Windows XP - view HKCU registry entries?

garryshape
If I open Registry and Load Hive and open the ntuser.dat file of a profile from another computer, that won't import those registry entries into my system will it? It will just let me view/edit/make changes to it, right?
Most Valuable Expert 2011
Top Expert 2011
Commented:
You can export it, but it will be exported in a format like "hklm/temp hive/software" etc...

Has no bearing on hkcu.....

So editing directly, no problem. If you export to import to another profile, use notepad to search and replace the proper key names in the exported .reg files...
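The procedure described above, as an added PowerShell example that is not code from the thread or from Experts Exchange: load a copy of another profile's ntuser.dat under a temporary HKEY_USERS subkey, export one branch, and search-and-replace the key names so the resulting .reg file targets HKEY_CURRENT_USER instead of the temporary hive. The file paths, the hive name `TempHive` and the exported branch are assumed placeholders, and the script assumes an elevated PowerShell 5.1 session on the analysis machine.

```powershell
# Added example (not from the thread): load a COPY of another profile's ntuser.dat
# under HKEY_USERS\TempHive, export a branch, and rewrite the exported .reg so it
# imports into HKEY_CURRENT_USER of a different profile.
# Assumptions: elevated PowerShell 5.1; all paths and the hive name are placeholders.
param(
    [string]$HiveFile  = 'C:\forensics\copy_of_ntuser.dat',   # a COPY, never the live file
    [string]$HiveName  = 'TempHive',                           # mounted as HKEY_USERS\TempHive
    [string]$Branch    = 'Software\Microsoft\Windows\CurrentVersion\Run',
    [string]$ExportDir = 'C:\forensics'
)

$mountPoint = "HKU\$HiveName"

# 1. Load the copied hive. reg.exe refuses a file that a logged-on session holds
#    open, which is why the thread insists on a logged-off profile or a copy.
& reg.exe load $mountPoint $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE); is the file in use?" }

try {
    # 2. Export the branch. reg.exe writes "[HKEY_USERS\TempHive\...]" headers,
    #    which is the wrong root for another user's profile.
    $rawReg   = Join-Path $ExportDir 'run_raw.reg'
    $fixedReg = Join-Path $ExportDir 'run_for_hkcu.reg'
    Remove-Item -Path $rawReg -ErrorAction SilentlyContinue   # avoid the overwrite prompt
    & reg.exe export "$mountPoint\$Branch" $rawReg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit $LASTEXITCODE)" }

    # 3. Rewrite the key names (the "search and replace" step). reg.exe exports
    #    UTF-16 LE; keep that encoding or regedit will reject the file. The (-?)
    #    group also carries over "[-HKEY_USERS\...]" deletion markers unchanged.
    $content = Get-Content -Path $rawReg -Encoding Unicode -Raw
    $pattern = '(?m)^\[(-?)HKEY_USERS\\' + [regex]::Escape($HiveName) + '\\'
    $fixed   = $content -replace $pattern, '[$1HKEY_CURRENT_USER\'
    Set-Content -Path $fixedReg -Value $fixed -Encoding Unicode -NoNewline

    # 4. List the rewritten key headers so the edit can be checked before any import.
    Select-String -Path $fixedReg -Pattern '^\[' | ForEach-Object { $_.Line }
}
finally {
    # 5. Always unload; a hive left mounted keeps the file locked and stays visible
    #    under this machine's HKEY_USERS until it is unloaded or the box reboots.
    & reg.exe unload $mountPoint | Out-Null
}
```

Because the hive is loaded under HKEY_USERS rather than merged into this machine's HKCU, nothing in the copied profile takes effect on the analysis workstation; only the exported and rewritten `.reg` file would, and only when someone deliberately imports it into a profile.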
Most Valuable Expert 2011
Top Expert 2011

Commented:
And remember, that user profile needs to be logged off, preferably after a reboot....

Otherwise you will not be able to load the hive, as it will be locked by the os....

Author

Commented:
Ok, thanks
I basically just made a copy of it to research for malware
so I'm working with a copy. I deleted their original so next time they logon it will be new.
We use Citrix for everything so nothing important's in there.
Most Valuable Expert 2011
Top Expert 2011

Commented:
Should be perfectly safe.... You can learn a lot about how the current malwares prevent you from removal and cleanup. Pay special attention to the 2 Policies keys.

If you remove these policies from across the network using Remote Registry, you can get to the Task Manager, Cmd prompt etc. (assuming your file associations aren't hosed)... Which you can also remove from across the network by accessing their hkey_users hive, that corresponds to their hkcu hive....

Manual malware removal does take some poking around, and learning where they alter the registry, based on the symptom you see. It can be a valuable method, when traditional scanners do not load/run/work at all.... You can get yourself to a somewhat stable point for removal....

Some will argue that there is no need for it, but I do disagree with that, as you have to know what parts of the registry get modified, to recover your system enough for mainstream tools to be effective....

"I basically just made a copy of it to research for malware"

Maybe you would like to try out the free and standalone program named "Windows Registry Recovery" by Michal Mutl:
http://www.mitec.cz/
http://www.mitec.cz/wrr.html

His previous "Registry File Viewer" (no longer with its own visible page on his site but still downloadable - http://www.mitec.cz/Downloads/RFV.zip) provided a Regedit-like interface that you had to drill down through, but the latest WRR program groups data into quick and easy categories.

Just thought I would mention this, because I have found both versions very handy from time to time.
Author of the Year 2011
Top Expert 2006
Commented:
"Some will argue that there is no need for it, but I do disagree with that, as you have to know what parts of the registry get modified, to recover your system enough for mainstream tools to be effective...."

I strongly disagree with this statement - and am one of those who "will argue that there is no need for it".

Making a copy and poking around in the file is a great idea and a good way to learn more about Windows - but anyone not fully trained in the entire scope of the process should NOT be attempting to manually modify the registry when fighting malware.

One of the top Experts on EE (Thermoduric) has spent many years on the programming side of fighting malware and he thoroughly debunks this idea of "MANUAL REMOVAL OF INFECTIONS" here:
Malware Fighting – Best Practices
Most Valuable Expert 2011
Top Expert 2011

Commented:
Glad we could be of help. If you have any further questions about malware in the registry, don't hesitate to ask....

John
Thank you Garry
