Using libguestfs we can dump out the Windows registry as plain files. Here’s how.
You will need Petter Nordahl-Hagen’s Windows registry tools (Fedora package chntpw).
On NT-derived versions of Windows, the registry is stored in several binary files under the path /WINDOWS/system32/config. This document explains what’s in what file and Wikipedia explains how the registry is logically arranged.
For this example, I downloaded /WINDOWS/system32/config/software which maps to the Windows registry node HKEY_LOCAL_MACHINE\SOFTWARE:
guestfish -a /dev/mapper/Guests-Win2K3FV -m /dev/sda1 \
  download /WINDOWS/system32/config/software software
Using the reged tool from chntpw, I simply dumped out everything in this file into a human-readable format:
reged -x software HKEY_LOCAL_MACHINE\\SOFTWARE \\ software.reg > /dev/null
The output file, software.reg, contains thousands of plaintext entries like this (chosen at random):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Excel]
"win32"="C:\WINDOWS\system32\msexcl40.dll"
"DisabledExtensions"="!xls"
"ImportMixedTypes"="Text"
"FirstRowHasNames"=hex:01,00
"AppendBlankRows"=dword:00000001
"TypeGuessRows"=dword:00000008
I’m now going to add this functionality to virt-inspector.
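To work with the dump programmatically (for example, to review installed software offline), the following added example, which is not part of the original post or of libguestfs or chntpw, parses the .reg text format shown above into Python dictionaries. The sample input is the entry shown above; support for `hex(N):` types and for hex data wrapped with a trailing backslash is an assumption based on regedit-style exports and goes beyond what the page shows.

```python
import re

# Constructed sample: the entry shown above, one value per line.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Excel]
"win32"="C:\WINDOWS\system32\msexcl40.dll"
"DisabledExtensions"="!xls"
"ImportMixedTypes"="Text"
"FirstRowHasNames"=hex:01,00
"AppendBlankRows"=dword:00000001
"TypeGuessRows"=dword:00000008
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')


def decode(raw):
    """Turn the text after '=' into a (type, value) pair."""
    if raw.startswith('dword:'):
        return 'dword', int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        return ('hex' if m.group(1) is None else 'hex(%s)' % m.group(1)), data
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return 'string', raw[1:-1]  # kept verbatim: the sample shows unescaped backslashes
    return 'unknown', raw


def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}} from .reg text."""
    keys, current, pending = {}, None, ''
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ''
        if line.endswith(',\\'):  # assumed: a wrapped hex value continues on the next line
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1) if m.group(2) is None else '@'] = decode(m.group(3))
    return keys
```

Calling `parse_reg(open('software.reg', errors='replace').read())` gives one dictionary per registry key, with `dword` values as integers and `hex` values as bytes.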
