REGISTRY | Accessing/Editing offline registry hives

With REGEDT32 (on Windows XP and later, regedit.exe offers the same "Load Hive"/"Unload Hive" commands under its File menu) one can load and edit offline registry hives. Two preconditions: the account must be an administrator, because loading a hive requires the backup and restore privileges, and the hive file must not be in use (a hive belonging to the running Windows installation, or the ntuser.dat of a logged-in user, cannot be loaded).

   1. Start REGEDT32
   2. Highlight the HKEY_LOCAL_MACHINE-window and select the root of the tree
   3. In the menu select "Registry" -> "Load Hive"
   4. Select the wanted registry hive file:
          * [HKEY_LOCAL_MACHINE \SYSTEM] (%windir%\system32\config\system)
          * [HKEY_LOCAL_MACHINE \SOFTWARE] (%windir%\system32\config\software)
          * [HKEY_USERS \.Default] (%windir%\system32\config\default)
          * [HKEY_CURRENT_USER] (%userprofile%\ntuser.dat, a hidden file in the user's profile folder)
   5. When prompted for a name, give it whatever name you like (e.g. test1). The name is used to create a new node in the tree under which the offline hive can be browsed.
   6. Go to the newly created node and edit whatever you like; changes are written immediately to the offline hive file. One can also copy keys between the newly created node and the live registry by saving a key from one location and restoring it into the corresponding key in the other:
          * To export a single key (with its subkeys) to a file: select the wanted key and in the menu "Registry" use "Save Key".
          * To import a single key or tree from a file: select the location where the key should be imported and in the menu "Registry" use "Restore". Be very careful to select the same location from which it was saved, as the restore erases everything below the selected key and replaces it with the contents of the file.
   7. When finished editing select the newly created node and in the menu select "Registry" -> "Unload Hive"
This method is useful in a number of scenarios:
    * Load another user's HKEY_CURRENT_USER (ntuser.dat) and change that user's settings without logging in as the user.
    * Load an offline registry hive and extract settings to import into the live registry.
    * Load an offline [HKEY_USERS \.Default] and change the logon screen saver (the basis of the technique for resetting a lost Administrator password).
    * Load and edit the registry hives of a parallel installation without having to boot it first.
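The same procedure from the command line, as an added example that is not part of the original post: reg.exe (load, save, unload) does what the REGEDT32 menu items do, and PowerShell edits the mounted subtree. It assumes an elevated PowerShell on a current Windows, a hypothetical second installation whose SYSTEM hive sits at D:\Windows\System32\config\SYSTEM (the "parallel installation" case above), and a mount name OfflineSystem that plays the role of "test1". The computer name is used as the value to edit only because every SYSTEM hive has one.

```powershell
# Added example, not from the original post: load an offline SYSTEM hive,
# read and change a value, back up a key the way "Save Key" does, then unload.
# Assumptions: elevated PowerShell; reg.exe is built into Windows; the hive
# path is a hypothetical second installation mounted as D:, and that Windows
# is NOT running (a hive in use cannot be loaded).
#Requires -RunAsAdministrator
param(
    [string]$HivePath  = 'D:\Windows\System32\config\SYSTEM',  # hypothetical
    [string]$MountName = 'OfflineSystem'                       # like "test1" in the post
)

$mount = "HKLM\$MountName"          # reg.exe notation
$mountPs = "HKLM:\$MountName"       # PowerShell provider notation

# Steps 3-5: "Load Hive" under a name of our choosing. reg.exe returns non-zero
# (e.g. "Access is denied" / "process cannot access the file") when the hive is
# in use or the shell is not elevated.
& reg.exe load $mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed ($LASTEXITCODE): is $HivePath in use, or is this shell not elevated?"
}

try {
    # An offline SYSTEM hive has no CurrentControlSet; that link only exists in a
    # running system. Resolve the control set to edit via the Select key instead.
    $current = (Get-ItemProperty "$mountPs\Select" -ErrorAction Stop).Current   # REG_DWORD, e.g. 1
    $csName  = 'ControlSet{0:D3}' -f $current                                      # e.g. ControlSet001

    # Step 6: read and edit. The offline machine's computer name lives here.
    $nameKey = "$mountPs\$csName\Control\ComputerName\ComputerName"
    $old = (Get-ItemProperty $nameKey -ErrorAction Stop).ComputerName
    Write-Host "Offline computer name: $old"

    # The write goes straight into the offline hive file (no reboot of D: involved).
    Set-ItemProperty -Path $nameKey -Name ComputerName -Value 'OFFLINE-PC' -Type String -ErrorAction Stop

    # "Save Key": save the key with its subkeys to a hive-format file.
    # "reg restore <key> <file>" later overwrites that key with the file's
    # contents, so only restore it to the location it came from.
    & reg.exe save "$mount\$csName\Control\ComputerName" "$env:TEMP\ComputerName.hiv" /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg save failed ($LASTEXITCODE)" }
}
finally {
    # Step 7: "Unload Hive". The PowerShell registry provider keeps handles open
    # on keys it has touched; leave the hive and release them first, otherwise
    # reg unload fails with "Access is denied" and the hive stays mounted.
    Set-Location C:\
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed ($LASTEXITCODE); hive is still mounted at $mount"
    }
}
```

The try/finally matters: if the hive is left mounted, the offline Windows cannot open its own SYSTEM hive on the next boot attempt and the file stays locked until the editing machine releases it. For an ntuser.dat the same script applies with the user's profile path as $HivePath; mount it under HKU rather than HKLM if the editing tool expects a per-user layout.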