Windows – How to create a registry hive file from a .reg backup

bsodwindowswindows 10windows-registry

Long story short, I accidentally royally screwed up my HKLM\SYSTEM registry directory trying to fix WinApps permissions that were changed with a Windows security patch.

As of right now, my system is completely unable to boot with a BSOD message of "inaccessible boot device" caused by my changes. I've tried

changing values of registry keys to enable AHCI
Safe Mode
sfc /scannow + chkdsk
Checking for pending packages in DISM
Moving files from Regback to /config
importing my working backup of SYSTEM.reg into the registry under windows recovery command prompt and WinPE

One of those would normally work, but my issue is caused by a junk SYSTEM registry.

I need to create a SYSTEM HIVE file from my .REG backup of the HKLM\SYSTEM directory.

I thought this would be a very simple solution, but the only thing that I've managed to find on this topic is a random MSDN post from years ago that seems like it would accomplish what I want, but I can't get the script to work. (https://blogs.msdn.microsoft.com/sergey_babkins_blog/2014/11/10/how-to-create-a-brand-new-registry-hive/)

Trying to run his script as a .bat returns an error stating:function' is not recognized as an internal or external command, operable program or batch file.
Trying to run the .bat in powershell returns: merge.bat : The term 'merge.bat' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

If anyone knows how to get the above powershell script to work, please let me know.

Best Answer

The script you have linked is a PowerShell script, it needs to be saved with a .ps1 extension and executed in PowerShell.

Can you try saving it as a .ps1 file and running it, does this resolve your issues?

Edit:

The contents of your .ps1 file should be:

function ConvertTo-RegistryHive
{
<#
.SYNOPSIS
Convert a registry-exported  text (contents of a .reg file) to a binary registry hive file.

.EXAMPLE
PS> ConvertTo-RegistryHive -Text (Get-Content my.reg) -Hive my.hive
#>
    param(
        ## The contents of registry exported (.reg) file to convert into the hive.
        [string[]] $Text,
        ## The hive file name to write the result to.
        [parameter(Mandatory=$true)]
        [string] $Hive
    )

    $basefile = Join-Path ([System.IO.Path]::GetTempPath()) ([System.IO.Path]::GetRandomFileName())
    $regfile = $basefile + ".reg"
    $inifile = $basefile + ".ini"
    $subkey = [System.Guid]::NewGuid().ToString()

    &{
        foreach ($chunk in $Text) {
            foreach ($line in ($chunk -split "`r")) {
                $line -replace "^\[\w*\\\w*","[HKEY_LOCAL_MACHINE\$subkey"
            }
        }
    } | Set-Content $regfile

    # Since bcdedit stores its data in the same hives as registry,
    # this is the way to create an almost-empty hive file.
    bcdedit /createstore $Hive
    if (!$?) { throw "failed to create the new hive '$Hive'" }

    reg load "HKLM\$subkey" $Hive
    if (!$?) { throw "failed to load the hive '$Hive' as 'HKLM\$subkey'" }

    try {
        # bcdedit creates some default entries that need to be deleted,
        # but first the permissions on them need to be changed to allow deletion
@"
HKEY_LOCAL_MACHINE\$subkey\Description [1]
HKEY_LOCAL_MACHINE\$subkey\Objects [1]
"@ | Set-Content $inifile
        regini $inifile
        if (!$?) { throw "failed to change permissions on keys in 'HKLM\$subkey'" }
        Remove-Item -LiteralPath "hklm:\$subkey\Description" -Force -Recurse
        Remove-Item -LiteralPath "hklm:\$subkey\Objects" -Force -Recurse

        # now import the file contents
        reg import $regfile
        if (!$?) { throw "failed to import the data from '$regfile'" }
    } finally {
        reg unload "HKLM\$subkey"
        Remove-Item -LiteralPath $inifile -Force
    }

    Remove-Item -LiteralPath $regfile -Force
}

ConvertTo-RegistryHive -Text (Get-Content C:\MyHive.reg) -Hive HiveName

And then just change this C:\MyHive.reg to point to your .reg file and HiveName to the name of the Hive to be created.

Related Solutions

Windows – Invoke-Sqlcmd not working after PowerShell 4 install

I had similar issues getting invoke-sqlcmd to work without installing SQL Server Management Studio. What I found is that the bare minimum (without SSMS) needed to run invoke-sqlcmd are three files:

Microsoft® Windows PowerShell Extensions for SQL Server® 2008 R2

Microsoft® SQL Server® 2008 R2 Shared Management Objects

Microsoft® System CLR Types for SQL Server® 2008 R2

found here: http://www.microsoft.com/en-us/download/details.aspx?id=16978

Then open up Powershell and enter:

set-alias installutil $env:windir\Microsoft.NET\Framework\v2.0.50727\installutil

installutil -i "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\Redist\Microsoft.SqlServer.Management.PSProvider.dll"
installutil -i "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\Redist\Microsoft.SqlServer.Management.PSSnapins.dll"

Add-PSSnapin -Name SqlServerProviderSnapin100
Add-PSSnapin -Name SqlServerCmdletSnapin100

If you installed the 64-bit files you will need to run:

set-alias installutil $env:windir\Microsoft.NET\Framework\v2.0.50727\installutil

installutil -i "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\Redist\Microsoft.SqlServer.Management.PSProvider.dll"
installutil -i "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\Redist\Microsoft.SqlServer.Management.PSSnapins.dll"

Add-PSSnapin -Name SqlServerProviderSnapin100
Add-PSSnapin -Name SqlServerCmdletSnapin100

Also, make sure you are using the correct version of Powershell as the 64-bit version of Powershell cannot use the 32-bit version of "Microsoft.SqlServer.Management.PSSnapins.dll" and "Microsoft.SqlServer.Management.PSProvider.dll"

Windows – How to open a raw registry file (taken from another computer)

I have a raw image (.dd) from a Windows (NTFS) partition. I have to find out when a specific file was created.

To that end I am trying to find the correct timezone that is used on the system.

There should be no need to determine the configured time zone, if your goal is simply to get the file creation time.

NTFS stores file timestamps in UTC. UTC, in turn, has the nice property of being monotonically increasing, and convertible to any known time zone simply by adding or subtracting the time zone offset for the subject's geographical and political location at the time (which you would need to establish through other means).

Also note that any time zone configuration value that you extract from the registry will almost certainly show the currently configured (as of the time of the disk image) time zone, not the time zone configured at the time the file was created. Unless Windows keeps some sort of history of time zone settings, the latter won't be obtainable through the operating system's facilities, including deep digging through the registry.

Just present the file and state that file system metadata for the file in question indicates that when it was created, the computer's real-time clock was set to such-and-such UTC. You can also state that at that time, other evidence links the subject to a certain location, and present that evidence separately. That would establish the subject's location at the time, in turn establishing a reasonable local time zone for the subject at the time, which would allow you to state that in that location at that UTC time, local time was so-and-so.

If your role is simply in digital forensics, I would suggest that you simply present the UTC time as recorded in the file system metadata, and let someone else make any interpretation.

Do note however that any competent attorney would likely quickly point out that file system metadata timestamps do not imply that the file action indicated took place at that specific real-world time. The computer's real-time clock could have been set to literally any value within its valid range at the time the file action took place, and that arbitrary value would be recorded in the file system metadata.

Best Answer

Related Solutions

Windows – Invoke-Sqlcmd not working after PowerShell 4 install

Windows – How to open a raw registry file (taken from another computer)

Related Question