Thanks to “TJ” for tipping me off about another use of the Registry “hive” format in recent versions of Windows.
There are scant details available, but if you have a version of Windows Vista or later, then the boot loader is no longer configured through a plain text file (“BOOT.INI”) but via a binary blob. Microsoft provides a tool called “BCDEDIT.EXE” that you are supposed to use to edit this, but the blob is a hive so you can use hivex to display or modify it.
We first use guestfish to download the blob:
$ guestfish --ro -a /dev/vg_trick/Windows7x64 -m /dev/sda1
Welcome to guestfish, the libguestfs filesystem interactive shell for
editing virtual machine filesystems.
Type: 'help' for help with commands
'quit' to quit the shell
><fs> ll /
total 392
drwxrwxrwx 1 root root 4096 Dec 15 04:48 .
dr-xr-xr-x 20 root root 0 Mar 30 13:30 ..
-rwxrwxrwx 1 root root 8192 Dec 15 12:47 BOOTSECT.BAK
drwxrwxrwx 1 root root 4096 Dec 15 12:47 Boot
drwxrwxrwx 1 root root 0 Dec 15 04:48 System Volume Information
-rwxrwxrwx 1 root root 383562 Jul 13 2009 bootmgr
><fs> ll /Boot/
total 596
drwxrwxrwx 1 root root 4096 Dec 15 12:47 .
drwxrwxrwx 1 root root 4096 Dec 15 04:48 ..
-rwxrwxrwx 1 root root 24576 Mar 25 12:25 BCD
-rwxrwxrwx 1 root root 21504 Mar 25 12:25 BCD.LOG
-rwxrwxrwx 2 root root 0 Dec 15 12:47 BCD.LOG1
-rwxrwxrwx 2 root root 0 Dec 15 12:47 BCD.LOG2
-rwxrwxrwx 1 root root 65536 Dec 15 12:47 BOOTSTAT.DAT
[snipped]
><fs> download /Boot/BCD /tmp/BCD
><fs> ^D
Then we can dump the contents out using hivexregedit. (We could also browse the contents with hivexsh).
$ hivexregedit --export /tmp/BCD '\' > /tmp/BCD.reg
In typical Microsoft style, the contents themselves are obscure, consisting of plenty of subkeys that look like this:
[\Objects\{1afa9c49-16ab-4a5c-901b-212802da9460}\Elements\14000006]
"Element"=hex(7):7b,00,37,00,65,00,61,00,32,00,65,00,31,00,61,00,63,\
00,2d,00,32,00,65,00,36,00,31,00,2d,00,34,00,37,00,32,00,38,00,2d,00,\
61,00,61,00,61,00,33,00,2d,00,38,00,39,00,36,00,64,00,39,00,64,00,30,\
00,61,00,39,00,66,00,30,00,65,00,7d,00,00,00,00,00
(Note that “type 7” is a list of strings, and the whole thing is encoded in UTF-16LE, so this requires some further work to parse).
There’s scope here to extend virt-inspector to understand this stuff, or even to write a BCDEDIT-style tool to modify the way Window VMs boot. Apparently the current BCDEDIT tool is half-arsed, so here’s another opportunity to beat Microsoft’s own tooling.
Richard WM Jones 
Hi Richard,
Hivex is great! It was the last thing I needed to get Windows 7 deployment over PXE to work for my Ulimate Deployment Appliance. I wrote a perl script that uses hivexsh to do the edits to a bcd file. Since hivex can not create a BCD file I just use the one I find on the installation DVD, clean it out entirely and then create the appropriate entries for PXE booting. Get the
script at: ultimatedeployment.org
The script currently only supports creating a PXE bootable BCD store, but it can quite easily be extended.
The dude
We also have Perl bindings for hivex …
Hi Richard,
I am using hivexsh to read the BCD contents, is there a way to convert the hex(7) string into human readable string or vice versa.
Not easily. However other tools like
hivexregeditandvirt-win-reghave an option--unsafe-printable-stringswhich does what you want. Another alternative is to use the API, or to implement something in hivexsh.