Using libguestfs we can dump out the Windows registry as plain files. Here’s how.
You will need Petter Nordahl-Hagen’s Windows registry tools (Fedora package chntpw).
On NT-derived versions of Windows, the registry is stored in several binary files under the path /WINDOWS/system32/config. This document explains what’s in what file and Wikipedia explains how the registry is logically arranged.
For this example, I downloaded /WINDOWS/system32/config/software which maps to the Windows registry node HKEY_LOCAL_MACHINE\SOFTWARE:
    guestfish -a /dev/mapper/Guests-Win2K3FV -m /dev/sda1 \
        download /WINDOWS/system32/config/software software
Using the reged tool from chntpw, I simply dumped out everything in this file into a human-readable format:
    reged -x software HKEY_LOCAL_MACHINE\\SOFTWARE \\ software.reg > /dev/null
The output file, software.reg, contains thousands of plaintext entries like this (chosen at random):
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Excel]
    "win32"="C:\WINDOWS\system32\msexcl40.dll"
    "DisabledExtensions"="!xls"
    "ImportMixedTypes"="Text"
    "FirstRowHasNames"=hex:01,00
    "AppendBlankRows"=dword:00000001
    "TypeGuessRows"=dword:00000008
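Once the hive is in this text form the obvious next step is to read it programmatically rather than by eye. The following is an added example, not code from the original post nor from chntpw or libguestfs: a small parser for the syntax reged -x emits (string, dword: and hex:/hex(N): values, including hex payloads continued across lines with a trailing backslash), followed by a helper that lists whatever is registered under the standard HKLM\SOFTWARE Microsoft\Windows\CurrentVersion\Run and RunOnce autostart keys, a routine check when triaging a SOFTWARE hive. The sample dump is constructed for the demonstration: the Jet key mirrors the entry quoted above, the Run entries are invented.

```python
r"""Parse the plain-text .reg output of `reged -x` into Python values.

Added example (not code from the original post or from chntpw/libguestfs).
Decodes the common value syntaxes and then walks the result for entries
under the Run / RunOnce autostart keys below Microsoft\Windows\CurrentVersion.
"""
import re

# Constructed sample in reged's export syntax; the Jet key mirrors the entry
# quoted in the post, the Run entries are made up for the demonstration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Excel]
"win32"="C:\\WINDOWS\\system32\\msexcl40.dll"
"DisabledExtensions"="!xls"
"ImportMixedTypes"="Text"
"FirstRowHasNames"=hex:01,00
"AppendBlankRows"=dword:00000001
"TypeGuessRows"=dword:00000008

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\update.exe /silent"
"LongBlob"=hex:41,42,\
  43,44
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Standard autostart locations relative to the SOFTWARE hive root.
AUTOSTART_SUFFIXES = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)


def _unescape(s):
    # .reg strings escape only backslash and double quote; a lone backslash
    # (as in the post's quoted sample) is left untouched.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_value(raw):
    """Decode one value: "string", dword:HHHHHHHH, or hex[(N)]:aa,bb,..."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex"):
        # hex: is REG_BINARY; hex(2), hex(7) etc. carry other types, all of
        # which are returned here as raw bytes for the caller to interpret.
        payload = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in payload.split(",") if b.strip())
    raise ValueError("unrecognised value syntax: %r" % raw)


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    keys = {}
    current = None
    pending = ""  # hex payloads continue on the next line after a trailing '\'
    for line in text.splitlines():
        line = pending + line.strip() if pending else line.rstrip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith("@="):  # the key's default value
            keys[current][""] = parse_value(line[2:])
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][_unescape(m.group(1))] = parse_value(m.group(2))
    return keys


def autostart_entries(keys):
    """List (key, name, value) tuples found under the Run/RunOnce keys."""
    found = []
    for key, values in keys.items():
        if key.endswith(AUTOSTART_SUFFIXES):
            for name, value in sorted(values.items()):
                found.append((key, name, value))
    return found


if __name__ == "__main__":
    hive = parse_reg(SAMPLE_REG)
    for key, name, value in autostart_entries(hive):
        print(key, name, repr(value))
```

Run it against the software.reg produced above by passing the file's contents to parse_reg. The unescaping only collapses `\\` and `\"`, so it copes both with a strictly escaped export and with the single-backslash paths shown in the sample entry above. Values of types other than string, dword and plain binary come back as raw bytes and still need type-specific decoding.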
I’m now going to add this functionality to virt-inspector.

Apparently, virt-inspector doesn't work when the VM is running, but only when the VM stops. Could you explain why?
Thanks a lot,
Alan
Hello Alan,
Did you actually try using virt-inspector on a running VM? virt-inspector will usually work when the VM is running.
You’ll get reliable, guaranteed results only if you pause the VM just before starting virt-inspector (and you can resume the VM right afterwards). But having said that, virt-inspector usually works even if you don’t pause the VM.
If there is some other thing that is stopping virt-inspector from running, then I recommend setting the environment variable LIBGUESTFS_DEBUG=1.
Update: I see the manual page is inaccurate. It should say that virt-inspector will run, but it’s better to pause the domain briefly first (albeit not required).
That is clear now, thanks!
One more thing: I saw this in the virt-inspector manual:
“Because virt-inspector needs direct access to guest images, it won’t normally work over remote libvirt connections.”
I am not very familiar with libvirt, so could you explain a bit about the “remote libvirt connections”?
Thanks a lot!
Hi Alan,
It just means it won’t work if you’re using libvirt to access guests on a remote machine. (See documentation here). virt-inspector etc need direct access to the guest’s disk image to work.
Pingback: libhivex: Windows Registry hive extractor library « Richard WM Jones
Hi Rich,
I am trying to figure out how virt-inspector works. Here is my assumption: it uses the “mount” command to mount the FS of the guest VM, then accesses the FS to read a particular file out, then analyzes its content to get information.
So the key point here is to run the “mount” command first on the guest FS. Is that correct?
Keep posting. You are working very well!
Jon
Jon, approximately this is how it works.
The best thing is probably just to look at the code.