hivexsh.pod
=encoding utf8
=head1 NAME
hivexsh - Windows Registry hive shell
=head1 SYNOPSIS
hivexsh [-options] [hivefile]
=head1 DESCRIPTION
This program provides a simple shell for navigating Windows Registry
'hive' files. It uses the hivex library for access to these binary
files.
Firstly you will need to provide a hive file from a Windows operating
system. The hive files are usually located in
C<C:\Windows\System32\Config> and have names like C<software>,
C<system> etc (without any file extension). For more information
about hive files, read L<hivex(3)>. For information about downloading
files from virtual machines, read L<virt-cat(1)> and L<guestfish(1)>.
You can provide the name of the hive file to examine on the command
line. For example:

 hivexsh software

Or you can start C<hivexsh> without any arguments, and immediately use
the C<load> command to load a hive:

 $ hivexsh

 Welcome to hivexsh, the hivex interactive shell for examining
 Windows Registry binary hive files.

 Type: 'help' for help with commands
       'quit' to quit the shell

 > load software
 software\>

Navigate through the hive's keys using the C<cd> command, as if it
contained a filesystem, and use C<ls> to list the subkeys of the
current key. Other commands are listed below.
=head1 OPTIONS
=over 4
=item B<-d>
Enable lots of debug messages. If you find a Registry file that this
program cannot parse, please enable this option and post the complete
output I<and> the Registry hive file in your bug report. Bear in mind
that hive files can contain sensitive data (the C<sam> and C<security>
hives hold credential material, and C<software> and C<system> hold
licensing and user details), so reproduce the problem with a hive from
a test or disposable system rather than posting one taken from
production.
=item B<-f> filename
Read commands from C<filename> instead of stdin. To write a hivexsh
script, use:

 #!/usr/bin/hivexsh -f

=item B<-w>
If this option is given, then writes are allowed to the hive
(see L</commit> command below, and the discussion of
modifying hives in L<hivex(3)/WRITING TO HIVE FILES>).
B<Important Note:> Even if you specify this option, nothing is written
to a hive unless you call the L</commit> command. If you exit the
shell without committing, all changes will be discarded.
Note also that C<commit> with no argument overwrites the hive file you
loaded, in place. If the original must stay intact (for example when
you are examining a hive taken as evidence), either work on a copy or
write the result elsewhere with C<commit newfile>.
If this option is not given, then write commands are disabled.
=back
=head1 COMMANDS
=over 4
=item B<add> name
Add a subkey named C<name> below the current node. The name may
contain spaces and punctuation characters, and does not need to be
quoted.
The new key will have no subkeys and no values (see C<setval>).
There must be no existing subkey called C<name>, or this command will
fail. To replace an existing subkey, delete it first like this:

 cd name
 del

=item B<cd> path
Change to the subkey C<path>. Use Windows-style backslashes to
separate path elements, and start with a backslash in order to start
from the root of the hive. For example:

 cd \Classes\*

moves from the root node, to the C<Classes> node, to the C<*> node.
If you were already at the root node, you could do this instead:

 cd Classes\*

or even:

 cd Classes
 cd *

Path elements (node names) are matched case insensitively, and
characters like space, C<*>, and C<?> have I<no> special significance.
C<cd ..> may be used to go to the parent directory.
C<cd> without any arguments prints the current path.
Be careful with C<cd \> since the readline library has an undocumented
behaviour where it will think the final backslash is a continuation
(it reads the next line of input and appends it). Put a single space
after the backslash.
=item B<close> | B<unload>
Close the currently loaded hive.
If you modified the hive, all uncommitted writes are lost when you
call this command (or if the shell exits). You have to call C<commit>
to write changes.
=item B<commit> [newfile]
Commit changes to the hive. If the optional C<newfile> parameter is
supplied, then the hive is written to that file, else the original
file is overwritten.
Note that you have to specify the C<-w> flag, otherwise no writes are
allowed.
=item B<del>
Delete the current node and everything beneath it. The current
directory is moved up one level (as if you did C<cd ..>) after
this command.
You cannot delete the root node.
=item B<exit> | B<quit>
Exit the shell.
=item B<load> hivefile
Load the binary hive named C<hivefile>. The currently loaded hive, if
any, is closed. The current directory is changed back to the root
node.
=item B<ls>
List the subkeys of the current hive Registry key. Note this command
does not take any arguments.
=item B<lsval> [key]
List the (key, value) pairs of the current hive Registry key. If no
argument is given then all pairs are displayed. If C<key> is given,
then the value of the named key is displayed. If C<@> is given, then
the value of the default key is displayed.
Note that what hivexsh calls the "key" of a pair is, in Windows
terminology, the I<name> of one of the Registry key's values, and the
"value" is that value's data.
=item B<setval> nrvals
This command replaces all (key, value) pairs at the current node with
the values in subsequent input. C<nrvals> is the number of values
(ie. (key, value) pairs), and any existing values at this node are
deleted. So C<setval 0> just deletes any values at the current node.
The command reads 2 * nrvals lines of input, with each pair of
lines of input corresponding to a key and a value to add.
For example, the following setval command replaces whatever is at the
current node with two (key, value) pairs. The default key is set to
the UTF16-LE-encoded string "abcd". The other value is named
"ANumber" and is a little-endian DWORD 0x12345678 (note the C<0x>
prefix: a number written without it is read as decimal, as described
in the table below).

 setval 2
 @
 string:abcd
 ANumber
 dword:0x12345678

The first line of each pair is the key (the special key C<@> means
the default key, but you can also use a blank line).
The second line of each pair is the value, which has a special format
C<type:value> with possible types summarized in the table below:

 none                   No data is stored, and the type is set to 0.

 string:abc             "abc" is stored as a UTF16-LE-encoded
                        string (type 1).  Note that only 7 bit
                        ASCII strings are supported as input.

 expandstring:...       Same as string but with type 2.

 dword:0x01234567       A DWORD (type 4) with the hex value
                        0x01234567.  You can also use decimal
                        or octal numbers here.

 qword:0x0123456789abcdef
                        A QWORD (type 11) with the hex value
                        0x0123456789abcdef.  You can also use
                        decimal or octal numbers here.

 hex:<type>:<hexbytes>
 hex:1:41,00,42,00,43,00,44,00,00,00
                        This is the generic way to enter any
                        value.  <type> is the integer value type.
                        <hexbytes> is a list of pairs of hex
                        digits which are treated as bytes.
                        (Any non-hex-digits here are ignored,
                        so you can separate bytes with commas
                        or spaces if you want).

=back
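The following is an added example and is not part of hivex or hivexsh. It encodes the C<type:value> lines that C<setval> reads into the (type, data) pairs that end up in the hive, so you can check exactly what a line will write before running it with C<-w>, and it generates a script suitable for C<hivexsh -w -f SCRIPT> that commits to a new file rather than overwriting the loaded hive. The helper names (C<parse_int>, C<encode_value>, C<to_hex_line>, C<build_setval_script>) and the sample key path are this example's own, and it assumes hivexsh reads integers the way the table above describes: C<0x> prefix for hex, leading C<0> for octal, plain decimal otherwise.

```python
# Added example (not hivex/hivexsh code): encoder for hivexsh "type:value"
# lines and a generator for a "hivexsh -w -f SCRIPT" script.  Helper names
# are this example's own.  Integer parsing assumes the strtol-style rule
# from the manual's table: "0x" is hex, a leading "0" is octal, else decimal.
import re
import struct

REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_QWORD = 0, 1, 2, 4, 11


def parse_int(text, bits):
    """Read an integer as the table describes: 0x... is hex, a leading 0 is
    octal, anything else is decimal.  Rejects negatives and overflow."""
    s = text.strip()
    if re.fullmatch(r"0[0-7]+", s):
        n = int(s, 8)                 # int(s, 0) would reject "010"
    else:
        n = int(s, 0)                 # handles "0x..." and plain decimal
    if not 0 <= n < (1 << bits):
        raise ValueError(f"{text!r} does not fit in {bits} bits")
    return n


def encode_value(line):
    """Turn one setval value line into (type, data) as it would be stored."""
    if line == "none":
        return REG_NONE, b""
    kind, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"value line needs a type prefix: {line!r}")
    if kind in ("string", "expandstring"):
        if not rest.isascii():
            raise ValueError("only 7-bit ASCII string input is supported")
        t = REG_SZ if kind == "string" else REG_EXPAND_SZ
        return t, (rest + "\0").encode("utf-16-le")   # NUL-terminated UTF-16LE
    if kind == "dword":
        return REG_DWORD, struct.pack("<I", parse_int(rest, 32))
    if kind == "qword":
        return REG_QWORD, struct.pack("<Q", parse_int(rest, 64))
    if kind == "hex":
        type_text, sep2, hexbytes = rest.partition(":")
        if not sep2:
            raise ValueError(f"expected hex:<type>:<hexbytes>: {line!r}")
        digits = re.sub(r"[^0-9A-Fa-f]", "", hexbytes)  # separators are ignored
        if len(digits) % 2:
            raise ValueError("hex bytes need an even number of hex digits")
        return int(type_text), bytes.fromhex(digits)
    raise ValueError(f"unknown value type {kind!r}")


def to_hex_line(t, data):
    """The generic hex:<type>:<hexbytes> spelling of any (type, data); this is
    the only way to enter types with no dedicated prefix (e.g. REG_BINARY, 3)."""
    return f"hex:{t}:" + ",".join(f"{b:02x}" for b in data)


def build_setval_script(hivefile, keypath, values, newfile):
    """Text of a hivexsh script that replaces every value under keypath and
    commits to newfile, leaving hivefile itself untouched.  Each value line
    is encoded first so a typo fails here rather than against the hive."""
    for _, value_line in values:
        encode_value(value_line)
    lines = [f"load {hivefile}", f"cd {keypath}", f"setval {len(values)}"]
    for name, value_line in values:
        lines += [name, value_line]       # "@" (or a blank line) is the default value
    lines.append(f"commit {newfile}")     # a bare "commit" would overwrite hivefile
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input; the key path is hypothetical.
    sample = [("@", "string:abcd"), ("ANumber", "dword:0x12345678")]
    print(build_setval_script("software", r"\Microsoft\Windows\CurrentVersion",
                              sample, "software.new"))
    for _, v in sample:
        t, data = encode_value(v)
        print(f"{v:<22} -> type {t:2d}, {to_hex_line(t, data)}")
```

Run the generated script with C<hivexsh -w -f SCRIPT>; because the last line is C<commit software.new>, the hive you loaded is never modified in place. The C<to_hex_line> round trip is also a quick way to confirm that a C<string:> or C<dword:> line and its C<hex:> equivalent produce identical bytes.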
=head1 EXAMPLE

 $ guestfish --ro -i Windows7

 ><fs> download win:c:\windows\system32\config\software software
 ><fs> quit

 $ hivexsh software

 Welcome to hivexsh, the hivex interactive shell for examining
 Windows Registry binary hive files.

 Type: 'help' for help with commands
       'quit' to quit the shell

 software\> ls
 ATI Technologies
 Classes
 Clients
 Intel
 Microsoft
 ODBC
 Policies
 RegisteredApplications
 Sonic
 Wow6432Node
 software\> quit

=head1 SEE ALSO
L<hivex(3)>,
L<hivexget(1)>,
L<hivexml(1)>,
L<virt-win-reg(1)>,
L<guestfs(3)>,
L<http://libguestfs.org/>,
L<virt-cat(1)>,
L<virt-edit(1)>.
=head1 AUTHORS
Richard W.M. Jones (C<rjones at redhat dot com>)
=head1 COPYRIGHT
Copyright (C) 2009-2010 Red Hat Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.