Most computer users fall into to 2 different categories, those that regularly make file or system backups and those that don’t, ever. There doesn’t seem to be many people that fall in between the two. Unfortunately, when there is a system crash and Windows becomes inoperable it can be quite difficult to recover certain parts of the data. Getting things like a user’s personal data is pretty easy and most people with a bit of common sense can do a simple copy and paste with things like documents, media files and favourites etc.
There is one area of the system which is usually a lot more difficult to recover data or information from, and that is the Windows Registry. I’ve come across loads of users through the years that have lost data like serial numbers for their software or certain program or setting information because they had no idea how to get it out of the registry.
More savvy users will know that the Windows Registry Editor has an option to load external registry hives from an offline registry using File -> LoadHive…, but it doesn’t handle things in the easiest of ways. Firstly, you have to load the offline registry file into either HKEY_LOCAL_MACHINE or HKEY_USERS and then give it a custom name. Then you have to remember to click on the hive and choose File -> Unload Hive… when finished or Regedit will attempt to load the custom hive every time it starts.
The biggest problem is when you are doing this and export the needed keys to a .REG file, the custom name given to the loaded hive will be inserted throughout all the key paths in the file. They will also be preceded by whichever of HKEY_LOCAL_MACHINE or HKEY_USERS the hive was imported into. This can lead to confusion and would cause issues in a registry you import the .REG file into it without making changes first.
As a simple demonstration, the above registry keys were taken from an offline USER.DAT file which is responsible for HKEY_CURRENT_USER in the registry. But as you can see, Regedit has exported all key paths not as HKEY_CURRENT_USER\ but HKEY_LOCAL_MACHINE\customname\. This is not ideal if there are several or even hundreds of entries and would need changing manually or with very careful use of search and replace.
There is a much better and easier way than using Regedit to get data from external registry files, and that is with a little program called RegistryViewer. This utility does away with the odd behaviour of the Windows Registry Editor and allows the quick loading of one or all offline registry hives without forcing you to load them through your local registry to do it. And also, an exported registry .REG file will have the correct key paths already inserted. If the key is in HKEY_CURRENT_USER, that’s what will be in the file. Definitely a safer solution.
RegistryViewer is completely portable, under a Megabyte in size and downloads as a rar archive. It can read NT5 Registry files which are used in windows 2000 and above although it’s not designed to and cannot read the local running registry, only offline hives.
To open one or more registry hives in the program, simply drop them onto the window or go to File -> Open registry files where you can load hives individually from separate locations.
Here’s a brief description of where each registry hive is located in the local registry. The hives are usually found in \Windows\System32\Config\.
SYSTEM – HKEY_LOCAL_MACHINE\SYSTEM
SOFTWARE – HKEY_LOCAL_MACHINE\SOFTWARE
SAM – HKEY_LOCAL_MACHINE\SAM
%USERPROFILE%\NTUSER.DAT - HKEY_CURRENT_USER
SECURITY – HKEY_LOCAL_MACHINE\SECURITY
DEFAULT – HKEY_USERS\.DEFAULT
USERDIFF – Not needed. Only used for upgrading user from NT to NT 4.0
For a simple example, if I want to get a Glary Utilities registry key from the old registry, there is one located in HKEY_CURRENT_USER. The NTUSER.DAT file would need to be dropped onto the window, opened up, and then navigate to Software -> Glarysoft. From there right click on the key (or press Ctrl+E) and then choose where to export the key. If the .REG file is opened up in Notepad, you can see below the correct paths are already there and no editing needs to be done. Quite different from the Regedit output in the top image.
As with all tools that involve entering or editing the registry, a degree of experience and care is needed. It also obviously helps a great deal if you know where any keys are kept in the registry that you are trying to recover. RegistryViewer does have a useful search option (Ctrl+F or File -> Search…) and all matches will be displayed in the lower window and can’t be navigated to directly by clicking the entries.
I’ve been using RegistryViewer for a few years and it’s been a great help in retrieving a specific key or group of keys from unbootable systems. It’s also very handy for quickly extracting data from old or redundant backups and other installs on a multi boot system.
Compatible with Windows 2000, XP, 2003, Vista and 7 32bit and 64bit.
I would also look into this program, it’s larger though.
Windows Registry Recovery
The best tool for crashed machine registry configuration data recovery
mitec.cz/wrr.html
No hard feelings, Hal,
but people who do not know how to load a RegHive into regedit should really not fight with the registry…
Frank
No problem Frank, I know what you mean. That’s why I put in “As with all tools that involve entering or editing the registry, a degree of experience and care is needed.”. I wouldn’t advise complete noobs to jump in there.
The thing about those not knowing how to load hives in regedit shouldn’t go into the registry is only partly true. You’d be surprised how many people don’t even know the option’s there, even experienced users…
Great find as always. Other programs from the developer are also interesting.
Good Tool
Hal9000 . . . this stuff is a bit technical. However, NO complaints here as I love a challenge – - This is how we learn from you!
So I am going to go back and review this article until I get it.
We thank you again for our edification and enlightenment.
TheRube
Brooklyn, New York USA