A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows XP » Security and Administration with Windows XP
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

request recomendation for "offline" registry hive diff utility



 
 
Thread Tools Display Modes
  #1  
Old February 12th 10, 02:22 AM posted to microsoft.public.windowsxp.security_admin
GrandpaFerret
external usenet poster
 
Posts: 17
Default request recomendation for "offline" registry hive diff utility

I have two sets of system, system.LOG, software, and software.LOG hive files.
One set is "before", the other is "after".

I am looking for a good utility that will let me compare them, and having
trouble finding one. There are two requirements that I have having trouble
finding a tool that can fulfill:

1) I dont have a full set of registry files... just these four, basicly the
system hive and the software hive.

2) Both sets are "off-line" (not part of an actively running os.

Running WinXP Pro with current updates (SP1-3, plus 80+ wupdate updates.)

Thanks for the help.

Ads
  #2  
Old February 13th 10, 06:03 AM posted to microsoft.public.windowsxp.security_admin
John Wunderlich
external usenet poster
 
Posts: 1,466
Default request recomendation for "offline" registry hive diff utility

=?Utf-8?B?R3JhbmRwYUZlcnJldA==?=
wrote in
:

I have two sets of system, system.LOG, software, and software.LOG
hive files.
One set is "before", the other is "after".

I am looking for a good utility that will let me compare them, and
having trouble finding one. There are two requirements that I
have having trouble finding a tool that can fulfill:

1) I dont have a full set of registry files... just these four,
basicly the system hive and the software hive.

2) Both sets are "off-line" (not part of an actively running os.

Running WinXP Pro with current updates (SP1-3, plus 80+ wupdate
updates.)

Thanks for the help.



Probably the best approach is to individually load each hive into
Regedit (with the same name), then File-Export it to a .reg file.
You can then use a Text-Compare tool such as freeware "WinMerge" to
point out the differences.

WinMerge:
http://winmerge.org/

HTH,
John

  #3  
Old February 14th 10, 04:08 AM posted to microsoft.public.windowsxp.security_admin
GrandpaFerret
external usenet poster
 
Posts: 17
Default request recomendation for "offline" registry hive diff utility

John, Thank you for giving me the answer so quickly. I have no problem at
all with your approach and understand most of it... I hope you will do me
the favor of a follow up that will clarify things enough in my mind to allow
me to do as you sugested.

Its the "best approach is to individually load each hive into Regedit (with
the same name)" part I am not sure about.

Two point of confusion on my part:
1) I had already looked into trying to import a hive using regedit but the
only option I could find was to import a ".reg" (text) version, not the
actual registry file itself.
2) If you loaded the hive along the lines you are suggesting, it becomes
part of the active OS's registry, right? That sounds very dangerous to the
future integrity of the OS install in question.

The only way I have come up with to interpret your suggestion ("the best
approach is to individually load each hive into Regedit (with the same
name)") would be to bring the system up under another OS (say linux) and
replace the winXP hive file (say .../config/system) on a winXP system disk
with the system file from one of my two sets and then reboot into that winXP
OS.

I thought about a second alternative of trying to find a program that would
convert system to system.reg amd then use regedit to import it, but I see two
posable problems with that...
1) If I had a program that would export a single hive file to .reg format I
would have the answer to my original question and we would be done!
2) would not the result of the import be a murge of the active hive and the
imported hive rather than a replacement of the active hive with the imported
hive?

I am not trying to argue with someone who is trying to help me. Sorry if it
sounds like i am.... but I know very little about this area of windows, but
what I do know is that it is very dangerous to fool around with if you dont
know what you are doing....

Soooo, exactly what did you mean when you said " Probably the best approach
is to individually load each hive into Regedit (with the same name)"

By the way, I do have a scratch winXP install laying around that I can
afford to screw-up. Its just that if I am going to screw it up I would like
to get the data I need out of it before totally hosing it. :

Hope to hear back from you soon.

Thanks.
  #4  
Old February 14th 10, 04:51 AM posted to microsoft.public.windowsxp.security_admin
GrandpaFerret
external usenet poster
 
Posts: 17
Default request recomendation for "offline" registry hive diff utility

John,

I get it now. Forgot to look at changing the file type in the export dialog
box. That little weird way of thinking about stuff has always screwed me up.
I am much happier in unix land, mostly solaris, some irix, some linux.

You will probably get a grin over another screwup I made. made a restore
point, then imported/expored the two "before" hive files. Then restored to
the restore point I made in preperation for doing the two afet files. Did
the two after files and then noticed my two before .reg files were missing.

duh. (red face)

thanks for the help!

  #5  
Old February 14th 10, 07:14 AM posted to microsoft.public.windowsxp.security_admin
John Wunderlich
external usenet poster
 
Posts: 1,466
Default request recomendation for "offline" registry hive diff utility

=?Utf-8?B?R3JhbmRwYUZlcnJldA==?=
wrote in
:

John, Thank you for giving me the answer so quickly. I have no
problem at all with your approach and understand most of it... I
hope you will do me the favor of a follow up that will clarify
things enough in my mind to allow me to do as you sugested.

Its the "best approach is to individually load each hive into
Regedit (with the same name)" part I am not sure about.

Two point of confusion on my part:

[...]
2) If you loaded the hive along the lines you are suggesting, it
becomes part of the active OS's registry, right? That sounds very
dangerous to the future integrity of the OS install in question.

[...]

Soooo, exactly what did you mean when you said " Probably the best
approach is to individually load each hive into Regedit (with the
same name)"


As you've probably found out, after starting Regedit, you click once
on the HKLM key then do a File-Load Hive. Select your hive then It
will then ask you for a name to mount it as. Give it a random name.
Yes, it will become part of HKLM but since you gave it a random name,
nothing knows to look there. After exporting, you then unload the
hive and you're back to normal.

