Jaa


Dumping Registry Hives and CEDB Database Volumes

Posted by: Sue Loh

Once in a while people ask how to find out what's inside the boot.hv or other .hv files from their image or from persistent storage.  Or, less frequently, they ask how to look at the contents of a CEDB database volume on the desktop side.  You probably don't know, but internally hives and CEDB volumes share a lot of data structures.  When I was working on CEDB, at one point I needed a dump tool, so I created d_readvol.  At the time I was helping to create the guts inside the database conversion wizard power toy.  (https://www.microsoft.com/downloads/details.aspx?FamilyID=636008aa-a011-4188-a1aa-4dd723e315bf&DisplayLang=en)  I also used it to debug corrupted files.  Later when I was working on the hive-based registry, I hacked the same tool to dump hive files.

Just like perfalyzer, I have to warn you that d_readvol is only intended for internal use.  I really just made it for my own personal use a long time ago.  It is officially unsupported, and I don't even expect that to change in the future.  It might have security vulnerabilities. It might crash your hard drive. It might run up your phone bill or get you hooked on professional wrestling.   If you find bugs, well, I might have the time to help fix them, but I cannot promise anything.  You might find the tool bad enough to be completely unusable.  I make no promises.  "Most" of the time it works "well enough."

So here it is for you to play with:  https://www.thelohs.net/sue_blog/utils/d_readvol.exe  It is a desktop tool that will dump the internal contents of either a CEDB database volume or a hive file.  You use it by giving it the name of the file you want to look at:

d_readvol boot.hvd_readvol myvolume.cdb

It also has a "verbose" option that, er, sometimes crashes.  ;-)  You don't want the verbose option anyway, that's just for looking at volume corruption.

Oh and why the "d_"?  Remember I said I was working on the database converter power tool.  I was converting between CE 2.12 (code name "Birch"), 3.0 ("Cedar") and 4.0 ("DougFir") databases.  I thought a letter difference in name was an easier thing to type than a number.

Comments

  • Anonymous
    January 31, 2006
    Congratulation for producing the most un-readable Blog in history!
    Red and Blue text on a Black background! Haven't you guys ever heard of "accessability"?
  • Anonymous
    February 01, 2006
    Hi Martin, what browser are you using? It's black text on a white background in Internet Explorer. I haven't tried any other browsers. In truth most of the colors are set by a "theme" that we selected from a preset group rather than designing ourselves. So it'd be tough to change. But I could send feedback to our blog hosting folks.
  • Anonymous
    February 01, 2006

    Does this tool apply to CEDB only? Not EDB? Can you elaborate a little on CEDB vs. EDB? Is there an "upgrade" tool from CEDB to EDB?


    > Red and Blue text on a Black background

    It looks black on white to me, maybe you need a new browser.

  • Anonymous
    February 02, 2006
    This tool only applies to CEDB. EDB is a completely different format that those of us on this team don't know. I just posted a bit more on your CEDB vs. EDB questions:
    http://blogs.msdn.com/ce_base/archive/2006/02/02/523243.aspx

    Sue