"Mike Blomgren" <mike.blomgrenat_private> writes: > No - but I'd like a tool that can decipher the 'ntuser.dat' file, so we > don't have to log on as the specific user that caused the problems. > Does anyone known of a way of 'reading'/enumerating a users own > registryfile (HKCU)? There is supposedly a driver for Linux, to mount > the registryfile - and browse everything like a directory. But that > seems to be like crossing the river for water... Well, first off you can probably find the user's tree sitting under the registry entry HKEY_USERS\S-{whatever}\ on any machine they've logged into. But, assuming that you just have the ntuser.dat file (say you ftp'ed it over, or carried it on floppy to an unaffected machine), then the easiest thing to do is to load the registry hive contained in that file into your registry, say as the key HKEY_USERS\ProblemGuy This is, in concept, very similar to mounting a filesystem on a unix machine - you can tell NT that all the registry entries under that key will refer to entries in the ntuser.dat file that you copied over. To do this, start up regedt32 and, if it's not already open, open the local registry. (From the Registry menu) Then go to HKEY_USERS from the Window menu, and select HKEY_USERS in the window that pops up. Then select "Load hive" from the Registry menu and choose the file you want to examine; when asked for the key name say "ProblemGuy". You can then examine the registry tree under HKEY_USERS\ProblemGuy to your hearts content with your favorite registry examination tools; just don't forget to unload the hive when finished. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Sep 17 2001 - 08:30:04 PDT
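
The load / examine / unload cycle described in the message above can also be scripted. The following is an added example, not part of the original message: it uses reg.exe's load and unload subcommands in place of the regedt32 menus, and the file path is a hypothetical placeholder. It assumes an elevated PowerShell prompt and a working copy of the hive rather than the original evidence file.

```powershell
# Added example. Assumptions: elevated prompt, a working COPY of the hive,
# and a hypothetical case path. ProblemGuy is the key name from the message.
$HiveCopy = 'C:\cases\ProblemGuy\ntuser.dat'   # hypothetical path to the copied file
$Mount    = 'HKU\ProblemGuy'

# Record the hash first: loading a hive can write to the file and create
# .LOG files beside it, so the copy may no longer match the original afterwards.
$before = (Get-FileHash -Path $HiveCopy -Algorithm SHA256).Hash
Write-Output "SHA256 before load: $before"

& reg.exe load $Mount $HiveCopy | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE); is the prompt elevated?" }

try {
    $root = 'Registry::HKEY_USERS\ProblemGuy'
    # Per-user autostart entries: a common first stop when one profile misbehaves.
    foreach ($sub in 'Run', 'RunOnce') {
        $path = "$root\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $sub; Name = $name; Data = $key.GetValue($name) }
        }
        $key.Close()
    }
}
finally {
    # Open handles keep the hive busy and make the unload fail with
    # "Access is denied", so release them before unloading.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload $Mount | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; close any tool still holding $Mount and retry"
    }
}
```

The unload sits in the finally block so the hive is released even if the enumeration throws, which covers the "don't forget to unload" step.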