sebafvs/hivex

Hivex

Windows registry hive dumper for SAM, SYSTEM, and SECURITY.

Saves the three hives required for offline credential extraction to disk using the backup privilege API, bypassing the DACL on protected hives without touching LSASS or any in-memory credential store.

Part of a layered Windows credential research series.


Usage

Dumps all three hives to the current working directory.

hivex.exe

Dumps to a specified directory.

hivex.exe C:\tmp\

Output files

File          Contains                                  Typical size
sam.hiv       Local account NT hashes                   ~36 KB
system.hiv    Bootkey (SYSKEY), required by all tools   ~14 MB
security.hiv  LSA secrets, cached credentials           ~28 KB

Sample output

[*] hivex - dump SAM + SYSTEM + SECURITY to disk
[+] Output: C:\tmp

[+] Enabled: SeBackupPrivilege
[+] Enabled: SeSecurityPrivilege

[+] Saved sam.hiv
[+] Saved system.hiv
[+] Saved security.hiv

[*] Files written:
    sam.hiv
    system.hiv
    security.hiv

Cross-validation with Impacket

The output files can be verified against Impacket secretsdump on a Linux machine:

impacket-secretsdump -sam sam.hiv -system system.hiv -security security.hiv LOCAL

If Impacket decrypts NT hashes and LSA secrets correctly from the same files, the dump is valid.


Build

Requirements: Visual Studio 2022/2026, Windows SDK, x64 target

  1. Open hivex.slnx in Visual Studio
  2. Set configuration to Release / x64
  3. Build → Build Solution (Ctrl+Shift+B)
  4. Output: x64\Release\hivex.exe

Project settings:

  • Runtime Library: /MT, fully static, no runtime DLL dependency
  • Precompiled Headers: disabled
  • No external dependencies beyond the Windows SDK

Files

File      Description
main.c    Entry point and hive dump logic
common.h  Shared declarations used across all research tools
common.c  Shared implementations (privileges, registry, crypto helpers)

How it works

Uses RegSaveKeyA with REG_OPTION_BACKUP_RESTORE to open protected hives, the same mechanism backup software uses. This requires SeBackupPrivilege and SeSecurityPrivilege in the process token; an elevated administrator token already holds both in a disabled state, and hivex enables them at startup. The DACL on HKLM\SAM and HKLM\SECURITY is bypassed entirely through this mechanism.

The output files are standard Windows hive format, identical to the physical files in C:\Windows\System32\config\, and are directly consumable by any offline hive parsing tool.
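The same mechanism leaves a telemetry trail, and the following added example (not part of the hivex project) sketches the detection side of it: per process, it correlates a Sensitive Privilege Use record for SeBackupPrivilege with creation of a file named after one of the three hives, over constructed sample records. The event IDs (Security 4673, Sysmon 11), the field names and every path and PID are assumptions made for the example.

```python
import ntpath
from collections import defaultdict

# Constructed sample records (not real telemetry). The shapes follow Windows
# Security event 4673 (a privileged service was called; needs Audit Sensitive
# Privilege Use enabled) and Sysmon event 11 (FileCreate). PIDs, image paths
# and target paths are made up for the example.
SAMPLE_EVENTS = [
    {"id": 4673, "pid": 4120, "image": r"C:\tmp\hivex.exe", "privilege": "SeBackupPrivilege"},
    {"id": 4673, "pid": 4120, "image": r"C:\tmp\hivex.exe", "privilege": "SeSecurityPrivilege"},
    {"id": 11, "pid": 4120, "image": r"C:\tmp\hivex.exe", "target": r"C:\tmp\sam.hiv"},
    {"id": 11, "pid": 4120, "image": r"C:\tmp\hivex.exe", "target": r"C:\tmp\system.hiv"},
    {"id": 11, "pid": 4120, "image": r"C:\tmp\hivex.exe", "target": r"C:\tmp\security.hiv"},
    # A legitimate backup engine also invokes SeBackupPrivilege, but it does not
    # drop files named after the SAM/SYSTEM/SECURITY hives, so it must not alert.
    {"id": 4673, "pid": 988, "image": r"C:\Windows\System32\wbengine.exe", "privilege": "SeBackupPrivilege"},
    {"id": 11, "pid": 988, "image": r"C:\Windows\System32\wbengine.exe", "target": r"D:\Backup\disk.vhdx"},
]

HIVE_STEMS = {"sam", "system", "security"}  # the three hives the tool writes


def hive_stem(path):
    """Return 'sam', 'system' or 'security' if the file name (any extension) matches a hive, else None."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    return stem if stem in HIVE_STEMS else None


def detect_hive_dumps(events):
    """Flag processes that both used SeBackupPrivilege and wrote a SAM/SYSTEM/SECURITY-named file."""
    backup_users = {}                 # pid -> image of processes that invoked SeBackupPrivilege
    hives_written = defaultdict(set)  # pid -> hive stems that process created on disk
    for ev in events:
        if ev["id"] == 4673 and ev.get("privilege") == "SeBackupPrivilege":
            backup_users[ev["pid"]] = ev["image"]
        elif ev["id"] == 11:
            stem = hive_stem(ev["target"])
            if stem:
                hives_written[ev["pid"]].add(stem)
    findings = []
    for pid, image in backup_users.items():
        if hives_written[pid]:
            findings.append({"pid": pid, "image": image, "hives": sorted(hives_written[pid])})
    return findings


if __name__ == "__main__":
    for f in detect_hive_dumps(SAMPLE_EVENTS):
        print(f"[!] pid {f['pid']} ({f['image']}) wrote hives: {', '.join(f['hives'])}")
```

Renaming the output files defeats the name match, so a production rule would also key on registry access to HKLM\SAM and HKLM\SECURITY by a non-backup image; the correlation logic stays the same.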

About

Windows registry hive dumper for SAM, SYSTEM, and SECURITY using the backup privilege API.
