.\" Automatically generated by Pod::Man 4.10 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "hivexsh 1"
.TH hivexsh 1 "2021-04-18" "hivex-1.3.18" "Windows Registry"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
hivexsh \- Windows Registry hive shell
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& hivexsh [\-options] [hivefile]
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This program provides a simple shell for navigating Windows Registry
\&'hive' files.  It uses the hivex library for access to these binary
files.
.PP
Firstly you will need to provide a hive file from a Windows operating
system.  The hive files are usually located in
\&\f(CW\*(C`C:\eWindows\eSystem32\eConfig\*(C'\fR and have names like \f(CW\*(C`software\*(C'\fR,
\&\f(CW\*(C`system\*(C'\fR etc (without any file extension).  For more information
about hive files, read \fBhivex\fR\|(3).  For information about downloading
files from virtual machines, read \fBvirt\-cat\fR\|(1) and \fBguestfish\fR\|(1).
.PP
You can provide the name of the hive file to examine on the command
line.  For example:
.PP
.Vb 1
\& hivexsh software
.Ve
.PP
Or you can start \f(CW\*(C`hivexsh\*(C'\fR without any arguments, and immediately
use the \f(CW\*(C`load\*(C'\fR command to load a hive:
.PP
.Vb 1
\& $ hivexsh
\&
\& Welcome to hivexsh, the hivex interactive shell for examining
\& Windows Registry binary hive files.
\&
\& Type: \*(Aqhelp\*(Aq for help with commands
\&       \*(Aqquit\*(Aq to quit the shell
\&
\& > load software
\& software\e>
.Ve
.PP
Navigate through the hive's keys using the \f(CW\*(C`cd\*(C'\fR command, as if it
contained a filesystem, and use \f(CW\*(C`ls\*(C'\fR to list the subkeys of the
current key.  Other commands are listed below.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-d\fR" 4
.IX Item "-d"
Enable lots of debug messages.  If you find a Registry file that this
program cannot parse, please enable this option and post the complete
output \fIand\fR the Registry hive file in your bug report.
.IP "\fB\-f\fR filename" 4
.IX Item "-f filename"
Read commands from \f(CW\*(C`filename\*(C'\fR instead of stdin.
To write a hivexsh script, use:
.Sp
.Vb 1
\& #!/usr/bin/hivexsh \-f
.Ve
.IP "\fB\-u\fR" 4
.IX Item "-u"
Use heuristics to tolerate certain levels of corruption within hives.
.Sp
This is unsafe but may allow you to export/merge valid keys/values in
an otherwise corrupted hive.
.IP "\fB\-w\fR" 4
.IX Item "-w"
If this option is given, then writes are allowed to the hive (see
the \*(L"commit\*(R" command below, and the discussion of modifying hives in
\&\*(L"\s-1WRITING TO HIVE FILES\*(R"\s0 in \fBhivex\fR\|(3)).
.Sp
\&\fBImportant Note:\fR Even if you specify this option, nothing is written
to a hive unless you call the \*(L"commit\*(R" command.  If you exit the shell
without committing, all changes will be discarded.
.Sp
If this option is not given, then write commands are disabled.
.SH "COMMANDS"
.IX Header "COMMANDS"
.IP "\fBadd\fR name" 4
.IX Item "add name"
Add a subkey named \f(CW\*(C`name\*(C'\fR below the current node.  The name may
contain spaces and punctuation characters, and does not need to be
quoted.
.Sp
The new key will have no subkeys and no values (see \f(CW\*(C`setval\*(C'\fR).
.Sp
There must be no existing subkey called \f(CW\*(C`name\*(C'\fR, or this command
will fail.  To replace an existing subkey, delete it first like this:
.Sp
.Vb 2
\& cd name
\& del
.Ve
.IP "\fBcd\fR path" 4
.IX Item "cd path"
Change to the subkey \f(CW\*(C`path\*(C'\fR.  Use Windows-style backslashes to
separate path elements, and start with a backslash in order to start
from the root of the hive.  For example:
.Sp
.Vb 1
\& cd \eClasses\e*
.Ve
.Sp
moves from the root node, to the \f(CW\*(C`Classes\*(C'\fR node, to the \f(CW\*(C`*\*(C'\fR node.
If you were already at the root node, you could do this instead:
.Sp
.Vb 1
\& cd Classes\e*
.Ve
.Sp
or even:
.Sp
.Vb 2
\& cd Classes
\& cd *
.Ve
.Sp
Path elements (node names) are matched case insensitively, and
characters like space, \f(CW\*(C`*\*(C'\fR, and \f(CW\*(C`?\*(C'\fR have \fIno\fR special
significance.
.Sp
\&\f(CW\*(C`cd ..\*(C'\fR may be used to go to the parent directory.
.Sp
\&\f(CW\*(C`cd\*(C'\fR without any arguments prints the current path.
.Sp
Be careful with \f(CW\*(C`cd \e\*(C'\fR since the readline library has an
undocumented behaviour where it will think the final backslash is a
continuation (it reads the next line of input and appends it).  Put a
single space after the backslash.
.IP "\fBclose\fR | \fBunload\fR" 4
.IX Item "close | unload"
Close the currently loaded hive.
.Sp
If you modified the hive, all uncommitted writes are lost when you call
this command (or if the shell exits).  You have to call \f(CW\*(C`commit\*(C'\fR to
write changes.
.IP "\fBcommit\fR [newfile]" 4
.IX Item "commit [newfile]"
Commit changes to the hive.  If the optional \f(CW\*(C`newfile\*(C'\fR parameter is
supplied, then the hive is written to that file, else the original file
is overwritten.
.Sp
Note that you have to specify the \f(CW\*(C`\-w\*(C'\fR flag, otherwise no writes
are allowed.
.IP "\fBdel\fR" 4
.IX Item "del"
Delete the current node and everything beneath it.  The current
directory is moved up one level (as if you did \f(CW\*(C`cd ..\*(C'\fR) after
this command.
.Sp
You cannot delete the root node.
.IP "\fBexit\fR | \fBquit\fR" 4
.IX Item "exit | quit"
Exit the shell.
.IP "\fBload\fR hivefile" 4
.IX Item "load hivefile"
Load the binary hive named \f(CW\*(C`hivefile\*(C'\fR.  The currently loaded hive,
if any, is closed.  The current directory is changed back to the root
node.
.IP "\fBls\fR" 4
.IX Item "ls"
List the subkeys of the current hive Registry key.  Note this command
does not take any arguments.
.IP "\fBlsval\fR [key]" 4
.IX Item "lsval [key]"
List the (key, value) pairs of the current hive Registry key.  If no
argument is given then all pairs are displayed.  If \f(CW\*(C`key\*(C'\fR is given,
then the value of the named key is displayed.  If \f(CW\*(C`@\*(C'\fR is given, then
the value of the default key is displayed.
.IP "\fBsetval\fR nrvals" 4
.IX Item "setval nrvals"
This command replaces all (key, value) pairs at the current node with
the values in subsequent input.  \f(CW\*(C`nrvals\*(C'\fR is the number of values
(i.e. (key, value) pairs), and any existing values at this node are
deleted.  So \f(CW\*(C`setval 0\*(C'\fR just deletes any values at the current
node.
.Sp
The command reads 2 * nrvals lines of input, with each pair of lines
of input corresponding to a key and a value to add.
.Sp
For example, the following setval command replaces whatever is at the
current node with two (key, value) pairs.  The default key is set to
the UTF16\-LE\-encoded string \*(L"abcd\*(R".  The other value is named
\&\*(L"ANumber\*(R" and is a little-endian \s-1DWORD\s0 0x12345678.
.Sp
.Vb 5
\& setval 2
\& @
\& string:abcd
\& ANumber
\& dword:12345678
.Ve
.Sp
The first line of each pair is the key (the special key \f(CW\*(C`@\*(C'\fR means
the default key, but you can also use a blank line).
.Sp
The second line of each pair is the value, which has a special format
\&\f(CW\*(C`type:value\*(C'\fR with possible types summarized in the table below:
.Sp
.Vb 1
\& none                No data is stored, and the type is set to 0.
\&
\& string:abc          "abc" is stored as a UTF16\-LE\-encoded
\&                     string (type 1).  Note that only 7 bit
\&                     ASCII strings are supported as input.
\&
\& expandstring:...    Same as string but with type 2.
\&
\& dword:0x01234567    A DWORD (type 4) with the hex value
\&                     0x01234567.  You can also use decimal
\&                     or octal numbers here.
\&
\& qword:0x0123456789abcdef
\&                     A QWORD (type 11) with the hex value
\&                     0x0123456789abcdef.  You can also use
\&                     decimal or octal numbers here.
\&
\& hex:<type>:<hexbytes>
\& hex:1:41,00,42,00,43,00,44,00,00,00
\&                     This is the generic way to enter any
\&                     value.  <type> is the integer value type.
\&                     <hexbytes> is a list of pairs of hex
\&                     digits which are treated as bytes.
\&                     (Any non\-hex\-digits here are ignored,
\&                     so you can separate bytes with commas
\&                     or spaces if you want).
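.Ve
.Sp
As an added example (not part of hivexsh or the hivex library), the
following Python models the \f(CW\*(C`setval\*(C'\fR line layout and the
\&\f(CW\*(C`type:value\*(C'\fR encodings from the table above.  It assumes
numbers are parsed with C strtol base\-0 rules (0x prefix hex, leading 0
octal, otherwise decimal) and that strings are stored UTF16\-LE with a
terminating NUL, as the \f(CW\*(C`hex:1:\*(C'\fR example shows.
.Sp
.Vb 1
```python
import re
import struct

# Added example, not hivex project code: models the hivexsh "type:value"
# syntax from the table above and the 2*nrvals line layout read by "setval".
# Type numbers are the ones the table gives: none=0, string=1,
# expandstring=2, dword=4, qword=11; hex:<type>:<hexbytes> covers the rest.
TYPE_NUMBERS = {"none": 0, "string": 1, "expandstring": 2, "dword": 4, "qword": 11}

def parse_c_int(text):
    """Assumed C strtol(base 0) rules: 0x prefix = hex, leading 0 = octal, else decimal."""
    text = text.strip()
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text[1:], 8)
    return int(text, 10)

def encode_value(spec):
    """Map one hivexsh value line to (registry type number, raw value bytes)."""
    kind, _, rest = spec.partition(":")
    if kind == "none":
        return 0, b""
    if kind in ("string", "expandstring"):
        if not rest.isascii():  # the table allows only 7 bit ASCII input here
            raise ValueError("only 7 bit ASCII strings are supported")
        # Assumed: UTF-16LE plus a terminating NUL, matching the hex:1 example bytes.
        return TYPE_NUMBERS[kind], (rest + "\0").encode("utf-16-le")
    if kind == "dword":
        return 4, struct.pack("<I", parse_c_int(rest))  # little-endian, 4 bytes
    if kind == "qword":
        return 11, struct.pack("<Q", parse_c_int(rest))  # little-endian, 8 bytes
    if kind == "hex":
        type_text, _, hexbytes = rest.partition(":")
        digits = re.sub(r"[^0-9a-fA-F]", "", hexbytes)  # commas/spaces are ignored
        if len(digits) % 2:
            raise ValueError("hex byte list has an odd number of digits")
        return parse_c_int(type_text), bytes.fromhex(digits)
    raise ValueError("unknown value type %r" % kind)

def setval_script(pairs):
    """Render (key, spec) pairs as the 1 + 2*nrvals lines hivexsh reads for setval."""
    lines = ["setval %d" % len(pairs)]
    for key, spec in pairs:
        lines.append(key if key else "@")  # an empty key name means the default key
        lines.append(spec)
    return "\n".join(lines) + "\n"
```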
.Ve
.SH "EXAMPLE"
.IX Header "EXAMPLE"
.Vb 3
\& $ guestfish \-\-ro \-i Windows7
\& > download win:c:\ewindows\esystem32\econfig\esoftware software
\& > quit
\&
\& $ hivexsh software
\&
\& Welcome to hivexsh, the hivex interactive shell for examining
\& Windows Registry binary hive files.
\&
\& Type: \*(Aqhelp\*(Aq for help with commands
\&       \*(Aqquit\*(Aq to quit the shell
\&
\& software\e> ls
\& ATI Technologies
\& Classes
\& Clients
\& Intel
\& Microsoft
\& ODBC
\& Policies
\& RegisteredApplications
\& Sonic
\& Wow6432Node
\& software\e> quit
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBhivex\fR\|(3),
\&\fBhivexget\fR\|(1),
\&\fBhivexml\fR\|(1),
\&\fBvirt\-win\-reg\fR\|(1),
\&\fBguestfs\fR\|(3),
\&\fBvirt\-cat\fR\|(1),
\&\fBvirt\-edit\fR\|(1).
.SH "AUTHORS"
.IX Header "AUTHORS"
Richard W.M. Jones (\f(CW\*(C`rjones at redhat dot com\*(C'\fR)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright (C) 2009\-2010 Red Hat Inc.
.PP
This program is free software; you can redistribute it and/or modify
it under the terms of the \s-1GNU\s0 General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.PP
This program is distributed in the hope that it will be useful,
but \s-1WITHOUT ANY WARRANTY\s0; without even the implied warranty of
\&\s-1MERCHANTABILITY\s0 or \s-1FITNESS FOR A PARTICULAR PURPOSE.\s0  See the
\&\s-1GNU\s0 General Public License for more details.
.PP
You should have received a copy of the \s-1GNU\s0 General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, \s-1MA 02110\-1301 USA.\s0