$ hivexget system '\ControlSet001\Control'
"PreshutdownOrder"=hex(7):77,00,75,00,61[...]
"WaitToKillServiceTimeout"="12000"
"CurrentUser"="USERNAME"
"BootDriverFlags"=dword:00000000"
"ServiceControlManagerExtension"=str(2):"%systemroot%\\system32\\scext.dll"
"SystemStartOptions"=" NOEXECUTE=OPTIN"
"SystemBootDevice"="multi(0)disk(0)rdisk(0)partition(2)"
"FirmwareBootDevice"="multi(0)disk(0)rdisk(0)partition(1)"

$ hivexget system '\ControlSet001\Control' SystemBootDevice
multi(0)disk(0)rdisk(0)partition(2)
There is also a tool (hivexml) to convert the registry hive into an XML file.
These are low-level tools at the moment, but they are the basis for writing a nice, usable, high-level virt-win-reg program for grabbing values out of a Windows guest.
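When the key listing above is fed into a script (for example during offline triage of a guest's system hive), each line has to be decoded by type. The following is an added example, not part of hivex or of the original post: it parses the four value forms visible in the listing, assuming that backslash escaping inside quoted strings is the only escaping used and that hex(7) data is UTF-16LE as REG_MULTI_SZ normally is. The sample lines and the name ExampleMulti are constructed.

```python
import re

# Registry value type numbers (REG_* constants from the Windows SDK).
REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_MULTI_SZ = 1, 2, 4, 7

VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
TYPED_RE = re.compile(r'^(hex|str)\((\d+)\):(.*)$')

def _unquote(s):
    # Strip the surrounding quotes and undo backslash escaping (assumed format).
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        raise ValueError("not a quoted string: %r" % s)
    return re.sub(r'\\(.)', r'\1', s[1:-1])

def parse_value(line):
    """Return (name, registry_type, value) for one line of the key listing."""
    m = VALUE_RE.match(line.strip())
    if not m:
        raise ValueError("not a value line: %r" % line)
    name = re.sub(r'\\(.)', r'\1', m.group("name"))
    data = m.group("data")
    if data.startswith("dword:"):
        # rstrip tolerates the stray quote on the listing's BootDriverFlags line.
        return name, REG_DWORD, int(data[6:].rstrip('"'), 16)
    t = TYPED_RE.match(data)
    if t is None:
        return name, REG_SZ, _unquote(data)
    kind, regtype, body = t.group(1), int(t.group(2)), t.group(3)
    if kind == "str":
        return name, regtype, _unquote(body)
    raw = bytes(int(b, 16) for b in body.split(",") if b)
    if regtype == REG_MULTI_SZ:
        # NUL-terminated UTF-16LE strings; an empty string ends the list.
        text = raw.decode("utf-16-le")
        return name, regtype, [s for s in text.split("\x00") if s]
    return name, regtype, raw

# Constructed sample in the format shown above (not output from a real hive).
SAMPLE = r'''"WaitToKillServiceTimeout"="12000"
"BootDriverFlags"=dword:00000000
"ServiceControlManagerExtension"=str(2):"%systemroot%\\system32\\scext.dll"
"ExampleMulti"=hex(7):61,00,62,00,00,00,63,00,00,00,00,00'''

if __name__ == "__main__":
    for sample_line in SAMPLE.splitlines():
        print(parse_value(sample_line))
```

A truncated hex(7) body, such as the elided PreshutdownOrder line in the listing, raises an exception rather than returning a partial list.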
Nice. A usability improvement would be to map ‘/’ into ‘\’ so people can run
hivexget system /ControlSet001/Control SystemBootDevice
No need for shell escaping.
Hmmm… the next thing would be to provide a bash_complete function 😉
Oron, that’s a bit tricky in fact because Windows Registry path elements might contain a forwards “/” character.