Hivex is a library for reading and writing Windows Registry “hive” files. New in version 1.3.0 and Fedora 16 is the ability to access the library from Ruby.
As an example, first grab some hive files from a Windows virtual machine. The simplest way is using virt-copy-out:
    # virt-copy-out -a win.img \
        'win:c:\windows\system32\config' .
    # ls config/
    ...
    SOFTWARE
    SYSTEM
    ...
Using the following Ruby script you can extract and display registry keys from the hive files:
    #!/usr/bin/ruby
    require 'hivex'

    h = Hivex::open("config/SOFTWARE", {})
    # Use this instead if you want to make changes:
    # h = Hivex::open("config/SOFTWARE", { :write => 1 })

    root = h.root()
    node = h.node_get_child(root, "Microsoft")
    if node.nil? then
      puts "no HKLM\\SOFTWARE\\Microsoft node: Probably not the correct hive"
      exit 1   # stop here: the lookups below would fail on a nil node
    end
    node = h.node_get_child(node, "Windows NT")
    node = h.node_get_child(node, "CurrentVersion")
    val = h.node_get_value(node, "ProductName")
    # value_value returns the raw bytes; a REG_SZ string is stored as UTF-16LE
    hash = h.value_value(val)
    puts "Windows product name:", hash[:value]
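The script above stops only if the first key is missing and prints the product name as raw bytes. The following is an added example (not code from the hivex project or from the original post) that walks an arbitrary key path with a check at every step and decodes the common value types. It uses only the calls shown above (root, node_get_child, node_get_value, value_value) and accepts any handle that responds to them, so with the real library you would pass the result of Hivex::open. The :type key in the hash returned by value_value and the SampleHive stand-in are assumptions made so that the example runs without a hive file; the value-type numbers are the standard Windows ones.

```ruby
# Added example; not part of hivex or the original post.
# Works against any object with the hivex calls root, node_get_child,
# node_get_value and value_value, e.g.
#   require 'hivex'; h = Hivex::open("config/SOFTWARE", {})

REG_SZ        = 1
REG_EXPAND_SZ = 2
REG_DWORD     = 4
REG_MULTI_SZ  = 7

# Follow a backslash-separated key path from the hive root. Returns
# [node, nil] on success or [nil, missing_component] if a key is absent,
# instead of passing nil on to the next node_get_child call.
def lookup_node(h, path)
  node = h.root
  path.split("\\").each do |name|
    node = h.node_get_child(node, name)
    return [nil, name] if node.nil?
  end
  [node, nil]
end

# value_value is assumed to return { :type => n, :value => raw_bytes }.
# Strings in a hive are UTF-16LE with a terminating NUL; DWORDs are
# 4 bytes little-endian.
def decode_value(type, raw)
  case type
  when REG_SZ, REG_EXPAND_SZ
    raw.dup.force_encoding("UTF-16LE").encode("UTF-8").sub(/\0+\z/, "")
  when REG_MULTI_SZ
    raw.dup.force_encoding("UTF-16LE").encode("UTF-8").split("\0").reject(&:empty?)
  when REG_DWORD
    raw.unpack1("V")
  else
    raw # REG_BINARY and unknown types: hand the bytes back untouched
  end
end

# Read one value, reporting exactly what was missing rather than crashing.
def read_value(h, path, name)
  node, missing = lookup_node(h, path)
  return [:missing_key, missing] if node.nil?
  val = h.node_get_value(node, name)
  return [:missing_value, name] if val.nil?
  v = h.value_value(val)
  [:ok, decode_value(v[:type], v[:value])]
end

# --- Constructed in-memory stand-in for a hivex handle (assumption) ---
# A node is a Hash with :children and :values; a value is [type, raw_bytes].
class SampleHive
  def initialize(tree)
    @tree = tree
  end

  def root
    @tree
  end

  def node_get_child(node, name)
    node[:children][name]
  end

  def node_get_value(node, name)
    node[:values][name]
  end

  def value_value(val)
    { :type => val[0], :value => val[1] }
  end
end

# Encode a string the way it is stored in a hive: UTF-16LE plus a NUL.
def utf16(s)
  (s + "\0").encode("UTF-16LE").b
end

# Constructed sample data mirroring the SOFTWARE hive layout used above.
def sample_hive
  key = lambda { |children, values| { :children => children, :values => values } }
  current_version = key.call({}, {
    "ProductName"        => [REG_SZ, utf16("Windows Sample Edition")],
    "CurrentBuildNumber" => [REG_SZ, utf16("7601")],
    "InstallDate"        => [REG_DWORD, [1234567890].pack("V")]
  })
  windows_nt = key.call({ "CurrentVersion" => current_version }, {})
  microsoft  = key.call({ "Windows NT" => windows_nt }, {})
  SampleHive.new(key.call({ "Microsoft" => microsoft }, {}))
end

if __FILE__ == $0
  h = sample_hive
  p read_value(h, "Microsoft\\Windows NT\\CurrentVersion", "ProductName")
  p read_value(h, "Microsoft\\Windows NT\\CurrentVersion", "InstallDate")
  p read_value(h, "Microsoft\\Missing", "ProductName")
end
```

Replace sample_hive with the handle from Hivex::open to run this against a real hive; the return values make a missing key or value a reportable condition, which is the behaviour you want when scanning many hives from disk images.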