3

I am trying to view registry items in a saved copy of NTUSER.DAT; how can I do so?

I want to do this because I had a crashed hard drive and want to get all my programs running again. I reinstalled Win10 and all programs from a USB drive backup, but now some programs refuse to run because they can't find their registry settings; I have a pre-crash backup of NTUSER.DAT and want to view it so I can find the missing items.

John Wilson
  • "reinstalled Win10 and all programs from a USB drive backup" Could you accurately describe your method for us. True backup restore, or piecemeal copy? – Tetsujin Jun 25 '20 at 15:46
  • What you're trying to do will likely not work, as while programs do store _user-specific_ information/settings in the `HKCU` store, they usually store information relative to the program operating correctly within the `HKLM` hybrid-store _(it's made up of several separate hives located within `%WinDir%\System32\config`)_, and it's highly unlikely info exported from the backup user hive [`NTUSER.DAT`] and imported into the `HKCU` store would fix what you're trying to fix, nor would it be an efficient means of doing so - simply uninstall/reinstall the applications. – JW0914 Jun 25 '20 at 16:29
  • @JohnWilson - Why don't you simply reinstall the applications? Most applications don't even use the registry to store their settings. Even when they do store the settings, most applications are smart enough to create the required keys before using them. – Ramhound Jun 25 '20 at 17:06
  • I can't reinstall the app - the CD was damaged in the last hurricane and the vendor no longer supports the (very old) version. – John Wilson Jun 25 '20 at 17:15
  • @JohnWilson Without access to the previous install's `%WinDir%\System32\config\SOFTWARE` hive, it's unlikely the registry keys you'd be looking for exist. Did you choose to format the partition during the reinstall; if not, the previous install will have been moved to `C:\Windows.old`? While it doesn't help at the moment, prior to formatting, especially when no longer supported software versions are involved, creating a [WIM](https://superuser.com/a/1544563/529800) _(ignore Creating Partitions section)_ of the partition would be recommended so you can pull any info needed after the reinstall. – JW0914 Jun 25 '20 at 17:25
  • I do have a copy of ntuser.dat from the previously working drive and copies to new system – John Wilson Jun 29 '20 at 15:00
  • I solved problem by running program in win7 compatibility mode. See my answer. I suspect some funky registry handling in win 10. – John Wilson Jun 29 '20 at 15:09

3 Answers

8

Registry hives, such as NTUSER.DAT, are a bespoke file format, with a number of ways of viewing them:

  • Perhaps the cleanest is to use a third-party application such as:
    1. Ease of use: MiTeC's Windows Registry Recovery
    2. Forensic analysis: Eric Zimmerman's Registry Explorer

  • If you don't want third-party tools, you can mount a registry hive using regedit:
    (You probably don't want to do this, and it requires local Administrator privileges)
    1. From Start Menu, find Registry Explorer/regedit
    2. In the left-hand tree pane select HKEY_USERS
    3. From the File menu, select Load hive...
    4. Select the file you want to mount [NTUSER.DAT]
    5. Give it a name [OLD] and you will now see the mounted hive under HKEY_USERS
    6. To unmount it, select the name you gave it [OLD], and from the File menu, select Unload hive

  • Google search results
JW0914
Bridgey
  • Why would you not want to mount a registry hive via the native means of doing so, `regedit`? Why is there a disclaimer about messing up the registry when the `NTUSER.DAT` file is a user hive, not a system hive, and, specific to the author's question, is a backup, so any changes made to it wouldn't affect anything? – JW0914 Jun 25 '20 at 16:02
  • I felt the nature of the OP's question suggested they were perhaps inexperienced in Windows administration. Therefore, I thought it was reasonable to offer a warning about the dangers of the registry and suggested third-party apps as that would allow them to "see" the hive with very little risk. Yes, I agree that if they confined their edits to the hive they'd loaded they couldn't damage the live system, but if they got tempted to "explore" the other loaded hives, they might be tempted to make some tweaks. – Bridgey Jun 25 '20 at 16:51
  • You can safely mount `NTUSER.DAT` within the registry editor since it won't and cannot actually be used by Windows. You would simply be browsing the contents of the NTUSER registry hive. – Ramhound Jun 25 '20 at 17:05
  • Eric Zimmerman's Registry Explorer is great. I've managed to recover the keys from the corrupted drive which regedit refused to open. – CrazyCoder May 23 '22 at 19:53
3

To load the NTUSER.DAT hive:

  • GUI:
    1. WinKey+R → RegEdit → OK
    2. Highlight HKEY_USERS → File: Load Hive... → Select NTUSER.DAT
    3. Arbitrarily name it → OK → Browse as normal

  • CLI:
    1. Load hive:
      Reg Load HKU\temp "C:\Path\to\NTUSER.dat"
      
    2. Export key:
      Reg Export HKU\temp\Path\to\Key "C:\Path\to\Save\Exported.reg"
      
    3. Unload hive:
      Reg Unload HKU\temp
      
JW0914
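
The load, export and unload steps from the two answers above, combined into one script as an added PowerShell example (not part of either answer). The paths, the `Software` subkey and the working-copy file name are assumptions; the script loads a copy because loading a hive can write to the hive file and create log files beside it, and it unloads the hive even if the export fails.

```powershell
# Added example: export a key from a backup NTUSER.DAT via reg.exe.
# All default values below are placeholders/assumptions; adjust before use.
param(
    [string]$HivePath  = 'C:\Path\to\NTUSER.dat',            # backup hive
    [string]$SubKey    = 'Software',                         # hypothetical key to export
    [string]$OutFile   = 'C:\Path\to\Save\Exported.reg',     # export target
    [string]$MountName = 'temp'                              # name under HKEY_USERS
)

# reg load requires an elevated (Administrator) session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# Never load the only backup: work on a copy in the temp directory.
$workCopy = Join-Path $env:TEMP 'NTUSER-workcopy.dat'
Copy-Item -LiteralPath $HivePath -Destination $workCopy -Force

# Refuse to reuse a mount name that already exists under HKEY_USERS.
if (Test-Path -LiteralPath "Registry::HKEY_USERS\$MountName") {
    throw "HKU\$MountName already exists; choose another mount name."
}

& reg.exe load "HKU\$MountName" $workCopy
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # /y overwrites an existing export file without prompting.
    & reg.exe export "HKU\$MountName\$SubKey" $OutFile /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
}
finally {
    # Always unload, otherwise the copy stays locked and mounted.
    & reg.exe unload "HKU\$MountName"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; close regedit or any tool holding HKU\$MountName and retry."
    }
}
```

Key paths in the exported file begin with `HKEY_USERS\temp`, so they have to be changed to `HKEY_CURRENT_USER` before the file can be imported into the current profile.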
0

I appreciate the suggestions but I couldn't get any to work as I wanted. However, I did find a work-around: I created a shortcut to the troublesome EXE and changed its Properties (Compatibility Mode) to Windows 7. I also set Shortcut->Advanced->Run as Administrator. This did not actually answer my question as originally asked, but it did solve my problem.

John Wilson
  • The second portion sounds like a registry key permissions issue, especially if running the program as Admin fixes it _(if the program is not meant to be run as Admin, it should not be)_... I'd ask the developer what registry keys the program needs access to, which should resolve that issue. – JW0914 Jun 29 '20 at 13:03
  • Product is no longer supported by developer especially since absorbed by mega-firm. I don't think it was permission issue rather the compatibility mode setting. – John Wilson Jun 30 '20 at 16:46
  • If running it as Admin fixed the issue, it's a permissions issue... If it runs when not launched as Admin, then it just requires compatibility mode – JW0914 Jun 30 '20 at 23:10
  • I cleared Run As Administrator and it still works fine, so I'm pretty sure that the Compatibility Mode setting was the magic bullet. – John Wilson Jul 04 '20 at 15:52