$ hivexget system '\ControlSet001\Control'
"PreshutdownOrder"=hex(7):77,00,75,00,61[...]
"WaitToKillServiceTimeout"="12000"
"CurrentUser"="USERNAME"
"BootDriverFlags"=dword:00000000"
"ServiceControlManagerExtension"=str(2):"%systemroot%\\system32\\scext.dll"
"SystemStartOptions"=" NOEXECUTE=OPTIN"
"SystemBootDevice"="multi(0)disk(0)rdisk(0)partition(2)"
"FirmwareBootDevice"="multi(0)disk(0)rdisk(0)partition(1)"
$ hivexget system '\ControlSet001\Control' SystemBootDevice
multi(0)disk(0)rdisk(0)partition(2)
There is also a tool (hivexml) to convert the registry hive into an XML file.
These are low-level tools at the moment. These are the basis for writing a nice, usable, high-level virt-win-reg program for grabbing values out of a Windows guest.
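To use that output from a script rather than by eye, here is an added example (my own code, not part of hivex) that parses the REGEDIT-style lines hivexget prints into typed Python values; the hex(7) sample value is constructed (UTF-16LE "wuauserv") because the listing above truncates it.

```python
import re

# Constructed sample in the same shape as the hivexget output quoted above.
# The hex(7) (REG_MULTI_SZ) value is made up: UTF-16LE "wuauserv\0\0".
SAMPLE = r'''
"PreshutdownOrder"=hex(7):77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,00,00,00
"WaitToKillServiceTimeout"="12000"
"BootDriverFlags"=dword:00000000
"ServiceControlManagerExtension"=str(2):"%systemroot%\\system32\\scext.dll"
"SystemBootDevice"="multi(0)disk(0)rdisk(0)partition(2)"
'''

# "name"=value ; the name may contain regedit-style escapes (\\ and \")
LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    # regedit-style escapes: \\ -> \ and \" -> "
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_value(raw):
    """Return (registry type name, decoded value) for the right-hand side of a line."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith('str(2):"') and raw.endswith('"'):
        return "REG_EXPAND_SZ", _unescape(raw[len('str(2):"'):-1])
    if raw.startswith('dword:'):
        return "REG_DWORD", int(raw[len('dword:'):], 16)
    if raw.startswith('hex(7):'):
        data = bytes(int(b, 16) for b in raw[len('hex(7):'):].split(',') if b)
        # REG_MULTI_SZ: NUL-terminated UTF-16LE strings, list ends with an empty string
        text = data.decode('utf-16-le')
        return "REG_MULTI_SZ", [s for s in text.split('\0') if s]
    raise ValueError("unsupported value syntax: " + raw)

def parse_hivexget(text):
    """Parse a whole hivexget key listing into {value name: (type, value)}."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable line: " + line)
        values[_unescape(m.group(1))] = parse_value(m.group(2))
    return values
```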
3 Comments
October 30, 2009 at 8:24 am
Nice. A usability improvement would be to map ‘/’ into ‘\’ so people can run
hivexget system /ControlSet001/Control SystemBootDevice
No need for shell escaping.
Hmmm… the next thing would be to provide a bash_complete function
October 30, 2009 at 8:25 am
Oron, that’s a bit tricky in fact because Windows Registry path elements might contain a forwards “/” character.
November 4, 2009 at 10:12 am
[...] (and several other “Current*” keys) are synthetic. They don’t exist in the underlying Registry “hive” (file), but are created by Windows when it is running to refer to the currently selected setting for the [...]