Read the Windows registry in Linux

Originally thoughtLinuxLower readWindowsOfRegistryIt is a whimsical and unfeasible idea, but the author of this article has implemented it. Want to know how the author implements it? Continue reading!

In order to be able to interpret the Registry File in linux, you need a few gadgets: First is a Pascal Language dumphive, responsible for converting the windows registry file into text format; also need Win32-Registry-File-1.10, this is a tool written in perl that analyzes and reads the registry, while the Win32-Registry-File-1.10 also relies on another perl tool Tie-IxHash-1.22.

Dumphive is http://gitorious.com/canaima-gnu-linux/dumphive/commits/upstream;

Win32-Registry-File-1.10 for http://search.cpan.org /~ Avatar/Win32-Registry-File-1.10/File. pm;

Tie-IxHash-1.22 for http://search.cpan.org /~ Chorny/Tie-IxHash-1.22/lib/Tie/IxHash. pm.

Before getting started, install the tool software. First, decompress the dumphive package. Because it is written in Pascal, download the free Pascal Compiler. In Ubuntu, run apt-get install fpc and enter the src directory to directly make the dumphive executable program. Install the Win32-Registry-File-1.10 and Tie-IxHash-1.22 again, the installation method of these two perl programs is similar, first decompress, run the perl MakeFile. pl to generate the makfile, then run make, and finally make install

The real work is ready to begin.

1. First, mount the partition of windows to the/mnt/directory. If the partition cannot be mounted, download and install ntfsprogs)

2. cp/mnt/WINDOWS/system32/config/SYSTEM/tmp/system copy the Registry file to the tmp directory.

3. dumphive/tmp/system. reg: Convert the Registry file to text format.

4. Write another test. pl script, for example:

use Win32::Registry::File;$reg = new Win32::Registry::File();$reg->open('system.reg');use Data::Dumper;print Dumper($reg->get(['system\ControlSet001\Control']));

Then perl test. pl can view the structure under ControlSet001 \ Control. Note that the system in the get parameter is related to the file name generated in step 3. If you copy the Registry File in windows to aaa, use dumphive to convert it, the generated registry text files start with aaa. When you run cat system. reg, you can see it clearly.

In addition, the Windows 7 and xp registry files are quite different in linux. Each field has a value similar to UUID.