hivexget: Get values from a Windows Registry hive

$ hivexget system '\ControlSet001\Control'
"PreshutdownOrder"=hex(7):77,00,75,00,61[...]
"WaitToKillServiceTimeout"="12000"
"CurrentUser"="USERNAME"
"BootDriverFlags"=dword:00000000
"ServiceControlManagerExtension"=str(2):"%systemroot%\\system32\\scext.dll"
"SystemStartOptions"=" NOEXECUTE=OPTIN"
"SystemBootDevice"="multi(0)disk(0)rdisk(0)partition(2)"
"FirmwareBootDevice"="multi(0)disk(0)rdisk(0)partition(1)"
$ hivexget system '\ControlSet001\Control' SystemBootDevice
multi(0)disk(0)rdisk(0)partition(2)

There is also a tool (hivexml) to convert the registry hive into an XML file.

These are low-level tools at the moment; they are the basis for writing a nice, usable, high-level virt-win-reg program for grabbing values out of a Windows guest.

libhivex: Windows Registry hive extractor library

Several people managing Windows virtual machines have told me that libguestfs/virt-cat isn’t enough for them. They’d like to be able to get at Windows Registry entries in the guest.

A typical example is the imaginary [as of now] virt-win-reg command that lets you interrogate the Registry in a guest:

$ virt-win-reg MyWinGuest '\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"ProductName"="Microsoft Windows Server 2003"
"RegisteredOwner"="Richard Jones"
"CurrentVersion"="5.2"
"CurrentBuildNumber"="3790"
[etc]

Right now you can only do this indirectly, by laboriously downloading the registry hives and decoding them with tools such as reged. I outlined how to do that here but there’s no doubt that it should be made a lot easier.

The first step is a more reliable way to query registry files themselves. The files come from foreign, buggy, possibly malicious guests, and so code that touches them must be written carefully and conservatively to avoid security problems.

Another problem is that the tools in this area tend to convert the binary, proprietary “hive” format into a regedit-compatible text format, but regedit's format is no easier to parse. What we would like is a more compatible format — XML or a library.

There are several existing tools to do this. The best is certainly Petter Nordahl’s chntpw utility which we’ve been carrying in Fedora for a while. Unfortunately Petter hasn’t been answering our queries about issues in the code and we are concerned that the code isn’t cautious enough to deal with an onslaught of malicious registry files. Another is the BSD-licensed dumphive program written in Pascal.

To address our concerns I have spent the last three days writing a simpler version of Petter’s program called libhivex. This library and associated programs are able to extract the contents of Windows Registry “hive” files, and make this available through a simple C API or as XML. The library is written very defensively and should deal with malicious files. The scope of the library is also being kept intentionally small: we won’t use it to modify these files ever, just to extract data from them.
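To make the "written very defensively" point concrete, here is an added example (my own illustration, not libhivex's code) of the kind of bounds checking a hive reader needs: it validates the "regf" header checksum, the first "hbin" block and the root "nk" cell of a constructed minimal hive, rejecting any offset or size that would steer a read outside the file. The header and cell layout follow the publicly documented hive format; hive_validate, build_sample_hive and the sample buffer are names assumed for this example.

```c
#include <stdint.h>
#include <string.h>
#define HBIN0 0x1000u  /* the first "hbin" block follows the 4 KiB "regf" header */

/* Read a little-endian uint32 at `off`; refuse to read outside [0, len). */
static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return -1;
    *out = (uint32_t)b[off] | (uint32_t)b[off+1] << 8 | (uint32_t)b[off+2] << 16 | (uint32_t)b[off+3] << 24;
    return 0;
}
void wr32(uint8_t *b, size_t off, uint32_t v) {
    b[off] = (uint8_t)v; b[off+1] = (uint8_t)(v >> 8); b[off+2] = (uint8_t)(v >> 16); b[off+3] = (uint8_t)(v >> 24);
}
/* Header checksum: XOR of the 127 dwords preceding the checksum field at offset 508. */
uint32_t hive_header_checksum(const uint8_t *b) {
    uint32_t sum = 0, w;
    for (size_t off = 0; off < 508; off += 4) { rd32(b, 512, off, &w); sum ^= w; }
    return sum;
}
/* Validate the "regf" header and the first "hbin", then locate the root "nk" cell.
 * Returns the offset of the root cell's payload or a negative error code. Every
 * offset or size read from the file is checked against `len` (or the enclosing
 * structure) before it is trusted, so a hostile file cannot push reads out of bounds. */
long hive_validate(const uint8_t *b, size_t len) {
    uint32_t sum, root, bins_len, bin_size, cell;
    if (len < HBIN0 + 0x20 || memcmp(b, "regf", 4) != 0) return -1;
    if (rd32(b, len, 508, &sum) || sum != hive_header_checksum(b)) return -2;
    if (rd32(b, len, 36, &root) || rd32(b, len, 40, &bins_len)) return -3;
    if (bins_len > len - HBIN0) return -4;               /* hbins claim more than the file holds */
    if (memcmp(b + HBIN0, "hbin", 4) != 0) return -5;
    if (rd32(b, len, HBIN0 + 8, &bin_size) || bin_size < 0x20 || bin_size > bins_len) return -6;
    if (root < 0x20 || root > bin_size - 4) return -7;   /* root offset is relative to the first hbin */
    if (rd32(b, len, HBIN0 + root, &cell)) return -8;
    if (!(cell & 0x80000000u)) return -9;                /* cell size is signed: negative = allocated */
    uint32_t alloc = 0u - cell;                          /* magnitude without signed overflow */
    if (alloc < 8 || alloc > bin_size - root) return -10;
    if (memcmp(b + HBIN0 + root + 4, "nk", 2) != 0) return -11;
    return (long)(HBIN0 + root + 4);
}
/* Constructed sample, not a real hive: a header, one 4 KiB hbin and an allocated
 * 0x50-byte "nk" root cell at hbin offset 0x20. Fills sample_hive, returns its length. */
uint8_t sample_hive[2 * HBIN0];
size_t build_sample_hive(void) {
    memset(sample_hive, 0, sizeof sample_hive); memcpy(sample_hive, "regf", 4);
    wr32(sample_hive, 36, 0x20); wr32(sample_hive, 40, HBIN0);
    wr32(sample_hive, 508, hive_header_checksum(sample_hive));
    memcpy(sample_hive + HBIN0, "hbin", 4); wr32(sample_hive, HBIN0 + 8, HBIN0);
    wr32(sample_hive, HBIN0 + 0x20, 0u - 0x50u); memcpy(sample_hive + HBIN0 + 0x24, "nk", 2);
    return sizeof sample_hive;
}
```

Each rejection path corresponds to one way a crafted file could otherwise make a naive reader index past its buffer.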

I hope to publish a patch series for this soon for libguestfs, followed by some useful command line tools to let sysadmins get data from their Windows virtual machines.

Got a suggestion for a useful libguestfs-related tool? Let me know in the comments.