libhivex: Windows Registry hive extractor library

Several people managing Windows virtual machines have told me that libguestfs/virt-cat isn’t enough for them. They’d like to be able to get at Windows Registry entries in the guest.

A typical example is the imaginary [as of now] virt-win-reg command that lets you interrogate the Registry in a guest:

$ virt-win-reg MyWinGuest '\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"ProductName"="Microsoft Windows Server 2003"
"RegisteredOwner"="Richard Jones"
"CurrentVersion"="5.2"
"CurrentBuildNumber"="3790"
[etc]

Right now you can only do this indirectly, by laboriously downloading the registry hives and decoding them with tools such as reged. I outlined how to do that here but there's no doubt that it should be made a lot easier.

The first step is a more reliable way to query registry files themselves. The files come from foreign, buggy, possibly malicious guests, and so code that touches them must be written carefully and conservatively to avoid security problems.

Another problem is that the tools in this area tend to convert the binary, proprietary "hive" format into a regedit-compatible text format. The problem is that regedit itself is no easier to parse. What we would like is a more compatible format -- XML or a library.

There are several existing tools to do this. The best is certainly Petter Nordahl's chntpw utility which we've been carrying in Fedora for a while. Unfortunately Petter hasn't been answering our queries about issues in the code and we are concerned that the code isn't cautious enough to deal with an onslaught of malicious registry files. Another is the BSD-licensed dumphive program written in Pascal.

To address our concerns I have spent the last three days writing a simpler version of Petter's program called libhivex. This library and associated programs are able to extract the contents of Windows Registry "hive" files, and make this available through a simple C API or as XML. The library is written very defensively and should deal with malicious files. The scope of the library is also being kept intentionally small: we won't use it to modify these files ever, just to extract data from them.

I hope to publish a patch series for this soon for libguestfs, followed by some useful command line tools to let sysadmins get data from their Windows virtual machines.

Got a suggestion for a useful libguestfs-related tool? Let me know in the comments.

About these ads

3 Comments

Filed under Uncategorized

3 responses to “libhivex: Windows Registry hive extractor library

  1. Pingback: hivexget: Get values from a Windows Registry hive « Richard WM Jones

  2. Michal Novotny

    Nice Rich but is there an API documentation for libhivex available not to use pipe calls to “hivexget” application to get something from the windows registry file?

    • rich

      Hi Michal, I’m not sure what you mean by the question. Can you rephrase it? There is also a C API if you would like to use that instead of the separate app.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s