regedit question - unable to load hive error

It is hard to say how to repair it because of the undocumented nature of the windows registry, and since we dont really have the windows source code, we can not really be sure why the kernel sees this hive as being corrupted, and then fix it.

If we cannot get the ek command to work on that offline NT reg editor, then I am curious if the hive can be read from Hive tools - http://lilith.tec-man.com/hivetools

If so then I guess if I get some time I can use those alternative APIs to enumerate every subkey in that hive, and have the app manually create a .reg file.

EDIT: It appears that these .c and .h files need to be compiled into a .dll first, although I seem unable to with VS2005, DevC++ or Jgrasp (I cannot say I have much C/C++ experience) so I guess if someone compiles this into a .dll and then uploads it, then I can work on a application that can read data from that software hive (if in fact this works the same way that the Offline Nt Registry editor does, and is able to read the hive)



As for the Offline NT reg editor:
I do see what you mean with not knowing how to exactly save the file because of the linux system.
I tried just the file name itself, ex:
ek test.reg HKEY_LOCAL_MACHINE\Software Microsoft


This works, but the file is not there when rebooting (must be created in the RAM disc, and cleared on restart)

Also tried
ek /dev/sda/windows/t.reg
ek /dev/sda/WINDOWS/t.reg
ek /dev/sda1/WINDOWS/t.reg
ek /mnt/hda1/WINDOWS/t.reg
ek WINDOWS/t.reg
ek /dev/sda1/t.reg

but these and similar ones kept giving file/directory not found =(


The only issue is that you would have to do this for all the subkeys under the software hive, but atleast it does indeed work, we just need to figure out how to save the file to the HDD.




So basically if we find a way to:
1. Use a wildcard to export all keys in the software hive
2. Save the .reg file to the HDD

Then everything will work great.


Edited by Matts_User_Name - 27 July 2009 at 3:43am

Thanks to all (again) btw

Originally posted by gatts.casca So... no luck, then? I'm stuck?

I'd suggest comparing the bytes that regedit (RegLoadKey) is reading, in the corrupted hive, to a hive that's not corrupted, and seeing what you may be able to determine.  Is there obvious corruption, or is it perhaps more subtle?

@Redhawk
Actually SAM = Security Accounts Manager but your expanded acronym sound more technical :P haha

@gats.casca
Could you upload the this software hive? (you might want to do it at MediaFire.com since it is probably around 50 MB)

Also: Looking at the source for that offline registry editor it appears to support exporting keys into .reg file formats using the ek command... have you tried that?
If not then, I would suggest doing so, or upload the hive and I try it for you.


Edited by Matts_User_Name - 26 July 2009 at 9:32am

I think the registry events are included, as well as filesystem events.

Resetting the filter and choosing to only display registry events, when checking out corruptsofthive.PML, resulted in no events displaying.

In corruptswlog2...
Hmm...

regedit.exe    4652    6096    RegLoadKey    HKLM\123    REGISTRY CORRUPT    Hive Path: C:\Users\fatcat\Desktop\software.bak        Registry 0.0032917

Followed by...

regedit.exe    4652    6096    IRP_MJ_READ    C:\Users\fatcat\Desktop\software.bak    SUCCESS    Offset: 0, Length: 512, Priority: Normal    Read    File System regedit.exe    4652    6096    IRP_MJ_READ    C:\Users\fatcat\Desktop\software.bak    SUCCESS    Offset: 4,096, Length: 512, Priority: Normal    Read    File System regedit.exe    4652    6096    <Unknown>    C:\Users\fatcat\Desktop\software.bak    INVALID PARAMETER    Type: <Unknown : 20 >    Read Metadata    File System

So, something in bytes 1-512, or bytes 4096-4608, would seem to be being used to determine that that hive is corrupt...

Edited by molotov - 25 July 2009 at 5:16pm