3

Is there any way to get a copy of %systemroot%\system32\config\system, once the system is up and running? I know the OS puts a lock on this file to keep it from getting trashed, but all I need is to be able to read it, long enough to grab a copy. Perhaps something in the 'native API' would do it?

JustJeff

3 Answers

6

The reason you're unable to copy that file is not a permission issue, or Windows being "protective" about the file; the problem is, that file is always in use (and therefore locked) on a running system.

When loaded, the file is mapped to HKLM\System; you can use reg.exe to export its contents, both in text and binary format:

reg export HKLM\System system.reg
reg save HKLM\System system.hiv

The first one can be opened using any text editor; the latter is a full binary dump, and can be opened by loading it in REGEDIT.

Also, be aware that certain subkeys of HKLM\System are not stored on disk, but are rather populated at runtime by the OS (the most notorious one is CurrentControlSet); so, dumping/saving them might make no sense at all.

Massimo
  • Ok, so windows puts a lock on the file. I *know* there's a lock on the file. What purpose does this lock serve other than to protect the file from corruption by other processes? – JustJeff Apr 23 '12 at 22:47
  • @justjeff Re-read this answer, it explains *why* the actual file is locked -- it's actively *in use* by the OS. – jscott Apr 23 '12 at 22:58
  • So what you're trying to say here, and not saying explicitly, is that there is so much ongoing change in the file (as a result of windows using it), that there's no meaningful snapshot that can be taken of it? – JustJeff Apr 23 '12 at 23:21
  • @JustJeff If you need a place-in-time copy, PXE (or live CD/DVD) boot the computer, and grab the file. – jscott Apr 24 '12 at 00:22
  • Writes to the system hive are infrequent. I'm not sure whether the reg save command (or the equivalent API function) generates a snapshot in the strict sense, but it is certainly a usable copy under normal circumstances. If you'll tell us why you want the copy we may be able to advise you better. – Harry Johnston Apr 24 '12 at 02:47
  • In regards to your other question: in Unix, opening a file does not lock it by default, and the programmer needs to take extra steps to lock it if they want to. In Windows, opening a file locks it by default, and the programmer needs to take extra steps if they want it to remain unlocked. Now, it's trivial to open a file and leave it unlocked, but few people bother unless there's a specific reason to do so. So the system hive may just be locked by default, there doesn't need to be a purpose for the lock per se. – Harry Johnston Apr 25 '12 at 00:46
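An added example, not part of any answer above, that takes the `reg save` copy the accepted answer describes and sanity-checks the resulting file before relying on it: it reads the hive's 512-byte base block, checks the "regf" signature, compares the primary and secondary sequence numbers (equal when the hive was written consistently), and records a hash of the copy. It assumes an elevated PowerShell session on Windows; the output path is a constructed choice.

```powershell
# Added example (not from the original answers): snapshot the SYSTEM hive with
# reg.exe save and verify the header of the saved file.
# Assumption: elevated PowerShell session; $OutFile is an arbitrary constructed path.
$OutFile = Join-Path $env:TEMP 'system.hiv'

# reg.exe save writes a binary hive copy; /y overwrites an existing file.
& reg.exe save 'HKLM\SYSTEM' $OutFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg save failed with exit code $LASTEXITCODE" }

# Only the 512-byte base block is needed; the hive header fields live there.
$hdr = New-Object byte[] 512
$fs = [System.IO.File]::OpenRead($OutFile)
try { $read = $fs.Read($hdr, 0, $hdr.Length) } finally { $fs.Dispose() }
if ($read -lt 512) { throw "File too short to be a registry hive" }

# Offset 0: 4-byte ASCII signature, always 'regf' for a hive file.
$sig = [System.Text.Encoding]::ASCII.GetString($hdr, 0, 4)
if ($sig -ne 'regf') { throw "Bad signature '$sig'; expected 'regf'" }

# Offsets 4 and 8: primary/secondary sequence numbers. They match when the
# last write completed; a mismatch means the hive was caught mid-update.
$seq1 = [BitConverter]::ToUInt32($hdr, 4)
$seq2 = [BitConverter]::ToUInt32($hdr, 8)

# Offset 12: last-written timestamp as a 64-bit FILETIME.
$lastWritten = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($hdr, 12))

# Offsets 20 and 24: hive format major/minor version.
$major = [BitConverter]::ToUInt32($hdr, 20)
$minor = [BitConverter]::ToUInt32($hdr, 24)

# Offset 48: 64-byte UTF-16LE hive name field, NUL-padded.
$name = [System.Text.Encoding]::Unicode.GetString($hdr, 48, 64).TrimEnd([char]0)

[pscustomobject]@{
    File        = $OutFile
    SizeBytes   = (Get-Item $OutFile).Length
    Consistent  = ($seq1 -eq $seq2)
    LastWritten = $lastWritten
    Version     = "$major.$minor"
    HiveName    = $name
    SHA256      = (Get-FileHash -Algorithm SHA256 -Path $OutFile).Hash
}
```

Keep the SHA256 value alongside the copy so a later reader can tell whether the saved hive has been altered since it was taken.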
2

I think you want the Volume Shadow Copy Services.

On a server platform, the Diskshadow command-line interface is available.

Harry Johnston
0

Unless you need a copy that's right up to date it can sometimes be simpler to just restore the file from backup to a different location.

John Gardeniers