How to load and search Registry from USB flash drive of an inactive, offline-Windows on hard disk partition E:?


cls...@gmail.com

Mar 4, 2020, 5:03:00 AM
to RegistryFinder
When I start Registry Finder, it always uses and searches the currently active Registry of the running Windows.
That's fine for most of the cases.

However, sometimes I want to boot from a USB flash drive and investigate another, inactive, offline Windows installation on, let's say, the hard disk partition E:

How can I tell RF to use and inspect the Registry for this Offline-Windows (instead)?

I don't want to fiddle around with manual search and load of Registry files (Hives) of this offline Windows.

I just want to say "check partition E: for corresponding Registry files and use them".
And RF should use all the multiple Registry files (Hives) in parallel(!)

How can I achieve this?

Claudia


Sergey Filippov (Registry Finder)

Mar 4, 2020, 3:35:04 PM
to RegistryFinder
This is an interesting scenario I never thought of before.
Unfortunately, there is no way to do that in Registry Finder directly. And I cannot propose any full-fledged workaround. Just an idea that may or may not be useful to you.

Briefly, the idea is to load hives with the "reg load" command line and search in the root key where the hives are loaded into.
The problem is that a hive can be loaded into a unique immediate subkey of HKLM or HKU.
That is, you can load the offline SOFTWARE hive into, say, HKLM\offline-software and the offline SYSTEM into HKLM\offline-system, but you cannot load them into HKLM\offline\software and HKLM\offline\system respectively.
Nevertheless you can search in all those subkeys at once by separating them with a semicolon: "HKLM\offline-software;HKLM\offline-system".

That is all that RF can do right now. Fully supporting your scenario by Registry Finder would be a major feature that I have no time to implement. And I doubt I will have it in the nearest half-year, sorry.

Sergey
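
The "reg load" workaround from the reply above, as an added PowerShell example that is not part of the original thread or of Registry Finder. The drive letter E:, the "offline-" mount names and the `-Unload` switch are assumptions of this example; the hive file locations are the standard ones for a Windows installation.

```powershell
# Added example, not part of Registry Finder. Run from an elevated PowerShell prompt.
# Assumptions: the offline Windows is on E:, and mount names use an "offline-" prefix.
param(
    [string]$OfflineDrive = 'E:',
    [switch]$Unload          # pass -Unload afterwards to detach the hives again
)

$configDir = "$OfflineDrive\Windows\System32\config"

# Mount-point name (immediate subkey of HKLM) -> hive file of the offline installation
$hives = [ordered]@{}
foreach ($name in 'SOFTWARE', 'SYSTEM', 'SAM', 'SECURITY', 'DEFAULT') {
    $hives["offline-$($name.ToLower())"] = Join-Path $configDir $name
}
# Per-user hives; NTUSER.DAT is hidden, Test-Path still finds it
foreach ($userDir in Get-ChildItem "$OfflineDrive\Users" -Directory) {
    $ntuser = Join-Path $userDir.FullName 'NTUSER.DAT'
    if (Test-Path -LiteralPath $ntuser) {
        $hives["offline-user-$($userDir.Name -replace '\s', '_')"] = $ntuser
    }
}

$done = @()
foreach ($entry in $hives.GetEnumerator()) {
    $key = "HKLM\$($entry.Key)"
    if ($Unload) {
        & reg.exe unload $key | Out-Null
    } elseif (-not (Test-Path -LiteralPath $entry.Value)) {
        Write-Warning "Hive file not found: $($entry.Value)"
        continue
    } else {
        & reg.exe load $key $entry.Value | Out-Null
    }
    if ($LASTEXITCODE -eq 0) { $done += $key }
    else { Write-Warning "reg.exe failed for $key (exit code $LASTEXITCODE)" }
}

if (-not $Unload -and $done) {
    # Semicolon-separated list of root keys, in the form given in the reply above
    $done -join ';'
}
```

"reg load" opens the hive files for writing, so when the offline installation is being examined as evidence, point the script at copies of the hives rather than the originals.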

cls...@gmail.com

Mar 12, 2020, 5:28:06 AM
to RegistryFinder
Hello Sergey,

thank you for your answer.

I cannot imagine that the implementation would be so difficult.
All core components and functions are already built-in in your RF.

You simply need to find and switch the Registry files.

RegAlyzer (from year 2008!) already supports this feature:

https://www.safer-networking.org/products/regalyzer/

Furthermore
OfflineRegistryFinder and OfflineRegistryView from

https://www.nirsoft.net/utils/offline_registry_finder.html
https://www.nirsoft.net/utils/offline_registry_view.html

... but I would prefer your tool

I suggest to re-think again to implement this feature

Thank you
Claudia

Sergey Filippov (Registry Finder)

Mar 28, 2020, 4:23:54 AM
to RegistryFinder
Hello Claudia,

This feature was very interesting for me. While being on vacation I did some research and now I completely realize what changes are required in the code base and am determined to do it. Especially as that will help to support editing reg files in the future.

Thank you for the suggestion

Sergey