Monday, March 21, 2011

Mounting a Windows User Hive in Regedit

Ever need information from a user registry hive but could not successfully boot up the computer?  Here is a quick tip that you may not know about.  You can mount a single user's registry hive (commonly seen as HKEY_CURRENT_USER when they're logged in and you launch regedit) outside of that user's profile.

A few things you will need before you can mount the hive:

-Access to the NTUSER.DAT file in question

-Windows Explorer must be set to "Show hidden files, folders, and drives"

-Windows Explorer must be set to NOT "Hide protected operating system files"

Open regedit (Start > Run > regedit), select either HKEY_LOCAL_MACHINE or HKEY_USERS, then choose File > Load Hive.  When it asks you to browse to a file, be sure to select All Files as the file type (or *.*), browse to the user's profile directory (commonly C:\Documents and Settings\username\ in XP or C:\users\username\ in 7), and choose the NTUSER.DAT file.  You can enter whatever name you want for the Key name; it is not saved anywhere in the hive.

Once loaded, you can now browse the hive for any data you may need, such as mapped printers or network drives.
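
The same load can be scripted with reg.exe, which helps when the hive comes from an offline disk. This PowerShell example is added here and is not from the original post; the hive path and key name are placeholders, and it assumes an elevated prompt and a working copy of the file, since loading a hive can write to it.

```powershell
# Added example: command-line equivalent of File > Load Hive.
# $HivePath and $MountName are assumptions; point $HivePath at a COPY of the NTUSER.DAT you need.
$HivePath  = 'D:\evidence\username\NTUSER.DAT'   # hypothetical path
$MountName = 'OfflineUser'                        # arbitrary key name, like the one regedit asks for
$Root      = "Registry::HKEY_USERS\$MountName"

& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (not elevated, or file in use?)" }

try {
    # Mapped network drives: one subkey per drive letter under Network, UNC path in RemotePath
    $drives = Get-ChildItem "$Root\Network" -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Drive      = $_.PSChildName + ':'
            RemotePath = $_.GetValue('RemotePath')
            UserName   = $_.GetValue('UserName')
        }
    }
    # Network printer connections: subkey names look like ",,server,printer"
    $printers = Get-ChildItem "$Root\Printers\Connections" -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Printer = $_.PSChildName -replace ',', '\'
            Server  = $_.GetValue('Server')
        }
    }
    $drives   | Format-Table -AutoSize
    $printers | Format-Table -AutoSize
}
finally {
    # Release open key handles first, otherwise reg unload fails with "Access is denied"
    $drives = $printers = $null
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not unload HKU\$MountName; close regedit and retry" }
}
```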

