hivexsh - Man Page

 hivexsh [-options] [hivefile]

This program provides a simple shell for navigating Windows Registry 'hive' files.  It uses the hivex library for access to these binary files.

Firstly you will need to provide a hive file from a Windows operating system.  The hive files are usually located in C:\Windows\System32\Config and have names like software, system etc (without any file extension).  For more information about hive files, read hivex(3).  For information about downloading files from virtual machines, read virt-cat(1) and guestfish(1).

You can provide the name of the hive file to examine on the command line.  For example:

 hivexsh software

Or you can start hivexsh without any arguments, and immediately use the load command to load a hive:

 $ hivexsh

 Welcome to hivexsh, the hivex interactive shell for examining
 Windows Registry binary hive files.

 Type: 'help' for help with commands
       'quit' to quit the shell

 > load software
 software\>

Navigate through the hive's keys using the cd command, as if it contained a filesystem, and use ls to list the subkeys of the current key.  Other commands are listed below.

-d

Enable lots of debug messages.  If you find a Registry file that this program cannot parse, please enable this option and post the complete output and the Registry hive file in your bug report.

-f filename

Read commands from filename instead of stdin.  To write a hivexsh script, use:

 #!/usr/bin/hivexsh -f

-u

Use heuristics to tolerate certain levels of corruption within hives.

This is unsafe but may allow to export/merge valid keys/values in an othewise corrupted hive.

-w

If this option is given, then writes are allowed to the hive (see "commit" command below, and the discussion of modifying hives in "WRITING TO HIVE FILES" in hivex(3)).

Important Note: Even if you specify this option, nothing is written to a hive unless you call the "commit" command.  If you exit the shell without committing, all changes will be discarded.

If this option is not given, then write commands are disabled.

add name

Add a subkey named name below the current node.  The name may contain spaces and punctuation characters, and does not need to be quoted.

The new key will have no subkeys and no values (see setval).

There must be no existing subkey called name, or this command will fail.  To replace an existing subkey, delete it first like this:

 cd name
 del

cd path

Change to the subkey path.  Use Windows-style backslashes to separate path elements, and start with a backslash in order to start from the root of the hive.  For example:

 cd \Classes\*

moves from the root node, to the Classes node, to the * node. If you were already at the root node, you could do this instead:

 cd Classes\*

or even:

 cd Classes
 cd *

Path elements (node names) are matched case insensitively, and characters like space, *, and ? have no special significance.

cd .. may be used to go to the parent directory.

cd without any arguments prints the current path.

Be careful with cd \ since the readline library has an undocumented behaviour where it will think the final backslash is a continuation (it reads the next line of input and appends it).  Put a single space after the backslash.

close | unload

Close the currently loaded hive.

If you modified the hive, all uncommitted writes are lost when you call this command (or if the shell exits).  You have to call commit to write changes.

commit [newfile]

Commit changes to the hive.  If the optional newfile parameter is supplied, then the hive is written to that file, else the original file is overwritten.

Note that you have to specify the -w flag, otherwise no writes are allowed.

del

Delete the current node and everything beneath it.  The current directory is moved up one level (as if you did cd ..) after this command.

You cannot delete the root node.

exit | quit

Exit the shell.

load hivefile

Load the binary hive named hivefile.  The currently loaded hive, if any, is closed.  The current directory is changed back to the root node.

ls

List the subkeys of the current hive Registry key.  Note this command does not take any arguments.

lsval [key]

List the (key, value) pairs of the current hive Registry key.  If no argument is given then all pairs are displayed.  If key is given, then the value of the named key is displayed.  If @ is given, then the value of the default key is displayed.

setval nrvals

This command replaces all (key, value) pairs at the current node with the values in subsequent input.  nrvals is the number of values (ie. (key, value) pairs), and any existing values at this node are deleted.  So setval 0 just deletes any values at the current node.

The command reads 2 * nrvals lines of input, with each pair of lines of input corresponding to a key and a value to add.

For example, the following setval command replaces whatever is at the current node with two (key, value) pairs.  The default key is set to the UTF16-LE-encoded string "abcd".  The other value is named "ANumber" and is a little-endian DWORD 0x12345678.

 setval 2
 @
 string:abcd
 ANumber
 dword:12345678

The first line of each pair is the key (the special key @ means the default key, but you can also use a blank line).

The second line of each pair is the value, which has a special format type:value with possible types summarized in the table below:

 none                 No data is stored, and the type is set to 0.

 string:abc           "abc" is stored as a UTF16-LE-encoded
                      string (type 1).  Note that only 7 bit
                      ASCII strings are supported as input.

 expandstring:...     Same as string but with type 2.

 dword:0x01234567     A DWORD (type 4) with the hex value
                      0x01234567.  You can also use decimal
                      or octal numbers here.

 qword:0x0123456789abcdef
                      A QWORD (type 11) with the hex value
                      0x0123456789abcdef.  You can also use
                      decimal or octal numbers here.

 hex:<type>:<hexbytes>
 hex:1:41,00,42,00,43,00,44,00,00,00
                      This is the generic way to enter any
                      value.  <type> is the integer value type.
                      <hexbytes> is a list of pairs of hex
                      digits which are treated as bytes.
                      (Any non-hex-digits here are ignored,
                      so you can separate bytes with commas
                      or spaces if you want).

 $ guestfish --ro -i Windows7
 ><fs> download win:c:\windows\system32\config\software software
 ><fs> quit

 $ hivexsh software

 Welcome to hivexsh, the hivex interactive shell for examining
 Windows Registry binary hive files.

 Type: 'help' for help with commands
       'quit' to quit the shell

 software\> ls
 ATI Technologies
 Classes
 Clients
 Intel
 Microsoft
 ODBC
 Policies
 RegisteredApplications
 Sonic
 Wow6432Node
 software\> quit

hivex(3), hivexget(1), hivexml(1), virt-win-reg(1), guestfs(3), <http://libguestfs.org/>, virt-cat(1), virt-edit(1).

Richard W.M. Jones (rjones at redhat dot com)

Copyright (C) 2009-2010 Red Hat Inc.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

hivex(3), hivexget(1), hivexml(1), hivexregedit(1), virt-win-reg(1).