classes
    Clients
    Intel
    Microsoft
    ODBC
    Policies
    RegisteredApplications
    Sonic
    Wow6432Node
    software\> quit

SEE ALSO

   hivex(3), hivexget(1), hivexml(1), virt-win-reg(1), guestfs(3),
   <http://libguestfs.org/>, virt-cat(1), virt-edit(1).

AUTHORS

   Richard W.M. Jones ("rjones at redhat dot com")

COPYRIGHT

   Copyright (C) 2009-2010 Red Hat Inc.

   This program is free software; you can redistribute it and/or modify it
   under the terms of the GNU General Public License as published by the
   Free Software Foundation; either version 2 of the License, or (at your
   option) any later version.

   This program is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received a copy of the GNU General Public License along
   with this program; if not, write to the Free Software Foundation, Inc.,
   51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
