hivexsh - Windows Registry hive shell

 hivexsh [-options] [hivefile]

This program provides a simple shell for navigating Windows Registry
'hive' files. It uses the hivex library for access to these binary

Firstly you will need to provide a hive file from a Windows operating
system. The hive files are usually located in
C<C:\Windows\System32\Config> and have names like C<software>,
C<system> etc (without any file extension). For more information
about hive files, read L<hivex(3)>. For information about downloading
files from virtual machines, read L<virt-cat(1)> and L<guestfish(1)>.

You can provide the name of the hive file to examine on the command

Or you can start C<hivexsh> without any arguments, and immediately use
the C<load> command to load a hive:

 Welcome to hivexsh, the hivex interactive shell for examining
 Windows Registry binary hive files.

 Type: 'help' for help with commands
       'quit' to quit the shell

Navigate through the hive's keys using the C<cd> command, as if it
contained a filesystem, and use C<ls> to list the subkeys of the
current key. Other commands are listed below.

Enable lots of debug messages. If you find a Registry file that this
program cannot parse, please enable this option and post the complete
output I<and> the Registry hive file in your bug report.

Read commands from C<filename> instead of stdin. To write a hivexsh

Change to the subkey C<path>. Use Windows-style backslashes to
separate path elements, and start with a backslash in order to start
from the root of the hive. For example:

moves from the root node, to the C<Classes> node, to the C<*> node.
If you were already at the root node, you could do this instead:

Path elements (node names) are matched case insensitively, and
characters like space, C<*>, and C<?> have I<no> special significance.

C<..> may be used to go to the parent directory.

=item B<close> | B<unload>

Close the currently loaded hive.

=item B<exit> | B<quit>

=item B<load> hivefile

Load the binary hive named C<hivefile>. The currently loaded hive, if
any, is closed. The current directory is changed back to the root

List the subkeys of the current hive Registry key. Note this command
does not take any arguments.

List the (key, value) pairs of the current hive Registry key. If no
argument is given then all pairs are displayed. If C<key> is given,
then the value of the named key is displayed. If C<@> is given, then
the value of the default key is displayed.

 $ guestfish --ro -i Windows7
 ><fs> download win:c:\windows\system32\config\software software

 Welcome to hivexsh, the hivex interactive shell for examining
 Windows Registry binary hive files.

 Type: 'help' for help with commands
       'quit' to quit the shell

 RegisteredApplications
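
The C<cd> and C<lsval> commands described above can also be generated by a script and fed to C<hivexsh> on standard input, which is useful when the same keys are reviewed in many downloaded hives. This is an added example, not part of the hivexsh distribution; the function names C<emit_key_dump> and C<dump_keys> and the sample key path in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: generate hivexsh commands for triage of a hive file that
# has been copied out of a guest. Key paths passed in are the caller's own.

# emit_key_dump KEYPATH [VALUENAME...]
# Print the hivexsh commands that change to KEYPATH from the hive root and
# list its values. With no VALUENAME every (key, value) pair is listed;
# the name @ selects the default value.
emit_key_dump() {
    keypath=$1
    shift
    # cd only starts from the root when the path begins with a backslash.
    case $keypath in
        \\*) ;;
        *) keypath="\\$keypath" ;;
    esac
    # hivexsh gives space, * and ? no special meaning, so the path is
    # written unquoted and unescaped; printf %s keeps backslashes literal.
    printf 'cd %s\n' "$keypath"
    if [ "$#" -eq 0 ]; then
        printf 'lsval\n'
    else
        for name in "$@"; do
            printf 'lsval %s\n' "$name"
        done
    fi
}

# dump_keys HIVEFILE KEYPATH...
# Run one hivexsh per key, feeding the commands on stdin, and label each
# block of output with the key it came from.
# Constructed usage: dump_keys software 'Microsoft\Windows NT\CurrentVersion'
dump_keys() {
    hive=$1
    shift
    command -v hivexsh >/dev/null 2>&1 || { echo "hivexsh not found" >&2; return 127; }
    for key in "$@"; do
        printf '== %s ==\n' "$key"
        emit_key_dump "$key" | hivexsh "$hive" || return 1
    done
}
```
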

L<http://libguestfs.org/>,

Richard W.M. Jones (C<rjones at redhat dot com>)

Copyright (C) 2009-2010 Red Hat Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.