Explore the Windows registry with libguestfs

Using libguestfs we can dump out the Windows registry as plain files. Here’s how.

You will need Petter Nordahl-Hagen’s Windows registry tools (Fedora package chntpw).

On NT-derived versions of Windows, the registry is stored in several binary files under the path /WINDOWS/system32/config. This document explains what’s in what file and Wikipedia explains how the registry is logically arranged.

For this example, I downloaded /WINDOWS/system32/config/software which maps to the Windows registry node HKEY_LOCAL_MACHINE\SOFTWARE:

guestfish -a /dev/mapper/Guests-Win2K3FV -m /dev/sda1 \
  download /WINDOWS/system32/config/software software

Using the reged tool from chntpw, I simply dumped out everything in this file into a human-readable format:

reged -x software HKEY_LOCAL_MACHINE\\SOFTWARE \\ software.reg > /dev/null

The output file, software.reg, contains thousands of plaintext entries like this (chosen at random):


I’m now going to add this functionality to virt-inspector.
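
To search or diff the exported software.reg afterwards, the text can be parsed into a dictionary. This is an added example, not code from the original post or from chntpw or libguestfs; it assumes reged writes the regedit-style text layout ([key] headers followed by "name"=value lines), and the sample input is constructed.

```python
import re

# Constructed sample in the assumed regedit-style layout (not real guest data).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\App]
@="default value"
"InstallDir"="C:\\Program Files\\Example"
"Enabled"=dword:00000001
"Blob"=hex:01,02,03,\
  04,05

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Empty]
'''

_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _decode(raw):
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        return _unescape(raw[1:-1])  # string value
    if raw.startswith('dword:'):
        return int(raw[6:], 16)  # 32-bit integer written as hex digits
    m = re.match(r'hex(?:\(([0-9a-fA-F]+)\))?:(.*)$', raw)
    if m:  # hex: or hex(N): comma-separated bytes, returned undecoded
        return bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
    return raw  # unknown type: keep the text as-is


def parse_reg(text):
    """Return {key_path: {value_name: value}}; '@' names the default value."""
    keys, current, pending = {}, None, ''
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ''
        if line.endswith('\\') and not line.startswith('['):
            pending = line[:-1]  # hex data continues on the next line
            continue
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := _VALUE.match(line)):
            name = m.group(1)
            current['@' if name == '@' else _unescape(name[1:-1])] = _decode(m.group(2))
    return keys
```

Calling parse_reg(open('software.reg', errors='replace').read()) gives one dictionary per key, which makes it easy to compare two exports of the same guest taken at different times.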


