Hivetools - Offline Windows Registry Utilities (GPL)
Please visit my donations page, I need money for food!
Status: alpha
Warning: This software is alpha quality. It may work as
expected, it may not. It may corrupt your registry. Use with
caution. Always backup your registry before using this
software.
Download
The source: hivetools-0.4pre0.tar.gz
Win32 Binaries: hivetools-0.4pre0-w32.zip
The old source: hivetools-0.3.tar.gz
All files: files/
News
070927 - New Version 0.4pre0 !
After over a year there is a new version available! It seems that I skipped ahead to Milestone 2, so Milestone 1 is next on the list.
- Vastly improved unicode support
- Windows version is functional
- Win32 passthrough is working
- Bug fixes
- Added proftool to do the messy parts of Manual profile migration
Introduction
Hivetools aims at providing a flexible API by which one can
access data stored in the registry. Also included are a set of
(currently rudimentary) programs that leverage the API.
History
Hivetools is a fork of the popular offline Windows registry
tool Chntpw, by Petter Nordahl-Hagen. It started as a hack to
set and retrieve registry values from the command line.
The Layout of Hivetools
The software is organized into a low-level library (lib), a mid-level
library (hivetools) and user programs (bin). The low-level library provides
access to raw hive files. Its interface attempts to
approximate that of the win32 registry API. The mid-level
library facilitates use of the low-level library. It provides
a POSIX-like API as well as functions that operate on data
stored within the registry (such as SAM data). The programs
leverage both the mid and low-level libraries. They allow
users to perform actions upon the registry.
Programs (bin)
- regmod - insert and extract .reg (Regedit style) files
- hiveshell - what has become of the chntpw interface.
  Some of the chntpw functionality is still missing from
  hiveshell at this time.
- sam - provides access to Security Accounts Manager data
Mid-level Library (hivetools)
The mid-level library is found in the hivetools directory
(which may be renamed in the near future). It currently
provides the following:
- nstdreg: provides registry access through a more
  POSIX-like interface. Provides functions such as
  - ns_open(char*) open a registry key such as
    "HKEY_LOCAL_MACHINE/software/whatever"
  - ns_opendir(char*)
  - ns_readdir()
  - ns_rewinddir()
  - ns_mkdir()
  - ns_unlink()
  - ns_exists()
  - etc, etc...
- sam: provides access to the SAM database
  - retrieve user list
  - decode user V,F structures
  - decode SAM F structure
  - password crypto functions
Low-level library (lib)
The low-level library attempts to emulate (currently poorly)
the Windows registry API. It provides functions such as:
- long rlRegOpenHiveFile(rl_hkey *result, const char *fname,
      const char *keypath, int mode);
- long rlRegOpenKeyEx(rl_hkey hkey, const char *skname,
      ulong options, REGSAM, rl_hkey *result);
- long rlRegQueryValueEx(rl_hkey key, const char *vname,
      unsigned long *type,
- long rlRegEnumKeyEx(rl_hkey, unsigned long index, char *name,
      unsigned long *len, char *cname,
- long rlRegEnumValue(rl_hkey key, unsigned long index,
      char *vname, unsigned
- long rlRegSetValueEx(rl_hkey key, const char *vname,
      ulong reserved, ulong type, const char *buf,
      ulong blen);
- long rlRegCreateKeyEx(rl_hkey hkey, const char *skname,
      const char *r_class, unsigned long options,
      REGSAM desired,
- long rlRegQueryInfoKey()
- long rlRegQueryMultipleValues()
- long rlRegCloseKey(rl_hkey key)
- long rlRegFlushKey(rl_hkey key)
- long rlRegDeleteKey(rl_hkey key, const char *skname)
- long rlRegDeleteValue(rl_hkey key, const char *vname)
Future Development
Please note that I do not intend to put a lot of time into this
project between now (July 20, 2006) and mid-to-late fall.
Milestones
Milestones focus mostly on the library portions of the code.
During the course of development additional things may happen
with the hivetools top-level programs.
Milestone 0 (version 0.3, initial release)
Initial alpha release.
- RI_KEY (large keys) support is minimal. They can be
  read from and written to in an unbalanced sort of way.
  They cannot be created yet and L?_KEYs cannot yet be
  converted to them.
- CD_KEYS (large values) are totally unsupported.
- There is no ACL support.
- Paged file access does not yet exist. Hive files can
  be neither grown nor shrunk. Entire hive files must be
  loaded into memory.
- Little testing has been done. There are bugs galore.
- A lot of the code is messy.
Milestone 2 (version 0.4)
Native Windows operation is supported.
- program compiles under Mingw and/or Cygwin
- rlReg* functions support pass-through to win32 API
Milestone 1 (to be version 0.5)
Most major low-level library functionality is implemented.
- RI_KEYs are properly supported. L?_KEYs can be
  converted to and from RI_KEYS. Insertion into/deletion
  from RI_KEYS maintains a reasonable spread in the child
  LI_KEYs.
- CD_KEYs are supported.
- SK_KEYS (security keys/ACLs) are supported.
- Paged file access is possible. Hive files can be
  grown and (possibly) shrunk.
- More of the rlReg* functions are implemented or are
  implemented more fully.
- The nstdreg namespace issues have been dealt with. (070927 - This is mostly done)
- The existing nstdreg API is frozen.
- Stability improvements.
- Big code cleanup.
Milestone 3 (to be version 0.6)
Low-level library is stable. When this milestone is reached
stable and unstable branches will be created.
- low-level library is quite stable.
- Many new unit tests have been added.
Further On
These are some ideas that may or may not ever come to fruition.
- Write a program that would scan all of the locations in the
  registry where programs start from, from where explorer
  extensions are loaded, winlogon, etc. The program would move
  all entries that are not required to boot the system to a
  temporary location. The user could then boot the system in
  "more-safe-mode", and run ad-aware/hijackthis/spybot/whatever
  in peace. The program could then restore the temporarily
  moved startup items.
- A program that would scan all of the registry startup items
  and then calculate MD5s for the files that those items refer
  to. This program could then connect to a database/wiki/something
  over the Internet. The database would contain file names, MD5s
  and some sort of danger/safe ratings. User contribution to the
  database would be built into the software.
- Viewing hardware configurations should be very easy. It
  *might* be possible to export hardware configurations from the
  hive and retrieve driver files from disk. This would be very
  nice for reinstalling (if it is even possible).
- A utility to set/query certain values (things like
  CrashOnCtrlScroll) might be fun^Wuseful
Contributing
I welcome your comments, suggestions, bug reports, patches,
documentation, money, pizza, beer, etc. You can reach me at
sloaring@tec-man.com.
You can donate money (pleeeeese) here.
License Information
This software is released under version 2 of the GPL.
See COPYING.