Thread: Knoppix live CD and recovering reg files

  1. #1
    Senior Member Zorolord's Avatar
    Join Date
    Sep 2001
    Posts
    142

    Knoppix live CD and recovering reg files

    Hi Guys (& Girls)

    Just have a query at the moment. I used a Knoppix live CD to recover some files on a corrupt Windows install; well, my supplier told me to go inside the system volume and extract some registry hives (is that the correct name or terminology?). Anyhow, the files are structured, for example:

    _REGISTRY_USER_NTUSER_S-1-5-20
    _REGISTRY_USER_USRCLASS_S-1-5-21-1123561945-507921405-839522115-500
    _REGISTRY_MACHINE_SYSTEM
    _REGISTRY_MACHINE_SOFTWARE

    The reason I need these hives or keys, whatever you want to call them, is that I have reinstalled XP on the machine in question using a new HDD.

    There is a specific registry key I need to recover from the old hard drive. Unfortunately I couldn't export it from the old machine using conventional methods, i.e. regedit, as even safe mode didn't work on this machine due to cluster damage I presume (the supplier knew about this but still supplied it). So I used the Knoppix live CD, which is bloody fantastic even though my knowledge of Linux is quite limited.

    Anyhow, the key I require is HKEY_LOCAL_MACHINE\Software\Aberlink 3D. The supplier has a copy, however the calibration sets may be slightly out and the guys on the shopfloor said they can't take the risk.

    Now I usually only deal with machines that are on the network and are fully backed up; this machine is a standalone machine with no backup (I know, very frightening). Once I repair this machine I will advise them to back it up occasionally, or to advise me when any changes have been done so I may back it up for them.

    I would appreciate any advice on this matter, or if anyone could point me to sites that will enable me to resolve it myself then please do.

    Many thanks
    ZL

  2. #2
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Not sure if this answers your questions, but you can recover the registry entries by using regedit to edit the registry files "offline".

    The registry hive files are saved in c:\WINDOWS\System32\Config folder.
    HKEY_LOCAL_MACHINE\SYSTEM is saved as SYSTEM.
    HKEY_LOCAL_MACHINE\SOFTWARE is saved as SOFTWARE (this also contains HKEY_CLASSES_ROOT).
    HKEY_CURRENT_USER is saved in %USERPROFILE%\NTUSER.DAT.

    Mount the old HDD as a slave to a Windows XP machine, e.g. drive = x:
    Run regedit.
    Select the root of HKEY_LOCAL_MACHINE.
    In the menu click File -> Load Hive....
    Browse to x:\WINDOWS\System32\Config\SOFTWARE
    When prompted for Key Name enter anything. It's just a temp name.
    Expand HKEY_LOCAL_MACHINE\Software\Aberlink 3D to locate the keys.
    You can export what you need, e.g. File -> Export.
    When finished, click on the Key Name and in the menu choose File -> Unload Hive.... Note: Failing to unload the hive will have consequences such as preventing other processes from opening the file! Don't forget this step.
    In God We Trust....Everything else we backup.

  3. #3
    Senior Member Zorolord's Avatar
    Join Date
    Sep 2001
    Posts
    142
    Damn, problem there: I formatted the old drive, damn it. The reason I took this action was that at the time I didn't realise the hard drive was knackered; I thought Windows had just corrupted. I had tried the old recovery console but that failed. So I was forced to format the drive; I just backed up using Knoppix as advised by the supplier.

    Oh dear, am I knackered now?

  4. #4
    Senior Member Zorolord's Avatar
    Join Date
    Sep 2001
    Posts
    142
    Oh I think I have the solution http://wiki.lunarsoft.net/wiki/Syste...me_Information
    Just off to try that now, will keep everyone posted on my success. I think I should be able to follow your steps and rename the registry hive file _REGISTRY_MACHINE_SOFTWARE to SOFTWARE, then import it. Let's see if I can break the machine now.
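    The offline load/export/unload procedure from post #2, applied to the restore-point hive file post #4 wants to rename, as an added example that is not part of the thread. It assumes the Knoppix-extracted file has been copied to C:\Recovered (a constructed path) on a machine running PowerShell 3 or later with an elevated prompt; the key name is the one named in the thread. reg.exe does not care what the hive file is called, so the rename to SOFTWARE is unnecessary: the file is loaded under whatever temporary key name is given.

```powershell
# Added example, not from the thread. Load a hive file copied off the old disk,
# export one key from it, then unload it again (the step post #2 warns about).
# Assumptions: hive copied to C:\Recovered (constructed path), elevated PowerShell 3+.

$HiveFile   = 'C:\Recovered\_REGISTRY_MACHINE_SOFTWARE'   # constructed path
$MountSub   = 'OldSoftware'                               # temporary key name, any name works
$MountName  = "HKLM\$MountSub"
$SubKey     = 'Aberlink 3D'                               # key named in the thread
$ExportFile = 'C:\Recovered\Aberlink3D.reg'               # constructed path

# Loading a hive needs write access beside the file: Windows creates a .LOG there.
# A copy left on a read-only CD or a read-only mount will fail to load, so work on a
# local copy. Also keep regedit closed, or the unload at the end will be refused.
if (-not (Test-Path -LiteralPath $HiveFile)) { throw "Hive file not found: $HiveFile" }

$loaded = $false
try {
    # reg.exe load: attach the offline hive under a temporary key below HKLM.
    & reg.exe load $MountName $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }
    $loaded = $true

    # Confirm the key exists before exporting. A missing key usually means the wrong
    # file (a SYSTEM hive) or a restore point taken before the software was installed.
    & reg.exe query "$MountName\$SubKey" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Key '$SubKey' not present in this hive" }

    # Export the key. The .reg file names the temporary key, so rewrite the path to the
    # real location before importing it on the rebuilt machine.
    if (Test-Path -LiteralPath $ExportFile) { Remove-Item -LiteralPath $ExportFile }
    & reg.exe export "$MountName\$SubKey" $ExportFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # reg.exe writes .reg files as UTF-16 (Unicode); read and write them as such.
    $regText = Get-Content -LiteralPath $ExportFile -Raw -Encoding Unicode
    $regText = $regText -replace [regex]::Escape("[HKEY_LOCAL_MACHINE\$MountSub\"), '[HKEY_LOCAL_MACHINE\SOFTWARE\'
    Set-Content -LiteralPath $ExportFile -Value $regText -Encoding Unicode
    Write-Output "Exported '$SubKey' to $ExportFile"
}
finally {
    # Always unload when the hive was attached: a loaded hive keeps the file open.
    if ($loaded) { & reg.exe unload $MountName | Out-Null }
}
```

    Review the rewritten .reg file in a text editor before importing it: every key path in it should now start with [HKEY_LOCAL_MACHINE\SOFTWARE\Aberlink 3D, and nothing from the temporary OldSoftware key should remain.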

  5. #5
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391

    Quote Originally Posted by Zorolord View Post
    Oh I think I have the solution http://wiki.lunarsoft.net/wiki/Syste...me_Information
    Just off to try that now, will keep everyone posted on my success. I think I should be able to follow your steps and rename the registry hive file _REGISTRY_MACHINE_SOFTWARE to SOFTWARE, then import it. Let's see if I can break the machine now.
    Indeed, good luck and do keep us updated,

    and hopefully you don't destroy it too much. But if the PC happens to burst into flames, then you really should take pictures of it and post 'em.

  6. #6
    Senior Member Zorolord's Avatar
    Join Date
    Sep 2001
    Posts
    142
    Just found out from the supplier that the machine will need calibrating again, even with the calibration settings from the registry key. So I ain't going to bother. Sorry for wasting everyone's time, but it was an education lesson for me.

    Cheers all
