
hivex

hivex is a powerful library and set of command-line tools for reading, writing, and manipulating Windows Registry hive files. Essential for digital forensics, incident response, and Windows system analysis. Supports extracting artifacts from SAM, SYSTEM, SECURITY, SOFTWARE, and NTUSER.DAT hives.

Installation

# Kali Linux (pre-installed)
hivexsh --version

# Manual installation
sudo apt-get update
sudo apt-get install hivex

# From source
git clone git://git.annexia.org/libhivex.git
cd libhivex
./configure
make
sudo make install

# Verify installation
which hivexsh
which hivexml
which hivexregedit
hivexml --help

Core Components

Tool           Purpose
hivexsh        Interactive shell for registry hive navigation
hivexml        Convert hive to XML format
hivexregedit   Python-based registry editor
hivexget       Extract values from registry hives
hivexdiff      Compare two registry hives

Interactive Shell (hivexsh)

Basic Navigation

# Open registry hive in write mode (-w)
hivexsh -w SAM

# Open system hive
hivexsh -w SYSTEM

# Open user hive
hivexsh -w C:/Users/username/NTUSER.DAT

# Read-only mode (default)
hivexsh SAM

# Show root keys
cd /
ls

Hive Navigation Commands

Command      Purpose
cd <path>    Navigate to registry path
ls           List subkeys in current location
cat <key>    Display key value
info         Show key metadata
dump         Export current location
quit         Exit interactive shell
help         Display command help
path         Show current path

Interactive Session Examples

# Navigate SAM hive
hivexsh SAM
> cd /
> ls
> cd SAM/Domains/Builtin/Users
> ls
> cat Names

# Extract user information
> cd /SAM/Domains/Builtin/Users
> ls
> cd 000001F4
> info
> cat F

# Examine SYSTEM hive
hivexsh SYSTEM
> cd /ControlSet001/Services
> ls
> cd /CurrentVersion
> cat SystemRoot

Command-Line Tools

hivexml - XML Export

# Convert hive to XML
hivexml SAM > sam.xml

# Convert SYSTEM hive
hivexml SYSTEM > system.xml

# Convert NTUSER.DAT
hivexml NTUSER.DAT > ntuser.xml

# Pretty print XML
hivexml SAM | xmllint --format - > sam_formatted.xml

# Filter specific keys
hivexml SAM | grep -A 5 "Names"

hivexget - Extract Values

# Get specific registry value
hivexget SAM '/SAM/Domains/Builtin/Users/Names'

# Extract from SYSTEM hive
hivexget SYSTEM '/ControlSet001/Services/RealTek/ImagePath'

# Get all values in key
hivexget SAM '/SAM/Domains/Builtin'

# Extract with path display
hivexget -p NTUSER.DAT '/Software/Microsoft/Windows/CurrentVersion/Run'

hivexdiff - Compare Hives

# Compare two SAM files
hivexdiff SAM_old SAM_new

# Compare SYSTEM hives
hivexdiff SYSTEM_jan SYSTEM_feb

# Generate detailed diff report
hivexdiff -v old.hive new.hive > changes.txt

# Show only added keys
hivexdiff SAM_before SAM_after | grep "^<"

Forensic Analysis Workflows

User Account Analysis

# Extract user accounts from SAM
hivexsh SAM
> cd /SAM/Domains/Builtin/Users
> ls
> cd 000001F4
> dump

# Export to XML for analysis
hivexml SAM > sam_analysis.xml

# Search for specific users
hivexml SAM | grep -i "administrator"

# Get user RID mapping
hivexget SAM '/SAM/Domains/Builtin/Users'

LastLogon and LoginIP Extraction

# Check last logon times
hivexsh SECURITY
> cd /Policy/PolAdtEv
> cat AuditLogRetentionPeriod

# Extract from SYSTEM hive
hivexsh SYSTEM
> cd /ControlSet001/Control/Session Manager
> ls

# Look for network configuration
> cd /ControlSet001/Services/Tcpip/Parameters
> dump

Software and Services Analysis

# List installed software
hivexsh SOFTWARE
> cd /Microsoft/Windows/CurrentVersion/Uninstall
> ls
> cd <GUID>
> cat DisplayName
> cat InstallLocation

# Analyze services
hivexsh SYSTEM
> cd /ControlSet001/Services
> ls
> cd <ServiceName>
> cat ImagePath
> cat Start

AutoRun and Persistence Analysis

# Check Run registry keys
hivexsh SOFTWARE
> cd /Microsoft/Windows/CurrentVersion/Run
> dump

# Check RunOnce
> cd /Microsoft/Windows/CurrentVersion/RunOnce
> dump

# Examine scheduled tasks
> cd /Microsoft/Windows/CurrentVersion/Explorer/Run
> dump

# User-level Run keys
hivexsh NTUSER.DAT
> cd /Software/Microsoft/Windows/CurrentVersion/Run
> dump

Windows Artifact Extraction

Network Configuration

# Extract network configuration
hivexsh SYSTEM
> cd /ControlSet001/Services/Tcpip/Interfaces
> ls

# Get network interface details (relative path: we are already in Interfaces)
> cd <InterfaceGUID>
> cat DhcpIPAddress
> cat DhcpNameServers
> cat Domain

# Extract from registry
hivexml SYSTEM | grep -i "tcpip"

USB History and Device Analysis

# Analyze USB devices
hivexsh SYSTEM
> cd /ControlSet001/Enum/USB
> ls

# Get device details (relative path: we are already in Enum/USB)
> cd VID_1234&PID_5678
> dump

# Extract from SOFTWARE hive
hivexsh SOFTWARE
> cd /Microsoft/Windows/CurrentVersion/Explorer/MountPoints2
> ls

# User MRU
hivexsh NTUSER.DAT
> cd /Software/Microsoft/Windows/CurrentVersion/Explorer/MountPoints2
> dump

Browser History and Artifacts

# Chrome extensions
hivexsh NTUSER.DAT
> cd /Software/Google/Chrome/Extensions
> ls
> cd <ExtensionID>
> dump

# Firefox add-ons registry refs
> cd /Software/Mozilla
> ls
> dump

# IE history
> cd /Software/Microsoft/Internet Explorer/TypedURLs
> ls
> dump

Batch Processing Scripts

Extract Multiple Hives

#!/bin/bash
# Extract all hives to XML

hives=("SAM" "SYSTEM" "SECURITY" "SOFTWARE" "NTUSER.DAT")

for hive in "${hives[@]}"; do
    if [ -f "$hive" ]; then
        echo "Converting $hive..."
        hivexml "$hive" > "${hive}.xml"
        echo "Saved to ${hive}.xml"
    fi
done

# Verify exports
ls -lh *.xml

Search All Hives for Pattern

#!/bin/bash
# Search all hives for keyword

search_term="$1"

for hive in SAM SYSTEM SOFTWARE SECURITY NTUSER.DAT; do
    if [ -f "$hive" ]; then
        echo "=== Searching $hive for '$search_term' ==="
        hivexml "$hive" 2>/dev/null | grep -i "$search_term"
    fi
done

Registry Value Extraction

#!/bin/bash
# Extract specific registry paths from all hives

paths=(
    "/Software/Microsoft/Windows/CurrentVersion/Run"
    "/ControlSet001/Services/RealTek"
    "/SAM/Domains/Builtin/Users"
)

for path in "${paths[@]}"; do
    echo "=== Extracting: $path ==="
    for hive in SAM SYSTEM SOFTWARE NTUSER.DAT; do
        hivexget "$hive" "$path" 2>/dev/null
    done
done

Incident Response Analysis

Suspicious Process Analysis

# Find suspicious services
hivexsh SYSTEM
> cd /ControlSet001/Services
> ls
> cd <SuspiciousService>
> cat ImagePath
> cat DisplayName
> cat Start

# Extract all services to file (hivexml writes keys as <node name="...">)
hivexml SYSTEM | grep -A 10 "<node name=\"Services\"" > services.xml

# Check for unsigned drivers
> cd /ControlSet001/Services/<DriverName>
> cat ImagePath

Backdoor and Malware Indicators

# Check autorun locations
hivexsh SOFTWARE
> cd /Microsoft/Windows/CurrentVersion/Run
> dump

# Look for suspicious paths
> cd /Microsoft/Windows/CurrentVersion/RunOnce
> dump

# Check shell associations
> cd /Classes/.exe
> cat (Default)

# Examine AppInit_DLLs
> cd /Microsoft/Windows NT/CurrentVersion/Windows
> cat AppInit_DLLs

Timeline Analysis

# Extract modification times (hivexml writes each key's last-write time as <mtime>)
hivexml SAM | grep "<mtime>"

# Compare hive versions
hivexdiff SAM_2024-01-01 SAM_2024-01-15

# Track configuration changes
hivexdiff SYSTEM_baseline SYSTEM_current > config_changes.txt

# Generate event timeline
cat config_changes.txt | awk '{print $1, "Registry Change:", $0}'
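The same timeline can be built from hivexml's <mtime> elements instead of a diff, which also serves the XML Processing section below. This is an added example, not hivex's own code; it assumes hivexml's element names (node, mtime, value) as described in the comments, and SAMPLE_XML is a constructed excerpt, not real hive output.

```python
# Added example (not hivex project code): turn hivexml output into a key-modification
# timeline. hivexml emits each key as <node name="..."> with a child <mtime> in
# ISO 8601 UTC and its values as <value key="..." type="..." value="..."/>.
import xml.etree.ElementTree as ET

# Constructed sample in hivexml's format (not from a real system)
SAMPLE_XML = r"""<?xml version="1.0"?>
<hive>
  <node name="$$$PROTO.HIV"><mtime>2024-01-10T08:00:00Z</mtime>
    <node name="Microsoft"><mtime>2024-01-10T08:00:00Z</mtime>
      <node name="Windows"><mtime>2024-01-12T09:15:00Z</mtime>
        <node name="CurrentVersion"><mtime>2024-01-12T09:15:00Z</mtime>
          <node name="Run"><mtime>2024-01-15T10:30:00Z</mtime>
            <value type="string" key="SecurityHealth" value="C:\Windows\system32\SecurityHealthSystray.exe"/>
            <value type="string" key="Updater" value="C:\Users\Public\updater.exe"/>
          </node>
          <node name="Uninstall"><mtime>2024-01-11T12:00:00Z</mtime></node>
        </node>
      </node>
    </node>
  </node>
</hive>"""

def iter_keys(xml_text):
    """Yield (key_path, element) for every <node> in hivexml output, depth first."""
    def walk(node, parent_path):
        path = parent_path + "/" + node.get("name", "")
        yield path, node
        for child in node.findall("node"):
            yield from walk(child, path)
    for top in ET.fromstring(xml_text).findall("node"):
        yield from walk(top, "")

def build_timeline(xml_text, since=None):
    """(mtime, key_path) for every key carrying <mtime>, newest first.
    since: optional 'YYYY-MM-DDTHH:MM:SSZ' lower bound."""
    out = [(n.findtext("mtime"), p) for p, n in iter_keys(xml_text) if n.findtext("mtime")]
    if since is not None:  # fixed-width ISO 8601 'Z' strings compare correctly as text
        out = [e for e in out if e[0] >= since]
    return sorted(out, reverse=True)

def values_at(xml_text, key_path):
    """{value_name: value} for the key at key_path, or None if the key is absent."""
    for p, n in iter_keys(xml_text):
        if p == key_path:
            return {v.get("key", ""): v.get("value") for v in n.findall("value")}
    return None

if __name__ == "__main__":
    for mtime, path in build_timeline(SAMPLE_XML, since="2024-01-12T00:00:00Z"):
        print(mtime, path, values_at(SAMPLE_XML, path) or "")
```

Pipe real output in with `hivexml SOFTWARE > software.xml` and pass the file contents to build_timeline; the keys modified most recently (here the Run key) surface first.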

Python API Usage

Basic Hive Reading

#!/usr/bin/env python3
# Uses the hivex Python binding (python3-hivex); guestfs is not needed to read a hive file
import hivex

# Open hive file (read-only unless write=True is passed)
h = hivex.Hivex('SAM')

# List root keys
root = h.root()
for key in h.node_children(root):
    print(h.node_name(key))

# Navigate to Users, one path component at a time
users_key = root
for name in ['SAM', 'Domains', 'Builtin', 'Users']:
    users_key = h.node_get_child(users_key, name)
    if not users_key:
        raise SystemExit(f"Key not found: {name}")
for user in h.node_children(users_key):
    print(f"User: {h.node_name(user)}")

# The hive is closed when the Hivex object is garbage collected
del h

Extract Registry Values

#!/usr/bin/env python3
# Uses the hivex Python binding; the last component of reg_path is the value name
import sys
import hivex

def extract_registry_path(hive_path, reg_path):
    """Return the string value at reg_path ('/Key/SubKey/ValueName'), or None"""
    h = hivex.Hivex(hive_path)
    parts = [p for p in reg_path.split('/') if p]
    *key_parts, value_name = parts

    # Walk the key path from the root node
    node = h.root()
    for name in key_parts:
        node = h.node_get_child(node, name)
        if not node:
            print(f"Error: key not found: {name}", file=sys.stderr)
            return None

    val = h.node_get_value(node, value_name)
    if not val:
        print(f"Error: value not found: {value_name}", file=sys.stderr)
        return None
    try:
        return h.value_string(val)   # REG_SZ / REG_EXPAND_SZ values
    except RuntimeError as e:
        print(f"Error: {e}", file=sys.stderr)
        return None

# Usage
value = extract_registry_path('SYSTEM', '/ControlSet001/Services/RealTek/ImagePath')
if value:
    print(f"Value: {value}")

Output Formatting

XML Processing

# Pretty print hivexml output
hivexml SAM | xmllint --format - > formatted.xml

# Extract specific XML elements (hivexml writes keys as <node name="...">)
hivexml SYSTEM | xmllint --xpath "//node[@name='Services']" - > services.xml

# Count registry keys
hivexml SAM | grep -c "<node"

# Generate XML report with metadata
hivexml SAM > raw.xml
xsltproc transform.xsl raw.xml > report.html

Text Report Generation

# Create registry inventory (key names from hivexml's <node name="..."> elements)
hivexml SAM | grep "<node name=" | awk -F'"' '{print $2}' > registry_keys.txt

# Generate user list
hivexget SAM '/SAM/Domains/Builtin/Users' > users.txt

# Create change report
hivexdiff before.hive after.hive > changes_report.txt

# Summarize findings
wc -l changes_report.txt

Common Forensic Scenarios

System Compromise Investigation

# 1. Extract last logon information
hivexsh SYSTEM
> cd /ControlSet001/Control/TimeZoneInformation
> dump

# 2. Check installed software for suspicious apps
hivexsh SOFTWARE
> cd /Microsoft/Windows/CurrentVersion/Uninstall
> ls

# 3. Find autorun locations
> cd /Microsoft/Windows/CurrentVersion/Run
> dump

# 4. Check services
hivexsh SYSTEM
> cd /ControlSet001/Services
> ls

# 5. Examine network config
> cd /ControlSet001/Services/Tcpip/Parameters
> dump

Data Theft Investigation

# 1. Check recent files
hivexsh NTUSER.DAT
> cd /Software/Microsoft/Windows/CurrentVersion/Explorer/RecentDocs
> dump

# 2. Examine search history
> cd /Software/Microsoft/Windows/CurrentVersion/Explorer/TypedPaths
> dump

# 3. Check browser history
> cd /Software/Microsoft/Internet Explorer/TypedURLs
> dump

# 4. Look for cloud sync apps
hivexsh SOFTWARE
> cd /Microsoft/Windows/CurrentVersion/Uninstall
> ls | grep -i "dropbox\|onedrive\|gdrive"

Account Activity Analysis

# 1. Extract user accounts
hivexsh SAM
> cd /SAM/Domains/Builtin/Users
> dump

# 2. Get account creation times
> cd /SAM/Domains/Builtin
> dump

# 3. Check group memberships
> cd /SAM/Domains/Builtin/Groups
> dump

# 4. Extract password policy
hivexsh SYSTEM
> cd /ControlSet001/Control/Lsa
> cat MinimumPasswordLength
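The F value printed by `cat F` and `dump` in the user-account steps above is a binary record, so decoding it is where the logon times, RID and account flags in this analysis actually come from. The following is an added example, not hivex's own code: parse_sam_f works on raw bytes offline, sample_f is a constructed record (not from a real system), and read_f_from_hive assumes the python3-hivex binding is installed.

```python
# Added example (not hivex project code): decode the binary "F" value of a SAM
# user key (key name = RID in hex, e.g. 000001F4 == 500) into account facts.
import struct
from datetime import datetime, timedelta, timezone

# From 0x08: last logon, pad, pwd last set, expires, last failed logon, RID, pad, ACB flags, pad, fail count, logon count
F_LAYOUT = "<Q8xQQQI4xH6xHH"
ACB_FLAGS = {0x0001: "disabled", 0x0004: "password_not_required", 0x0010: "normal_account",
             0x0200: "password_never_expires", 0x0400: "locked_out"}

def filetime_to_iso(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601; None for 'never'."""
    if ticks in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    base = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (base + timedelta(microseconds=ticks // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_sam_f(f, key_name=None):
    """Parse an F value (offsets per the documented SAM user-record layout)."""
    if len(f) < 0x08 + struct.calcsize(F_LAYOUT):
        raise ValueError(f"F value too short: {len(f)} bytes")
    (last_logon, pwd_set, expires, last_fail,
     rid, acb, failed, logins) = struct.unpack_from(F_LAYOUT, f, 0x08)
    info = {"rid": rid, "last_logon": filetime_to_iso(last_logon),
            "password_last_set": filetime_to_iso(pwd_set),
            "account_expires": filetime_to_iso(expires),
            "last_failed_logon": filetime_to_iso(last_fail),
            "failed_logon_count": failed, "logon_count": logins,
            "flags": sorted(n for bit, n in ACB_FLAGS.items() if acb & bit)}
    if key_name is not None and int(key_name, 16) != rid:  # key name should equal the RID
        info["warning"] = f"key name {key_name} does not match RID {rid}"
    return info

def read_f_from_hive(hive_path, rid_key):
    """Raw F bytes via the hivex binding (assumed installed); real SAM hives keep local accounts under SAM\\Domains\\Account\\Users."""
    import hivex
    h = hivex.Hivex(hive_path)
    node = h.root()
    for name in ("SAM", "Domains", "Account", "Users", rid_key):
        node = h.node_get_child(node, name)
    return h.value_value(h.node_get_value(node, "F"))[1]

def sample_f():
    """Constructed F value (not from a real system): RID 500, last logon
    2024-01-15T10:30:00Z, password set a day earlier, never expires, 3 failed / 42 logons."""
    t = 133497882000000000  # FILETIME ticks for 2024-01-15T10:30:00Z
    f = bytearray(0x50)
    struct.pack_into(F_LAYOUT, f, 0x08, t, t - 864000000000, 0x7FFFFFFFFFFFFFFF, 0,
                     500, 0x0210, 3, 42)  # 0x0210 = normal_account | password_never_expires
    return bytes(f)
```

Against an evidence copy, `parse_sam_f(read_f_from_hive("SAM", "000001F4"), "000001F4")` yields the same dictionary for the built-in Administrator account.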

Troubleshooting

# Permission denied error
sudo hivexsh /path/to/hive

# Corrupted hive recovery
hivexml corrupted.hive 2>&1 | grep -i "error"

# Extract despite corruption (-u: heuristics to tolerate some corruption, "unsafe" mode)
hivexml -u corrupted.hive > partial_export.xml

# Verify hive integrity (a clean parse means the hive structure is intact)
file SAM
hivexml SAM > /dev/null && echo "hive parsed OK"

# Debug XML parsing
hivexml SYSTEM 2>&1 | head -20

# Handle Unicode characters
hivexml NTUSER.DAT | iconv -f UTF-16LE -t UTF-8

Tips and Best Practices

  1. Always work with evidence copies, never modify originals
  2. Document registry paths and findings with timestamps
  3. Cross-reference multiple hives for corroboration
  4. Export to XML for detailed analysis and comparison
  5. Use grep and xmllint for pattern searching
  6. Maintain chain of custody documentation
  7. Validate findings with multiple tools
  8. Document registry value meanings and forensic significance

Registry Key Reference

Path                                                       Purpose
SAM/Domains/Builtin/Users                                  Local user accounts
SYSTEM/ControlSet001/Services                              Windows services
SOFTWARE/Microsoft/Windows/CurrentVersion/Run              Autorun programs
SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall        Installed applications
NTUSER.DAT/Software/Microsoft/Windows/CurrentVersion/Run   User autorun programs
SYSTEM/CurrentControlSet/Control/TimeZoneInformation       Time zone settings
SYSTEM/ControlSet001/Services/Tcpip                        Network configuration

hivex is essential for Windows system forensics, incident response, and detailed registry analysis during investigations.