hivexsh - Windows Registry hive shell

hivexsh [-options] [hivefile]
This program provides a simple shell for navigating Windows Registry
'hive' files. It uses the hivex library for access to these binary
Firstly you will need to provide a hive file from a Windows operating
system. The hive files are usually located in
C<C:\Windows\System32\Config> and have names like C<software>,
C<system> etc (without any file extension). For more information
about hive files, read L<hivex(3)>. For information about downloading
files from virtual machines, read L<virt-cat(1)> and L<guestfish(1)>.
You can provide the name of the hive file to examine on the command

Or you can start C<hivexsh> without any arguments, and immediately use
the C<load> command to load a hive:
 Welcome to hivexsh, the hivex interactive shell for examining
 Windows Registry binary hive files.

 Type: 'help' for help with commands
       'quit' to quit the shell
Navigate through the hive's keys using the C<cd> command, as if it
contained a filesystem, and use C<ls> to list the subkeys of the
current key. Other commands are listed below.
Enable lots of debug messages. If you find a Registry file that this
program cannot parse, please enable this option and post the complete
output I<and> the Registry hive file in your bug report.

Read commands from C<filename> instead of stdin. To write a hivexsh
If this option is given, then writes are allowed to the hive
(see L</commit> command below, and the discussion of
modifying hives in L<hivex(3)/WRITING TO HIVE FILES>).

B<Important Note:> Even if you specify this option, nothing is written
to a hive unless you call the L</commit> command. If you exit the
shell without committing, all changes will be discarded.

If this option is not given, then write commands are disabled.
Change to the subkey C<path>. Use Windows-style backslashes to
separate path elements, and start with a backslash in order to start
from the root of the hive. For example:

moves from the root node, to the C<Classes> node, to the C<*> node.
If you were already at the root node, you could do this instead:

Path elements (node names) are matched case-insensitively, and
characters like space, C<*>, and C<?> have I<no> special significance.

C<..> may be used to go to the parent directory.
=item B<close> | B<unload>

Close the currently loaded hive.

If you modified the hive, all uncommitted writes are lost when you
call this command (or if the shell exits). You have to call C<commit>
=item B<commit> [newfile]

Commit changes to the hive. If the optional C<newfile> parameter is
supplied, then the hive is written to that file, else the original

Note that you have to specify the C<-w> flag, otherwise no writes are
Delete the current node and everything beneath it. The current
directory is moved up one level (as if you did C<cd ..>) after

You cannot delete the root node.
=item B<exit> | B<quit>

=item B<load> hivefile

Load the binary hive named C<hivefile>. The currently loaded hive, if
any, is closed. The current directory is changed back to the root
List the subkeys of the current hive Registry key. Note this command
does not take any arguments.

List the (key, value) pairs of the current hive Registry key. If no
argument is given then all pairs are displayed. If C<key> is given,
then the value of the named key is displayed. If C<@> is given, then
the value of the default key is displayed.
=item B<setval> nrvals

This command replaces all (key, value) pairs at the current node with
the values in subsequent input. C<nrvals> is the number of values
(i.e. (key, value) pairs), and any existing values at this node are
deleted. So C<setval 0> just deletes any values at the current node.

The command reads 2 * nrvals lines of input, with each pair of
lines of input corresponding to a key and a value to add.

For example, the following setval command replaces whatever is at the
current node with two (key, value) pairs. The default key is set to
the UTF16-LE-encoded string "abcd". The other value is named
"ANumber" and is a little-endian DWORD 0x12345678.

The first line of each pair is the key (the special key C<@> means
the default key, but you can also use a blank line).

The second line of each pair is the value, which has a special format
C<type:value> with possible types summarized in the table below:
 none                  No data is stored, and the type is set to 0.

 string:abc            "abc" is stored as a UTF16-LE-encoded
                       string (type 1). Note that only 7 bit
                       ASCII strings are supported as input.

 expandstring:...      Same as string but with type 2.

 dword:0x01234567      A DWORD (type 4) with the hex value
                       0x01234567. You can also use decimal
                       or octal numbers here.

 qword:0x0123456789abcdef
                       A QWORD (type 11) with the hex value
                       0x0123456789abcdef. You can also use
                       decimal or octal numbers here.

 hex:<type>:<hexbytes>
 hex:1:41,00,42,00,43,00,44,00,00,00
                       This is the generic way to enter any
                       value. <type> is the integer value type.
                       <hexbytes> is a list of pairs of hex
                       digits which are treated as bytes.
                       (Any non-hex-digits here are ignored,
                       so you can separate bytes with commas
                       or spaces if you want).
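
The C<setval> value syntax above, as an added example that is not code from hivexsh or the hivex project: a Python encoder that turns each C<type:value> line into the Registry type number and the raw bytes it denotes, plus a helper that renders the C<setval N> block (with its 2 * N key/value lines) for a script run with C<-f>. It assumes numbers are parsed C-style (C<0x> hex, leading-0 octal, else decimal) and that strings are stored with their terminating NUL, matching the C<hex:1:41,00,...> example.

```python
import re

# Registry value types used by hivexsh's setval syntax (from the table above)
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_QWORD = 0, 1, 2, 4, 11


def _c_int(text):
    """Parse like C strtol(..., 0): 0x -> hex, leading 0 -> octal, else decimal (assumed)."""
    t = text.strip().lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t[1:], 8)
    return int(t, 10)


def encode_value(spec):
    """Turn one 'type:value' line into (registry type number, raw bytes)."""
    kind, _, rest = spec.partition(":")
    kind = kind.lower()
    if kind == "none":
        return REG_NONE, b""
    if kind in ("string", "expandstring"):
        if not rest.isascii():
            raise ValueError("only 7-bit ASCII strings are supported as input")
        # UTF-16LE including the terminating NUL, as the hex:1:41,00,... row shows
        data = (rest + "\0").encode("utf-16-le")
        return (REG_SZ if kind == "string" else REG_EXPAND_SZ), data
    if kind in ("dword", "qword"):
        width = 4 if kind == "dword" else 8
        n = _c_int(rest)
        if not 0 <= n < (1 << (8 * width)):
            raise ValueError(f"{kind} value does not fit in {width} bytes: {rest}")
        return (REG_DWORD if kind == "dword" else REG_QWORD), n.to_bytes(width, "little")
    if kind == "hex":
        typ, _, hexbytes = rest.partition(":")
        digits = re.sub(r"[^0-9a-fA-F]", "", hexbytes)  # commas/spaces are ignored
        if len(digits) % 2:
            raise ValueError("hex bytes need an even number of hex digits")
        return _c_int(typ), bytes.fromhex(digits)
    raise ValueError(f"unknown value type: {kind!r}")


def setval_script(pairs):
    """Render (key, 'type:value') pairs as setval input: 'setval N' then 2*N lines."""
    for _, spec in pairs:
        encode_value(spec)  # reject a bad spec before anything is fed to hivexsh
    lines = [f"setval {len(pairs)}"]
    for key, spec in pairs:
        lines.append("@" if key in ("", "@") else key)  # '@' selects the default key
        lines.append(spec)
    return "\n".join(lines) + "\n"
```

The rendered text can be saved and passed to C<hivexsh -w -f script.txt> (together with the C<cd> and C<commit> lines); nothing reaches the hive until C<commit> is called.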
 $ guestfish --ro -i Windows7
 ><fs> download win:c:\windows\system32\config\software software

 Welcome to hivexsh, the hivex interactive shell for examining
 Windows Registry binary hive files.

 Type: 'help' for help with commands
       'quit' to quit the shell

 RegisteredApplications
L<http://libguestfs.org/>,

Richard W.M. Jones (C<rjones at redhat dot com>)

Copyright (C) 2009-2010 Red Hat Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.