April 1st, 2009 05:32 PM
Knoppix live CD and recovering reg files
Hi Guys (& Girls)
Just have a query at the moment used a knoppix live cd to recover some files on a corrupt windows install, well my supplier told me to go inside the system volume, and extracted some registry hives (is that correct name or terminology) anyhow the files are structed for example
The reason I need these hive or keys whatever you want to call them is that I have reinstalled xp on the machine in question using a new hdd.
There is a specific registry key I need to recover from the old hard drive unfortunately I couldn't export it from the old machine using convenisional methods i.e. regedit as even safe mode didn't work on this machine due to cluster damage I pressume (the supplier knew about this but still supplied it). So I used the knoppix live cd, which is bloody fanstatic even though my knowledge on linux is quite limited.
Anyhow the key question I require is HKEY_LOCAL_MACHINE\Software\Aberlink 3D the supplier has a copy however the calibrations sets may be slighty out and the guys on the shopfloor said they can't take the risk.
Now I usually only deal with machines that are on the network and are fully backed up, this machine is a standlone machine with no backup (I known very frightening) Once I repair this machine I will advise them to back it up occassionally or advise me when any changes have been done so I may back it up for them.
I would appreaciate any advise on this matter or if anyone could point me to sites that will enable me to resolve it myself then please do.
April 1st, 2009 06:42 PM
Not sure if this answers your questions, but you can recover the registry entries by using regedit to edit the registry files "offline".
The registry hive files are saved in c:\WINDOWS\System32\Config folder.
HKEY_LOCAL_MACHINE\SYSTEM is saved as SYSTEM.
HKEY_LOCAL_MACHINE\SOFTWARE is saved as SOFTWARE (this also contains HKEY_CLASSES_ROOT).
HKEY_CURRENT_USER is saved in %USERPROFILE%\NTUSER.DAT.
Mount the old hdd as a slave to a windows Xp machine. e.g. drive = x:
Select the root of HKEY_LOCAL_MACHINE.
In the menu click File -> Load Hive....
Browse to x:\WINDOWS\System32\Config\SOFTWARE
When prompted for Key Name enter anything. It's just a temp name.
Expand HKEY_LOCAL_MACHINE\Software\Aberlink 3Dd to locate the Keys
You can export what you need e.g. File -> Export
When finished, click on the Key Name and in the menu choose File -> Unload Hive.... Note: Failing to unload the hive will have consequences such as preventing other processes from opening the file! Dont forget this step.
In God We Trust....Everything else we backup.
April 2nd, 2009 09:15 AM
Dam problem there I formatted the old drive dam it. The reason I took this action was at the time I didn't realise the hard drive was knacked I thought Windows had just corrupted. I had tried the old recovery console but that failed. So I was forced to format the drive, I just backed up using Knoppix as advised by the supplier
Oh dear am I knacked now
April 2nd, 2009 10:32 AM
Oh I think I have the solution http://wiki.lunarsoft.net/wiki/Syste...me_Information
just off to try that now, will keep everyone posted on my success. I think I should be able to follow your steps and rename the files registry hive _REGISTRY_MACHINE_SOFTWARE rename that to software then inport it. Lets see if I can break the machine now
April 2nd, 2009 10:45 AM
April 2nd, 2009 01:11 PM
Just found out from the supplier that the machine will need calibrated again, even with the calibration settings from the registery key. So I ain't going to bother sorry for wasting everyone's time but it was an education lesson for me.
By Tiger Shark in forum The Security Tutorials Forum
Last Post: January 12th, 2007, 09:44 PM
By Nokia in forum Tips and Tricks
Last Post: June 22nd, 2004, 12:21 AM
By Nokia in forum Tips and Tricks
Last Post: June 12th, 2004, 05:36 PM
By symtech in forum Microsoft Security Discussions
Last Post: March 7th, 2004, 02:23 PM
By Abtronic in forum Computer Forensics
Last Post: June 5th, 2003, 05:04 PM