Friday, July 06, 2007

How to recover Windows registry keys from NTUSER.DAT

Have you ever had Windows crash so badly that you had to reinstall it almost from scratch, with a plain file copy as your only means of backing up your precious files? Even if documents can be retrieved by copying the HDD contents from another (or even the same) machine, there is no way to get back the precious customizations and passwords hidden in the depths of the Windows registry. Well, unless you remembered to copy NTUSER.DAT from your profile folder under "Documents and Settings".

There are two ways to get back the missing registry keys: manual and automated. Before starting with the manual instructions, let me introduce some concepts. NTUSER.DAT is a registry hive. Windows lets you temporarily mount a hive under a subkey of the HKLM or HKU root keys, either manually with the regedt32.exe tool or in batch mode with reg.exe (a standard utility in WinXP and part of SUPPORT\TOOLS on the Win2000 installation CD). Once a hive is mounted, it can be accessed by other tools, such as regedit.exe.

The process of manually exporting registry keys from a backed-up NTUSER.DAT:
1. start regedt32
2. select the HKEY_LOCAL_MACHINE window and its root key
3. Registry->Load Hive... specify your NTUSER.DAT
4. enter a new key name to place the registry tree under (I chose temphive)
5. now launch regedit and navigate to the same entry (i.e. HKEY_LOCAL_MACHINE\temphive)
6. Registry->Export Registry File... specify the .reg file name
7. make sure temphive is not being accessed by regedit.exe and switch back to regedt32.exe
8. make sure temphive is selected and issue Registry->Unload Hive...
That's all.

Automatic export with reg.exe is done by the following ntuset.dat.export.bat:

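rem Mount NTUSER.DAT from the current directory under HKLM\temphive (needs administrator rights)
reg.exe load HKLM\temphive NTUSER.DAT
rem Export the whole mounted tree to regexport.reg
regedit.exe /e regexport.reg HKEY_LOCAL_MACHINE\temphive
rem Unmount the hive so the file is released
reg.exe unload HKLM\temphive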

This .bat file creates a regexport.reg file with the contents of the NTUSER.DAT in the current directory.
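
Added example (not part of the original post): every key in regexport.reg is listed under HKEY_LOCAL_MACHINE\temphive, so merging the file unchanged would recreate that temporary key instead of restoring your settings. The Python script below goes one step past the export: it keeps a single subtree and rewrites its key paths to HKEY_CURRENT_USER. The Software\ExampleApp subkey and the sample text are constructed for illustration, and the Unicode "Version 5.00" export format is assumed.

```python
# Added example (not from the original post): rebase an export of the mounted
# hive so one chosen subtree can be merged into HKEY_CURRENT_USER.
MOUNT = "HKEY_LOCAL_MACHINE\\temphive"  # mount point used in this post
TARGET = "HKEY_CURRENT_USER"            # assumption: restoring into your own profile

def retarget(reg_text, keep_subkey, mount=MOUNT, target=TARGET):
    """Keep only keep_subkey and its descendants, rewriting mount -> target."""
    lines = reg_text.splitlines()
    if not lines or not lines[0].startswith(("Windows Registry Editor", "REGEDIT4")):
        raise ValueError("not a regedit export")
    wanted = (mount + "\\" + keep_subkey.strip("\\")).lower()
    out, keeping = [lines[0], ""], False
    for line in lines[1:]:
        stripped = line.rstrip()
        # Value lines start with '"' or '@' and hex continuation lines with
        # spaces. Assumption: no multi-line string value has a line that
        # looks like a [key header].
        if stripped.startswith("[") and stripped.endswith("]"):
            key = stripped[1:-1]
            low = key.lower()  # registry key names are case-insensitive
            keeping = low == wanted or low.startswith(wanted + "\\")
            if keeping:
                out.append("[" + target + key[len(mount):] + "]")
        elif keeping:
            out.append(line)
    if len(out) == 2:  # nothing but the header was kept
        raise ValueError("subkey not found under " + mount)
    return "\r\n".join(out) + "\r\n"

def retarget_file(src, dst, keep_subkey):
    # Unicode .reg exports are UTF-16 with a BOM; write the result the same way.
    with open(src, encoding="utf-16", newline="") as f:
        text = f.read()
    with open(dst, "w", encoding="utf-16-le", newline="") as f:
        f.write("\ufeff" + retarget(text, keep_subkey))

SAMPLE = "\r\n".join([  # constructed sample, not real export data
    "Windows Registry Editor Version 5.00", "",
    "[HKEY_LOCAL_MACHINE\\temphive\\Software\\ExampleApp]",
    '"Theme"="dark"', '"Window"=hex:01,00,\\', "  02,00", "",
    "[HKEY_LOCAL_MACHINE\\temphive\\Software\\ExampleApp\\Recent]",
    '@="C:\\\\docs\\\\a.txt"', "",
    "[HKEY_LOCAL_MACHINE\\temphive\\Software\\OtherApp]",
    '"Path"="x"', ""])

if __name__ == "__main__":
    print(retarget(SAMPLE, "Software\\ExampleApp"))
```

Review the rewritten file in a text editor before merging it, so that only the settings you actually want are restored.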