Thanks to “TJ” for tipping me off about another use of the Registry “hive” format in recent versions of Windows.
There are scant details available, but from Windows Vista onwards the boot loader is no longer configured through a plain text file (“BOOT.INI”) but through a binary blob, the BCD (Boot Configuration Data) store. Microsoft provides a tool called “BCDEDIT.EXE” that you are supposed to use to edit this, but the blob is a registry hive, so you can use hivex to display or modify it. (As with any hive in a guest image, only write to it while the guest is shut down.)
We first use guestfish to download the blob:
$ guestfish --ro -a /dev/vg_trick/Windows7x64 -m /dev/sda1

Welcome to guestfish, the libguestfs filesystem interactive shell for
editing virtual machine filesystems.

Type: 'help' for help with commands
      'quit' to quit the shell

><fs> ll /
total 392
drwxrwxrwx  1 root root   4096 Dec 15 04:48 .
dr-xr-xr-x 20 root root      0 Mar 30 13:30 ..
-rwxrwxrwx  1 root root   8192 Dec 15 12:47 BOOTSECT.BAK
drwxrwxrwx  1 root root   4096 Dec 15 12:47 Boot
drwxrwxrwx  1 root root      0 Dec 15 04:48 System Volume Information
-rwxrwxrwx  1 root root 383562 Jul 13  2009 bootmgr
><fs> ll /Boot/
total 596
drwxrwxrwx 1 root root  4096 Dec 15 12:47 .
drwxrwxrwx 1 root root  4096 Dec 15 04:48 ..
-rwxrwxrwx 1 root root 24576 Mar 25 12:25 BCD
-rwxrwxrwx 1 root root 21504 Mar 25 12:25 BCD.LOG
-rwxrwxrwx 2 root root     0 Dec 15 12:47 BCD.LOG1
-rwxrwxrwx 2 root root     0 Dec 15 12:47 BCD.LOG2
-rwxrwxrwx 1 root root 65536 Dec 15 12:47 BOOTSTAT.DAT
[snipped]
><fs> download /Boot/BCD /tmp/BCD
><fs> ^D
Then we can dump the contents out using hivexregedit. (We could also browse the contents with hivexsh).
$ hivexregedit --export /tmp/BCD '\' > /tmp/BCD.reg
In typical Microsoft style, the contents themselves are obscure, consisting of plenty of subkeys that look like this:
[\Objects\{1afa9c49-16ab-4a5c-901b-212802da9460}\Elements\14000006]
"Element"=hex(7):7b,00,37,00,65,00,61,00,32,00,65,00,31,00,61,00,63,\
  00,2d,00,32,00,65,00,36,00,31,00,2d,00,34,00,37,00,32,00,38,00,2d,00,\
  61,00,61,00,61,00,33,00,2d,00,38,00,39,00,36,00,64,00,39,00,64,00,30,\
  00,61,00,39,00,66,00,30,00,65,00,7d,00,00,00,00,00
(Note that “type 7” is REG_MULTI_SZ, a list of NUL-terminated strings closed by an extra NUL, and the whole thing is encoded in UTF-16LE. The value above decodes to the single string {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}, i.e. a reference to another object in the store, so some further parsing is needed before the export is readable.)
There’s scope here to extend virt-inspector to understand this stuff, or even to write a BCDEDIT-style tool to modify the way Windows VMs boot. Apparently the current BCDEDIT tool is half-arsed, so here’s another opportunity to beat Microsoft’s own tooling.
Hi Richard,
Hivex is great! It was the last thing I needed to get Windows 7 deployment over PXE to work for my Ultimate Deployment Appliance. I wrote a perl script that uses hivexsh to do the edits to a bcd file. Since hivex can not create a BCD file I just use the one I find on the installation DVD, clean it out entirely and then create the appropriate entries for PXE booting. Get the script at: ultimatedeployment.org
The script currently only supports creating a PXE bootable BCD store, but it can quite easily be extended.
The dude
We also have Perl bindings for hivex …
Hi Richard,
I am using hivexsh to read the BCD contents. Is there a way to convert the hex(7) string into a human readable string, or vice versa?
Not easily. However other tools like hivexregedit and virt-win-reg have an option --unsafe-printable-strings which does what you want. Another alternative is to use the API, or to implement something in hivexsh.