Retrieving registry data from a slave drive

Last Modified: 2011-05-19
Hi Guys
I've tried looking through previous posts but none of them seem to work.
I've got a client's drive that is currently set as a slave in another system due to booting problems and he's requested I wipe the drive and re-install all the software.
I have the media but need the serial keys from various programs, but as the drive is a slave I cannot seem to access the hive.
Can anyone tell me how to access the registry on the slave drive so that I can retrieve the keys, and also if there's any way of getting the Outlook account settings (username, POP and SMTP server details etc.)?

Thanks in advance.

I have used a UBCD4WIN Disk for this, boot the PC with the external drive from the CD. Now run the System Information for Windows "System Info" remote from the CD. It'll show you the keys of the installed software.

To save all the Outlook data, files are stored in two locations. Copy these two folders from the external drive and when the computer has been reformatted, copy them back into their respective locations.

C:\Documents and Settings\User Name\Application Data\Microsoft\Outlook\
C:\Documents and Settings\User Name\Local Settings\Application Data\Microsoft\Outlook\

As far as reading the registry, I am a huge fan of UBCD4Win and second cpottercpotter's recommendation. It takes a little bit to build a disk, but worth the time.
Author of the Year 2011
Top Expert 2006

That has been asked a lot here on EE.
Do a site search for "offline registry editing".

I know that there are a couple of posts from "Krompton" and (I think) LeeTutor that do a great job of explaining.

Here is one sample I found:

Author of the Year 2011
Top Expert 2006
If either of these guys checks in - they get the points, not me.

Review these former posts from LeeTutor and Krompton - they really know what they're talking about.

Also, if you can mount a non-booting drive as a secondary drive on a functioning XP computer, you can use the Load Hive and Unload Hive options to edit the registry on the secondary drive's registry.  The technique is this:  Boot up in a parallel copy of XP.


If the information you want to access was in HKEY_CURRENT_USER: Highlight HKEY_USERS, choose "Load hive" from the File menu, open

X:\Documents and settings\<UserProfileName>\ntuser.dat.

(where X: should be replaced by the drive letter corresponding to the secondary slaved drive you have mounted from the nonfunctional computer.)

When asked for a name, choose "OldProfile" (or whatever other easily remembered name you choose).  Access/backup the keys you're interested in. Once you're done, highlight the "OldProfile" key, choose "Unload hive" from the file menu.

If the information you want to access was in HKEY_LOCAL_MACHINE\System or in HKEY_LOCAL_MACHINE\Software: Highlight HKEY_LOCAL_MACHINE, choose "Load hive" from the File menu, open




(no extension). When asked for a name, choose "OldSystem" or "OldSoftware" (or whatever). Access/backup the keys you're interested in. Once you're done, highlight the "OldSystem" or "OldSoftware" key, choose "Unload hive" from the file menu.

Open Regedit. When you look at the keys you see the following

All of these KEYS are properly called HIVES and there are in reality only two keys or hives - HKEY_LOCAL_MACHINE and HKEY_USERS. The other three are just "sub keys" of the other two.

Each user profile has its own NTUser.dat file (unless a roaming profile). NTUser.dat is loaded at login and is presented as HKEY_CURRENT_USER. So if you want to make a change to the HKEY_CURRENT_USER you must log in as that user. Since you cannot log in as Default User you need another way to make changes to sub keys that are displayed in HKEY_CURRENT_USER. That is why you use the process of loading a hive. You can load the NTUser.dat file from Default User, make the changes, then unload the hive, and now all of the changes will be passed along to new profiles as the starting defaults for that user.
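
The Load hive / Unload hive steps described above can also be run from an elevated prompt with reg.exe. The script below is an added example, not part of the original posts; its parameter names, the default mount name and the working folder are assumptions. It works on a copy of the hive because loading a hive opens the file for writing.

```powershell
# Added example (not from the thread): load an offline user hive, export one
# subtree to a .reg file, and always unload. Run from an elevated prompt.
# Parameter names and defaults are illustrative.
param(
    [Parameter(Mandatory = $true)][string]$Hive,   # e.g. the ntuser.dat on the secondary drive
    [string]$Mount   = 'OldProfile',               # temporary key name under HKEY_USERS
    [string]$SubKey  = 'Software',                 # subtree to export
    [string]$WorkDir = (Join-Path $env:TEMP 'offline-hive')
)

if (-not (Test-Path -LiteralPath $Hive)) { throw "Hive not found: $Hive" }

# Loading a hive opens it read-write, so work on a copy and leave the
# original file on the secondary drive untouched.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$Copy    = Join-Path $WorkDir 'hive-copy.dat'
$OutFile = Join-Path $WorkDir "$Mount-export.reg"
Copy-Item -LiteralPath $Hive -Destination $Copy -Force

& reg.exe load "HKU\$Mount" $Copy
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }

try {
    # Remove any stale export so reg.exe does not prompt to overwrite.
    if (Test-Path -LiteralPath $OutFile) { Remove-Item -LiteralPath $OutFile }
    & reg.exe export "HKU\$Mount\$SubKey" $OutFile
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }
    Write-Host "Exported HKU\$Mount\$SubKey to $OutFile"
}
finally {
    # Always unload; otherwise the hive stays mounted and the copy stays locked.
    & reg.exe unload "HKU\$Mount"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; close any tool still browsing HKU\$Mount and retry"
    }
}
```

The exported .reg file is plain text and can be searched without importing it into the live registry.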
I would agree that if you find anything from LeeTutor on this, follow his recommendations. That guy is the EE God!  =)
Loading remote hives is probably the biggest pain in the ass that M$ ever dreamed up.  Still, that's what they want, they don't really want you to recover a setup.  Pay more to install, that is their revenue mantra.

Anyway, this will NOT help you one bit.  All the logins and passwords to any and all programs that are stored in the registry are almost always encrypted.  Getting the hive loaded will probably be a royal waste of time.  Try it if you want.  I'll bet you will be disappointed.  The program directories or emails are likely to have PW data more easily available than the registry.

Go to C:\Documents and Settings\user name\Start Menu\Programs  copy all there to another locale.
Go to C:\Documents and Settings\All Users\Start Menu\Programs    copy all there to another locale
Go to C:\Documents and Settings\username\Application Data  copy all there to another locale.
That will tell you what software to install.
Then copy all his My Documents directory to another place for safe keeping.

Now reinstall the OS, and rebuild the programs based on what you copied

Did you know, you can recover his setup from the restore points in System Volume information????

ALL of what you need you can get from the hard drive directories. The remote REG is almost useless.
Most Valuable Expert 2011
Top Expert 2011

I beg to differ....

If you load a reg hive, you can extract software serials AND passwords, yes I said passwords, by viewing Protected Storage....

Protected Storage PassView v1.63: Recover Protected Storage passwords

You can have it open other users' reg hives to extract data....

NOTE, you should be able to get Outlook, OE, and stored IE passwords with no effort...


Many Thanks,
This will solve all my problems. Not sure who will get the points but this is the solution I've used.
Many Thanks again !!!
You're welcome!