Load registry hive for offline registry editing

28 February 2003 by Snakefoot
If you need to access the registry database on a system that is no longer bootable, use Windows PE or a Linux Live CD.

With REGEDT32 one can load and edit offline registry databases:
  1. Start REGEDT32
  2. Highlight the HKEY_LOCAL_MACHINE window and select the root of the tree
  3. In the menu select "Registry" -> "Load Hive"
  4. Select the wanted registry database file:
    • [HKEY_LOCAL_MACHINE\SYSTEM] (%windir%/system32/config/system)
    • [HKEY_LOCAL_MACHINE\SOFTWARE] (%windir%/system32/config/software)
    • [HKEY_USERS\.Default] (%windir%/system32/config/default)
    • [HKEY_CURRENT_USER] (%userprofile%/ntuser.dat)
  5. When prompted for a name, give it whatever name you like (e.g. test1). The name will be used to create a new node in the tree so one can browse the offline registry.
  6. Go to the newly created node and edit whatever you like (the changes are written immediately to the offline registry database). One can import/export between the newly created node and the current registry; just browse between the corresponding keys.
    • To export a single key (with subkeys) into a file: Select the wanted key and in the menu "Registry" use "Save Key".
    • To import a single key or tree from a file: Select the location where the key should be imported and in the menu "Registry" use "Restore". Be very careful to select the same location from which it was exported, as the restore will erase everything below the import location and replace it with the contents of the file.
  7. When finished editing select the newly created node and in the menu select "Registry" -> "Unload Hive"
This gives some possibilities:
  • Load another user's HKEY_CURRENT_USER (ntuser.dat) and change the user's settings without logging in as that user.
  • Load an offline registry database and extract settings to import in the current registry database.
  • Load an offline [HKEY_USERS\.Default] and change the login screensaver to Reset Administrator Password
  • Load and edit the registry database on a parallel installation without needing to boot it first.
  • Repair the registry without using a parallel installation:
    • Use the Recovery Console to recover from a faulty registry
    • Boot Windows in safe mode using the restored registry database
    • Start REGEDT32, load the faulty registry and edit away the faults
    • Boot into the Recovery Console again to exchange the now hopefully fixed registry database back (winnt/system32/config)
    • Boot Windows and it will now be using the fixed registry database
Note: WinXP has a new feature called Registry Repair and Recovery (MS KB Q815011), which is usually activated when starting WinXP. It is also activated when loading an offline hive, which can have the undesired effect that the loaded hive is modified behind your back. One can disable this feature in WinXP SP1 in case one is afraid that the "Repair" feature will do more harm than good:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Configuration Manager]
SelfHealingEnabled = 0
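
The load, browse and unload cycle above can also be run from the command line with reg.exe; the script below is an added example, not part of the original article. It works on a copy of the hive and compares file hashes so that a hive modified while loaded is noticed. Assumptions: a current Windows with PowerShell 4 or later, an elevated prompt, the offline volume mounted as D:, and a scratch folder C:\HiveWork.

```powershell
# Added example (not from the article). Run elevated.
# Assumed values: offline volume on D:, scratch folder C:\HiveWork, node name test1.
param(
    [string]$HivePath  = 'D:\Windows\System32\config\SOFTWARE',
    [string]$WorkDir   = 'C:\HiveWork',
    [string]$MountName = 'test1'
)

# Check the setting named in the article on the machine doing the loading.
$cm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'
$selfHeal = (Get-ItemProperty -Path $cm -Name SelfHealingEnabled `
             -ErrorAction SilentlyContinue).SelfHealingEnabled
if ($selfHeal -ne 0) {
    Write-Warning 'SelfHealingEnabled is not set to 0 on this machine.'
}

# Never load the only copy of a hive: copy it and record its hash first.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$copy = Join-Path $WorkDir 'SOFTWARE.copy'
Copy-Item -Path $HivePath -Destination $copy -Force -ErrorAction Stop
$before = (Get-FileHash -Path $copy -Algorithm SHA256).Hash

# "Load Hive": the copy appears as a new node under HKEY_LOCAL_MACHINE.
& reg.exe load "HKLM\$MountName" $copy | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # Browse the offline hive: list its top-level keys by name only.
    Get-ChildItem -Path "HKLM:\$MountName" |
        Select-Object -ExpandProperty PSChildName
}
finally {
    # Open key handles block the unload, so release them before "Unload Hive".
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; HKLM\$MountName is still loaded."
    }
}

# Compare hashes to see whether the file changed while it was loaded.
$after = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
if ($before -ne $after) {
    Write-Warning "Hive copy changed while loaded ($before -> $after)."
} else {
    Write-Output 'Hive copy is byte-identical after unload.'
}
```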

More Info MS KB Q146050

Credits jsifaq.com

Updated: 27 November 2008

Comments:

Comment by Ruebenkind - 17 March 2008 @ 23:05

Hey Man!
You saved my day!
Got a Win2K PC with a corrupt registry. Copying back the old SOFTWARE database from the repair folder worked, but it was an old version. So I took the corrupt file and imported the hive with my XP machine. XP repaired the file and I copied it back to the Win2K PC. IT WORKED !!! Thanx !! Axel

Comment by Basavaraj - 7 October 2008 @ 18:44

Hello Sir, good work. Thanks for sharing this article

Comment by Basavaraj Gowda - 8 October 2008 @ 18:05

How to edit the registry offline using the BartPE boot CD?
1. Insert the BartPE CD into the drive, and boot the system from the CD. Once the file loading phase is over, the Bart PE desktop will be visible
2. Type Regedit.exe in the prompt, and press Enter. Select the HKEY_USERS hive
3. From the File menu, choose the Load Hive option. Browse to your Windows installation drive, for example the following location:
C:\Windows\System32\Config\
4. Select the file named SOFTWARE (the file without any extensions), and click Open
5. Type a name for the hive that you’ve loaded now. (Example: MyXPHive)
6. Now the SOFTWARE hive is loaded, and present under the HKEY_USERS base hive.
7. In order to fix the Userinit value in the loaded hive, navigate to the following location:
HKEY_USERS\MyXPHive\Microsoft\Windows NT\CurrentVersion\Winlogon
8. Double-click Userinit and set its value correctly. Example: Set its data as follows:
C:\Windows\System32\Userinit.exe,
(Include the trailing comma also. The above assumes that Windows is installed in C:\Windows, and Userinit.exe file is actually present in the System32 folder. You may want to verify that as well.)
9. After entering the correct data, you MUST unload the Hive. To do so, select MyXPHive branch, and then in the File menu, choose Unload Hive. It’s important to note that you’ll need to select the MyXPHive branch first, before unloading it.
10. Quit BartPE and restart Windows. See if you’re able to logon to your profile.
