Read Registry from Restored Backup

Mark Berry January 2, 2017

I mentioned this in an earlier thread but wanted to put it in its own short article.

Sometimes you need to get data from an earlier version of the registry. For HKEY_CURRENT_USER, that means restoring and reading C:\Users\<username>\ntuser.dat.

Note that ntuser.dat is an operating system file. To see it in File Explorer, uncheck “Hide protected operating system files.”

I found that I could not open the restored ntuser.dat with regedit.exe. I used File > Open Hive, but I kept getting the message “Cannot Load C:\Users\<username>\Desktop\ntuser.dat: Error while loading hive.”

However, I was able to export data with NirSoft’s RegFileExport. For example, to export configuration data from WinSCP, use this command:

RegFileExport ntuser.dat WinSCP.txt "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2"

To export PuTTY’s configuration:

regfileexport ntuser.dat Putty.txt "HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions"

Open the output file in a text editor to check the data. If it looks okay, rename the file from .txt to .reg, then double-click to import the file into the live registry.
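
The "check the data" step can be scripted before the rename. The PowerShell below is an added example, not part of the original article or of RegFileExport: it reads the exported text file, confirms every key sits under the key that was requested, and flags delete directives. The function name, parameters and sample content are assumptions made for illustration.

```powershell
# Added example, not from the original article. Test-RegExport is a hypothetical
# helper name; the sample below is constructed, not real session data.
function Test-RegExport {
    param(
        [Parameter(Mandatory)][string]$Path,         # file written by RegFileExport
        [Parameter(Mandatory)][string]$ExpectedRoot  # key that was requested
    )
    $keys = 0; $values = 0; $outside = @(); $deletes = @()
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(-?)(.+)\]$') {
            # Key header; a leading "-" deletes the key on import.
            $keys++
            $key = $Matches[2]
            if ($Matches[1]) { $deletes += $t }
            $underRoot = $key -eq $ExpectedRoot -or
                $key.StartsWith("$ExpectedRoot\", [StringComparison]::OrdinalIgnoreCase)
            if (-not $underRoot) { $outside += $key }
        }
        elseif ($t -match '^(@|".*")=') {
            # Value line; "name"=- deletes the value on import.
            $values++
            if ($t -match '=-$') { $deletes += $t }
        }
    }
    [pscustomobject]@{
        Keys             = $keys
        Values           = $values
        OutsideRoot      = $outside
        DeleteDirectives = $deletes
        LooksOk          = ($keys -gt 0 -and $outside.Count -eq 0 -and $deletes.Count -eq 0)
    }
}

# Constructed sample shaped like a .reg export; the last key is outside the root.
$sample = @'
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions]
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\example-host]
"HostName"="host.example.test"
"PortNumber"=dword:00000016

[HKEY_CURRENT_USER\Software\ExampleVendor\Other]
"Setting"="1"
'@
$tmp = Join-Path $env:TEMP 'Putty-sample.txt'
Set-Content -LiteralPath $tmp -Value $sample
Test-RegExport -Path $tmp -ExpectedRoot 'HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions'
Remove-Item -LiteralPath $tmp
```

If LooksOk is False, review the entries listed under OutsideRoot and DeleteDirectives in the text editor before renaming the file to .reg.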

