@All

I agree with the general consensus that the file is most likely irreparable. I have not used BartPE or Hiren's Boot CD (although I want to check that out now), but I think I've gone as far as I possibly can with this anyway.

I've definitely learned a lot from working on this, and just like working on my car, it has been an invaluable experience. However, the gap between my knowledge/understanding of the registry hives and the forum users here is quite... well, let's just say it seems like it will be light years before I know what you guys know. Some of it is quite dense lol.

Thank you all for working so diligently of your own accord on this, I deeply appreciate it, and I apologize for any headaches/migraines this may have caused. I'll definitely check back on the off chance that a solution has been found (don't worry, I won't 'rez' the thread). Lastly, I hope you all had as much fun as I did with this!
I kind of doubt we are going to be able to repair this.

I think the only way is going to be by using a low-level registry editor to export the data into a/many .reg file(s).

Unfortunately we are at a stopping point until we can compile and test the HiveTools lib (which might work, as opposed to the binaries given as tests) or we can figure out how to get Offline NT Registry Editor to save the .reg file onto the nonvolatile HDD. (Again, it's going to take Linux knowledge to specify the path of the .reg file, and that is something I have no clue about.) Unless of course we can get the Offline NT Reg editor working on Windows here...

@redhawk

You cannot open your software hive in system32\config in a hex editor if it is in use. When a hive is loaded the kernel maps it for exclusive access and nothing else can touch it. Everything must go through the registry APIs. You have to boot to an offline system to do so, like Bart PE or ERD Commander.

redhawk - Might I recommend a Windows PE system that I recently found to be a lot better than Bart PE because it uses actual Windows Explorer (a rare thing, as you know, for PE discs). It is called Mini Windows XP and comes with the newest Hiren's Boot CD:
http://www.megaupload.com/?d=ESZPYMG0

It is for situations like these that I have 2 tools that run every other day to create a SRP, and also a backup of all registry hives (and then at the end of the month, I purge all of them except 1 at the very last day of the month, and keep that as a backup just in case this one day happens to my Windows.)

The registry is so fragile and so important that you would think some forensics team would have created a tool to actually FIX registry hives, instead of companies making sh*ty software that claims they "fix" problems in the registry by cleaning out invalid references to files in hives that are already loaded.

To someone that reads this years down the road: Use the source code for Offline NT Reg Editor as a helper tool to one day create a low-level registry editor & .reg exporter in a Windows GUI application, to help with problems like this... in which case one could boot to an alternative system, start up this LL Regeditor, and then edit/export the hive's data while completely bypassing all Windows registry APIs.

It would seriously be nice of Microsoft if they ever released the source code for the executive (kernel) component, the configuration manager, just for the sake of technical users understanding registry forensics better... but we know that's never going to happen.

Edited by Matts_User_Name - 27 July 2009 at 6:39pm
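A hive backup routine of the kind the post above describes, written here as an added example (not the poster's own tools): it saves each loaded hive through the registry API with reg.exe save, verifies the copy actually loads, and keeps a rolling set with one copy per month. The backup path is an assumed placeholder and the script must run elevated.

```powershell
# Added example: periodic hive backup with load-verification and rolling retention.
# Assumptions: elevated session; $BackupRoot is a hypothetical destination path.
param(
    [string]$BackupRoot = 'D:\HiveBackups',   # placeholder, not from the thread
    [int]$KeepDays = 31
)

# Hives that live under %SystemRoot%\system32\config and are always loaded.
$hives = @{
    'SOFTWARE' = 'HKLM\SOFTWARE'
    'SYSTEM'   = 'HKLM\SYSTEM'
    'SAM'      = 'HKLM\SAM'
    'SECURITY' = 'HKLM\SECURITY'
    'DEFAULT'  = 'HKU\.DEFAULT'
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

foreach ($name in $hives.Keys) {
    $file = Join-Path $dest "$name.hiv"
    # reg.exe save goes through the configuration manager, so it produces a
    # consistent hive-format copy even though the hive is in use.
    & reg.exe save $hives[$name] $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "save failed for $name"; continue }

    # A copy that cannot be loaded is no better than the corrupt original:
    # mount it under a scratch key, then unload it again.
    $scratch = "HKLM\HiveCheck_$name"
    & reg.exe load $scratch $file | Out-Null
    if ($LASTEXITCODE -eq 0) {
        & reg.exe unload $scratch | Out-Null
        Write-Host "$name -> $file (load verified)"
    } else {
        Write-Warning "$name saved but would not load; treat this copy as suspect"
    }
}

# Retention: within each month, delete backup folders older than $KeepDays
# except the newest one, so a known-good copy of every month survives the purge.
Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Group-Object { $_.CreationTime.ToString('yyyy-MM') } |
    ForEach-Object {
        $_.Group | Sort-Object CreationTime -Descending | Select-Object -Skip 1 |
            Remove-Item -Recurse -Force
    }
```

Schedule it with Task Scheduler at the interval you want; the saved .hiv files can later be mounted offline with reg.exe load or copied back into system32\config from a PE boot.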
regedit question - unable to load hive error - Sysinternals Forums - Page 4