Loading offline registry files

Windows stores its registry information in a set of files known as hives.
You can get at the registry of a running computer via the registry editor (Run… -> regedit), pretty obvious yeah?
But what if your PC is toast? How do you get at its registry then? (maybe it's riddled with malware, maybe you have a product key you want to extract, maybe you're just a curious little bastard). The answer is to go after the hive files on disk: pull the drive and attach it to a working machine, or boot something else (a recovery environment, a live disc) alongside the dead install.

Interestingly you can still use regedit to look at offline hives. Two conditions: regedit has to be running elevated (Load Hive needs administrator rights), and the hive you want must not be the one the running Windows is already using, since those files are locked.

Select HKEY_LOCAL_MACHINE or HKEY_USERS in the left pane.

Then on the File menu, select Load Hive… (note, if one of the two root keys above is not selected, this option is greyed out).

Navigate to the machine hive files, which live in
{drive}:\Windows\System32\config

the files being SAM, SYSTEM, SOFTWARE and SECURITY (there is also DEFAULT, the profile used before anyone logs on).

For user hives the files are in

{drive}:\Documents and Settings\{user} (XP and before) or
{drive}:\Users\{user} (Vista or after)

and the file is called NTUSER.DAT. It is a hidden file, so either turn on "show hidden files" or type the name straight into the Load Hive dialog.

You are asked for a name for the hive, and then it appears as a sub key of the root key you selected at the start. The name is arbitrary, it is just a mount point.

Worth knowing while you are in there: the SAM hive holds the local account password hashes and the SYSTEM hive holds the key that protects them, so whoever has the disk in hand has everything needed to recover them offline. That is the real reason full disk encryption exists.

Something to note: while it is loaded, this hive is reachable not just through regedit but through anything that talks to the registry, scripts and applications included, under the path you gave it (e.g. HKEY_LOCAL_MACHINE\{name}). When you are done, select the key and use File -> Unload Hive…, otherwise the file stays locked and you cannot cleanly detach the disk.
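Here is the same procedure scripted, as an added example rather than anything from the original post: it loads the offline SOFTWARE, SYSTEM and NTUSER.DAT hives with reg.exe (the command-line equivalent of Load Hive), pulls out the OS version, the computer name and the machine-wide and per-user Run keys (the first thing to check on a box you suspect is infected), then unloads everything again. The drive letter D:, the profile name "alice" and the mount point names are assumptions; change them to match your disk. Run it from an elevated PowerShell prompt on the machine the dead disk is attached to.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post.
# Assumptions: the dead machine's disk is attached to this box as D:, and
# "alice" is the profile whose NTUSER.DAT we want. reg.exe load needs an
# elevated prompt, same as File > Load Hive in regedit.
$OfflineRoot = 'D:'                                  # assumption
$ProfilePath = "$OfflineRoot\Users\alice"            # assumption, Vista+ layout

# Mount point name (arbitrary) -> hive file on the offline disk.
$Hives = @{
    'OfflineSOFTWARE' = "$OfflineRoot\Windows\System32\config\SOFTWARE"
    'OfflineSYSTEM'   = "$OfflineRoot\Windows\System32\config\SYSTEM"
    'OfflineUser'     = "$ProfilePath\NTUSER.DAT"    # hidden file, hence -Force below
}

function Mount-OfflineHive([string]$Name, [string]$File) {
    if (-not (Get-Item -LiteralPath $File -Force -ErrorAction SilentlyContinue)) {
        throw "hive file not found: $File"
    }
    # Exactly what regedit's File > Load Hive does, under HKEY_LOCAL_MACHINE.
    & reg.exe load "HKLM\$Name" $File 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg load failed for $File (file in use, not elevated, or not a hive?)"
    }
}

function Dismount-OfflineHive([string]$Name) {
    # The registry provider keeps key handles alive; drop them first or
    # reg unload fails with "Access is denied".
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$Name" 2>$null | Out-Null
}

try {
    foreach ($h in $Hives.GetEnumerator()) { Mount-OfflineHive $h.Key $h.Value }

    # SOFTWARE: what OS this was, and what runs for every user at logon.
    $cv = Get-ItemProperty 'HKLM:\OfflineSOFTWARE\Microsoft\Windows NT\CurrentVersion'
    "OS: $($cv.ProductName) build $($cv.CurrentBuild)"
    "Machine-wide Run entries:"
    Get-ItemProperty 'HKLM:\OfflineSOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
        Select-Object -Property * -ExcludeProperty PS* | Format-List

    # SYSTEM: CurrentControlSet is a symbolic link that only exists on a live
    # system. Offline, Select\Current tells you which ControlSet00N was active.
    $n  = (Get-ItemProperty 'HKLM:\OfflineSYSTEM\Select').Current
    $cs = 'HKLM:\OfflineSYSTEM\ControlSet{0:D3}' -f $n
    "Computer name: " + (Get-ItemProperty "$cs\Control\ComputerName\ComputerName").ComputerName

    # NTUSER.DAT: per-user autoruns for the chosen profile.
    "Per-user Run entries for alice:"
    Get-ItemProperty 'HKLM:\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
        Select-Object -Property * -ExcludeProperty PS* | Format-List
}
finally {
    # Always unload, even on error: a loaded hive keeps its file locked and
    # the disk cannot be cleanly detached until it is released.
    foreach ($name in $Hives.Keys) { Dismount-OfflineHive $name }
}
```

The mount point names do not matter, but the unload in the finally block does: if the script dies halfway through and you forget, the next attempt to load the same file fails because the old mount is still holding it.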
