  1. #1

    Remote Registry Editing and Registry Recovery

    This is a short guide on how to edit the registry hives for an installation of Windows (XP or 2000) that is not currently active (running). All due care should be taken to ensure that a mistake doesn't require a complete re-installation of Windows (or the need to employ the 12 Easy Steps to Registry Recovery). This method can also be used to edit the HKEY_CURRENT_USER (HKCU) key on a running installation of Windows for a user that is not currently logged in, providing, of course, that the current user has administrator privileges. Further, this method can be employed on a drive that is either remotely connected, with proper shares, or directly connected to the machine used for the editing process. Although Windows 2000 can be used for the editing (at least of another Windows 2000 registry hive), Regedt32's display is quite ugly and cumbersome on W2k, so I highly recommend the use of XP. I am going to make the dangerous presumption that you know what you are doing while editing a registry hive. If you do not, you should not perform any of the following. You are solely responsible for any damage you cause. Finally, you might ask: Why would I want to do this anyway? If you need to ask this, you probably don't need to do it at all.

    Everything contained in this post has been tried and verified by the Author during the daily execution of his vocation (and avocation). However, you use this information at your own risk.

    Remote Registry Editing

    1. Connect the drive that contains the registry you want to edit to a machine as a data drive.
    2. On the machine used for the editing, start regedit.exe (regedt32.exe if using Windows 2000 as the host for editing).
    3. Highlight the HKEY_LOCAL_MACHINE (HKLM) key and click File->Load Hive. For all keys/files being edited, HKLM, on the host machine, is the key under which to load.
    4. Navigate to the registry hive you wish to edit on the drive you connected in step 1 and double click the hive. Although you can edit any of the 5 (at least theoretically), the useful hives to edit are: SOFTWARE, SYSTEM, DEFAULT and for the HKCU key, NTUSER.DAT. The first three files will be located in %windir%\system32\config. As mentioned in the preamble, for NTUSER.DAT, you can, if you choose, edit any user while this drive is connected as a data drive (as it is now) or while the target installation is actually running. %windir% is normally \Windows.
    5. You will be prompted for a name for the hive. I use the letter "a" so that the new key (under HKLM) will be listed first.
    6. Edit to your heart's content.
    7. When finished, move to the top level of the named key ("a"), and click File->Unload Hive. DO NOT SKIP THIS STEP.

    Edit: You can use the above method, coupled with this utility: http://www.ac2tech.com/tools/keyview...gitalProductId to retrieve the Product Key from a non-functional installation of Windows 2000 or XP.

    Edit2: This procedure also works well when booting from Bart's PE environment.


    12 Easy Steps to Registry Recovery - These steps only work for Windows XP (or later) and only if you have System Restore active.

    Symptoms of a corrupted registry:
    A) You see a message similar to this at startup:
    Code:
     missing or corrupt c:\windows\system32\config\system
     missing or corrupt c:\windows\system32\config\software
    B) You get a blue screen with something similar to:
    Code:
    STOP 0xC0000218...
    1. Connect hard drive with bad registry file as a slave on working XP or 2k machine.
    2. Make sure that folder options are set to show all files, file extensions and not hide protected OS files.
    3. Navigate to %windir%\system32\config folder on sick hd and move DEFAULT, SOFTWARE, SECURITY, SYSTEM and SAM registry hives to a temporary folder.
    4. Navigate to the System Volume Information folder on the sick hd (located in the root directory of the boot partition) and take ownership of the folder. If necessary, see Take Ownership of those files (below) for instructions on how to do this.
    5. Navigate into System Volume Information folder and you will find a folder that starts out _restore and has a lot of hex digits after it.
    6. Navigate into this folder and you will see some folders that are named rpXX where XX is a number.
    7. Change the view to details view. Pick an rpXX folder near the end datewise. I don't pick the latest one just in case XP managed to back up a bad set of registry hives. I usually pick the 3rd one from the latest.
    8. Navigate into this directory and then into the directory named Snapshot.
    9. You will find roughly 20 files (and a directory) in this folder. You want the 5 that are named _REGISTRY_USER_.DEFAULT, _REGISTRY_MACHINE_SAM, _REGISTRY_MACHINE_SOFTWARE, _REGISTRY_MACHINE_SECURITY and _REGISTRY_MACHINE_SYSTEM.
    10. Pick these files and copy them to the %windir%\system32\config folder.
    11. You should now be back in the %windir%\system32\config folder. Rename these files to DEFAULT, SAM, SOFTWARE, SECURITY and SYSTEM, respectively.
    12. Put drive back in original machine. If that was all that was wrong, you should be able to boot now. If it was not all that was wrong, you should be able to run a repair install now.

    Take Ownership of those files

    1. If using Windows XP Pro, open a folder view window, click on Tools->Folder Options->View, scroll to the last item and make sure "Use Simple File Sharing" is unchecked. Apply changes if necessary.
    1a. If you're using Windows XP Home Edition, you have two choices: you can either boot to Safe Mode so that the file Security Tab will be available to you, or you can download and install scesp4i.exe - which is the NT 4.0 Security Configuration Editor - and have the capability even in Normal Mode. I had to Google this file since it appears to be a dead link (at least for me, today) on MS' site. Download this file, unpack to a temporary directory, right-click the setup.inf file and pick install. After rebooting, the file Security Tab will be available to you in Normal Mode. Disclaimer: You do this at your own risk. I tried it on an installation of XP Home and it worked without issue. Make a System Restore point for insurance.
    2. Navigate to the file or folder you wish to take ownership of.
    3. Right click the file/folder->Properties->Security and click the Advanced button.
    4. Click the Owner Tab, highlight Administrators (this is my personal recommendation for owner), check the box that says "Replace owner on subcontainers and objects" (if present). Apply your changes.
    5. Answer the subsequent prompt by clicking Yes. The files now belong to you.
    Last edited by Sick Willie; 04-05-2011 at 07:45 PM. Reason: update
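As an added example, not part of the post above or of Sick Willie's instructions, here are the two procedures (Remote Registry Editing steps 2-7, and 12 Easy Steps to Registry Recovery steps 3-11) scripted in PowerShell around reg.exe. The hive names, the "a" mount name, the snapshot-file-to-hive-name mapping and the "third newest restore point" rule are taken from the post; PowerShell 2.0 being installed on the editing machine, an elevated session, the drive letter E: for the slaved drive, and the function names are assumptions. Step 4 (taking ownership of System Volume Information) is still done by hand as described in the post; the script only fails with Access Denied if that was skipped.

```powershell
# Added example scripted from the two procedures in the post; not the post's own code.
# Assumes: PowerShell 2.0 or later, reg.exe on PATH, an elevated (Administrator) session,
# and the sick drive slaved in as E:. Function names and paths are assumptions.

# Remote Registry Editing, steps 2-7: load an offline hive under HKLM\<name>, run an edit, always unload.
function Invoke-OfflineHiveEdit {
    param(
        [Parameter(Mandatory=$true)][string]$HivePath,    # e.g. E:\Windows\system32\config\SOFTWARE
        [Parameter(Mandatory=$true)][scriptblock]$Edit,   # receives the mounted key, e.g. 'HKLM:\a'
        [string]$MountName = 'a'                          # the post uses "a" so the key sorts first under HKLM
    )
    if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive not found: $HivePath" }
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE); is the hive in use by a running Windows?" }
    try {
        & $Edit "HKLM:\$MountName"
    }
    finally {
        # Step 7: unloading flushes changes to the file on disk and releases it. DO NOT SKIP.
        & reg.exe unload "HKLM\$MountName" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "reg unload failed; close any regedit window open on HKLM\$MountName and run: reg unload HKLM\$MountName"
        }
    }
}

# 12 Easy Steps, steps 3-11: stage the current hives aside, then copy the five hive files
# out of a System Restore snapshot (not the newest one) under their live names.
function Restore-HivesFromSnapshot {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$SickDrive,   # e.g. 'E:' (boot partition of the sick drive)
        [int]$SkipNewest = 2,                              # the post picks the 3rd newest restore point
        [string]$WindowsDir = 'Windows'                    # %windir% on the sick installation
    )
    $config = Join-Path $SickDrive "$WindowsDir\system32\config"
    $svi    = Join-Path $SickDrive 'System Volume Information'
    # Snapshot file name -> hive name (post steps 9 and 11). Ownership of $svi must already be
    # taken per "Take Ownership of those files"; Get-ChildItem throws Access Denied otherwise.
    $map = @{
        '_REGISTRY_USER_.DEFAULT'    = 'DEFAULT'
        '_REGISTRY_MACHINE_SAM'      = 'SAM'
        '_REGISTRY_MACHINE_SOFTWARE' = 'SOFTWARE'
        '_REGISTRY_MACHINE_SECURITY' = 'SECURITY'
        '_REGISTRY_MACHINE_SYSTEM'   = 'SYSTEM'
    }
    # Step 5: the _restore{...} folder; steps 6-7: rpXX folders, sorted newest first by date.
    $restoreDir = Get-ChildItem -LiteralPath $svi -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -like '_restore*' } | Select-Object -First 1
    if (-not $restoreDir) { throw "No _restore folder under $svi (System Restore not active?)" }
    $points = @(Get-ChildItem -LiteralPath $restoreDir.FullName -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^rp\d+$' } |
        Sort-Object LastWriteTime -Descending)
    if ($points.Count -le $SkipNewest) { throw "Only $($points.Count) restore point(s); need more than $SkipNewest" }
    $snapshot = Join-Path $points[$SkipNewest].FullName 'snapshot'
    # Step 9: verify all five files exist before touching the live config folder.
    foreach ($name in $map.Keys) {
        if (-not (Test-Path -LiteralPath (Join-Path $snapshot $name))) { throw "Missing $name in $snapshot" }
    }
    # Step 3: move the current (possibly corrupt) hives to a temporary folder; never delete them.
    $stash = Join-Path $config ("hives.bad-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    if ($PSCmdlet.ShouldProcess($config, "replace hives from $snapshot (old copies kept in $stash)")) {
        New-Item -ItemType Directory -Path $stash | Out-Null
        foreach ($hive in $map.Values) {
            $live = Join-Path $config $hive
            if (Test-Path -LiteralPath $live) { Move-Item -LiteralPath $live -Destination $stash -Force }
        }
        # Steps 10-11: copy each snapshot file in under its live hive name.
        foreach ($entry in $map.GetEnumerator()) {
            Copy-Item -LiteralPath (Join-Path $snapshot $entry.Key) -Destination (Join-Path $config $entry.Value)
        }
    }
    return $snapshot
}

# Usage (sick drive slaved in as E:):
#   Restore-HivesFromSnapshot -SickDrive 'E:' -WhatIf      # show which snapshot would be used, change nothing
#   Restore-HivesFromSnapshot -SickDrive 'E:'
#   Invoke-OfflineHiveEdit -HivePath 'E:\Windows\system32\config\SOFTWARE' -Edit {
#       param($Root)
#       Get-ItemProperty "$Root\Microsoft\Windows NT\CurrentVersion" | Select-Object ProductName, CSDVersion
#   }
```

The try/finally around the edit is the point of the first function: the post's "DO NOT SKIP THIS STEP" unload is what writes the changes back and releases the hive file, so it runs even if the edit scriptblock throws. The second function refuses to touch the config folder until all five snapshot files are confirmed present, keeps the old hives in a timestamped folder rather than deleting them, and supports -WhatIf so the chosen rpXX folder can be checked before anything is replaced.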

  2. #2

    Re: Remote Registry Editing and Registry Recovery

    Really good info and I noticed it all depends on drive being put into another machine or slaved. Some people may not have that option or if the drive is in a laptop it may not be possible without messing up the warranty.

    Those people could make a BartPE bootable disk then include the Registry Editor PE plugin on the disk they make.

  3. #3

    Re: Remote Registry Editing and Registry Recovery

    Good addition. And the basic logic remains the same.

    Luckily, with the majority of laptops, the drive is removable without there being any residual signs of having been removed. I loathe working on the ones that I have to disassemble the case in order to remove the drive.

  4. #4

    Re: Remote Registry Editing and Registry Recovery

    garg. I tried following both prompts, as to how to take ownership. But I get an "error while deleting key" message each time.

    You say spysweeper deletes it. But each and every time it says there's a threat running in memory that can't be removed unless you restart the computer, would you like to restart now. I click ok and I believe it's supposed to run before everything starts up, but it doesn't; it just runs normally while everything loads up again and I get that same message. The cycle repeats itself. I must have gone through this at least 7 times.

  5. #5

    Re: Remote Registry Editing and Registry Recovery

    See reply in your thread.

  6. #6

    Re: Remote Registry Editing and Registry Recovery

    Bump due to new information concerning Bart's PE.
