Monday, March 21, 2011

Mounting a Windows User Hive in Regedit

Ever need information from a user registry hive but could not successfully boot up the computer?  Here is a quick tip that you may not know about.  You can mount a single user's registry hive (commonly seen as HKEY_CURRENT_USER when they're logged in and you launch regedit) outside of that user's profile.

A few things you will need before you can mount the hive:

-Access to the NTUSER.dat file in question

-Windows Explorer must be set to "Show hidden files, folders, and drives"

-Windows Explorer must be set to NOT "Hide protected operating system files"

Open regedit (Start > Run > regedit), select either HKEY_LOCAL_MACHINE or HKEY_USERS, then choose File > Load Hive.  When it asks you to browse to a file, be sure you select All Files as the file type (or *.*), browse to the user's directory (commonly C:\Documents and Settings\username\ in XP or C:\Users\username\ in 7), and choose the NTUSER.DAT file.  You can enter whatever name you want for the Key name - it is not saved anywhere in the hive.

Once loaded, you can now browse the hive for any data you may need, such as mapped printers or network drives.
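The same load, browse, and unload sequence can be scripted with the built-in reg.exe, shown here as an added example that is not part of the original post. The hive path and the key name OfflineUser are assumptions; it expects an elevated prompt and a copy of NTUSER.DAT, and it reads the Network and Printers\Connections keys where mapped drives and printer connections are stored.

```powershell
# Added example: hypothetical path and key name; run from an elevated prompt.
param(
    [string]$HivePath = 'E:\Users\username\NTUSER.DAT',  # assumed location of the offline hive copy
    [string]$KeyName  = 'OfflineUser'                   # arbitrary temporary key name
)

$root = "Registry::HKEY_USERS\$KeyName"

# Mount the hive under HKEY_USERS (the scripted form of File > Load Hive).
& reg.exe load "HKU\$KeyName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    # Mapped network drives: one subkey per drive letter under Network.
    $drives = @()
    if (Test-Path "$root\Network") {
        $drives = Get-ChildItem "$root\Network" | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Drive      = $_.PSChildName
                RemotePath = $props.RemotePath
                UserName   = $props.UserName
            }
        }
    }

    # Network printer connections: subkeys are named ",,server,printer".
    $printers = @()
    if (Test-Path "$root\Printers\Connections") {
        $printers = Get-ChildItem "$root\Printers\Connections" | ForEach-Object {
            $_.PSChildName -replace ',', '\'
        }
    }

    $drives | Format-Table -AutoSize
    $printers
}
finally {
    # Open registry handles make the unload fail with "Access is denied",
    # so release them before unloading the hive.
    $drives = $null; $printers = $null
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$KeyName" | Out-Null
}
```

A hive loaded in regedit is released the same way: select the loaded key and choose File > Unload Hive.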