February 15th 10, 05:02 PM posted to microsoft.public.windowsxp.security_admin
GrandpaFerret
Subject: request recommendation for "offline" registry hive diff utility

John/Jim,

Thank both of you for your help and for the references (utilities and book).

I did the comparison on the system.before/system.after and the
software.before/software.after files.

Interestingly, although the XP "DOS" FC command said there were lots of
differences, windiff on the exported .reg files said they were identical.

I actually went back and re-did the procedure to make sure I was exporting
and comparing the correct sets of files and got the same result.

I am a little puzzled over this.

A little regression might be of interest at this point.

So, what is "before" and "after" you may be wondering?

I wanted to get a "not hot" backup of my winXP install. Something I learned
the hard way from my VMS days and have had confirmed in my life in the
beastie called UNIX.

So after I did the first ("real") install of winXP, I booted off of a
"Fedora Live" cd and made copies of the hive files. These became my "before"
set.

I then did an (almost) unattended install of winXP ("scratch") into a
different partition.

Then I booted Fedora Live again and made the "after" copy of the hive files.

Then I booted into the 2nd winXP ("scratch") install, installed PQ's
DriveImage 7 and made a backup of the 1st winXP ("real") install.

I had actually done this whole process before except that instead of backing
up the hives I simply did a recursive directory listing (with date and size).
I was expecting there to be no differences in these listings as the 2nd
winXP ("scratch") install should not have any effect on the first ("real").

Wrong! There was the overlooked modification to boot.ini. Okay. That one
I get.

There were also changes in the directory listings indicating that the
install of the 2nd winXP OS ("scratch") had caused the addition of restore
points TO THE FIRST winXP OS's ("real") "root drive" (C: in this case)...
(totally unexpected) as well as modifying the first winXP ("real") OS's
"software" and "system" hives (again, totally unexpected.)

So when I had to redo all of this for an unrelated reason, I did the
above-mentioned saves of the two hive files.

I then did comparisons of the before and after system and software hive
files, and got the results I mentioned at the beginning of this post.

I would love to know why in the world the 2nd install of winXP ("scratch")
is affecting the first ("real"). I get the boot.ini mod; it's the restore points
and the hive changes I am asking about. As well as why that change shows up
only in the actual hive files but not in the "reg" exports.

Thanks guys.
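One way to do the key/value comparison of exported .reg files that the post describes, as an added Python example (not code from this thread or from any of the utilities referenced in it): it parses two regedit 5.00 exports and lists the keys and values that were added, removed or changed, so a "before" and "after" export of the system or software hive can be compared on content rather than on raw text. The sample exports and their key names are constructed for the demonstration.

```python
import re

# A value line of a regedit 5.00 export: @=... (default value) or "name"=...
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Return ({key paths}, {(key, value name): value text}) for one export.
    Read real .reg files with encoding="utf-16"; the default value is stored
    under name "" and value text (dword:.., hex:.., "str") is kept verbatim."""
    keys, values, current, buf = set(), {}, None, ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):        # long hex values continue on the next line
            buf = buf[:-1]
            continue
        line, buf = buf, ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.add(current)
        elif current and (m := _VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            values[(current, name)] = m.group(2)
    return keys, values

def diff_reg(before_text, after_text):
    """Report keys and values added, removed or changed between two exports."""
    kb, vb = parse_reg(before_text)
    ka, va = parse_reg(after_text)
    return {"keys_added": sorted(ka - kb), "keys_removed": sorted(kb - ka),
            "values_added": sorted(va.keys() - vb.keys()),
            "values_removed": sorted(vb.keys() - va.keys()),
            "values_changed": sorted(k for k in va.keys() & vb.keys() if va[k] != vb[k])}

# Constructed sample exports (not real hive contents) to exercise the diff.
BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"SystemSetupInProgress"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\Example]
@="old"
"""
AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"SystemSetupInProgress"=dword:00000001
"Blob"=hex:01,02,03,\
  04,05
[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"""
```

Calling `diff_reg(BEFORE, AFTER)` returns one sorted list per category; two exports that regedit wrote identically produce five empty lists.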