
1.) How do I load, edit and save binary hive files for the registry from C#?

I found this Win32 API: http://msdn.microsoft.com/en-us/library/ee210770%28VS.85%29.aspx

This guy shared code to dump the content of binary hive files to text: http://www.codeproject.com/KB/recipes/RegistryDumper.aspx

2.) In addition to manipulating the hive files, I am also looking for a method to load a hive file into the registry at runtime using C# (similar to the Load Hive and Unload Hive commands on the File menu in regedit).

/Thanks

thomas nn

3 Answers

Have you looked at the Registry and RegistryKey classes in Microsoft.Win32?

http://msdn.microsoft.com/en-us/library/microsoft.win32.aspx

It sounds like you may need to create your own representation to read the hive file and either queue up or immediately make the corresponding registry changes. Likewise you would need to write your own converter back to disk.

mcw

This is 9 years old, but I figured this could help someone else. I wrote this class that allows you to do something like this:

Hive.AcquirePrivileges();                               // Acquires the privileges necessary for loading the hive
Hive myregistryhive = Hive.LoadFromFile("hivepathhere"); // Loads the hive
// use myregistryhive.RootKey (a RegistryKey), read and/or write to it and its sub keys
myregistryhive.SaveAndUnload();                         // Unloads the hive (changes are written back to the file)
Hive.ReturnPrivileges();                                // De-elevate back to normal privileges.

The code for the class:

using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using Microsoft.Win32;

class Hive
{
    // The Reg* functions return the Win32 error code directly (0 == ERROR_SUCCESS),
    // so check the return value rather than GetLastError.
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int RegLoadKey(IntPtr hKey, string lpSubKey, string lpFile);

    // Declared but not used by this class; third parameter is LPSECURITY_ATTRIBUTES (pass IntPtr.Zero).
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int RegSaveKey(IntPtr hKey, string lpFile, IntPtr lpSecurityAttributes);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int RegUnLoadKey(IntPtr hKey, string lpSubKey);

    // Undocumented ntdll export. It returns an NTSTATUS (0 on success), not a pointer,
    // and its BOOLEAN parameters are one byte wide, hence the U1 marshalling.
    [DllImport("ntdll.dll")]
    static extern int RtlAdjustPrivilege(int Privilege,
        [MarshalAs(UnmanagedType.U1)] bool bEnablePrivilege,
        [MarshalAs(UnmanagedType.U1)] bool IsThreadPrivilege,
        [MarshalAs(UnmanagedType.U1)] out bool PreviousValue);

    // A LUID is a 64-bit structure; a ref UInt64 is layout-compatible with it.
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LookupPrivilegeValue(IntPtr lpSystemName, string lpName, ref UInt64 lpLuid);

    private RegistryKey parentKey;
    private string name;
    private string originalPath;
    public RegistryKey RootKey;

    private Hive() { }

    public static Hive LoadFromFile(string Path)
    {
        Hive result = new Hive();

        // Mount the file under HKEY_USERS with a random name so it cannot collide with a real SID.
        result.parentKey = RegistryKey.OpenBaseKey(RegistryHive.Users, RegistryView.Default);
        result.name = Guid.NewGuid().ToString();
        result.originalPath = Path;
        IntPtr parentHandle = result.parentKey.Handle.DangerousGetHandle();
        int rc = RegLoadKey(parentHandle, result.name, Path);
        if (rc != 0)
        {
            result.parentKey.Close();
            throw new Win32Exception(rc); // e.g. ERROR_PRIVILEGE_NOT_HELD without SeRestorePrivilege, or the file is in use
        }
        result.RootKey = result.parentKey.OpenSubKey(result.name, true);
        return result;
    }

    private static void SetPrivilege(string privilegeName, bool enable)
    {
        ulong luid = 0;
        bool throwaway;
        if (!LookupPrivilegeValue(IntPtr.Zero, privilegeName, ref luid))
            throw new Win32Exception();
        int status = RtlAdjustPrivilege((int)luid, enable, false, out throwaway);
        if (status != 0)
            throw new InvalidOperationException(privilegeName + ": RtlAdjustPrivilege failed, NTSTATUS 0x" + status.ToString("X8"));
    }

    public static void AcquirePrivileges()
    {
        // Both privileges are only present in an elevated (administrator) token.
        SetPrivilege("SeRestorePrivilege", true);
        SetPrivilege("SeBackupPrivilege", true);
    }

    public static void ReturnPrivileges()
    {
        SetPrivilege("SeRestorePrivilege", false);
        SetPrivilege("SeBackupPrivilege", false);
    }

    public void SaveAndUnload()
    {
        // Unloading flushes pending changes back to the hive file; all handles into it must be closed first.
        RootKey.Close();
        int rc = RegUnLoadKey(parentKey.Handle.DangerousGetHandle(), name);
        parentKey.Close();
        if (rc != 0)
            throw new Win32Exception(rc);
    }
}

Edit: Note that this requires administrator privileges.

Nexus Designs
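An added example, not part of the answer above or its Hive class: the same RegLoadKey/RegUnLoadKey mount, wrapped in an IDisposable so the hive is always unloaded, with every return code checked, the two privileges enabled through the documented AdjustTokenPrivileges call instead of the undocumented RtlAdjustPrivilege, and the mounted hive opened read-only. The usage at the bottom lists the per-user Run autostart values from an offline NTUSER.DAT copy, which is the kind of read a responder does against a hive taken from another machine. The path C:\triage\NTUSER.DAT and the "offline_" mount-name prefix are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using Microsoft.Win32;

// Mounts a hive file under HKEY_USERS for the lifetime of the object. Requires elevation.
sealed class LoadedHive : IDisposable
{
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegLoadKeyW(IntPtr hKey, string lpSubKey, string lpFile);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegUnLoadKeyW(IntPtr hKey, string lpSubKey);

    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry.
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LookupPrivilegeValueW(string lpSystemName, string lpName, out LUID lpLuid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges, ref TOKEN_PRIVILEGES NewState,
                                             uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr hObject);

    const uint TOKEN_ADJUST_PRIVILEGES = 0x0020, TOKEN_QUERY = 0x0008, SE_PRIVILEGE_ENABLED = 0x0002;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    // Enable one named privilege on the process token. AdjustTokenPrivileges returns TRUE even when
    // the token does not hold the privilege, so the last-error value has to be checked as well.
    static void EnablePrivilege(string name)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            LUID luid;
            if (!LookupPrivilegeValueW(null, name, out luid)) throw new Win32Exception();
            var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Luid = luid, Attributes = SE_PRIVILEGE_ENABLED };
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) throw new Win32Exception();
            if (Marshal.GetLastWin32Error() == ERROR_NOT_ALL_ASSIGNED)
                throw new InvalidOperationException(name + " is not held by this token; run elevated");
        }
        finally { CloseHandle(token); }
    }

    readonly RegistryKey parent;
    readonly string mountName;
    public RegistryKey Root { get; private set; }

    public LoadedHive(string hiveFile)
    {
        EnablePrivilege("SeBackupPrivilege");
        EnablePrivilege("SeRestorePrivilege");
        parent = RegistryKey.OpenBaseKey(RegistryHive.Users, RegistryView.Default);
        mountName = "offline_" + Guid.NewGuid().ToString("N");   // assumed prefix; a GUID avoids clashing with a real SID
        int rc = RegLoadKeyW(parent.Handle.DangerousGetHandle(), mountName, hiveFile);   // returns the error code itself
        if (rc != 0) { parent.Dispose(); throw new Win32Exception(rc); }
        Root = parent.OpenSubKey(mountName, false);                // read-only: triage should not modify the evidence copy
    }

    public void Dispose()
    {
        if (Root != null) Root.Dispose();                          // all handles into the hive must be closed before unload
        int rc = RegUnLoadKeyW(parent.Handle.DangerousGetHandle(), mountName);
        parent.Dispose();
        if (rc != 0) throw new Win32Exception(rc);
    }
}

static class Program
{
    static void Main(string[] args)
    {
        string hivePath = args.Length > 0 ? args[0] : @"C:\triage\NTUSER.DAT";   // placeholder path
        using (var hive = new LoadedHive(hivePath))
        using (RegistryKey run = hive.Root.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Run"))
        {
            if (run == null) { Console.WriteLine("no Run key in this hive"); return; }
            foreach (string valueName in run.GetValueNames())
                Console.WriteLine(valueName + " = " + run.GetValue(valueName));
        }
    }
}
```

Always point this at a copy of the hive: RegLoadKey makes the file the backing store of the mounted key, so anything written through the registry API lands in that file (and transaction logs are created next to it), and a hive that is currently in use by the OS cannot be loaded at all. The mount name is never a real SID, so nothing else on the system will resolve to it while it is loaded.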

The article below explains how to analyze a registry hive file without using the Win32 API (advapi32.dll). In this particular case the author is using Mono:

http://volatile-minds.blogspot.com/2011/01/analyzing-windows-nt-registry-without.html

using System;
using System.IO;
using System.Text.RegularExpressions;

// `path` and the regex `lf` are defined elsewhere in the linked post; they are taken
// as parameters here so the fragment compiles on its own.
static int CountMatches (string path, Regex lf)
{
 using (FileStream fs = File.OpenRead (path)) {
  var data = new byte[checked((int)fs.Length)];
  int i = 0;
  int read;

  using (var ms = new MemoryStream (checked((int)fs.Length))) {

   while ((read = fs.Read (data, 0, data.Length)) > 0) {
    ms.Write (data, 0, read);
    i += read;
   }

   byte[] hive = ms.ToArray ();
   // Widen every byte to a char (one char per byte, no decoding) so the raw hive can be searched with Regex.
   char[] cList = new char[hive.Length];

   i = 0;
   foreach (byte b in hive)
    cList[i++] = (char)b;

   string d = new string (cList);

   int all = 0;

   foreach (Match mx in lf.Matches (d)) { //you can change out the regex you want here.
    // Narrow the matched text back to the original bytes.
    byte[] bb = new byte[mx.Value.Length];
    char[] cb = new char[mx.Value.Length];

    for (int k = 0; k < mx.Value.Length; k++) {
     bb[k] = (byte)mx.Value[k];
     cb[k] = (char)bb[k];
    }

    all++;

    //Console.WriteLine (new string (cb));
   }

   Console.WriteLine (all.ToString ());
   return all;
  }
 }
}
Salaros
  • I actually wrote the above code, that is my blog. That code is really piss-poor and I don't recommend using it. I did write a [real offline registry reading library in Ruby](https://github.com/brandonprry/ntreg-ruby), and a tool consuming it is in the Metasploit framework (tools/reg.rb). Eventually I will be implementing this library in C# as well, but not any time soon. –  Aug 05 '12 at 22:00
  • well.. this is not any time soon... did you?? :) @user1577946 – crankedrelic Apr 01 '21 at 15:11
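An added example, not code from the linked blog or from the ntreg-ruby library mentioned in the comments: the first thing an offline parser should do before trusting the file is read the 4 KiB "regf" base block directly and check its integrity. The code below parses the public base-block fields (signature, sequence numbers, last-written timestamp, version, root cell offset, embedded file name), recomputes the XOR-32 header checksum, and flags a hive whose primary and secondary sequence numbers differ, which means the last write was interrupted and the .LOG transaction logs have not been replayed into the file. The sample headers are constructed in code.

```csharp
using System;
using System.IO;
using System.Text;

static class RegfBaseBlock
{
    public const int Size = 0x1000;      // the base block is always 4096 bytes
    const int ChecksumOffset = 0x1FC;    // XOR-32 over bytes 0..0x1FB

    public sealed class Info
    {
        public uint PrimarySequence, SecondarySequence, MajorVersion, MinorVersion;
        public uint RootCellOffset, HiveBinsSize;
        public DateTime LastWrittenUtc;
        public string FileName;
        public bool ChecksumValid;
        // Sequence numbers differ while a write is in flight; on disk that means the
        // logs were not applied and the hive data may be stale or inconsistent.
        public bool Dirty { get { return PrimarySequence != SecondarySequence; } }
    }

    public static uint ComputeChecksum(byte[] block)
    {
        uint x = 0;
        for (int off = 0; off < ChecksumOffset; off += 4)
            x ^= BitConverter.ToUInt32(block, off);
        if (x == 0xFFFFFFFF) return 0xFFFFFFFE;   // the format reserves these two values
        if (x == 0) return 1;
        return x;
    }

    public static Info Parse(byte[] block)
    {
        if (block.Length < Size) throw new InvalidDataException("base block truncated");
        if (Encoding.ASCII.GetString(block, 0, 4) != "regf") throw new InvalidDataException("not a regf hive");
        return new Info
        {
            PrimarySequence   = BitConverter.ToUInt32(block, 0x04),
            SecondarySequence = BitConverter.ToUInt32(block, 0x08),
            LastWrittenUtc    = DateTime.FromFileTimeUtc(BitConverter.ToInt64(block, 0x0C)),
            MajorVersion      = BitConverter.ToUInt32(block, 0x14),
            MinorVersion      = BitConverter.ToUInt32(block, 0x18),
            RootCellOffset    = BitConverter.ToUInt32(block, 0x24),   // relative to the first hbin at file offset 0x1000
            HiveBinsSize      = BitConverter.ToUInt32(block, 0x28),
            FileName          = Encoding.Unicode.GetString(block, 0x30, 64).TrimEnd('\0'),
            ChecksumValid     = ComputeChecksum(block) == BitConverter.ToUInt32(block, ChecksumOffset),
        };
    }

    // Constructed sample: a minimal base block for a hive named "ntuser.dat".
    public static byte[] BuildSample(uint primarySeq, uint secondarySeq, bool corruptChecksum)
    {
        var b = new byte[Size];
        Encoding.ASCII.GetBytes("regf").CopyTo(b, 0);
        BitConverter.GetBytes(primarySeq).CopyTo(b, 0x04);
        BitConverter.GetBytes(secondarySeq).CopyTo(b, 0x08);
        BitConverter.GetBytes(new DateTime(2012, 8, 5, 22, 0, 0, DateTimeKind.Utc).ToFileTimeUtc()).CopyTo(b, 0x0C);
        BitConverter.GetBytes(1u).CopyTo(b, 0x14);      // major version 1
        BitConverter.GetBytes(3u).CopyTo(b, 0x18);      // minor version 3
        BitConverter.GetBytes(0x20u).CopyTo(b, 0x24);   // root cell right after the 32-byte hbin header
        BitConverter.GetBytes(0x1000u).CopyTo(b, 0x28); // one hbin of data
        Encoding.Unicode.GetBytes("ntuser.dat").CopyTo(b, 0x30);
        uint sum = ComputeChecksum(b);
        BitConverter.GetBytes(corruptChecksum ? sum ^ 1u : sum).CopyTo(b, ChecksumOffset);
        return b;
    }

    static void Main()
    {
        byte[][] samples = { BuildSample(5, 5, false),   // clean
                             BuildSample(6, 5, false),   // dirty: logs not replayed
                             BuildSample(5, 5, true) };  // header damaged or truncated copy
        foreach (byte[] sample in samples)
        {
            Info h = Parse(sample);
            Console.WriteLine(h.FileName + " v" + h.MajorVersion + "." + h.MinorVersion
                + " seq " + h.PrimarySequence + "/" + h.SecondarySequence
                + " root=0x" + h.RootCellOffset.ToString("X") + " written=" + h.LastWrittenUtc.ToString("u")
                + " checksum=" + (h.ChecksumValid ? "ok" : "BAD") + " dirty=" + h.Dirty);
        }
    }
}
```

On a real hive the next step is to seek to 0x1000 + RootCellOffset, read the cell size (negative when allocated) and the "nk" record behind it, and walk subkeys from there. A failed checksum on a copy most often means the copy was truncated or taken from a live, half-written file; a dirty flag means the parser is looking at a snapshot that the OS would have repaired from the logs at next load, so values read from it should be treated as possibly stale.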