WildlandsTech
Comprehensive List of DumpHive Commands with Descriptions - Printable Version

+- WildlandsTech (https://wildlandstech.com)
+--- Thread: Comprehensive List of DumpHive Commands with Descriptions (/showthread.php?tid=143)



Comprehensive List of DumpHive Commands with Descriptions - Sneakyone - 09-03-2024

Comprehensive List of DumpHive Commands with Descriptions

**DumpHive** is a command-line utility used to extract and analyze the contents of Windows registry hive files, the on-disk files that make up the registry (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT under C:\Windows\System32\config, plus each user's NTUSER.DAT). Below is a detailed list of DumpHive commands, along with descriptions and examples.



1. Dumping a Hive File
Description: Extracts the contents of a specified registry hive file and dumps it into a text file. The hives under C:\Windows\System32\config are held open by the kernel while Windows is running, so a plain copy fails with a sharing violation; point the tool at a copy exported with `reg save` (for example `reg save HKLM\SYSTEM C:\output\SYSTEM.sav`, run as administrator), at a hive taken from a Volume Shadow Copy, or at a hive from an offline disk image.
Code:
dumphive.exe [HiveFilePath] [OutputFilePath]
Example: To dump the contents of the SYSTEM hive into a text file:
Code:
dumphive.exe C:\Windows\System32\config\SYSTEM C:\output\system_dump.txt

2. Dumping a Specific Key
Description: Extracts the contents of a specific registry key within a hive file.
Code:
dumphive.exe [HiveFilePath] [OutputFilePath] [RegistryKey]
Example: To dump the `HKLM\Software\Microsoft` key from the SOFTWARE hive. Key paths are given relative to the hive's root (the SOFTWARE hive is mounted as HKLM\SOFTWARE), so the argument is `Microsoft`, not the full HKLM path:
Code:
dumphive.exe C:\Windows\System32\config\SOFTWARE C:\output\microsoft_dump.txt "Microsoft"

3. Displaying Help Information
Description: Displays the help information for the DumpHive command.
Code:
dumphive.exe -h
Example: To display help information for DumpHive:
Code:
dumphive.exe -h

4. Parsing a SAM Hive
Description: Extracts and displays user account information (account names, RIDs, account flags and logon timestamps) from the SAM (Security Account Manager) hive. The NT password hashes stored in the SAM are themselves encrypted with a key derived from the boot key held in the SYSTEM hive, so a dump of the SAM hive alone does not yield usable hashes; recovering them requires both hives.
Code:
dumphive.exe C:\Windows\System32\config\SAM C:\output\sam_dump.txt
Example: To extract user account information from the SAM hive:
Code:
dumphive.exe C:\Windows\System32\config\SAM C:\output\sam_dump.txt

5. Extracting Security Descriptors
Description: Extracts and displays the security descriptors from a registry hive, that is, the owner and DACL/SACL stored in the hive's `sk` records that control which principals may read or modify each key.
Code:
dumphive.exe [HiveFilePath] [OutputFilePath] -sd
Example: To extract the key security descriptors from the SECURITY hive (this shows the ACLs on the keys themselves, not the LSA secrets the hive stores, which are encrypted with the boot key):
Code:
dumphive.exe C:\Windows\System32\config\SECURITY C:\output\security_sd.txt -sd

6. Extracting Last Written Time of Keys
Description: Extracts the last written time of registry keys within a hive. Each key node stores a 64-bit FILETIME (100-nanosecond intervals since 1601-01-01, in UTC) that is updated when the key itself or any of its values changes; individual values carry no timestamp of their own, so a value's modification time can only be bounded by its parent key's last written time.
Code:
dumphive.exe [HiveFilePath] [OutputFilePath] -lastwritten
Example: To extract the last written time for all keys in the SYSTEM hive:
Code:
dumphive.exe C:\Windows\System32\config\SYSTEM C:\output\system_lastwritten.txt -lastwritten
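The following is an added example and is not part of the original post or of DumpHive itself. It is a small Python parser for the on-disk structures that sections 1 and 6 refer to: it reads the `regf` base block (hive name, format version, the two sequence numbers whose mismatch flags a hive that was copied mid-write, and the header checksum) and the root key's `nk` record, and decodes the last written FILETIME the way a dump tool has to. To run offline it constructs its own minimal hive in memory; the root key name `ROOT`, the hive name `SYSTEM` and the timestamp are constructed values, not taken from any real system. Pass `analyze_hive` the bytes of a hive copied as described in section 1 to use it on real input.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets follow the publicly documented "regf" hive layout; the sample hive
# built below is constructed for this example, not produced by DumpHive.
BASE_BLOCK_SIZE = 4096           # the regf base block occupies the first 4 KiB
HBIN_SIZE = 4096                 # one hive bin, the smallest allocation unit
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_COMP_NAME = 0x20             # nk flag: key name stored as 8-bit, not UTF-16
SAMPLE_TIME = datetime(2024, 9, 3, tzinfo=timezone.utc)   # constructed timestamp


def filetime_to_datetime(ft):
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC; it carries no timezone.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def base_block_checksum(base):
    """XOR of the 127 DWORDs that precede the checksum field at 0x1FC."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base[:0x1FC]):
        x ^= dword
    return 0xFFFFFFFE if x == 0xFFFFFFFF else (x or 1)


def parse_nk(data, offset):
    """Parse one key node ("nk") cell at an absolute file offset."""
    size, = struct.unpack_from("<i", data, offset)
    if size >= 0:                               # positive size marks a free cell
        raise ValueError("cell at 0x%x is not an allocated key" % offset)
    body = offset + 4
    if data[body:body + 2] != b"nk":
        raise ValueError("expected nk signature at 0x%x" % body)
    flags, = struct.unpack_from("<H", data, body + 0x02)
    last_written, = struct.unpack_from("<Q", data, body + 0x04)
    subkeys, = struct.unpack_from("<I", data, body + 0x14)
    values, = struct.unpack_from("<I", data, body + 0x24)
    name_len, = struct.unpack_from("<H", data, body + 0x48)
    raw = data[body + 0x4C:body + 0x4C + name_len]
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    return {"name": name, "last_written": filetime_to_datetime(last_written),
            "subkey_count": subkeys, "value_count": values}


def analyze_hive(data):
    """Header facts a text dump does not spell out: dirtiness, checksum, root key."""
    if data[:4] != b"regf":
        raise ValueError("not a registry hive (missing regf signature)")
    seq1, seq2 = struct.unpack_from("<II", data, 0x04)
    header_time, = struct.unpack_from("<Q", data, 0x0C)
    major, minor = struct.unpack_from("<II", data, 0x14)
    root_offset, = struct.unpack_from("<I", data, 0x24)
    stored, = struct.unpack_from("<I", data, 0x1FC)
    hive_name = data[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "hive_name": hive_name,
        "version": (major, minor),
        "sequence": (seq1, seq2),
        # Unequal sequence numbers: the last write never finished, so the
        # .LOG1/.LOG2 transaction logs hold changes this file does not.
        "dirty": seq1 != seq2,
        "checksum_ok": stored == base_block_checksum(data[:BASE_BLOCK_SIZE]),
        "header_last_written": filetime_to_datetime(header_time),
        # Cell offsets are relative to the hive bins data, which follows the base block.
        "root": parse_nk(data, BASE_BLOCK_SIZE + root_offset),
    }


def build_sample_hive(last_written=SAMPLE_TIME, dirty=False):
    """Construct a minimal valid hive: base block, one hbin, one root key."""
    ft = datetime_to_filetime(last_written)
    base = bytearray(BASE_BLOCK_SIZE)
    base[0:4] = b"regf"
    struct.pack_into("<II", base, 0x04, 7, 6 if dirty else 7)     # sequence numbers
    struct.pack_into("<Q", base, 0x0C, ft)
    struct.pack_into("<IIII", base, 0x14, 1, 5, 0, 1)             # v1.5, primary file, direct load
    struct.pack_into("<III", base, 0x24, 0x20, HBIN_SIZE, 1)      # root cell, bins size, clustering
    base[0x30:0x3C] = "SYSTEM".encode("utf-16-le")                # constructed hive file name
    struct.pack_into("<I", base, 0x1FC, base_block_checksum(base))

    name = b"ROOT"                                                # constructed root key name
    nk = bytearray(0x4C + len(name))
    nk[0:2] = b"nk"
    struct.pack_into("<H", nk, 0x02, 0x2C)                        # hive entry, no delete, comp name
    struct.pack_into("<Q", nk, 0x04, ft)
    for off in (0x10, 0x1C, 0x20, 0x28, 0x2C, 0x30):              # no parent, lists, security, class
        struct.pack_into("<I", nk, off, 0xFFFFFFFF)
    struct.pack_into("<H", nk, 0x48, len(name))
    nk[0x4C:] = name
    cell_len = (4 + len(nk) + 7) & ~7                             # cells are 8-byte aligned
    cell = (struct.pack("<i", -cell_len) + bytes(nk)).ljust(cell_len, b"\x00")

    hbin = bytearray(HBIN_SIZE)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 0x04, 0, HBIN_SIZE)             # offset in bins data, size
    struct.pack_into("<Q", hbin, 0x14, ft)
    hbin[0x20:0x20 + cell_len] = cell
    struct.pack_into("<i", hbin, 0x20 + cell_len, HBIN_SIZE - 0x20 - cell_len)  # free cell
    return bytes(base + hbin)
```

Two checks matter before trusting any dump: if `dirty` is True the hive was copied between a write and its flush, and the values you see may lag behind the system's real state until the hive's .LOG1/.LOG2 transaction logs are applied; and if `checksum_ok` is False the base block itself is damaged and every offset derived from it is suspect. All timestamps decoded here are UTC, and only keys carry them.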

7. Dumping All Subkeys of a Specific Key
Description: Dumps all subkeys of a specific key in a hive to a text file.
Code:
dumphive.exe [HiveFilePath] [OutputFilePath] -subkeys [RegistryKey]
Example: To dump all subkeys of the active control set in the SYSTEM hive. Note that `CurrentControlSet` is a symbolic link that the kernel creates in the live registry only; an offline SYSTEM hive contains `ControlSet001`, `ControlSet002`, and so on, and the `Current` value under the `Select` key records which of them is in use. Using `ControlSet001` here:
Code:
dumphive.exe C:\Windows\System32\config\SYSTEM C:\output\cs1_subkeys.txt -subkeys "ControlSet001"

8. Dumping Values Only
Description: Dumps only the values (and not the keys) from a registry hive to a text file.
Code:
dumphive.exe [HiveFilePath] [OutputFilePath] -values
Example: To dump only the values from the SOFTWARE hive:
Code:
dumphive.exe C:\Windows\System32\config\SOFTWARE C:\output\software_values.txt -values

9. Extracting Data in Hexadecimal Format
Description: Extracts and displays the data from the registry hive in hexadecimal format.
Code:
dumphive.exe [HiveFilePath] [OutputFilePath] -hex
Example: To extract data from the SYSTEM hive in hexadecimal format:
Code:
dumphive.exe C:\Windows\System32\config\SYSTEM C:\output\system_hex.txt -hex

10. Extracting Binary Data from Registry Values
Description: Extracts binary data from specific registry values within a hive.
Code:
dumphive.exe [HiveFilePath] [OutputFilePath] -binary [RegistryKey] [ValueName]
Example: To extract binary data from the key that the live registry shows as `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`. Inside the hive file there is no `CurrentControlSet`; use the control set named by the `Select` key's `Current` value (here `ControlSet001`) and give the key path relative to the hive root. `BinaryValueName` stands for the REG_BINARY value you want to extract:
Code:
dumphive.exe C:\Windows\System32\config\SYSTEM C:\output\tcpip_parameters.bin -binary "ControlSet001\Services\Tcpip\Parameters" "BinaryValueName"



Conclusion

DumpHive is a powerful tool for extracting and analyzing the contents of Windows registry hive files. By mastering these commands, you can efficiently gather important information from registry hives for forensic analysis or system administration purposes.

Happy Scripting!