Sysinternals Homepage

regedit question - unable to load hive error

redhawk (Moderator Group)
Posted: 26 July 2009 at 12:38pm
Matts, thanks for the correction. I Googled for SAM; I wasn't sure about the correct acronym for it. :)

Having a look at the registry file seems like the next step; I am also curious about this problem.
Gatts.casca, if you decide to upload, please password-protect the ZIP or send the link privately.

Richard S.
molotov (Moderator Group)
Posted: 26 July 2009 at 5:09pm
Originally posted by gatts.casca:
So... no luck, then? I'm stuck?

I'd suggest comparing the bytes that regedit (RegLoadKey) is reading, in the corrupted hive, to a hive that's not corrupted, and seeing what you may be able to determine.  Is there obvious corruption, or is it perhaps more subtle?
Daily affirmation:
net helpmsg 4006
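An added example (editorial, not code from this thread or from any poster) of the comparison molotov suggests: it parses the "regf" base block at the start of two hive files, verifies the XOR checksum the kernel stores at $01FC over the first $1FC bytes, and lists the header fields that differ. The field offsets and the checksum rule are the publicly reverse-engineered hive format; both hives are constructed in memory here, with the damage stamped in as $E5 bytes over the file-name field. The checksum matters before any manual patching: changing any byte inside the first $1FC bytes leaves the stored checksum stale unless it is recomputed, so `with_fixed_checksum` below rewrites it after a patch (a correct checksum is necessary but not sufficient; the signature, version, type and format fields are validated too).

```python
"""Added example, not code from this thread: parse and compare the base block
("regf" header) of two registry hive files and verify its XOR checksum.
Layout and checksum rule are the publicly reverse-engineered hive format;
the sample hives are constructed in memory."""
import struct

BASE_BLOCK_SIZE = 4096        # the base block is the first 4 KiB of the file
CHECKSUM_OFFSET = 0x1FC       # stored checksum; it covers bytes 0x000-0x1FB

# (field, offset, struct format) for the header fields worth comparing.
FIELDS = [
    ("signature",     0x00, "4s"),
    ("seq_primary",   0x04, "<I"),
    ("seq_secondary", 0x08, "<I"),   # differs from primary if a write was interrupted
    ("timestamp",     0x0C, "<Q"),
    ("major_version", 0x14, "<I"),
    ("minor_version", 0x18, "<I"),
    ("file_type",     0x1C, "<I"),   # 0 = primary hive file
    ("format",        0x20, "<I"),   # 1 = direct memory load
    ("root_cell",     0x24, "<I"),   # root key cell, relative to the first hbin at 0x1000
    ("hbins_size",    0x28, "<I"),   # total size of the hive bins that follow
    ("cluster",       0x2C, "<I"),
    ("file_name",     0x30, "64s"),  # UTF-16LE, NUL padded
    ("checksum",      CHECKSUM_OFFSET, "<I"),
]

def regf_checksum(data: bytes) -> int:
    """XOR of the 127 little-endian DWORDs before the checksum field; the
    kernel remaps 0 to 1 and 0xFFFFFFFF to 0xFFFFFFFE before storing it."""
    x = 0
    for off in range(0, CHECKSUM_OFFSET, 4):
        x ^= struct.unpack_from("<I", data, off)[0]
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)

def parse_base_block(data: bytes) -> dict:
    """Decode the header fields plus three derived sanity flags."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("hive is shorter than one base block")
    hdr = {name: struct.unpack_from(fmt, data, off)[0] for name, off, fmt in FIELDS}
    hdr["file_name"] = hdr["file_name"].decode("utf-16-le", "replace").rstrip("\0")
    hdr["checksum_ok"] = hdr["checksum"] == regf_checksum(data)
    hdr["signature_ok"] = hdr["signature"] == b"regf"
    hdr["sequence_ok"] = hdr["seq_primary"] == hdr["seq_secondary"]
    return hdr

def diff_headers(good: bytes, suspect: bytes) -> list:
    """(field, good value, suspect value) for every header field that differs."""
    a, b = parse_base_block(good), parse_base_block(suspect)
    return [(k, a[k], b[k]) for k in a if a[k] != b[k]]

def with_fixed_checksum(data: bytes) -> bytes:
    """Rewrite the stored checksum after a manual patch to the base block."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, CHECKSUM_OFFSET, regf_checksum(buf))
    return bytes(buf)

def build_sample_hive(name: str) -> bytes:
    """Constructed sample: a consistent header followed by one empty hbin."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into("<4sII", hdr, 0x00, b"regf", 7, 7)      # matching sequence numbers
    struct.pack_into("<IIII", hdr, 0x14, 1, 3, 0, 1)           # v1.3, primary file, direct load
    struct.pack_into("<III", hdr, 0x24, 0x20, 0x1000, 1)       # root cell, hbins size, cluster
    struct.pack_into("64s", hdr, 0x30, name.encode("utf-16-le"))
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(hdr))
    hbin = bytearray(0x1000)
    struct.pack_into("<4sII", hbin, 0, b"hbin", 0, 0x1000)
    return bytes(hdr + hbin)

def corrupt_name_region(hive: bytes) -> bytes:
    """Constructed damage: $E5 stamped over part of the file-name field while
    the stored checksum is left untouched, so it no longer matches."""
    buf = bytearray(hive)
    buf[0x30:0x40] = b"\xE5" * 16
    return bytes(buf)

if __name__ == "__main__":
    good = build_sample_hive("\\system32\\config\\software")
    for field, g, s in diff_headers(good, corrupt_name_region(good)):
        print("%-14s good=%r suspect=%r" % (field, g, s))
```

Run against real files by reading the first 4 KiB of a known-good SOFTWARE hive and of the suspect one into `diff_headers`; a mismatch only in `checksum_ok` points at damage inside the first 512 bytes, while a mismatch in `sequence_ok` points at a write that never completed rather than at random disk damage.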
gatts.casca (Newbie)
Posted: 27 July 2009 at 12:49am
Matts_User_Name,

To be honest, I think the ek command is my best shot. I've tried using the command, although I can't ever seem to find the exported file, if it was ever exported. Perhaps I'm not using the command correctly, it specifies:
ek <filename> <prefix> <keyname>
but I'm not familiar with Linux commands, let alone PNH's custom commands, so I don't know what <prefix> means. Also, I can't specify a path because any input is taken as part of the filename, so if I write ek c:\microsoft.reg Microsoft, the filename would be 'c:\microsoft.reg'. Just FYI, I used Search to try to find it and came up with nothing too, so... yeah, can't find the file if it exists. Perhaps the key to using the command is the <prefix>...

Matts / Redhawk (Richard)

I will try to upload the hive as suggested.

Molotov,

Obvious corruption vs subtle corruption... what do you mean, and how can I tell the difference? I suppose more importantly, when I do find corruption (which I'm pretty certain I will, lol.. Ouch) would there be any way to fix it? For example, if data was corrupted, I wouldn't be able to repair it... would I? Or if it was something with the parameters (as the evidence suggests) how would I edit/repair that?
gatts.casca (Newbie)
Posted: 27 July 2009 at 1:26am
Thanks to all (again) btw
gatts.casca (Newbie)
Posted: 27 July 2009 at 1:57am
http://www.mediafire.com/?sharekey=32ed690f7cacd14abda4076e811714c83c16fc26d334b00cb8eada0a1ae8665a

Hopefully that link works. I zipped the corrupt software hive without password protection. It should be 6.42 MB, unzipped ~28.7 MB.
Matts_User_Name (Senior Member)
Posted: 27 July 2009 at 3:17am

It is hard to say how to repair it because of the undocumented nature of the Windows registry, and since we don't really have the Windows source code, we cannot really be sure why the kernel sees this hive as being corrupted, and then fix it.

If we cannot get the ek command to work on that offline NT reg editor, then I am curious if the hive can be read from Hive tools - http://lilith.tec-man.com/hivetools

If so then I guess if I get some time I can use those alternative APIs to enumerate every subkey in that hive, and have the app manually create a .reg file.

EDIT: It appears that these .c and .h files need to be compiled into a .dll first, although I seem unable to with VS2005, DevC++ or jGRASP (I cannot say I have much C/C++ experience), so I guess if someone compiles this into a .dll and then uploads it, then I can work on an application that can read data from that software hive (if in fact this works the same way that the Offline NT Registry Editor does, and is able to read the hive).



As for the Offline NT Registry Editor:
I do see what you mean about not knowing how exactly to save the file because of the Linux system.
I tried just the file name itself, e.g.:
ek test.reg HKEY_LOCAL_MACHINE\Software Microsoft

This works, but the file is not there when rebooting (it must be created on the RAM disk, and cleared on restart).

Also tried
ek /dev/sda/windows/t.reg
ek /dev/sda/WINDOWS/t.reg
ek /dev/sda1/WINDOWS/t.reg
ek /mnt/hda1/WINDOWS/t.reg
ek WINDOWS/t.reg
ek /dev/sda1/t.reg

but these and similar ones kept giving file/directory not found =(


The only issue is that you would have to do this for all the subkeys under the software hive, but at least it does indeed work; we just need to figure out how to save the file to the HDD.




So basically if we find a way to:
1. Use a wildcard to export all keys in the software hive
2. Save the .reg file to the HDD

Then everything will work great.


Edited by Matts_User_Name - 27 July 2009 at 3:43am
molotov (Moderator Group)
Posted: 27 July 2009 at 10:52am
Originally posted by gatts.casca:
Obvious corruption vs subtle corruption... what do you mean, and how can I tell the difference?

Obvious may mean a string of 'b' bytes in the middle of one of the segments, where the "good" hive has nothing of the sort.  Even then, it may be difficult to determine that the data that is present is not accurate.

Originally posted by gatts.casca:
I suppose more importantly, when I do find corruption (which I'm pretty certain I will, lol.. Ouch) would there be any way to fix it? For example, if data was corrupted, I wouldn't be able to repair it... would I?

It would be a manual process, likely, involving manual parsing of the registry hive to attempt to determine where the corruption is, and then trying to find a way to address it.  Perhaps the fix is to truncate some reference to other data in the hive, which may restore integrity to the structure of the hive, but still not fully take care of the problem since it essentially results in data loss.  Structural corruption, vs. content corruption - you seem to be dealing with at least structural corruption at this point, but recovering the structure may still leave behind corrupted content.

Originally posted by gatts.casca:
Or if it was something with the parameters (as the evidence suggests) how would I edit/repair that?

The invalid parameter result is likely a result of the corruption - a value read from the hive was used to attempt to do something, and the value made no sense in the context of the activity.
Daily affirmation:
net helpmsg 4006
molotov (Moderator Group)
Posted: 27 July 2009 at 10:55am
Originally posted by Matts_User_Name:
This works, but the file is not there when rebooting (must be created in the RAM disc, and cleared on restart)

Any chance of copying it from the RAM drive to another disk, or e.g. a flash drive?

Originally posted by Matts_User_Name:
It appears that these .c and .h files need to be compiled into a .dll first

Did you check out the Win32 binaries available for download on the page?
Daily affirmation:
net helpmsg 4006
redhawk (Moderator Group)
Posted: 27 July 2009 at 11:10am
I can see the start of the file has been damaged with random $E5 bytes, which probably explains why regedit couldn't load the hive, since the names have been corrupted.

It appears the corruption has stopped short of $01C0; however, repairing this section could be tricky.
I've compared your file against the software hive from Home Edition and Pro; both look slightly different each time, which means I cannot simply cut and paste chunks of data.

Richard S.

Edited by redhawk - 27 July 2009 at 4:46pm
redhawk (Moderator Group)
Posted: 27 July 2009 at 12:14pm
I've tried to patch software.bak as best as I could; however, regedit still refuses to load the hive.
So I experimented with a working hive, changed the value at $0020, and regedit now refuses to load this too.
It appears regedit performs some checks to validate the registry hive before it actually opens it, which are unfortunately undocumented, as is how it reads the contents.
The next thing I tried was to patch software.bak with the start of my working hive just to see if I could create a valid header for regedit.
Oh dear, load hive = instant blue screen of death
REGISTRY_ERROR (51)
Something has gone badly wrong with the registry. If a kernel debugger
is available, get a stack trace. It can also indicate that the registry got
an I/O error while trying to read one of its files, so it can be caused by
hardware problems or filesystem corruption.
Bottom line, I have my doubts whether this could be repaired; there's also the possibility that more corruption exists further into the file.
Your best bet would be to extract the registry hive from the product recovery disc or try and re-install the damaged software.

Edit:
@Matts I've tried the hivetools Windows binaries and it appears to work; however, I'm getting "Hash mismatch on key" for every scanned item.
Unfortunately this program lacks the ability to save data to a file or to redirect the screen output to a file.
Even if I could save the scanned results, there's no way to reconstruct a registry hive file as far as I can tell, so it's pretty much useless.
I've also tried and tested a handful of so-called registry repair tools, but they don't work, which isn't surprising: they use the load hive function much like regedit.

@Anyone
I tried to open my Home Edition SOFTWARE hive with XP Pro and got "Access Denied"; however, loading the same file with BartPE (also based on XP Pro) is no problem.
Do I need to tweak a security permission in XP Pro to get it to open, or does BartPE have some trick to bypass security permissions?

Richard S.

Edited by redhawk - 27 July 2009 at 4:59pm
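An added example (editorial, not code from this thread, from chntpw or from hivetools) covering two points raised above: Matts_User_Name's plan to enumerate every subkey of the hive offline and write a .reg file from it, and the check behind redhawk's "Hash mismatch on key" report. It walks a hive from the root nk cell through lh subkey lists and vk values, emits .reg text for each key, and recomputes every subkey's lh hash against the one stored in the list. Cell layouts are the publicly reverse-engineered hive format; the hive is constructed in memory by a small builder and the damage is stamped in as a single $E5 byte, so it runs offline. Only lf/lh subkey lists and REG_SZ/REG_DWORD values are decoded; a real SOFTWARE hive also contains li/ri index lists, big-data cells and other value types, which this walker does not handle.

```python
"""Added example, not code from this thread, chntpw or hivetools: walk a hive's nk/vk/lh cells,
emit .reg text, and verify lh subkey-list hashes (the check behind "Hash mismatch on key")."""
import struct

HBIN_BASE = 0x1000              # cell offsets are relative to the first hbin, at file offset 0x1000
REG_SZ, REG_DWORD = 1, 4        # the only value types this walker decodes; others are dumped as hex

def lh_hash(name: str) -> int:  # hash stored beside each subkey offset in an 'lh' list
    h = 0
    for c in name.upper():
        h = (h * 37 + ord(c)) & 0xFFFFFFFF
    return h

def cell(hive: bytes, off: int) -> bytes:  # payload of the cell at hbin-relative `off`
    pos = HBIN_BASE + off
    size = struct.unpack_from("<i", hive, pos)[0] if 0 <= pos <= len(hive) - 4 else 0
    if size >= 0 or pos - size > len(hive):   # negative size = allocated; anything else is damage
        raise ValueError("cell at %#x is free, missing or runs past the end of the hive" % off)
    return hive[pos + 4:pos - size]

def key_name(nk: bytes) -> str:
    return nk[0x4C:0x4C + struct.unpack_from("<H", nk, 0x48)[0]].decode("latin-1")

def format_value(hive: bytes, vk: bytes) -> str:  # one .reg line for a vk cell
    name_len, dlen, doff, vtype = struct.unpack_from("<HIII", vk, 2)
    name = vk[0x14:0x14 + name_len].decode("latin-1")
    # data of 4 bytes or less is stored inline in the offset field, flagged by the high bit
    data = struct.pack("<I", doff)[:dlen & 0x7FFFFFFF] if dlen & 0x80000000 else cell(hive, doff)[:dlen]
    if vtype == REG_DWORD:
        return '"%s"=dword:%08x' % (name, struct.unpack("<I", data)[0])
    if vtype == REG_SZ:
        return '"%s"="%s"' % (name, data.decode("utf-16-le").rstrip("\0"))
    return '"%s"=hex(%x):%s' % (name, vtype, ",".join("%02x" % b for b in data))

def walk(hive, off, path, out, problems):  # depth-first export; structural faults go to `problems`
    nk = cell(hive, off)
    if nk[:2] != b"nk":
        problems.append("%s: no nk cell at %#x" % (path, off))
        return
    n_sub, _, sk_off, _, n_val, vl_off = struct.unpack_from("<6I", nk, 0x14)
    path += "\\" + key_name(nk)
    out.append("[%s]" % path)
    for voff in struct.unpack_from("<%dI" % n_val, cell(hive, vl_off)) if n_val else ():
        out.append(format_value(hive, cell(hive, voff)))
    out.append("")
    if not n_sub:
        return
    lst = cell(hive, sk_off)                   # 'lf' or 'lh' list assumed; li/ri lists are not handled
    sig, count = struct.unpack_from("<2sH", lst)
    for i in range(count):
        sub_off, stored = struct.unpack_from("<II", lst, 4 + 8 * i)
        sub_name = key_name(cell(hive, sub_off))
        if sig == b"lh" and stored != lh_hash(sub_name):
            problems.append("Hash mismatch on key %s\\%s" % (path, sub_name))
        walk(hive, sub_off, path, out, problems)

def export_reg(hive: bytes):  # returns (.reg lines, list of structural problems)
    root = struct.unpack_from("<I", hive, 0x24)[0]
    out, problems = ["Windows Registry Editor Version 5.00", ""], []
    walk(hive, root, "HKEY_LOCAL_MACHINE", out, problems)
    return out, problems

class HiveBuilder:  # builds a one-hbin demo hive; every method returns an hbin-relative offset
    def __init__(self):
        self.cells = bytearray()
    def alloc(self, payload: bytes) -> int:
        payload += b"\0" * (-(len(payload) + 4) % 8)   # cells are 8-byte aligned, size includes header
        off = 0x20 + len(self.cells)                     # 0x20 = hbin header size
        self.cells += struct.pack("<i", -(len(payload) + 4)) + payload
        return off
    def value(self, name: str, vtype: int, data: bytes) -> int:
        inline = len(data) <= 4
        dlen = len(data) | (0x80000000 if inline else 0)
        doff = struct.unpack("<I", data.ljust(4, b"\0"))[0] if inline else self.alloc(data)
        vk = struct.pack("<2sHIIIHH", b"vk", len(name), dlen, doff, vtype, 1, 0)   # flag 1 = ASCII name
        return self.alloc(vk + name.encode("ascii"))
    def key(self, name: str, subkeys: dict, values: list) -> int:
        lh = struct.pack("<2sH", b"lh", len(subkeys)) + b"".join(
            struct.pack("<II", off, lh_hash(n)) for n, off in subkeys.items())
        sk_off = self.alloc(lh) if subkeys else 0xFFFFFFFF
        voffs = [self.value(*v) for v in values]
        vl_off = self.alloc(struct.pack("<%dI" % len(voffs), *voffs)) if values else 0xFFFFFFFF
        nk = bytearray(0x4C)
        struct.pack_into("<2sH", nk, 0, b"nk", 0x20)
        struct.pack_into("<6I", nk, 0x14, len(subkeys), 0, sk_off, 0xFFFFFFFF, len(values), vl_off)
        struct.pack_into("<H", nk, 0x48, len(name))
        return self.alloc(bytes(nk) + name.encode("ascii"))
    def finish(self, root_off: int) -> bytes:
        size = (0x20 + len(self.cells) + 0xFFF) & ~0xFFF
        hbin = struct.pack("<4sII", b"hbin", 0, size).ljust(0x20, b"\0") + bytes(self.cells)
        base = bytearray(HBIN_BASE)   # base block: only the fields this walker reads are filled in
        base[:4], base[0x24:0x28] = b"regf", struct.pack("<I", root_off)
        return bytes(base) + hbin.ljust(size, b"\0")

def build_sample_hive():  # constructed sample: SOFTWARE\Microsoft\CurrentVersion with two values
    b = HiveBuilder()
    cv = b.key("CurrentVersion", {}, [("ProductName", REG_SZ, "Windows XP".encode("utf-16-le") + b"\0\0"),
                                      ("CSDVersion", REG_DWORD, struct.pack("<I", 0x300))])
    ms = b.key("Microsoft", {"CurrentVersion": cv}, [])
    root = b.key("SOFTWARE", {"Microsoft": ms}, [])
    return b.finish(root), {"SOFTWARE": root, "Microsoft": ms, "CurrentVersion": cv}

def corrupt_key_name(hive: bytes, key_off: int) -> bytes:  # constructed damage: $E5 over a key name
    buf = bytearray(hive)
    buf[HBIN_BASE + key_off + 4 + 0x4C] = 0xE5
    return bytes(buf)
```

Calling `export_reg(build_sample_hive()[0])` returns the .reg lines for the three keys and an empty problem list; after `corrupt_key_name` is applied to the Microsoft key, the walk still exports every key (the damaged name simply appears in the path) but reports one "Hash mismatch on key" entry, because the lh list in the parent still holds the hash of the original name. An offset pointing outside the file, or at a free cell, raises from `cell`, which is the structural corruption molotov describes; that is the point at which an exporter has to decide whether to skip the subtree or stop.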