Category: Forensics. Tags: windows, registry, hive, forensics, analysis

hivex

Hivex is a library and collection of tools for reading and writing Windows Registry hive binary files. It provides command-line utilities for extracting, navigating, converting, and modifying registry data.

Description

Hivex offers a comprehensive set of tools for forensic analysis and manipulation of Windows Registry hive files, the binary files that Windows keeps under C:\Windows\System32\Config (SYSTEM, SOFTWARE, SAM, SECURITY and DEFAULT) and, for per-user settings, as NTUSER.DAT in each profile directory. The suite includes hivexget for extracting subkey data, hivexml for converting hives to XML format, hivexsh for interactive shell navigation, and hivexregedit for importing and exporting regedit-format (.REG) text.

These tools are particularly useful in digital forensics for examining Windows system artifacts, malware analysis, and incident response. They enable investigators to extract configuration data, user settings, installed software and service information, and the last-write timestamps recorded on each key without needing a full Windows environment. Work on a copy of the hive: hivexsh holds changes in memory until they are committed, but a commit writes the evidence file in place unless a new file name is given.

Unlike tools that only parse regedit-format .REG text, hivex works directly on the binary hive format through a stable C API (with Perl, Python, Ruby and OCaml bindings), and hivexml can be told to keep going past damaged cells (-k) or to apply corruption-tolerant heuristics (-u) when a hive is partially corrupt. hivex reads only the primary hive file; it does not replay the .LOG1/.LOG2 transaction logs, so a hive copied from a running system may lag behind the live registry.

How It Works

Hivex parses the proprietary binary hive format with a self-contained C library (libhivex). A hive starts with a 4 KiB base block (signature "regf", root key offset, header checksum) followed by hbin pages that hold 8-byte-aligned cells for key records (nk), value records (vk), value lists and subkey lists. The tools access these structures through the library API: hivexget walks a backslash-separated node path and prints that key's values; hivexml serializes the entire hive tree to XML; hivexsh provides an interactive shell with filesystem-like navigation (cd/ls) over registry nodes, with writes (-w) held in memory until commit; hivexregedit, a Perl script built on the Win::Hivex binding, converts between regedit text format and binary hives. String values are decoded from Windows UTF-16LE to UTF-8, numeric values (DWORD/QWORD) are interpreted as integers, and other types are emitted as hex-encoded raw bytes.

Installation

sudo apt install libhivex-bin

Flags

-d                         Enable lots of debug messages for troubleshooting unparseable Registry files (hivexml)
-k                         Keep going even if errors are found in the Registry file (hivexml)
-u                         Use heuristics to tolerate corruption within hives (hivexml)
-w                         Enable writes to the hive file; edits stay in memory until the shell's commit command writes them out (hivexsh)
-f filename                Read commands from filename instead of stdin (hivexsh)
--merge                    Merge regedit-format text file into hivefile (hivexregedit)
--export                   Export registry key recursively to regedit format (hivexregedit)
--prefix prefix            Specify Windows Registry prefix like HKEY_LOCAL_MACHINE\SOFTWARE (hivexregedit)
--encoding UTF-16LE|ASCII  Specify encoding for unmarked strings when merging (hivexregedit)

Examples

Extract all key-value pairs from the specified subkey path
hivexget hivefile '\Path\To\SubKey'
Extract the single named value from the subkey (use '@' for default value)
hivexget hivefile '\Path\To\SubKey' name
Convert hive file to XML with debug output and continue on errors
hivexml -dk hivefile > output.xml
Start interactive shell loaded with the software hive file
hivexsh software
Start interactive shell and use 'load hivefile' command inside
hivexsh
Merge regedit-format changes into hivefile with specified prefix
hivexregedit --merge --prefix 'HKEY_LOCAL_MACHINE\SOFTWARE' hivefile regfile
Export Microsoft key recursively to regedit format
hivexregedit --export --prefix 'HKEY_LOCAL_MACHINE\SOFTWARE' hivefile '\Microsoft' > regfile
Updated 2026-04-16. Source: kali.org