Offline Registry -- How to use it?

[Jeong-hun Sin]

That feature seems to be the feature I wanted, but I am not sure how to use it. I expected that it would let me open an existing ".DAT" file, but it just let me choose a directory. I created an empty directory and copied "NTUSER.DAT" into it, and then selected that directory. RegistryFinder opened a new tab with an empty "Registry" tree. I cannot add a new entry there to load hive there. It seems that there is nothing I can do with that tab.

What is exactly am I supposed to do? Again, what I want to do is opening an "NTUSER.DAT" from another Windows installation. Do I have to find all registry DAT files of that installation and place them into the directory? But I only need to view the USER tree; I don't need to see the data like LOCAL_MACHINE or something.

Did I misunderstand or something?

[Sergey Filippov (Registry Finder)]

Hm, indeed.

I never thought of using that feature to open NTUSER.DAT. The main goal of offline registry feature was to simulate a live registry of some system that currently is offline. I just implemented a straightforward model where offline system does not have logged in user, so NTUSER.DAT is not used.

In the future, I will possibly add ability to open NTUSER.DAT from the specified folder along with other registry hives, but currently you have the followings options:

1. Mount NTUSER.DAT file to your live registry as a subkey of HKEY_LOCAL_MACHINE or HKEY_USERS.

This requires that you run Registry Finder as administrator.

Click File/Load Hive.

Browse your ntuser.dat file.

Type subkey name.

Select root key under which the subkey will be created.

When you finished with that ntuser.dat, select it in the tree and invoke File/Unload Hive.

2. Rename NTUSER.DAT to a name that is recognized as a registry hive. That is SAM, SECURITY, SOFTWARE, SYSTEM, .DEFAULT. Then open that directory as offline registry.

вторник, 17 ноября 2020 г. в 09:29:24 UTC+3, Jeong-hun Sin:

[Jeong-hun Sin]

Thanks, but the second method does not seem to work. I changed the name to DEFAULT and then tried to open the directory, but the "Registry" node is empty. Do you mean that I have to have all of SAM, SECURITY, SOFTWARE, SYSTEM, .DEFAULT in the same directory, not just DEFAULT?

[Sergey Filippov (Registry Finder)]

Directory may contain any of these files. (I was wrong with ".DEFAULT". It should read "DEFAULT".) So, you did the right thing.

Make sure you restarted Registry Finder after you renamed the file. (Don't ask me why. That is surprising me too :) )

If that does not help and you need that to work, please write me a private message and I'll try to troubleshoot.

среда, 18 ноября 2020 г. в 02:45:21 UTC+3, Jeong-hun Sin:

[Jeong-hun Sin]

It worked when I restarted the programme. The tree node's name was ".DEFAULT".