Thanks to “TJ” for tipping me off about another use of the Registry “hive” format in recent versions of Windows.
There are scant details available, but if you have a version of Windows Vista or later, then the boot loader is no longer configured through a plain text file (“BOOT.INI”) but via a binary blob. Microsoft provides a tool called “BCDEDIT.EXE” that you are supposed to use to edit this, but the blob is a hive so you can use hivex to display or modify it.
We first use guestfish to download the blob:
$ guestfish --ro -a /dev/vg_trick/Windows7x64 -m /dev/sda1
Welcome to guestfish, the libguestfs filesystem interactive shell for
editing virtual machine filesystems.
Type: 'help' for help with commands
'quit' to quit the shell
><fs> ll /
drwxrwxrwx 1 root root 4096 Dec 15 04:48 .
dr-xr-xr-x 20 root root 0 Mar 30 13:30 ..
-rwxrwxrwx 1 root root 8192 Dec 15 12:47 BOOTSECT.BAK
drwxrwxrwx 1 root root 4096 Dec 15 12:47 Boot
drwxrwxrwx 1 root root 0 Dec 15 04:48 System Volume Information
-rwxrwxrwx 1 root root 383562 Jul 13 2009 bootmgr
><fs> ll /Boot/
drwxrwxrwx 1 root root 4096 Dec 15 12:47 .
drwxrwxrwx 1 root root 4096 Dec 15 04:48 ..
-rwxrwxrwx 1 root root 24576 Mar 25 12:25 BCD
-rwxrwxrwx 1 root root 21504 Mar 25 12:25 BCD.LOG
-rwxrwxrwx 2 root root 0 Dec 15 12:47 BCD.LOG1
-rwxrwxrwx 2 root root 0 Dec 15 12:47 BCD.LOG2
-rwxrwxrwx 1 root root 65536 Dec 15 12:47 BOOTSTAT.DAT
><fs> download /Boot/BCD /tmp/BCD
Then we can dump the contents out using hivexregedit. (We could also browse the contents with hivexsh.)
$ hivexregedit --export /tmp/BCD '\' > /tmp/BCD.reg
In typical Microsoft style, the contents themselves are obscure, consisting of plenty of subkeys that look like this:
(Note that “type 7” is a list of strings, and the whole thing is encoded in UTF-16LE, so this requires some further work to parse).
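The further work mentioned above, sketched as an added example (not code from the original post or from the hivex project): a small Python parser that pulls every type 7 value out of an exported .reg file and decodes the UTF-16LE string list. It assumes the export writes these values in the regedit style `"Name"=hex(7):xx,xx,...`; the sample key path, value name and GUIDs are constructed for illustration.

```python
import re

def _to_hex(strings):
    # Encode a list of strings the way a type-7 value stores them:
    # UTF-16LE, each string NUL-terminated, plus a final empty string.
    raw = ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")
    return ",".join("%02x" % b for b in raw)

# Constructed sample input: key path, value name and GUIDs are made up.
GUIDS = ["{11111111-2222-3333-4444-555555555555}",
         "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"]
_h = _to_hex(GUIDS)
SAMPLE_REG = ("[\\Objects\\{example}\\Elements\\00000000]\n"
              '"Element"=hex(7):' + _h[:60] + "\\\n  " + _h[60:] + "\n")

# Assumed line shape: "ValueName"=hex(7):aa,bb,cc,...
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=hex\(7\):([0-9a-fA-F,]*)$')

def decode_multi_sz(data):
    """Decode raw type-7 bytes into a list of Python strings."""
    if len(data) % 2:
        raise ValueError("UTF-16LE data must have an even length")
    parts = data.decode("utf-16-le").split("\0")
    while parts and parts[-1] == "":   # drop the terminating empty string(s)
        parts.pop()
    return parts

def multi_sz_values(reg_text):
    """Return {(key, value_name): [strings]} for every hex(7) value."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)  # undo line continuations
    found, key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]           # remember which key we are inside
            continue
        m = VALUE_RE.match(line)
        if m:
            data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
            found[(key, m.group(1))] = decode_multi_sz(data)
    return found

if __name__ == "__main__":
    for (key, name), strings in multi_sz_values(SAMPLE_REG).items():
        print(key, name, strings)
```

To run it on the real export, pass the text of /tmp/BCD.reg to multi_sz_values() instead of SAMPLE_REG.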
There’s scope here to extend virt-inspector to understand this stuff, or even to write a BCDEDIT-style tool to modify the way Windows VMs boot. Apparently the current BCDEDIT tool is half-arsed, so here’s another opportunity to beat Microsoft’s own tooling.