
DumpReg

registry

64 replies to this topic

#1 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1857 posts
  • Location:Nantes - France
  •  
    France

Posted 21 November 2015 - 02:58 PM


File Name: DumpReg
File Submitter: erwan.l
File Submitted: 21 Nov 2015
File Updated: 25 Nov 2015
File Category: Tools

Will save an online registry hive to an offline hive file.
Will restore an offline hive file to an online hive (a backup will be made next to the source hive file).

Needs admin rights.
Works on windows 2000 and up.

Before you restore a hive, make sure you have a backup and that you know how to boot offline and restore your system files.

/Erwan

Click here to download this file

#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13329 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 21 November 2015 - 03:22 PM

Is it (as I seem to understand) a "better", more detailed, form of (just to understand) ERUNT:

http://www.larsheder...nline.de/erunt/

updated for use also with Vista :ph34r: and later?

 

It does work for "online" Registry files, right?

 

Maybe adding a checkbox for "All" that autochecks/autounchecks all the various hives would be handy. :unsure:

 

Command line support? :dubbio:

 

Suggested:

Dumpreg /<option> <destination/source folder> [/<switches>]

Options:

/S Save

/R Restore

 

Switches:

/AL ALl (implied if no switch is passed)

/SA SAm

/SO SOftware

/SE SEcurity

/SY SYstem

/DU Default User

/CU Current User

 

:duff:

Wonko



#3 erwan.l


Posted 21 November 2015 - 05:18 PM

Hi Wonko,

 

I need to check this tool (ERUNT) but indeed it looks similar.

 

Dumpreg should work on windows 2000 and up.

It uses RegSaveKey and RegRestoreKey.

 

It saves an online hive to an offline hive file.

It restores an offline hive file to an online hive (needs a reboot to be effective).

 

I added a command line version to the zip file (uses the same unit code): it supports only /S (save) for now (next version coming soon).

I added a "all" checkbox in the GUI save form.

 

Thanks for the feedback and suggestion!

 

Regards,

Erwan

 

Edit: the command line function can now save and restore.

 

Command line syntax:

dumpreg by Erwan2212@gmail.com
Save Functions:
dumpreg target_folder /S /ALL
dumpreg target_folder /S /SA
dumpreg target_folder /S /SO
dumpreg target_folder /S /SE
dumpreg target_folder /S /SY
dumpreg target_folder /S /DU
dumpreg target_folder /S /CU
Restore Functions:
dumpreg source_hive /R /SA
dumpreg source_hive /R /SO
dumpreg source_hive /R /SE
dumpreg source_hive /R /SY
dumpreg source_hive /R /DU
dumpreg source_hive /R /CU


#4 wimb

wimb

    Gold Member

  • Developer
  • 2281 posts
  •  
    Netherlands

Posted 21 November 2015 - 06:23 PM

The DumpReg saved registry is far from complete (only 5 files), and in my Win 10 x64 DumpReg fails to save the security hive.

 

Portable Registry Backup is a good working solution - http://www.tweaking....try_backup.html

In this case the complete file-based registry of 14 files is saved online in a folder structure,

which also allows offline registry restore in PE by a simple copy of this structure.

 

[Attachments: RegBackup-2015-11-21_193436.png, RegBack-2015-11-21_194455.png]



#5 Wonko the Sane


Posted 21 November 2015 - 06:33 PM

Nice :), but wait a minute :w00t:.

 

If I Save (say) the WHOLE Registry with:

dumpreg C:\myniceFolder\ /S 

the result (should) be (in my perverted mind ;)):

C:\myniceFolder\SAM

C:\myniceFolder\software

C:\myniceFolder\SECURITY

C:\myniceFolder\system

C:\myniceFolder\default

Then in subfolders *like*:

C:\myniceFolder\Users\00000001\NTUSER.DAT

C:\myniceFolder\Users\00000002\UsrClass.dat

 

(at least this is what ERUNT does)

 

Then, when I Restore, in ERUNT (actually ERDNT) I point it to the main folder where I Saved, i.e. the command should be IMHO "symmetrical":

dumpreg source_folder /R 

 

I still believe that the command option /S or /R should go before target or source, but that is only a very minor issue, not worth the time it needs to be changed.

 

:duff:

Wonko



#6 erwan.l


Posted 21 November 2015 - 06:50 PM

The /S has the option to save ALL.

Output will look like this:

C:\dumpreg>dumpregcmd "C:\dumpreg" /s /all
SAM dumped
Software dumped
System dumped
Security not dumped
Default dumped
Current_User dumped

The /R does not have the option to restore all but on the contrary needs to be told which hive to restore where (as I wanted to be safe).

Command line would be:

dumpreg c:\dumpreg\sam /R /SA


#7 erwan.l


Posted 21 November 2015 - 06:55 PM

The DumpReg saved registry is far from complete (only 5 files), and in my Win 10 x64 DumpReg fails to save the security hive.

 

Portable Registry Backup is a good working solution - http://www.tweaking....try_backup.html

In this case the complete file-based registry of 14 files is saved online in a folder structure,

which also allows offline registry restore in PE by a simple copy of this structure.

 

[Attachments: RegBackup-2015-11-21_193436.png, RegBack-2015-11-21_194455.png]

 

Hi Wimb,

 

In red below the 6 registry hives I save.

Far indeed from the 14 you mention; if I can find them in regedit, then I can back them up, I guess...

 

The SID under HKEY_USERS is the HKEY_CURRENT_USER = ntuser.dat

 

Regards,

Erwan

 

0xtjP9w.png



#8 erwan.l


Posted 21 November 2015 - 06:58 PM

About ntuser.dat, isn't this the current user hive?

If yes, I save it using the current user SID in the form of 'S-1-5-21-2427513087-2265021005-1965656450-1001'.

 

usrclass.dat is actually included in the current user hive.

 

HKEY_USERS\[SID] -> %userprofile%\Ntuser.dat
HKCU\[SID]\Software\Classes -> %userprofile%\AppData\Local\Microsoft\Windows\Usrclass.dat



#9 Wonko the Sane


Posted 21 November 2015 - 07:59 PM

The /R does not have the option to restore all but on the contrary needs to be told which hive to restore where (as I wanted to be safe).

I understand that, but I (personally) would assume that:

dumpreg /R c:\dumpreg\sam

would Restore the SAM file only (not needing the /SA switch), and that:

dumpreg /R C:\dumpreg\ /SA

would ONLY restore the SAM file inside C:\dumpreg\

(just ideas, mind you :), the issue is only about the command(s) being as "symmetrical" as possible).

 

Cannot say about where/what the hives (both the ones you save/restore, the ones ERUNT "manages" and the 14 :w00t: the tool mentioned by wim_B) correspond to; the "new entry" (XP vs. rest of the world) seems to be only the "Components" one, the other ones seem to be "other users", i.e. "Default", "NetworkService" and "LocalService"; the "mapping" according to the good MS guys is (was) for 6 files:

https://msdn.microso...7(v=vs.85).aspx

https://support.micr...en-us/kb/256986

but it is entirely possible that it changed in later versions (though I can't seem to find any docs about this change :unsure:)

 

:duff:

Wonko



#10 ady

ady

    Frequent Member

  • Advanced user
  • 129 posts

Posted 21 November 2015 - 09:00 PM

http://nirsoft.net/windows_registry_tools.html
The list includes at least 2 relevant programs with optional access to off-line registry.

Also FWIW:

http://blog.nirsoft.net/2009/10/22/how-to-connect-a-remote-windows-7vistaxp-computer-with-nirsoft-utilities/


#11 erwan.l


Posted 21 November 2015 - 10:35 PM

Based on Wonko's post and after reading this url, I will indeed go for the following syntax:

dumpreg /S folder /ALL
dumpreg /S folder /SA -> will output a SAM file
dumpreg /S folder /SO -> will output a Software file
dumpreg /S folder /SE -> will output a Security file
dumpreg /S folder /SY -> will output a System file
dumpreg /S folder /DU -> will output a Default file
dumpreg /S folder /CU -> will output a ntuser.dat file

and

dumpreg /R folder /SA -> will look for a SAM file
dumpreg /R folder /SO -> will look for a Software file
dumpreg /R folder /SE -> will look for a Security file
dumpreg /R folder /SY -> will look for a System file
dumpreg /R folder /DU -> will look for a default file
dumpreg /R folder /CU -> will look for a ntuser.dat file


#12 wimb


Posted 22 November 2015 - 07:18 AM

The new version still failed to save the security hive of my Win10 x64 system.

Also the DumpReg software hive seems to be very small (5248 kB) compared to the file found in config (59904 kB).

Inspection shows that a lot of keys are missing in the DumpReg software hive ......

 

TweakingRegistryBackup.exe creates in folder RegBackup a software hive of 59888 kB, which corresponds well with the C:\Windows\System32\config\software file.

 

[Attachments: DumpReg_SecFailed-2015-11-22_074919.png, RegBack-Dump-2015-11-22_075713.png, Regedit-2015-11-22_090539.png]

 

Why not backup the components and drivers hives, and maybe also the less important Local Service and Network Service hives?

Will the system boot when you remove or corrupt these hives?

It might be that a backup of these hives is needed or can be handy on some occasion......

 

A folder structure like the one used by Registry Backup can be handy for restoring files to the right location,

which would allow restoring in a PE environment by a simple copy of the complete folder structure.

Free choice of drive location for the RegDump folder might be desired, since now it is fixed to the system drive.

You might wish to save the registry in a folder on another drive, e.g. on a USB stick.

 

:cheers:



#13 erwan.l


Posted 22 November 2015 - 11:50 AM

Version 0.2 uploaded.

 

 

 

The new version still failed to save the security hive of my Win10 x64 system.

 

For the security hive, you need to run as system (default account under winpe but requires one extra step under windows).

I see ERUNT manages the same though, without the need to run as system: will need to work this out.

 

EDIT: dumpreg can now dump security.

and maybe also the less important Local Service and Network Service hives?
Will the system boot when you remove or corrupt these hives?
It might be that a backup of these hives is needed or can be handy on some occasion......

No idea :)

Why not backup components and drivers hives

I believe they are included in the system hive. Not?

Also the DumpReg software hive seems to be very small (5248 kB) compared to the file found in config (59904 kB).
Inspection shows that a lot of keys are missing in the DumpReg software hive ......

dumpreg uses RegSaveKey and saves only nonvolatile keys. It does not save volatile keys.

Also, there are different registry formats (w2k, xp, not compressed, ...) so before comparing sizes, we would need to be sure we are comparing the same formats.

 

I will double check there for sure as indeed I suspect there is something wrong around the software dump (current user vs system one?).

A folder structure like the one used by Registry Backup can be handy for restoring files to the right location,
which would allow restoring in a PE environment by a simple copy of the complete folder structure.
Free choice of drive location for the RegDump folder might be desired, since now it is fixed to the system drive.
You might wish to save the registry in a folder on another drive, e.g. on a USB stick.

I am not sure I get it, but now dumpreg and dumpregcmd work against a folder to save/restore.



#14 Wonko the Sane


Posted 22 November 2015 - 12:45 PM

On XP the list of hives composing the Registry is given (see comments in):

https://msdn.microso...7(v=vs.85).aspx

 

Hive list

A list of all active hives can be found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist


HKEY_LOCAL_MACHINE\HARDWARE has no corresponding file because it is a volatile key that is created (and built) by the kernel at system start.

 

The list in XP is the one already mentioned; it seems that Vista :ph34r: or 7 and later add several keys, one is for the BCD (obviously), one is the "components" and the other two are actually "LocalService" and "NetworkService", maybe there are other ones:

 

http://www.thewindow...registry-basics

reg2.jpg

 

Parsing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist and then saving all the corresponding items seems like a good idea; personally (but I am notoriously picky ;) besides old and grumpy) I would dump the hivelist to a text file and use those paths for the restore (and also to "document" what has been saved in the folder and/or subfolders).

 

BUT (open question/doubt :dubbio:) maybe after all a command line isn't *needed* at all for RegDump, that is if the same can be done with a small batch and REG.EXE :unsure: :
https://helgeklein.c...ith-hive-files/

 

 

:duff:

Wonko



#15 erwan.l


Posted 22 November 2015 - 01:00 PM

Parsing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist definitely seems like a good idea!

 

Still, I miss drivers and components in this hivelist, which I do see in my system32\config folder.

 

About using reg.exe in a batch, you would still miss the security bits: you need special privileges (I don't mean rights there) that erunt, dumpreg, ... take care of.

 

My hives on Windows 8.1:

 

9LL6GL4.png
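As an added example (not DumpReg's or ERUNT's code), this is the "small batch and REG.EXE" approach floated above, built around the hivelist both posts propose parsing: it dumps every file-backed hive listed there (including the HKU\<SID> and <SID>_Classes entries behind ntuser.dat and UsrClass.dat), skips volatile ones such as HARDWARE, and writes a manifest of key, output file and original backing path for the restore. It assumes an elevated PowerShell session; the target folder name is a placeholder, and a hive that reg.exe cannot save (SECURITY is the candidate discussed above) is recorded as FAIL rather than aborting the run.

```powershell
# Added example, not part of DumpReg: dump every file-backed hive named in the
# live hivelist with reg.exe and record what was saved in a manifest.
# Assumes an elevated session; $Target is a placeholder folder name.
param([string]$Target = "C:\RegDump_$(Get-Date -Format yyyyMMdd_HHmmss)")

New-Item -ItemType Directory -Path $Target -Force | Out-Null
$manifest = Join-Path $Target "hivelist.txt"

# Each hivelist value is a native registry path whose data is the backing file, e.g.
#   \REGISTRY\MACHINE\SAM = \Device\HarddiskVolume2\Windows\System32\config\SAM
# An empty data value (HARDWARE) marks a volatile hive with no file, so it is skipped.
$hivelist = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\hivelist"

foreach ($name in $hivelist.GetValueNames()) {
    $backing = $hivelist.GetValue($name)
    if ([string]::IsNullOrEmpty($backing)) {
        Add-Content $manifest "SKIP volatile     $name"
        continue
    }

    # Translate the native path into the key name reg.exe expects:
    #   \REGISTRY\MACHINE\SAM          -> HKLM\SAM
    #   \REGISTRY\USER\S-1-5-21-...    -> HKU\S-1-5-21-...      (ntuser.dat)
    #   \REGISTRY\USER\S-1-5-21-..._Classes -> HKU\..._Classes  (UsrClass.dat)
    $key = $name -replace '^\\REGISTRY\\MACHINE\\', 'HKLM\' -replace '^\\REGISTRY\\USER\\', 'HKU\'
    if ($key -eq $name) {
        # Other roots (e.g. application hives under \REGISTRY\A) are not reachable via reg.exe.
        Add-Content $manifest "SKIP unsupported  $name"
        continue
    }

    # One file per hive, named after the key so per-user hives cannot collide.
    $outFile = Join-Path $Target ($key -replace '\\', '_')
    & reg.exe save $key $outFile /y | Out-Null

    if ($LASTEXITCODE -eq 0) {
        Add-Content $manifest "OK   $key -> $outFile (source: $backing)"
    } else {
        # A privilege or ACL problem surfaces here as a non-zero exit code; the
        # manifest keeps the entry so the gap in the backup is visible.
        Add-Content $manifest "FAIL $key (reg.exe exit $LASTEXITCODE; source: $backing)"
    }
}

Get-Content $manifest
```

The manifest doubles as the restore map Wonko asks for: each OK line pairs the saved file with the key it came from and the path of the live hive file it replaces.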



#16 erwan.l


Posted 22 November 2015 - 01:14 PM

Dumping current user will now dump ntuser.dat and usrclass.dat.



#17 wimb


Posted 22 November 2015 - 01:31 PM

Download Link for DumpReg does not work.

 

http://reboot.pro/fi...le/566-dumpreg/



#18 erwan.l


Posted 22 November 2015 - 01:35 PM

Thanks for this!

Fixed.

My ftp is case sensitive...



#19 wimb


Posted 22 November 2015 - 01:56 PM

DumpReg now saves 7 hives including security.

 

Maybe you can add an OK button when the program finishes, since at present you don't know what occurs and keep waiting....

 

The software hive is still far too small (about 10% is saved).

 

DRIVERS and COMPONENTS are NOT part of the SYSTEM hive and are visible in Regedit, and may be useful to be saved....

 

Regedit-2015-11-22_090539.png



#20 erwan.l


Posted 22 November 2015 - 02:04 PM

DumpReg now saves 7 hives including security.

 

Maybe you can add an OK button when the program finishes, since at present you don't know what occurs and keep waiting....

 

The software hive is still far too small (about 10% is saved).

 

DRIVERS and COMPONENTS are NOT part of the SYSTEM hive and are visible in Regedit, and may be useful to be saved....

 

[Attachment: Regedit-2015-11-22_090539.png]

 

There is an issue with the software hive indeed: investigating currently.

Dumpreg saves the software hive from hkey_current_user despite being instructed to save the one from hkey_local_machine.

ERUNT has that bug too on my win 8.1 system.

 

Will add a "ok" button indeed.

 

Will also look at drivers and components.

 

Thanks a lot for the detailed feedback !

 

Side note: also looking for feedback for the restore function (more difficult to test, I believe).

 

EDIT: just added the "ok" message after save/restore.



#21 Wonko the Sane


Posted 22 November 2015 - 02:05 PM

"Components" more or less is connected with Windows Update/SFC/SxS/CBS, seemingly; it also seems that it is not on *all* installs, and that you can "generate it" by launching "Windows package manager UI":

http://d3dal3.blogsp...in-windows.html

 

:duff:

Wonko



#22 erwan.l


Posted 22 November 2015 - 02:32 PM

"Components" more or less is connected with Windows Update/SFC/SxS/CBS, seemingly; it also seems that it is not on *all* installs, and that you can "generate it" by launching "Windows package manager UI":

http://d3dal3.blogsp...in-windows.html

 

:duff:

Wonko

 

Indeed, tested 2 computers at home (Win8.1 & Win7) and cannot find the hive in regedit despite having the files (components and drivers) on the hard drive...

Will look at your link.



#23 erwan.l


Posted 22 November 2015 - 02:33 PM

Uploaded dumpreg 0.3: was able to successfully test a restore of the system hive on Windows 7.



#24 erwan.l


Posted 22 November 2015 - 03:20 PM

Uploaded dumpreg 0.4.

 

- tested on XP, Win7 and Win8.1.

- the GUI will propose to save/restore COMPONENTS & DRIVERS if the hives are seen in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

- the cmd supports /CO for COMPONENTS, /DR for DRIVERS

 

About HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist, components and drivers are not listed on my system.

The files exist, though.

 

I am wondering if adding the entries manually in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist would do the trick, i.e. have the files mounted as hives at next reboot?

 

Edit: tried the above, i.e. adding a COMPONENTS entry; the modification is lost after a reboot...



#25 wimb


Posted 22 November 2015 - 03:34 PM

Version 0.4

- COMPONENTS is not visible in hivelist and is NOT saved by DumpReg, although visible in regedit as shown earlier...

 

Hivelist showing DRIVERS hive

[Attachment: Hivelist-2015-11-22_162605.png]