Rescatux idea: Recovering Windows registry

I should add this idea to the Rescatux ideas page on the Rescatux wiki, but anyway I'm writing it here. What I'm going to describe is recovering or editing the Windows registry from GNU/Linux manually. Rescatux will hopefully be improved in version 0.32 to do this from a GUI and as automatically as possible.

Recover Windows Registry from Gnu/Linux

If you want to recover the Windows registry from a former restore point you can just copy the registry files from the restore point folder over the current registry files. It's as easy as that.

The restore point path looks like this:

/media/windows/System Volume Information/_restore{xxx}/RPxxx/snapshot/

and its files are:

_REGISTRY_USER_.DEFAULT
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_MACHINE_SAM

which need to be copied and renamed into:

/media/windows/WINDOWS/system32/config/

_REGISTRY_USER_.DEFAULT => default
_REGISTRY_MACHINE_SECURITY => security
_REGISTRY_MACHINE_SOFTWARE => software
_REGISTRY_MACHINE_SYSTEM => system
_REGISTRY_MACHINE_SAM => sam

You are also advised to force an NTFS fix and reboot Windows twice with:

sudo ntfsfix /dev/<device-name>

I don't think it's needed anymore with the newer NTFS mount implementation in GNU/Linux, but I'll check that anyway.

There are also some other paths:

\windows\system32\repair
/Windows/System32/config/RegBack

I found this information in the Ubuntu forums: HowTo: Fix Corrupted Windows Registry from Ubuntu partition. There's even a proposed Python script of sorts in the same thread.

I only need to make sure I back up the original registry files so that they can be recovered too if needed. Also, Rescatux should be able to restore these Rescatux backups.
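As an added example (not Rescatux's own code), here is the copy-and-rename step above as a POSIX shell script. It maps each restore point file to its hive name, skips the per-user NTUSER files that also live in the snapshot folder, and saves the current hives to a backup directory before overwriting them; the snapshot, config and backup paths are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not part of Rescatux: copy the registry hives from a
# Windows XP restore point over the live ones, backing up the live ones
# first. The Windows partition is assumed to be mounted read-write.
set -eu

# Restore-point file name -> hive file name under WINDOWS/system32/config.
# Anything else (e.g. the per-user _REGISTRY_USER_NTUSER_S-1-5-... files)
# is rejected so the caller can skip it.
hive_name() {
    case "$1" in
        _REGISTRY_USER_.DEFAULT)    echo default ;;
        _REGISTRY_MACHINE_SECURITY) echo security ;;
        _REGISTRY_MACHINE_SOFTWARE) echo software ;;
        _REGISTRY_MACHINE_SYSTEM)   echo system ;;
        _REGISTRY_MACHINE_SAM)      echo sam ;;
        *) return 1 ;;
    esac
}

# restore_hives SNAPSHOT_DIR CONFIG_DIR BACKUP_DIR
#   SNAPSHOT_DIR: .../System Volume Information/_restore{xxx}/RPxxx/snapshot
#   CONFIG_DIR:   .../WINDOWS/system32/config
#   BACKUP_DIR:   where the current hives are saved before being replaced
restore_hives() {
    snap="$1"; config="$2"; backup="$3"
    mkdir -p "$backup"
    for src in "$snap"/_REGISTRY_*; do
        hive=$(hive_name "$(basename "$src")") || continue
        if [ -f "$config/$hive" ]; then
            cp -p "$config/$hive" "$backup/$hive"   # keep a copy of the live hive
        fi
        cp -p "$src" "$config/$hive"               # restore point file -> hive
        echo "restored $hive from $(basename "$src")"
    done
}

# Usage (paths are examples): restore-hives.sh \
#   "/media/windows/System Volume Information/_restore{xxx}/RPxxx/snapshot" \
#   /media/windows/WINDOWS/system32/config /media/windows/rescatux-regbackup
if [ $# -eq 3 ]; then
    restore_hives "$1" "$2" "$3"
fi
```

Run ntfsfix on the device and reboot Windows afterwards as described above; the script only does the file copying.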

The other idea is making a Windows registry editor in Gnu/Linux.

There is already chntpw, which I already use in Rescatux for blanking Windows passwords. And that's also what is advised in the same thread: Editing the registry.

So by hacking on chntpw I might be able to show all the registry keys in a GUI and let the user edit or remove them. Maybe running regedit.exe from WINE would also work, but I'm not confident about this one.

And even if making a GUI Windows registry editor for GNU/Linux might be difficult (both the chntpw hacking and the GUI development itself), just detecting Windows registry viruses and resetting the registry values to default ones should be straightforward!

Mergeide

When you move a Windows machine to a virtual system you sometimes need it to support IDE.

Just check: Proxmox Wiki – Migration of servers to Proxmox VE – Inaccessible boot device.

It's a matter of adding a REG file that Microsoft advises using. That's just editing the registry, and it can be done with chntpw.

That would avoid headaches if you haven't run it on the original virtual or physical machine just before moving to the new virtual machine.

Possible new Rescatux options for Rescatux 0.32:

  • Recover Windows registry from Windows restore points
  • GUI for editing Windows registry
  • Windows Registry cleanup for some known Virus
  • Add IDE support to Windows system (Ideal for Virtual systems)

Additional notes

It seems that Reglookup is handy when searching for Windows registry keys, and it's included in Parted Magic.


2 comments to “Rescatux idea: Recovering Windows registry”

  1. Phil Stortz Says:

    Re: detecting encrypted volumes, cryptsetup has an “isluks” command that will tell you if a partition is encrypted. gparted will also detect luks volumes (but doesn’t know what to do with them).
