hive-file
Parses a Windows registry hive file and queries registry keys and values. Supports hive files such as SAM, SECURITY, SOFTWARE, SYSTEM, and NTUSER.DAT.
Command properties
| Property | Value |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
- zippath=STR - Path to the ZIP file containing the hive file. Use this when querying a hive file directly from inside a ZIP archive.
- zipcharset=STR - Character set for ZIP file entries. (Default: utf-8)
- raw=BOOL - When set to t, includes the raw_value field in the output. Use this to inspect the raw byte data of registry values. (Default: f)
Target
- FILE_PATH - Path to the registry hive file to query. You can use wildcards (*) to specify multiple files.
Output fields
| Field | Type | Description |
|---|---|---|
| _file | string | Hive file name |
| key | string | Registry key path (e.g., ROOT\Microsoft\Windows\CurrentVersion) |
| type | string | Registry value data type. One of: NONE, SZ, EXPAND_SZ, BINARY, DWORD, DWORD_BE, LINK, MULTI_SZ, RESOURCE_LIST, FULL_RESOURCE_DESCRIPTOR, RESOURCE_REQUIREMENTS_LIST, QWORD |
| name | string | Registry value name. Null for the default value of a key. |
| value | - | Registry value. Returned as string, integer, long, array, binary, etc., depending on the data type. |
| last_written | timestamp | Last write time of the registry key |
| raw_value | binary | Raw byte data of the registry value. Included only when the raw=t option is specified. |
Error codes
Parsing errors
N/A
Runtime errors
| Error code | Message | Description | Action on error |
|---|---|---|---|
| - | cannot load hive file | The hive file could not be read | Aborts query execution |
Description
The hive-file command parses the binary structure (REGF format) of a Windows registry hive file and queries all keys and values. Each value entry under a registry key is output as a record, and the key path includes the full path from the root.
Registry values are automatically converted based on their data type. SZ and EXPAND_SZ types are converted to strings, DWORD to 32-bit integer, QWORD to 64-bit integer, and MULTI_SZ to a string array. BINARY and other types are returned as raw byte arrays.
When raw=t is specified, the raw byte data is also output in the raw_value field alongside the converted value.
To query a hive file inside a ZIP archive, specify the ZIP file path in the zippath option and the path to the hive file within the ZIP as the target.
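The conversion rules in the description above, worked through in code. This is an added example, not part of the hive-file documentation or of Logpresso's own implementation: it decodes raw value bytes by REG_* type the way the description says the command does, builds a record with the documented output fields (raw_value only when raw=t), and converts the key's last-written FILETIME to a timestamp. Every byte string and key path below is constructed for the example; decoding DWORD and QWORD as unsigned is an assumption, since the page only says "32-bit integer" and "64-bit integer".

```python
# Added example; not the documentation's or Logpresso's code. Sample data is constructed.
import struct
from datetime import datetime, timedelta, timezone

# REG_* type codes as stored in a REGF vk cell's data-type field.
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_DWORD_BE = 0, 1, 2, 3, 4, 5
REG_LINK, REG_MULTI_SZ, REG_RESOURCE_LIST, REG_FULL_RESOURCE_DESCRIPTOR = 6, 7, 8, 9
REG_RESOURCE_REQUIREMENTS_LIST, REG_QWORD = 10, 11

TYPE_NAMES = {
    REG_NONE: "NONE", REG_SZ: "SZ", REG_EXPAND_SZ: "EXPAND_SZ", REG_BINARY: "BINARY",
    REG_DWORD: "DWORD", REG_DWORD_BE: "DWORD_BE", REG_LINK: "LINK", REG_MULTI_SZ: "MULTI_SZ",
    REG_RESOURCE_LIST: "RESOURCE_LIST", REG_FULL_RESOURCE_DESCRIPTOR: "FULL_RESOURCE_DESCRIPTOR",
    REG_RESOURCE_REQUIREMENTS_LIST: "RESOURCE_REQUIREMENTS_LIST", REG_QWORD: "QWORD",
}

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """An nk cell stores last_written as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def _utf16_string(data: bytes) -> str:
    """UTF-16LE text up to the first NUL terminator; an odd trailing byte is dropped."""
    if len(data) % 2:
        data = data[:-1]
    return data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def decode_value(vtype: int, data: bytes):
    """Convert raw value bytes into the typed object the command puts in the value field."""
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return _utf16_string(data)
    if vtype == REG_DWORD and len(data) >= 4:
        return struct.unpack("<I", data[:4])[0]          # unsigned: assumption
    if vtype == REG_DWORD_BE and len(data) >= 4:
        return struct.unpack(">I", data[:4])[0]
    if vtype == REG_QWORD and len(data) >= 8:
        return struct.unpack("<Q", data[:8])[0]
    if vtype == REG_MULTI_SZ:
        if len(data) % 2:
            data = data[:-1]
        parts = data.decode("utf-16-le", errors="replace").split("\x00")
        while parts and parts[-1] == "":   # the list ends with an extra NUL: drop empty tails
            parts.pop()
        return parts
    # BINARY, NONE, LINK, RESOURCE_* and any integer whose data is too short
    # are returned as the raw byte array so nothing is silently misread.
    return data


def to_record(file, key, name, vtype, data, last_written, raw=False):
    """One output record with the documented fields; raw_value is present only when raw=t."""
    rec = {
        "_file": file,
        "key": key,
        "type": TYPE_NAMES.get(vtype, "UNKNOWN_%d" % vtype),
        "name": name,                       # None for a key's default value
        "value": decode_value(vtype, data),
        "last_written": filetime_to_datetime(last_written),
    }
    if raw:
        rec["raw_value"] = data
    return rec


# Constructed sample entries (hive name, key, value name, type, raw data); not from a real hive.
SAMPLE_ENTRIES = [
    ("SOFTWARE", "ROOT\\Microsoft\\Windows\\CurrentVersion\\Run", "ExampleTool", REG_SZ,
     "notepad.exe".encode("utf-16-le") + b"\x00\x00"),
    ("SOFTWARE", "ROOT\\Microsoft\\Windows\\CurrentVersion\\Run", None, REG_SZ, b"\x00\x00"),
    ("SYSTEM", "ROOT\\ControlSet001\\Services\\Example", "Start", REG_DWORD, b"\x02\x00\x00\x00"),
    ("SYSTEM", "ROOT\\ControlSet001\\Services\\Example", "DependOnService", REG_MULTI_SZ,
     "RpcSs\x00Tcpip\x00\x00".encode("utf-16-le")),
]
SAMPLE_FILETIME = 116444736000000000   # FILETIME of 1970-01-01 00:00:00 UTC (constructed stamp)


def sample_records(raw=False):
    """Records the command would emit for SAMPLE_ENTRIES, with or without raw_value."""
    return [to_record(file, key, name, vtype, data, SAMPLE_FILETIME, raw)
            for file, key, name, vtype, data in SAMPLE_ENTRIES]


if __name__ == "__main__":
    for rec in sample_records(raw=True):
        print(rec)
```

Run it directly to see the four records with raw_value attached; call `sample_records()` without `raw=True` to see the same records as the command emits them by default. Data that is too short for its declared integer type is deliberately left as bytes rather than padded, which is the safer choice when triaging hives from a compromised host.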
Examples
- Query a registry hive file
  hive-file /opt/logpresso/evidence/SYSTEM
  Queries all registry keys and values from the SYSTEM hive file.
- Query with raw byte data included
  hive-file raw=t /opt/logpresso/evidence/SOFTWARE
  Queries registry keys and values from the SOFTWARE hive file and also outputs the raw byte data.
- Query a hive file inside a ZIP archive
  hive-file zippath=/opt/logpresso/evidence/registry.zip NTUSER.DAT
  Queries registry keys and values from the NTUSER.DAT hive file inside the ZIP archive.
- Filter specific registry keys
  hive-file /opt/logpresso/evidence/SOFTWARE | search key == "ROOT\\Microsoft\\Windows\\CurrentVersion\\Run*"
  Filters registry keys related to autorun entries from the SOFTWARE hive file.