Windows server 2012 - registry file

(@john-stockton)
Posts: 3
Active Member
Topic starter
 

Hello,

I exported all registry (.reg) files from Windows server 2012, but when trying to load them in Registry Explorer v2.0, I failed. Can someone help me and advise me on how I can load this file for analysis?

Regards

 

 
Posted : 02/06/2023 12:36 pm
(@athulin)
Posts: 1156
Noble Member
 

Registry Explorer loads registry hive files. Those are the registry files in the file system. If you know what you are doing, you can also use the Registry Editor to export them, but chances are fairly good that you'll mess things up. On a live system, use a tool such as FTK Imager and the Obtain Protected Files command (I'm fairly certain Lite has that too), or something with comparable functionality.

.reg files are registration files, not registry files. It is an alternate format, and as far as I can remember, has the same content as a hive file. But Registry Explorer can't handle them.

 
Posted : 04/06/2023 4:03 pm
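Added example, not part of the thread and not code from Registry Explorer: a quick triage check that tells a binary hive (what the answer above says Registry Explorer loads) from a textual .reg export by looking at the first bytes of the file. The function names and both sample inputs are constructed for illustration.

```python
import struct

REG5_HEADER = "Windows Registry Editor Version 5.00"  # regedit export, Windows 2000 and later
REG4_HEADER = "REGEDIT4"                              # older ANSI export format

def classify_registry_file(data: bytes) -> dict:
    """Tell a binary hive from a textual .reg export using the file's first bytes."""
    # Binary hive: 'regf' signature, then two sequence numbers, a FILETIME
    # timestamp and the major/minor format version (all little-endian).
    if data[:4] == b"regf" and len(data) >= 28:
        seq1, seq2, _written, major, minor = struct.unpack_from("<IIQII", data, 4)
        # Differing sequence numbers mean the hive was not cleanly flushed, so
        # its transaction logs (.LOG1/.LOG2) should be collected with it.
        return {"kind": "hive", "version": f"{major}.{minor}", "dirty": seq1 != seq2}
    # Textual export: regedit writes version 5.00 files as UTF-16LE with a BOM.
    if data[:2] == b"\xff\xfe":
        text, encoding = data[2:202].decode("utf-16-le", errors="replace"), "UTF-16LE"
    else:
        text, encoding = data[:100].decode("latin-1"), "ANSI"
    lines = text.splitlines()
    first = lines[0].strip() if lines else ""
    if first in (REG5_HEADER, REG4_HEADER):
        return {"kind": "reg-export", "header": first, "encoding": encoding}
    return {"kind": "unknown"}

def classify_path(path: str) -> dict:
    """Classify a file on disk; the first 512 bytes are enough."""
    with open(path, "rb") as fh:
        return classify_registry_file(fh.read(512))

# Constructed samples (not taken from any real system).
SAMPLE_HIVE = b"regf" + struct.pack("<IIQII", 7, 6, 0, 1, 5) + bytes(484)
SAMPLE_REG = b"\xff\xfe" + (
    REG5_HEADER + "\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example]\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("hive (constructed)", SAMPLE_HIVE), (".reg (constructed)", SAMPLE_REG)):
        print(name, classify_registry_file(blob))
```

A file classified as `reg-export` is the text format discussed above; only files classified as `hive` are in the format Registry Explorer loads.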
(@john-stockton)
Posts: 3
Active Member
Topic starter
 

@athulin Do I well understand the story...

The whole registry (file .reg) can not export without tools and doing analyse?!

 
Posted : 05/06/2023 6:35 am
(@athulin)
Posts: 1156
Noble Member
 

The whole registry (file .reg) can not export without tools and doing analyse?!

I don't understand your question. Are you familiar with Windows Registry, how it is divided into hives/files, and so on? Or how a Windows system administrator uses system tools to manipulate registry data? You need to be. If you are working from some particular sources in Registry forensics, please mention them: it makes it easier to say if you are on the right track or not.

.reg files are mainly used by system admins, not forensic analysts. But if you for any reason need to use them, you already should know if you are able to analyze them in the tools you have available. Forensic registry analysis tools tend to focus on the raw registry files, not on any transcription of them into textual form, which may or may not be forensically clean. (I can't remember seeing any analysis of .reg files vs. registry files, so I regard .reg files as less desirable to use than the raw files.)

If you aren't familiar with registry, I recommend Jerry Honeycutt's book Windows Registry Guide, as well as some good handbook in forensic registry analysis. Honeycutt's book is a bit old, though, and it looks like Microsoft Press has published a few more titles on the topic since I last reviewed it.

Or is it just Registry Explorer that you aren't familiar with?

 
Posted : 05/06/2023 4:17 pm