Read Registry from Restored Backup

I mentioned this in an earlier thread but wanted to put it in its own short article.

Sometimes you need to get data from an earlier version of the registry. For HKEY_CURRENT_USER, that means restoring and reading C:\Users\<username>\ntuser.dat.

Note that ntuser.dat is an operating system file. To be able to see it, in File Explorer, uncheck “Hide protected operating system files.”

I found that I could not open the restored ntuser.dat with regedit.exe. I used File > Open Hive, but I kept getting the message “Cannot Load C:\Users\<username>\Desktop\ntuser.dat: Error while loading hive.”

However, I was able to export data with NirSoft’s RegFileExport. For example, to export configuration data from WinSCP, use this command:

RegFileExport ntuser.dat WinSCP.txt "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2"

To export PuTTY’s configuration:

regfileexport ntuser.dat Putty.txt "HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions"

Open the output file in a text editor to check the data. If it looks okay, rename the file from .txt to .reg, then double-click to import the file into the live registry.
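The check described above can also be scripted. This is an added example, not part of the original post or of RegFileExport. It assumes the export is standard .reg text and reuses the WinSCP file name and key from the command above; the function name Test-RegExportScope and the backup file name are made up for illustration.

```powershell
# Added example. Confirms that an exported file only touches the key you asked for
# before it is renamed to .reg and merged into the live registry.
function Test-RegExportScope {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedRoot
    )
    # Get-Content detects a byte-order mark, so a UTF-16 export is decoded correctly.
    $lines = @(Get-Content -LiteralPath $Path | Where-Object { $_.Trim() })
    $root = $ExpectedRoot.TrimEnd('\')
    $problems = @()
    $keys = 0

    # A .reg file starts with one of these two header lines.
    $headers = 'Windows Registry Editor Version 5.00', 'REGEDIT4'
    if ($lines.Count -eq 0 -or ($lines[0].Trim() -notin $headers)) {
        $problems += 'missing .reg header line'
    }
    foreach ($line in $lines) {
        if ($line -notmatch '^\[(.+)\]\s*$') { continue }   # only key lines matter here
        $key = $Matches[1]
        $keys++
        if ($key.StartsWith('-')) {
            $problems += "deletes a key: $key"               # [-KEY] removes the key on import
        } elseif ($key -ne $root -and
                  -not $key.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
            $problems += "outside expected root: $key"
        }
    }
    if ($keys -eq 0) { $problems += 'no registry keys found' }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Keys = $keys; Problems = $problems }
}

$root = 'HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2'
$check = Test-RegExportScope -Path .\WinSCP.txt -ExpectedRoot $root
if ($check.Ok) {
    # Keep a copy of the live key first so the import can be undone.
    if (Test-Path -LiteralPath 'HKCU:\Software\Martin Prikryl\WinSCP 2') {
        reg.exe export $root .\WinSCP-live-backup.reg /y
    }
    Copy-Item .\WinSCP.txt .\WinSCP.reg
    "OK: $($check.Keys) keys, all under $root. Import WinSCP.reg when ready."
} else {
    $check.Problems
}
```

If anything is reported under Problems, the file is left as .txt so it cannot be imported by an accidental double-click.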

1 thought on “Read Registry from Restored Backup”

  1. Lorenz Vauck

    Amazing idea with the RegFileExport, just saved my life while trying to load a HIVE from a backup that was done during a running system (via DriveSnapShot). Regedit generally refuses to load hives from such a backup, most likely because they are in an “open” state or something, because of the live backup. RegFileExport did the job just fine. Thanks a lot!
