QEMU/KVM查看虚拟机系统注册表

在QEMU/KVM的虚拟化环境中,如果想要操作Windows虚拟机的注册表,原来的理解是不可以的,最近查资料发现其实有工具可以做到的。

libguestfs-tools套件提供了一个基于QEMU的磁盘映像去查找这个磁盘映像中安装的Windows操作系统的具体注册表信息,甚至是进行改动(当然不安全,目前可能不成熟,可能损坏映像文件)。

这个套件目前我只在centos和redhat的虚拟化环境中找到了,具体安装方法很简单:

yum install libguestfs libguestfs-tools libguestfs-winsupport

安装完成之后,使用virt-win-reg既可以对已经安装操作系统的虚拟机映像文件进行注册表的读取操作,不过要注意的是目前只推荐在虚拟机停止状态下获取注册表的信息,如果在启动模式下获取注册表或者修改注册表信息都可能导致虚拟机映像文件损坏。

具体使用方法如下:

virt-win-reg win9-clone 'HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionUninstall'

其中win9-clone是虚拟机的名字,可以通过libvirt的virsh list –all命令查询得出,不过一定确保虚拟机已经是停止的状态,否则可能造成磁盘损坏

上面的命令最终执行的结果如下:

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallAddressBook]
@=hex(1):00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallBranding]
"QuietUninstallString"=hex(1):52,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,20,00,49,00,65,00,64,00,6b,00,43,00,53,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,42,00,72,00,61,00,6e,00,64,00,43,00,6c,00,65,00,61,00,6e,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,53,00,74,00,75,00,62,00,73,00,00,00
"RequiresIESysFile"=hex(1):31,00,30,00,30,00,2e,00,30,00,00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallConnection Manager]
"SystemComponent"=dword:00000001

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallDXM_Runtime]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallDirectAnimation]
@=hex(1):00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallDirectDrawEx]
@=hex(1):00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallFontcore]
@=hex(1):00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallICW]
@=hex(1):00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallIE40]
@=hex(1):00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallIE4Data]
@=hex(1):00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallIE5BAKEX]
@=hex(1):00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallIEData]
@=hex(1):00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallMPlayer2]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallMobileOptionPack]
@=hex(1):00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallNetMeeting]
"RequiresIESysFile"=hex(1):34,00,2e,00,37,00,31,00,00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallOutlookExpress]
@=hex(1):00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallPCHealth]
"QuietUninstallString"=hex(1):72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,73,00,65,00,74,00,75,00,70,00,61,00,70,00,69,00,2e,00,64,00,6c,00,6c,00,2c,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,48,00,69,00,6e,00,66,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,20,00,44,00,65,00,66,00,61,00,75,00,6c,00,74,00,55,00,6e,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,31,00,33,00,32,00,20,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,49,00,4e,00,46,00,5c,00,50,00,43,00,48,00,65,00,61,00,6c,00,74,00,68,00,2e,00,69,00,6e,00,66,00,00,00
"UninstallString"=hex(1):72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,73,00,65,00,74,00,75,00,70,00,61,00,70,00,69,00,2e,00,64,00,6c,00,6c,00,2c,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,48,00,69,00,6e,00,66,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,20,00,44,00,65,00,66,00,61,00,75,00,6c,00,74,00,55,00,6e,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,31,00,33,00,32,00,20,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,49,00,4e,00,46,00,5c,00,50,00,43,00,48,00,65,00,61,00,6c,00,74,00,68,00,2e,00,69,00,6e,00,66,00,00,00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallSchedulingAgent]
@=hex(1):00,00

该命令的其他用法可以使用man virt-win-reg获取相关帮助信息,用法还是很多的哦

  1. 火车列车时刻表

    分析的很透彻,很欣赏你的看法,学习了。

  2. 人生多风雨,快乐常相伴!

  3. 过来看一下学习了

Leave a Comment

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax


NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>