I used to think that reading the Windows registry from Linux was a far-fetched idea that could not be done, until I came across a short article by a foreign author at http://www.linuxidc.com/Linux/2011-04/34100p2.htm and learned that someone had already done it long ago.
To interpret registry files under Linux you need a few small tools: first dumphive, written in Pascal, which converts a Windows registry hive file into text format; then Win32-Registry-File-1.10, a Perl tool for parsing and reading the registry, which in turn depends on another Perl module, Tie-IxHash-1.22.
dumphive can be downloaded from http://gitorious.com/canaima-gnu-linux/dumphive/commits/upstream, Win32-Registry-File-1.10 from http://search.cpan.org/~avatar/Win32-Registry-File-1.10/File.pm, and Tie-IxHash-1.22 from http://search.cpan.org/~chorny/Tie-IxHash-1.22/lib/Tie/IxHash.pm
Before starting the real work, install the tools. First unpack the dumphive package; since it is written in Pascal you need the Free Pascal compiler, which on Ubuntu is installed with apt-get install fpc. Then enter the src directory and run make to obtain the dumphive executable. Next install Win32-Registry-File-1.10 and Tie-IxHash-1.22; the two Perl modules install the same way: unpack, run perl Makefile.PL to generate the Makefile, then run make, and finally make install.
Now the real work can begin.
1. First mount the partition holding Windows on /mnt/ (if it cannot be mounted, download and install ntfsprogs).
2. cp /mnt/WINDOWS/system32/config/SYSTEM /tmp/system copies the registry hive file into the tmp directory.
3. dumphive /tmp/system /tmp/system.reg converts the registry file into text format.
4. Then write a test.pl script, for example:
use strict;
use warnings;
use Win32::Registry::File;
use Data::Dumper;
# Load the text dump written by dumphive in step 3 (path relative to where test.pl is run)
my $reg = Win32::Registry::File->new();
$reg->open('system.reg');
# Dump the values under ControlSet001\Control; the root key "system" comes from the input file name
print Dumper($reg->get(['system\ControlSet001\Control']));
Then running perl test.pl shows the structure under ControlSet001\Control. Note that the system in the argument to get depends on the file name produced in step 2: if you copy the Windows registry file as aaa and then convert it with dumphive, every key in the resulting text file starts with aaa. This is obvious once you run cat system.reg.
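To show what the Perl script above is doing underneath, here is an added example (not code from the original post, nor from the dumphive or Win32::Registry::File projects) that parses a hive text dump in Python and answers the same kind of query as $reg->get([...]). It assumes the dump is in the usual .reg-style text layout, with each key path in square brackets and one "name"=value line per value, and that the root key is named after the input file as the text above explains; the sample dump below is constructed for the example, not taken from a real machine.

```python
import re

# Constructed sample in the .reg-style text layout assumed for a hive dump:
# key paths in square brackets, "name"=value lines, root key named after
# the hive file (here "system", as in step 2 above).
SAMPLE_REG = r'''
[system\ControlSet001\Control]
"SystemStartOptions"="NOEXECUTE=OPTIN FASTDETECT"
"WaitToKillServiceTimeout"="20000"

[system\ControlSet001\Control\ComputerName\ComputerName]
"ComputerName"="EXAMPLE-PC"

[system\ControlSet001\Services\Tcpip\Parameters]
"Hostname"="example-pc"
"Domain"=""
"EnableICMPRedirect"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_value(raw):
    """Decode the right-hand side of a "name"=value line.

    Handles the two encodings seen most often in text dumps: quoted
    strings (with \\ and \" escapes) and dword:XXXXXXXX.  Anything else
    (hex:..., etc.) is returned verbatim so no data is silently dropped.
    """
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Parse .reg-style text into {key_path: {value_name: value}}.

    Key paths keep their original spelling; lookups are case-insensitive
    because registry key names are, see get_key() below.
    """
    hive = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            hive.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = re.sub(r'\\(.)', r'\1', m.group(1))
            hive[current][name] = parse_value(m.group(2))
    return hive


def _find_key(hive, path):
    """Return the stored key path matching `path` case-insensitively, or None."""
    want = path.lower()
    for key in hive:
        if key.lower() == want:
            return key
    return None


def get_key(hive, path):
    """Values directly under one key, like $reg->get([path]); {} if absent."""
    key = _find_key(hive, path)
    return hive[key] if key is not None else {}


def subkeys(hive, path):
    """Immediate subkey names of a key, sorted, with original spelling."""
    prefix = path.lower().rstrip('\\') + '\\'
    names = set()
    for key in hive:
        if key.lower().startswith(prefix):
            names.add(key[len(prefix):].split('\\', 1)[0])
    return sorted(names)


if __name__ == '__main__':
    hive = parse_reg(SAMPLE_REG)
    print(get_key(hive, r'system\ControlSet001\Control'))
    print(subkeys(hive, r'system\ControlSet001\Control'))
```

When running this against a real dump, pass the output of step 3 (read the file and hand its contents to parse_reg) instead of SAMPLE_REG. Working from the copied hive, as step 2 already does, and mounting the Windows partition read-only keeps the original files untouched, which matters when the disk is evidence rather than your own machine.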
Also, Windows 7 and XP registry files look quite different when interpreted under Linux: each field is preceded by a UUID-like value.
Reading Windows Registry from Linux
Since I'm involved in Live CD projects like Metadistros, I've been thinking about making it easier to set up systems after they come up.
Many LiveCD systems are used on Windows-installed machines, so why not "steal" all this information from the Windows registry to set up our Linux system? The idea is straightforward: e.g. take the network configuration from Windows and boot a Live system which can connect directly to the Internet, without prompting users about IP confs.
Today I’ve been collecting base tools to do it:
dumphive: a tool written in Pascal to get a Windows registry binary hive file and dump it to a text file
Win32::Registry::File, a Perl library to access a text .reg file
To dump the hardware hive from my Thinkpad Windows XP partition:
$ dumphive /mnt/winxp/WINDOWS/system32/config/SYSTEM /tmp/system.reg
And to read SYSTEM\ControlSet001\Control (I don't know what the hell this is) using Win32::Registry::File:
use strict;
use warnings;
use Win32::Registry::File;
use Data::Dumper;
# Load the text dump produced by dumphive above
my $reg = Win32::Registry::File->new();
$reg->open('/tmp/system.reg');
# Dump the values under SYSTEM\ControlSet001\Control
print Dumper($reg->get(['SYSTEM\ControlSet001\Control']));
Now, the only thing left is to find the information we’re looking for among all those nightmare registry entries, and make it work on every Windows host.
Ho, ho, ho