I'm working on making a recovery environment complete with AV/Malware scanning automation, and one problem I run into is that they want to scan the active registry & Windows instead of an offline install --- especially free versions (and ones like Combofix). After some research I found one freeware file redirection driver of dubious capability, but then figured out one could use a "shim" from the Application Compatibility Toolkit (ACT) to use the VirtualRegistry and File Redirection Filter already built-in to the Windows Vista and up kernel for UAC. So this works on a full version of Windows, but both WinPE and Win8.1SE seemingly lack the support for ACT databases...
Anyone ever looked into this at all?
Anyway, for those who don't know what a "shim" is, it basically sits in-between applications and what they think they're accessing, so that in the case of the VirtualRegistry, a configured application thinks it's reading/writing to HKLM\SOFTWARE\Foo (which a standard user can't write to) when it's really writing to HKCU\SomeVirtualRegistryPath\SOFTWARE\Foo (the user's registry). I can use this to load up an offline registry and then re-direct something like ComboFix to think it's looking at HKLM\Foo when it's really looking at HKLM\TempHive\Foo.
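The "load up an offline registry under HKLM\TempHive" half of this, as an added example that is not from the original post or from any of the tools named in it: the script below mounts the SOFTWARE hive of an offline install under HKLM\TempHive, lists the autostart (Run/RunOnce) entries a shimmed scanner would see there as if they were HKLM\SOFTWARE, and unloads the hive again. The offline install path D:\Windows and the mount name are assumptions (parameters); the script needs an elevated prompt because reg load requires backup/restore privileges. Building the VirtualRegistry shim database itself is done in the ACT Compatibility Administrator GUI and installed with sdbinst.exe, which is not shown here.

```powershell
# Added example (not from the original post): mount an offline SOFTWARE hive
# under HKLM\TempHive, list its autostart entries, and unload it again.
# Assumptions: offline Windows install at D:\Windows (hypothetical) and an
# elevated session (reg load needs SeBackupPrivilege/SeRestorePrivilege).
param(
    [string]$OfflineWindows = 'D:\Windows',
    [string]$MountName      = 'TempHive'
)

$hiveFile = Join-Path $OfflineWindows 'System32\config\SOFTWARE'
$mountKey = "HKLM\$MountName"

if (-not (Test-Path $hiveFile)) { throw "Hive not found: $hiveFile" }

# reg.exe returns non-zero when the hive is dirty, in use, or already loaded.
& reg.exe load $mountKey $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # Relative paths a shimmed scanner would resolve under HKLM\SOFTWARE;
    # with the VirtualRegistry shim they land under HKLM\TempHive instead.
    $runKeys = @(
        'Microsoft\Windows\CurrentVersion\Run',
        'Microsoft\Windows\CurrentVersion\RunOnce',
        'Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($rel in $runKeys) {
        $offline = "HKLM:\$MountName\$rel"
        if (-not (Test-Path $offline)) { continue }
        $props = Get-ItemProperty -Path $offline
        # Drop the provider's own PS* properties and emit one record per value.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Key     = "HKLM\SOFTWARE\$rel"   # what the shimmed app believes it reads
                    Backing = $offline               # where the data actually lives
                    Name    = $_.Name
                    Command = $_.Value
                }
            }
    }
}
finally {
    # Any open handle (the PowerShell registry provider, Regedit) keeps the hive
    # loaded; release ours before unloading.
    [GC]::Collect()
    & reg.exe unload $mountKey | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; close open handles and run: reg unload $mountKey"
    }
}
```

Run it as `.\Show-OfflineRun.ps1 -OfflineWindows 'D:\Windows'` from an elevated prompt in the recovery environment. The Key/Backing pair in each record is the point of the exercise: the scanner is told HKLM\SOFTWARE\..., the data it actually reads comes from HKLM\TempHive\..., and the live registry of the recovery environment is never touched. The finally block matters because a hive left loaded keeps the offline SOFTWARE file locked and marked in use.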