When you mount the "after" hive, you need to mount it with the same
name you used for the "before" hive because this name becomes part of
the export and a different name will cause everything to mismatch.

-- John

  #6  
Old February 14th 10, 07:20 AM posted to microsoft.public.windowsxp.security_admin
John Wunderlich
external usenet poster
 
Posts: 1,466
Default request recomendation for "offline" registry hive diff utility

=?Utf-8?B?R3JhbmRwYUZlcnJldA==?=
wrote in
:

John,

I get it now. Forgot to look at changing the file type in the
export dialog box. That little weird way of thinking about stuff
has always screwed me up.
I am much happier in unix land, mostly solaris, some irix, some
linux.

You will probably get a grin over another screwup I made. made a
restore point, then imported/expored the two "before" hive files.
Then restored to the restore point I made in preperation for doing
the two afet files. Did the two after files and then noticed my
two before .reg files were missing.

duh. (red face)

thanks for the help!


Glad you got it working. Probably a better way to get a copy of the
registry than creating Restore points is to use the freeware program
"ERUNT" which will backup your registry to an easy-to-get-to folder.

ERUNT: http://www.larshederer.homepage.t-online.de/erunt/

HTH,
John

  #7  
Old February 14th 10, 05:10 PM posted to microsoft.public.windowsxp.security_admin
Jim[_30_]
external usenet poster
 
Posts: 812
Default request recomendation for "offline" registry hive diff utility


"GrandpaFerret" wrote in message
...
I have two sets of system, system.LOG, software, and software.LOG hive
files.
One set is "before", the other is "after".

I am looking for a good utility that will let me compare them, and having
trouble finding one. There are two requirements that I have having
trouble
finding a tool that can fulfill:

1) I dont have a full set of registry files... just these four, basicly
the
system hive and the software hive.

2) Both sets are "off-line" (not part of an actively running os.

Running WinXP Pro with current updates (SP1-3, plus 80+ wupdate updates.)

Thanks for the help.

The five hive files are SYSTEM, SOFTWARE, SAM, SECURITY and HARDWARE. These
files have no extension.

The HARDWARE hive is manufactured new at each boot of the computer. It may
be super hidden.

The contents of the SAM hive are not documented as far as I know. It may be
super hidden anyway. I have no knowledge about the contents of the SECURITY
hive.

The files with the .LOG extension are transaction logs of the changes to a
hive.

Files with the SAV extension contain a copy of a hive made at the end of the
text mode phase of the Windows setup program.

It may be possible to compare versions of the SYSTEM and SOTWARE hives.
But, it is pointless to try to compare the SYSTEM and the SYSTEM.LOG files
(for example).

You can find lots and lots of interesting information in "Microsoft Windows
Registry Guide" by Jerry Hunnicutt. This book is published by Microsoft
Press.

Jim



  #8  
Old February 15th 10, 06:02 PM posted to microsoft.public.windowsxp.security_admin
GrandpaFerret
external usenet poster
 
Posts: 17
Default request recomendation for "offline" registry hive diff utility

John/Jim,

Thank both of you for your help and for the references (utilities and book.)

I did the comparison on the system.before/system.after and and the
software.before/software.after files.

Interestingly, although the XP "DOS" FC command said there were lots of
differences, windiff on the exported .reg files said they were identical.

I actually went back and re-did the procedure to make sure I was exporting
and comparing the correct sets of files and got the same result.

I am a little puzzled over this.

A little regression might be of intrest at this point.

So, what is "before" and "after" you may be wondering?

I wanted to get a "not hot" backup of my winXP install. Something I learned
the hard way from my VMS days and have had confirmed in my life in the
beastie called UNIX.

So after I did the first ("real") install of winXP, I booted off of a
"Fedora Live" cd and made copies of the hive files. These became my "before"
set.

I then did a (almost) unatted(ed) install of winXP ("scratch") into a
different partition.

Then I booted Fedora Live again and made the "after" copy of the hive files.

Then I booted into the 2nd winXP ("scratch") install, installed PQ's
DriveImage 7 and made a backup of the 1st winXP ("real") install.

I had actually done this whole process before except that instead of backing
up the hives I simply did a recursive directory listing (with date and size).
I was expecting there to be no differences in these listings as the 2nd
winXP ("scratch") install should not have any effect on the first ("real").

Wrong! There was the overlooked modification to boot.ini. Okay. That one
I get.

There were also changes in the directory listings indicating that the
install of the 2nd winXP OS ("scratch") had caused the addition of restore
points TO THE FIRST winXP OS's ("real") "root drive" (C: in this case)...
(totally unexpected) as well as modifying the first winXP ("real") OS's
"software" and "system" hives (again, totally unexpected.)

So when I had to redo all of this for an unrelated reason, I did the above
mentioned saves of the two hive files.

I then did comparisons of the before and after system and software hive
files, and got the results I mentioned at the beginning of this post.

I would love to know why in the world the 2nd install of winXP ("scratch")
is effecting the first ("real"). I get boot.ini mod; its the restore points
and the hive changes I am asking about. As well as why that change shows up
only in the actual hive files but not in the "reg" exports.

Thanks guys.
  #9  
Old February 15th 10, 06:09 PM posted to microsoft.public.windowsxp.security_admin
GrandpaFerret
external usenet poster
 
Posts: 17
Default request recomendation for "offline" registry hive diff utility

Amendment to my last post.

Sorry... I goofed one point in my last post. I get the addition of the
restore files on the "real" "root drive" (C by the install of the "scratch"
version of winXP on the L: drive. Its the mod's to the "real" OS's hive
files that I am interested in.

Thanks.
 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off






All times are GMT +1. The time now is 04:22 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.