request recomendation for "offline" registry hive diff utility
in [Security]
|
From: GrandpaFerret on 11 Feb 2010 20:22 I have two sets of system, system.LOG, software, and software.LOG hive files. One set is "before", the other is "after". I am looking for a good utility that will let me compare them, and having trouble finding one. There are two requirements that I have having trouble finding a tool that can fulfill: 1) I dont have a full set of registry files... just these four, basicly the system hive and the software hive. 2) Both sets are "off-line" (not part of an actively running os. Running WinXP Pro with current updates (SP1-3, plus 80+ wupdate updates.) Thanks for the help.
From: John Wunderlich on 13 Feb 2010 00:03 =?Utf-8?B?R3JhbmRwYUZlcnJldA==?= <GrandpaFerret(a)discussions.microsoft.com> wrote in news:AD7AE2EE-7E83-4CF2-8369-F3F0E1D94318(a)microsoft.com: > I have two sets of system, system.LOG, software, and software.LOG > hive files. > One set is "before", the other is "after". > > I am looking for a good utility that will let me compare them, and > having trouble finding one. There are two requirements that I > have having trouble finding a tool that can fulfill: > > 1) I dont have a full set of registry files... just these four, > basicly the system hive and the software hive. > > 2) Both sets are "off-line" (not part of an actively running os. > > Running WinXP Pro with current updates (SP1-3, plus 80+ wupdate > updates.) > > Thanks for the help. > > Probably the best approach is to individually load each hive into Regedit (with the same name), then File->Export it to a .reg file. You can then use a Text-Compare tool such as freeware "WinMerge" to point out the differences. WinMerge: <http://winmerge.org/> HTH, John
From: GrandpaFerret on 13 Feb 2010 22:08 John, Thank you for giving me the answer so quickly. I have no problem at all with your approach and understand most of it... I hope you will do me the favor of a follow up that will clarify things enough in my mind to allow me to do as you sugested. Its the "best approach is to individually load each hive into Regedit (with the same name)" part I am not sure about. Two point of confusion on my part: 1) I had already looked into trying to import a hive using regedit but the only option I could find was to import a ".reg" (text) version, not the actual registry file itself. 2) If you loaded the hive along the lines you are suggesting, it becomes part of the active OS's registry, right? That sounds very dangerous to the future integrity of the OS install in question. The only way I have come up with to interpret your suggestion ("the best approach is to individually load each hive into Regedit (with the same name)") would be to bring the system up under another OS (say linux) and replace the winXP hive file (say .../config/system) on a winXP system disk with the system file from one of my two sets and then reboot into that winXP OS. I thought about a second alternative of trying to find a program that would convert system to system.reg amd then use regedit to import it, but I see two posable problems with that... 1) If I had a program that would export a single hive file to .reg format I would have the answer to my original question and we would be done! :) 2) would not the result of the import be a murge of the active hive and the imported hive rather than a replacement of the active hive with the imported hive? I am not trying to argue with someone who is trying to help me. Sorry if it sounds like i am.... but I know very little about this area of windows, but what I do know is that it is very dangerous to fool around with if you dont know what you are doing.... Soooo, exactly what did you mean when you said " Probably the best approach is to individually load each hive into Regedit (with the same name)" By the way, I do have a scratch winXP install laying around that I can afford to screw-up. Its just that if I am going to screw it up I would like to get the data I need out of it before totally hosing it. : Hope to hear back from you soon. Thanks.
From: GrandpaFerret on 13 Feb 2010 22:51 John, I get it now. Forgot to look at changing the file type in the export dialog box. That little weird way of thinking about stuff has always screwed me up. I am much happier in unix land, mostly solaris, some irix, some linux. You will probably get a grin over another screwup I made. made a restore point, then imported/expored the two "before" hive files. Then restored to the restore point I made in preperation for doing the two afet files. Did the two after files and then noticed my two before .reg files were missing. duh. (red face) thanks for the help!
From: John Wunderlich on 14 Feb 2010 01:14
=?Utf-8?B?R3JhbmRwYUZlcnJldA==?= <GrandpaFerret(a)discussions.microsoft.com> wrote in news:21A1BDF6-64D9-4772-B5AC-08DC6E506DF2(a)microsoft.com: > John, Thank you for giving me the answer so quickly. I have no > problem at all with your approach and understand most of it... I > hope you will do me the favor of a follow up that will clarify > things enough in my mind to allow me to do as you sugested. > > Its the "best approach is to individually load each hive into > Regedit (with the same name)" part I am not sure about. > > Two point of confusion on my part: [...] > 2) If you loaded the hive along the lines you are suggesting, it > becomes part of the active OS's registry, right? That sounds very > dangerous to the future integrity of the OS install in question. [...] > > Soooo, exactly what did you mean when you said " Probably the best > approach is to individually load each hive into Regedit (with the > same name)" > As you've probably found out, after starting Regedit, you click once on the HKLM key then do a File->Load Hive. Select your hive then It will then ask you for a name to mount it as. Give it a random name. Yes, it will become part of HKLM but since you gave it a random name, nothing knows to look there. After exporting, you then unload the hive and you're back to normal. When you mount the "after" hive, you need to mount it with the same name you used for the "before" hive because this name becomes part of the export and a different name will cause everything to mismatch. -- John |