Registry Tips & Tricks
Posted by William Diaz on September 1, 2011
Opening multiple instances of the registry
I often find myself needing to compare registry data between different workstations using the remote registry, but you cannot simply run regedit.exe more than once to open multiple regedit windows. To work around this, run regedit -m (or /m) to your heart’s content to open as many Registry Editor windows as you need.
Connect to the registry of another computer or an online user
You probably already know this one. In case you don’t: File > Connect Network Registry. You won’t see the same hives you do on the local computer, and there is no HKCU. Not to worry: HKCU is a subkey of HKEY_USERS. It contains the active profile on the remote computer, and the subkey is named after the profile’s security identifier, or SID, e.g. S-1-5-21-156…
There is also a Classes key with the same SID, which corresponds to HKCR on the local computer.
Load the registry for an offline user
You can’t view the user registry of an offline user through the remote registry. However, you can load that user’s HKCU from their ntuser.dat. To do this:
Select HKLM or HKU and from the File menu select Load Hive.
Browse to the user profile to locate the ntuser.dat.
Name it and do your thing.
When you are done, unload it.
Changes made to ntuser.dat will be reflected when the user logs on.
In Windows XP, the ntuser.dat can be found in \Documents and Settings\Username. In Windows Vista/7 it is \Users\Username. Use the UNC naming convention for remote systems.
The other registry databases:
HKLM\Software – %windir%\system32\config\software
HKLM\System – %windir%\system32\config\system
HKU\.Default – %windir%\system32\config\default
XP includes a Registry Repair and Recovery feature, which may be able to correct damaged registry databases simply by loading the registry file with the Load Hive feature. If you don’t have another system to perform this on, try using BartPE. There are several guides on the Internet, and here is one.
Last time a registry key was modified
This might come in handy when troubleshooting recent changes and checking whether the key you are focused on was recently modified. Right-click the key, select Export, choose text file as the output type, and open the result in Notepad: the export lists a Last Write Time for each key.
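The same last write time can be read without exporting anything. The script below is an added example, not from the original post or any Microsoft tool: it calls RegQueryInfoKey (which the PowerShell registry provider does not expose) and lists a key and its immediate subkeys modified within a chosen window. It assumes Windows PowerShell 3.0 or later on Windows and read access to the keys; the path and the 30-day window are illustrative.

```powershell
# Added example (not from the original post): query a key's last write time directly
# with RegQueryInfoKey, which PowerShell's registry provider does not expose.
# Assumes Windows PowerShell 3.0+ or PowerShell 7 on Windows, with read access to the keys.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
public static class RegKeyInfo {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegQueryInfoKey(SafeRegistryHandle hKey, IntPtr lpClass,
        IntPtr lpcchClass, IntPtr lpReserved, out uint subKeys, out uint maxSubKeyLen,
        out uint maxClassLen, out uint values, out uint maxValueNameLen,
        out uint maxValueLen, out uint securityDescriptor, out long lastWriteTime);
    // Returns the key's last write time; the other counters are discarded.
    public static DateTime LastWriteUtc(SafeRegistryHandle h) {
        uint a, b, c, d, e, f, g; long ft;
        int rc = RegQueryInfoKey(h, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
            out a, out b, out c, out d, out e, out f, out g, out ft);
        if (rc != 0) throw new InvalidOperationException("RegQueryInfoKey failed: " + rc);
        return DateTime.FromFileTimeUtc(ft);   // FILETIME is expressed in UTC
    }
}
'@

function Get-RecentRegistryKeys {
    # Emits $Path and each immediate subkey whose last write falls within the last $Days days.
    param(
        [Parameter(Mandatory)][string]$Path,   # provider path, e.g. HKLM:\Software\...
        [int]$Days = 7
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $parent = Get-Item -LiteralPath $Path
    # Subkeys the caller cannot open are skipped rather than aborting the scan.
    $keys = @($parent) + @(Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        $lw = [RegKeyInfo]::LastWriteUtc($k.Handle)
        if ($lw -ge $cutoff) {
            [pscustomobject]@{ Key = $k.Name; LastWriteUtc = $lw }
        }
    }
}

# Illustrative call: which keys under CurrentVersion changed in the last 30 days, newest first.
Get-RecentRegistryKeys -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion' -Days 30 |
    Sort-Object LastWriteUtc -Descending | Format-Table -AutoSize
```

Only keys carry a last write time; individual values do not, so a changed value shows up as a modified parent key.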
View hidden areas of the registry
Some areas of the registry are hidden, e.g. HKLM\Security and HKLM\SAM. Ever wanted to explore these keys? Open Registry Editor, right-click the parent key that you can see, and add the Administrators group to its permissions.
Alternatively, you can use PsExec (psexec.exe -s -i regedit.exe) or any number of third-party utilities.
Find unicode strings in binary values
This can come in quite handy. Unfortunately, the Windows Registry Editor does not search for Unicode strings in binary values. Unicode strings are just the readable parts of these binary data values and can contain important clues when troubleshooting. Here is an example:
There is an app from NirSoft called RegScanner that does search for Unicode strings; this would have saved me a lot of time in resolving a case of workstation hangs I encountered some time ago and posted here.