Dumping Registry Hives and CEDB Database Volumes

Posted by: Sue Loh

Once in a while people ask how to find out what's inside the boot.hv or other .hv files from their image or from persistent storage.  Or, less frequently, they ask how to look at the contents of a CEDB database volume on the desktop side.  You probably don't know, but internally hives and CEDB volumes share a lot of data structures.  When I was working on CEDB, at one point I needed a dump tool, so I created d_readvol.  At the time I was helping to create the guts inside the database conversion wizard power toy.  (http://www.microsoft.com/downloads/details.aspx?FamilyID=636008aa-a011-4188-a1aa-4dd723e315bf&DisplayLang=en)  I also used it to debug corrupted files.  Later when I was working on the hive-based registry, I hacked the same tool to dump hive files.

Just like perfalyzer, I have to warn you that d_readvol is only intended for internal use.  I really just made it for my own personal use a long time ago.  It is officially unsupported, and I don't even expect that to change in the future.  It might have security vulnerabilities. It might crash your hard drive. It might run up your phone bill or get you hooked on professional wrestling.   If you find bugs, well, I might have the time to help fix them, but I cannot promise anything.  You might find the tool bad enough to be completely unusable.  I make no promises.  "Most" of the time it works "well enough."

So here it is for you to play with:  http://www.thelohs.net/sue_blog/utils/d_readvol.exe  It is a desktop tool that will dump the internal contents of either a CEDB database volume or a hive file.  You use it by giving it the name of the file you want to look at:

d_readvol boot.hv
d_readvol myvolume.cdb

It also has a "verbose" option that, er, sometimes crashes.  ;-)  You don't want the verbose option anyway, that's just for looking at volume corruption.

Oh and why the "d_"?  Remember I said I was working on the database converter power tool.  I was converting between CE 2.12 (code name "Birch"), 3.0 ("Cedar") and 4.0 ("DougFir") databases.  I thought a letter difference in name was an easier thing to type than a number.