copying the SYSTEM registry hive

Is it possible to cleanly copy the SYSTEM registry hive (e.g. a simple copy and paste) onto an external storage drive, or as its in use would you need to take a copy some other way. We need to copy it as it has some information about attached USB drives that some software can parse if you supply the SYSTEM file, but we need a clean copy of it first in order to provide it to our HR department.
LVL 4
pma111Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dr. KlahnPrincipal Software EngineerCommented:
Do a partial restore from your last full backup of the Windows folder onto a scratch drive or scratch folder.  Then copy out the desired hive files.  If you are doing daily backups (as you should be) then this will be current to -- at worst -- 23 hours and 59 minutes ago.

This approach eliminates dealing with the live hive files and the risk of associated tragedy by somebody missing a keystroke is small.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JohnBusiness Consultant (Owner)Commented:
I do not think you can just copy a registry hive to a different computer.

Open Regedit and Export the Keys you need to a .REG file. That can be moved to another computer. Make sure it is safe (locations, names and so on) to import on the other computer.
0
☠ MASQ ☠Commented:
Parts of the System Hive are R/W locked while the system is running with access only to System.
Restoring a backup as described is probably safest, otherwise you could slave that drive and export it using a different live machine.

"we need a clean copy of it first in order to provide it to our HR department"
If this is part of a forensic investigation then make sure it is safely imaged as well to avoid any suggestion things have been edited - including the registry.
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

fred hakimRetired ITCommented:
Copy/clone the drive to a backup drive, then you can do whatever is required from the backup.  Or, if they need access to the original drive (to investigate the unused sectors, you can switch them and do what ever you want with the original.   There are a number of ways to do this.  My favorite utilities are...

Lazesoft Suite (its free for home use).   http://www.lazesoft.com/lazesoft-recovery-suite.html 

Minitool Partition Wizard Pro.  https://www.minitool.com/partition-manager/partition-software-comparison.html  

Or, for about $40 you can buy a dual dock USB dock with off line cloning.  The off line clone does a sector by sector copy (to a same size or larger backup disk).    
See:  
     http://www.microcenter.com/product/486120/dual-bay-docking-station
     https://www.newegg.com/Product/Product.aspx?Item=9SIA6PF5VW0783&cm_re=sata_dock-_-9SIA6PF5VW0783-_-Product
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
There's no need to clone anything.  But you do have to boot the system offline with another OS.

HKLM Registry hive is located in c:\Windows\System32\Config - the file is just "SYSTEM".  You can copy it, but you need an appropriate tool to read it.

Some instructions for offline viewing:
https://4sysops.com/archives/regedit-as-offline-registry-editor/
0
Shaun VermaakTechnical Specialist/DeveloperCommented:
You can copy it from %SystemRoot%\System32\Config with Hobocopy (just hobo not robo)  from a SYSTEM shell.

You can also run Regedit as SYSTEM and just export it to reg file.

https://www.experts-exchange.com/articles/30792/How-to-run-commands-using-SYSTEM-account.html
0
fred hakimRetired ITCommented:
Point is if this is part of an investigation, subsequent examination of the drive may also be needed.  Its also possible to disturb what currently exists, in the course of any live activities, so a good copy makes more sense to me.    

To see the USB history, last access times,  a simple utility like USBDeview will do that, but these sorts of utilities also have options to manipulate the data.  See:  https://www.nirsoft.net/utils/usb_devices_view.html  

Note that along with the ability to list that data, also exists the ability to remove (uninstall) USB drives (and associated data).  Same is true for most forensic utilities.
0
MiamiCoCommented:
If you want to copy registry files you need a tool with raw disk access.
For this purpose you can use FTK Imager Lite, it is a free tool, download here

If you want just get information about used USB devices you have more options:
1, use USBDeview, like Fred suggested
2, check if your AV software doesn't has such functionality (as example, Eset has such option).
3, use WMI / Powershell to list attached USB devices. There are plenty links on internet ( example 1, example 2)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.