The Daily Shaarli
Today - 06/08/22
hivexsh
hivexsh [-options] [hivefile]
Provides a simple shell for navigating Windows Registry 'hive' files
options
-d # Enable lots of debug messages. If you find a Registry file that this program cannot parse, please enable this option and post the complete output and the Registry hive file in your bug report.
-f filename # Read commands from "filename" instead of stdin. To write a hivexsh script, use: #!/usr/bin/hivexsh -f
-u # Use heuristics to tolerate certain levels of corruption within hives. This is unsafe, but may allow exporting/merging the valid keys/values of an otherwise corrupted hive.
-w # If this option is given, then writes are allowed to the hive (see "commit" command below, and the discussion of modifying hives in "WRITING TO HIVE FILES" in hivex(3)). Important Note: Even if you specify this option, nothing is written to a hive unless you call the "commit" command. If you exit the shell without committing, all changes will be discarded. If this option is not given, then write commands are disabled.
commands
add name # Add a subkey named "name" below the current node. The name may contain spaces and punctuation characters, and does not need to be quoted.
cd path # Change to the subkey "path". Use Windows-style backslashes to separate path elements, and start with a backslash in order to start from the root of the hive. For example:
close | unload # Close the currently loaded hive. If you modified the hive, all uncommitted writes are lost when you call this command (or if the shell exits). You have to call "commit" to write changes.
commit [newfile] # Commit changes to the hive. If the optional "newfile" parameter is supplied, then the hive is written to that file, else the original file is overwritten.
del # Delete the current node and everything beneath it. The current directory is moved up one level (as if you did "cd ..") after this command.
exit | quit # Exit the shell.
load hivefile # Load the binary hive named "hivefile". The currently loaded hive, if any, is closed. The current directory is changed back to the root node.
ls # List the subkeys of the current hive Registry key. Note this command does not take any arguments.
lsval [key] # List the (key, value) pairs of the current hive Registry key. If no argument is given then all pairs are displayed. If "key" (the value's name, in hivex terminology) is given, then the data of that value is displayed. If "@" is given, then the data of the default (unnamed) value is displayed.
setval nrvals # This command replaces all (key, value) pairs at the current node with the values in subsequent input. "nrvals" is the number of values (ie. (key, value) pairs), and any existing values at this node are deleted. So "setval 0" just deletes any values at the current node.
hivexget
hivexget hivefile PATH [NAME]
Get subkey from a Windows Registry binary "hive" file
example
hivexget ${path_hive}/SAM "SAM\Domains\Account\Users\000003E9" V # read value "V" of the user key for RID 0x3E9 (1001); it holds the account name and its bootkey-encrypted LM/NT hash entries. Keep the Windows path in double quotes so the shell leaves the backslashes alone.
hivexml
hivexml [-dku] HIVE > FILE
Convert Windows Registry binary "hive" into XML
options
-d # Enable lots of debug messages. If you find a Registry file that this program cannot parse, please enable this option and post the complete output and the Registry file in your bug report.
-k # Keep going even if we find errors in the Registry file. This skips over any parts of the Registry that we cannot read.
-u # Use heuristics to tolerate certain levels of corruption within hives. This is unsafe, but may allow exporting/merging the valid keys/values of an otherwise corrupted hive.
Install
sudo apt install -y libhivex-bin
start
log mimikatz.log # Write everything mimikatz prints from now on to this file
lsadump
cd ${path_hive} # Directory holding the exported SYSTEM and SAM hive files
log c:\lsadump.log
lsadump::sam /system:SYSTEM /sam:SAM # Offline dump of the local accounts' hashes from the hive files; the SYSTEM hive supplies the bootkey needed to decrypt the hash entries stored in SAM
exit