regedit question - unable to load hive error

Richard - does the tool give any indication about what may be corrupted?

Richard!!
Where the hell did you find a tool like this ???

WOW is all I have to say.
This is a tool I shall make note of next time something like this happens!

Wish there would have been a more positive outcome, gatts.casca, but that's the way it sometimes goes, it seems... 

I kind of doubt we are going to be able to repair this.

I think the only way is going to be by using a low level registry editor to export the data into a/many .reg file(s).
Unfortunately we are at a stopping point until we can compile and test the HiveTools lib (which might work, opposed to binaries given as tests) or we can figure out how to Offline NT Registry Editor to save the .reg file onto the nonvolatile HDD. (Again its going to take linux knowledge to specify the path of the .reg file, and that is something I have no clue about.) Unless of course we can get the Offline Nt Reg editor working on windows here...


@redhawk
You cannot open your software hive in system32\config into a hex editor if it is in use.
When a hive is loaded the kernel maps it for exclusive access and nothing else can touch it. Everything must go through the registry APIs

You have to boot to an offline system to do so like Bart PE, or ERD Commander.
redhawk - Might I recommend a windows PE system that I recently found being a lot better than Bart PE because it uses actual Windows Explorer (A rare thing as you know for PE Dics) - It is called Mini Windows XP and comes with the newest Hiren's Boot CD
http://www.megaupload.com/?d=ESZPYMG0





It is situations like these that I have 2 tools that run every other day to create a SRP, and also a backup of all registy hives (and then at the end of the month, I purge all of them except 1 at the very last day of the month, and keep as a backup just in case this one day happens to my Windows.)

The registry is so fragile and so important, that you would think some forensics team would have created a tool to actually FIX registry hives,  instead of companies making sh*ty software that claim they "fix" problems in the registry by cleaning out invalid references to files in hives that are already loaded.

To someone that reads this years down the road: Use the source code for Offline Nt Reg Editor as a helper tool to one day create a low level registry editor & .reg exporter in a Windows GUI application, to help with problems like this.... in which case one could boot to an alternative system, startup this LL Regeditor, and then edit/export the hive's data while completely bypassing all windows registry APIs.

It would seriously be nice of Microsoft if they every released the source code for the executive(kernel) component: the configuration manager just for the sake of technical users understanding registry forensics better... but we know that's never going to happen.



Edited by Matts_User_Name - 27 July 2009 at 6:39pm

I can see the start of the file has been damaged with random $E5 which probably explains why regedit couldn't load the hive since the names have been corrupted.



It appears the corrupted has stopped short of $01C0 however to repairing this section could be tricky though.
I've compared your file against the software hive from Home Edition and Pro both look slight different each time which means I cannot simply cut and paste chunks of data.

Richard S.

Edited by redhawk - 27 July 2009 at 4:46pm