Explore the Windows registry with libguestfs

Using libguestfs we can dump out the Windows registry as plain files. Here’s how.

You will need Petter Nordahl-Hagen’s Windows registry tools (Fedora package chntpw).

On NT-derived versions of Windows, the registry is stored in several binary files under the path /WINDOWS/system32/config. This document explains what’s in what file and Wikipedia explains how the registry is logically arranged.

For this example, I downloaded /WINDOWS/system32/config/software which maps to the Windows registry node HKEY_LOCAL_MACHINE\SOFTWARE:

guestfish -a /dev/mapper/Guests-Win2K3FV -m /dev/sda1 \
  download /WINDOWS/system32/config/software software

Using the reged tool from chntpw, I simply dumped out everything in this file into a human-readable format:

reged -x software HKEY_LOCAL_MACHINE\\SOFTWARE \\ software.reg > /dev/null

The output file, software.reg, contains thousands of plaintext entries like this (chosen at random):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Excel]
"win32"="C:\WINDOWS\system32\msexcl40.dll"
"DisabledExtensions"="!xls"
"ImportMixedTypes"="Text"
"FirstRowHasNames"=hex:01,00
"AppendBlankRows"=dword:00000001
"TypeGuessRows"=dword:00000008

I’m now going to add this functionality to virt-inspector.
