I have a Windows XP machine with 2 accounts:
- "User" – limited acc
- "Admin" – has strong password
User got a virus, that blocked access. I logined as Admin and launched regedit. I tried to load HKEY_CURRENT_USER for "User", using these instructions:
-
Highlight HKEY_USERS and then select Load Hive from the Registry menu.
-
Browse to their profile directory and select ntuser.dat or if you are editing a mandatory profile the file will be called ntuser.man
-
When prompted for Key Name, input their Username. The editor will insert the user's Registry data into HKEY_USERS under the user's name.
-
Make your changes to the registry located under this new key.
-
After you are finished making all of the registry changes, highlight key corresponding to the username and select the Unload Hive option from the Registry menu.
http://scilnet.fortlewis.edu/tech/Users/load_HKEY_USERS.htm
But it failed:
It says: "Can't load ntuser.dat.LOG: error while loading the hive". This file really exists and has 0 size. There is no User subtree under HKEY_USERS, so I presume, that Users hive is not loaded for Admin:
Then I started from Live CD, and launched regedit there. I was able to load ntuser.dat correctly and delete the virus from autoload for User.
- How could I do it from Admin account?
- Why did the error emerge?
Best Answer
The problem is that you are attempting to mount the LOG file. You need to mount
ntuser.dat, notntuser.dat.log.Like you said above, you were able to mount the hive successfully, so there’s no problem; there is no problem with the log file being empty, it just means that pending registry changes were flushed to the hive when you last shut down. [1][2][3][4]
Also, I prefer the command-line tool for mounting registry hives: