This is the command hivexsh that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator
PROGRAM:
NAME
hivexsh - Windows Registry hive shell
SYNOPSIS
hivexsh [-options] [hivefile]
DESCRIPTION
This program provides a simple shell for navigating Windows Registry 'hive' files. It
uses the hivex library for access to these binary files.
Firstly you will need to provide a hive file from a Windows operating system. The hive
files are usually located in "C:\Windows\System32\Config" and have names like "software",
"system" etc (without any file extension). For more information about hive files, read
hivex(3). For information about downloading files from virtual machines, read virt-cat(1)
and guestfish(1).
You can provide the name of the hive file to examine on the command line. For example:
hivexsh software
Or you can start "hivexsh" without any arguments, and immediately use the "load" command
to load a hive:
$ hivexsh
Welcome to hivexsh, the hivex interactive shell for examining
Windows Registry binary hive files.
Type: 'help' for help with commands
'quit' to quit the shell
> load software
software\>
Navigate through the hive's keys using the "cd" command, as if it contained a filesystem,
and use "ls" to list the subkeys of the current key. Other commands are listed below.
OPTIONS
-d Enable lots of debug messages. If you find a Registry file that this program cannot
parse, please enable this option and post the complete output and the Registry hive
file in your bug report.
-f filename
Read commands from "filename" instead of stdin. To write a hivexsh script, use:
#!/usr/bin/hivexsh -f
-w If this option is given, then writes are allowed to the hive (see "commit" command
below, and the discussion of modifying hives in "WRITING TO HIVE FILES" in hivex(3)).
Important Note: Even if you specify this option, nothing is written to a hive unless
you call the "commit" command. If you exit the shell without committing, all changes
will be discarded.
If this option is not given, then write commands are disabled.
COMMANDS
add name
Add a subkey named "name" below the current node. The name may contain spaces and
punctuation characters, and does not need to be quoted.
The new key will have no subkeys and no values (see "setval").
There must be no existing subkey called "name", or this command will fail. To replace
an existing subkey, delete it first like this:
cd name
del
cd path
Change to the subkey "path". Use Windows-style backslashes to separate path elements,
and start with a backslash in order to start from the root of the hive. For example:
cd \Classes\*
moves from the root node, to the "Classes" node, to the "*" node. If you were already
at the root node, you could do this instead:
cd Classes\*
or even:
cd Classes
cd *
Path elements (node names) are matched case insensitively, and characters like space,
"*", and "?" have no special significance.
"cd .." may be used to go to the parent directory.
"cd" without any arguments prints the current path.
Be careful with "cd \" since the readline library has an undocumented behaviour where
it will think the final backslash is a continuation (it reads the next line of input
and appends it). Put a single space after the backslash.
close | unload
Close the currently loaded hive.
If you modified the hive, all uncommitted writes are lost when you call this command
(or if the shell exits). You have to call "commit" to write changes.
commit [newfile]
Commit changes to the hive. If the optional "newfile" parameter is supplied, then the
hive is written to that file, else the original file is overwritten.
Note that you have to specify the "-w" flag, otherwise no writes are allowed.
del Delete the current node and everything beneath it. The current directory is moved up
one level (as if you did "cd ..") after this command.
You cannot delete the root node.
exit | quit
Exit the shell.
load hivefile
Load the binary hive named "hivefile". The currently loaded hive, if any, is closed.
The current directory is changed back to the root node.
ls List the subkeys of the current hive Registry key. Note this command does not take
any arguments.
lsval [key]
List the (key, value) pairs of the current hive Registry key. If no argument is given
then all pairs are displayed. If "key" is given, then the value of the named key is
displayed. If "@" is given, then the value of the default key is displayed.
setval nrvals
This command replaces all (key, value) pairs at the current node with the values in
subsequent input. "nrvals" is the number of values (ie. (key, value) pairs), and any
existing values at this node are deleted. So "setval 0" just deletes any values at
the current node.
The command reads 2 * nrvals lines of input, with each pair of lines of input
corresponding to a key and a value to add.
For example, the following setval command replaces whatever is at the current node
with two (key, value) pairs. The default key is set to the UTF16-LE-encoded string
"abcd". The other value is named "ANumber" and is a little-endian DWORD 0x12345678.
setval 2
@
string:abcd
ANumber
dword:12345678
The first line of each pair is the key (the special key "@" means the default key, but
you can also use a blank line).
The second line of each pair is the value, which has a special format "type:value"
with possible types summarized in the table below:
none No data is stored, and the type is set to 0.
string:abc "abc" is stored as a UTF16-LE-encoded
string (type 1). Note that only 7 bit
ASCII strings are supported as input.
expandstring:... Same as string but with type 2.
dword:0x01234567 A DWORD (type 4) with the hex value
0x01234567. You can also use decimal
or octal numbers here.
qword:0x0123456789abcdef
A QWORD (type 11) with the hex value
0x0123456789abcdef. You can also use
decimal or octal numbers here.
hex:<type>:<hexbytes>
hex:1:41,00,42,00,43,00,44,00,00,00
This is the generic way to enter any
value. <type> is the integer value type.
<hexbytes> is a list of pairs of hex
digits which are treated as bytes.
(Any non-hex-digits here are ignored,
so you can separate bytes with commas
or spaces if you want).
EXAMPLE
$ guestfish --ro -i Windows7
><fs> download win:c:\windows\system32\config\software software
><fs> quit
$ hivexsh software
Welcome to hivexsh, the hivex interactive shell for examining
Windows Registry binary hive files.
Type: 'help' for help with commands
'quit' to quit the shell
software\> ls
ATI Technologies
Classes
Clients
Intel
Microsoft
ODBC
Policies
RegisteredApplications
Sonic
Wow6432Node
software\> quit
Use hivexsh online using onworks.net services
