Offline Windows Registry Editing from a Linux Rescue Instance (hivex)
When an EC2 Windows instance cannot boot or accept RDP, you can attach its root volume to a Linux rescue instance and use hivex to read/write the registry hive files offline. Common scenarios: enable/disable storage drivers to fix BSODs, reset the RDP port, disable the firewall, or change service startup types.
Prerequisites
- An Amazon Linux 2023 rescue instance in the same AZ as the target EBS volume
- The target Windows instance is stopped
- The target root volume is detached from the original instance and attached to the rescue instance
1. Mount the target volume
```bash
# AL2023 kernel ships with the ntfs3 driver
sudo modprobe ntfs3
# Identify the device (use the SERIAL field)
sudo lsblk -o NAME,SIZE,SERIAL,MOUNTPOINT,FSTYPE
# Mount
sudo mkdir -p /mnt/win
sudo mount -t ntfs3 -o rw /dev/nvme1n1p1 /mnt/win
```
Registry hive files are at /mnt/win/Windows/System32/config/:
| File | Registry hive | Typical use |
|---|---|---|
| SYSTEM | HKLM\SYSTEM | Services, drivers, boot config |
| SOFTWARE | HKLM\SOFTWARE | Installed software config |
| SAM | HKLM\SAM | Local users and groups |
| SECURITY | HKLM\SECURITY | Security policy |
Backup before modifying:
```bash
sudo cp /mnt/win/Windows/System32/config/SYSTEM /tmp/SYSTEM_BACKUP
```
2. Build and install hivex
AL2023 repos do not carry hivex; build from source:
```bash
sudo dnf install -y gcc make perl
cd /tmp
curl -sL https://download.libguestfs.org/hivex/hivex-1.3.24.tar.gz | tar xz
cd hivex-1.3.24
./configure --disable-ocaml --disable-perl --disable-python --disable-ruby
make -j$(nproc)
sudo make install
# make install puts libhivex in /usr/local/lib, which is not on the default loader path
export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
```
| Tool | Function |
|---|---|
| hivexsh | Interactive shell, supports read/write |
| hivexget | Read-only key/value query |
| hivexml | Export hive as XML |
3. Read the registry (hivexget)
```bash
# Check RDP service startup type
hivexget /mnt/win/Windows/System32/config/SYSTEM \
  'ControlSet001\Services\TermService' Start
# 2=Automatic, 3=Manual, 4=Disabled
# Check RDP port
hivexget /mnt/win/Windows/System32/config/SYSTEM \
  'ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp' PortNumber
# List all values under a key
hivexget /mnt/win/Windows/System32/config/SYSTEM \
  'ControlSet001\Services\storahci'
```
4. Modify the registry (hivexsh)
Use -w to enable write mode, with heredocs for batch execution:
```bash
/usr/local/bin/hivexsh -w <<'EOF'
load /mnt/win/Windows/System32/config/SYSTEM
cd ControlSet001\Services\storahci
setval 1
Start
dword:0x00000000
commit
EOF
```
Start value meanings:
| Value | Meaning |
|---|---|
| 0 | Boot (loaded earliest during kernel boot) |
| 1 | System |
| 2 | Automatic |
| 3 | Manual |
| 4 | Disabled |
Batch-enable storage drivers (fix BSOD UNMOUNTABLE_BOOT_VOLUME)
When an EC2 Windows instance is exported to VMware and BSODs, enable SATA/SCSI drivers:
```bash
for svc in storahci intelide pciide LSI_SAS iaStorV stornvme; do
# unquoted heredoc so $svc expands; the backslash before it is doubled
/usr/local/bin/hivexsh -w <<EOF
load /mnt/win/Windows/System32/config/SYSTEM
cd ControlSet001\Services\\$svc
setval 1
Start
dword:0x00000000
commit
EOF
done
```
Change the RDP port
```bash
/usr/local/bin/hivexsh -w <<'EOF'
load /mnt/win/Windows/System32/config/SYSTEM
cd ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp
setval 1
PortNumber
dword:0x00000D3D
commit
EOF
```
0xD3D = 3389 (the default RDP port).
5. Verify and reattach
```bash
# Verify
hivexget /mnt/win/Windows/System32/config/SYSTEM \
  'ControlSet001\Services\storahci' Start
# Expected: 0
# Unmount
sudo umount /mnt/win
# Reattach to the original instance
aws ec2 detach-volume --volume-id <vol-id>
aws ec2 wait volume-available --volume-ids <vol-id>
aws ec2 attach-volume --volume-id <vol-id> --instance-id <original-instance-id> --device /dev/sda1
aws ec2 start-instances --instance-ids <original-instance-id>
```
Pitfalls
Forgot commit: hivexsh writes are in-memory; exiting without commit means no changes. The last line of a heredoc must always be commit.
Wrong ControlSet: which ControlSet Windows boots from is determined by SYSTEM\Select -> Current. Check first:
```bash
hivexget /mnt/win/Windows/System32/config/SYSTEM 'Select' Current
# Output 1 -> ControlSet001
```
NTFS dirty flag: mounting after an unclean Windows shutdown fails with "unclean shutdown". Clear it with ntfsfix:
```bash
sudo dnf install -y ntfsprogs
sudo ntfsfix /dev/nvme1n1p1
```
Heredoc backslash escaping: with no variables, use <<'EOF' (single quotes) to preserve backslashes; with variables (like the loop $svc), use <<EOF and double the backslash that precedes the variable (\\$svc), since a single \$ would suppress the expansion.
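The pitfalls above are easiest to avoid by scripting the edit rather than hand-writing heredocs. The following is an added example, not code from the original page: it reads SYSTEM\Select -> Current to pick the ControlSet, backs up the hive, generates the hivexsh command script as text (so no backslash escaping is needed), and re-reads the value with hivexget so a missing commit shows up as a failure. It generalizes to any service and Start value; function names and the HIVE variable are this example's own, and it assumes hivexsh and hivexget are on PATH.

```bash
#!/bin/sh
# Added example (not from the original page): edit a service's Start value in
# the ControlSet Windows actually boots from, with backup and read-back check.
# Assumes hivexsh/hivexget (built above) are on PATH; function names are ours.
set -eu

HIVE="${HIVE:-/mnt/win/Windows/System32/config/SYSTEM}"

# Map the number in SYSTEM\Select -> Current (e.g. 1) to its key name.
control_set_name() {
    printf 'ControlSet%03d' "$1"
}

# Generate the hivexsh command script as text. Building the registry path
# here instead of in a heredoc avoids the backslash-escaping pitfall, and the
# script can be inspected before it is fed to hivexsh -w.
build_setstart_script() {
    printf 'load %s\ncd %s\\Services\\%s\nsetval 1\nStart\ndword:0x%08x\ncommit\n' \
        "$1" "$2" "$3" "$4"
}

# Read Select\Current from the hive and return the matching ControlSet name.
current_control_set() {
    control_set_name "$(hivexget "$1" 'Select' Current)"
}

# Back up the hive once, apply the change, then re-read the value with
# hivexget (it prints dwords in decimal). Returns non-zero if the value on
# disk is not what was requested, which is what a missing commit looks like.
set_service_start() {
    hive=$1; svc=$2; start=$3
    cset=$(current_control_set "$hive")
    [ -e "$hive.bak" ] || cp "$hive" "$hive.bak"
    build_setstart_script "$hive" "$cset" "$svc" "$start" | hivexsh -w
    got=$(hivexget "$hive" "$cset\\Services\\$svc" Start)
    [ "$got" = "$start" ]
}

# Usage: only runs when the tools and a mounted hive are present.
if command -v hivexsh >/dev/null 2>&1 && [ -r "$HIVE" ]; then
    set_service_start "$HIVE" storahci 0 && echo "storahci Start=0 verified"
fi
```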
