10

I need to make changes to my registry without using the OS software, and I need to do it with WinPE. However, when WinPE is ready to work and I try to open regedit.exe, it shows me only the current OS information, which is actually the WinPE information.

So how do I use WinPE as an offline registry editor?

wonea

1 Answer

16

Load the necessary registry hives:

  • in Registry Editor (regedit), select either HKEY_LOCAL_MACHINE or HKEY_USERS, then click File → Load Hive, open the hive file, and input a temporary name for it;

  • in command line, use `reg load HKLM\temp-name path-to-hive`
    or `reg load HKU\temp-name path-to-hive`.

The hive files are located in:

  • most of HKEY_LOCAL_MACHINE corresponds to files in %SystemRoot%\system32\config:
    • HKLM\SAM – file SAM
    • HKLM\SECURITY – file SECURITY
    • HKLM\Software – file software
    • HKLM\SYSTEM – file system
    • the special "system" user's registry (e.g. login screen, etc.) – file default
  • each user's personal registry (i.e. their HKEY_CURRENT_USER) is located in file NTUSER.DAT in their profile directory (e.g. C:\Users\grawity\NTUSER.DAT);
    • however, HKCU\Software\Classes is stored in the file AppData\Local\Microsoft\Windows\UsrClass.dat.

A list of currently loaded hives is at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist.

u1686_grawity
  • what about HKEY_CLASSES_ROOT ? Can't we load it ? – Haplo Nov 03 '14 at 15:55
  • I found that HKCR is actually `classes` key under `software` hive. – Haplo Nov 03 '14 at 17:00
  • @Haplo: On Windows XP and later, it's a merged view of `HKCU\Software\Classes` _and_ `HKLM\Software\Classes`. The former is a separate hive, the latter isn't. – u1686_grawity Nov 04 '14 at 05:32
  • You don't mention HKEY_USERS that contains default values for all users. I read it corresponds to NTUSER.dat, but not the one in the user directory. Is it correct? – FarO Nov 05 '15 at 09:26
  • @OlafM: Not quite. HKEY_USERS doesn't have any information by itself, all it has is sub-hives for each user. For example, `HKU\S-1-5-21-…-1103` corresponds to `C:\Users\grawity\ntuser.dat`, and `HKU\.default` corresponds to `C:\Windows\System32\config\DEFAULT`. (Note that [`.default` **is not** the default user](http://blogs.msdn.com/b/oldnewthing/archive/2007/03/02/1786493.aspx) and **does not** contain "default values for all users". It's actually the "system" user.) – u1686_grawity Nov 05 '15 at 09:40
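
The load, edit and unload sequence from the answer above, as an added batch example for the WinPE command prompt (not part of the original answer). It assumes the installed system's root is `\Windows` on the drive letter passed as the first argument; the mount names `OFFSYS`/`OFFSOFT`, the `.winpe-bak` backup suffix and the `ExampleVendor` key are hypothetical.

```bat
@echo off
rem Added example: edit an installed Windows' registry hives from WinPE.
rem Assumption: %1 is the drive letter of the offline Windows volume, e.g. D:
setlocal
set "OFFLINE=%~1"
if "%OFFLINE%"=="" (echo usage: %~nx0 ^<offline-drive^> & exit /b 1)
set "CFG=%OFFLINE%\Windows\System32\config"
if not exist "%CFG%\SYSTEM" (echo No SYSTEM hive found under "%CFG%" & exit /b 1)

rem Edits to a loaded hive are written to the hive file itself, so back up first.
copy /y "%CFG%\SYSTEM" "%CFG%\SYSTEM.winpe-bak" >nul || exit /b 1
copy /y "%CFG%\SOFTWARE" "%CFG%\SOFTWARE.winpe-bak" >nul || exit /b 1

rem Mount the offline hives under temporary names (OFFSYS, OFFSOFT are arbitrary).
reg load HKLM\OFFSYS "%CFG%\SYSTEM" || exit /b 1
reg load HKLM\OFFSOFT "%CFG%\SOFTWARE" || goto :unload_sys

rem An offline SYSTEM hive has no CurrentControlSet: that key is a link created
rem at boot. Select\Current holds the number of the ControlSetNNN to use instead.
set "CUR="
for /f "tokens=1,3" %%A in ('reg query HKLM\OFFSYS\Select /v Current') do (
    if /i "%%A"=="Current" set /a CUR=%%B
)
if not defined CUR (echo Could not read Select\Current & goto :unload_all)
set "CS=00%CUR%"
set "CS=ControlSet%CS:~-3%"
echo Offline system uses %CS%

rem Read-only checks that the hives belong to the installation you expect.
reg query "HKLM\OFFSYS\%CS%\Control\ComputerName\ComputerName" /v ComputerName
reg query "HKLM\OFFSOFT\Microsoft\Windows NT\CurrentVersion" /v ProductName

rem The actual edit. ExampleVendor\OfflineEdit is a hypothetical key; replace it
rem with the key and value you need to change.
reg add "HKLM\OFFSOFT\ExampleVendor\OfflineEdit" /v EditedFromWinPE /t REG_DWORD /d 1 /f

:unload_all
rem Unload fails with "Access is denied" while regedit or another process
rem still has a key under the mount point open, so close regedit first.
reg unload HKLM\OFFSOFT
:unload_sys
reg unload HKLM\OFFSYS
endlocal
```

A per-user hive is handled the same way: load the profile's `NTUSER.DAT` under `HKU\temp-name` and unload it when finished.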