7

A Windows Server 2003 machine died recently but I need some information that was contained in the now-defunct server's registry. I have a "System State" backup file created by the Windows Server 2003 built-in backup program (NTBackup.exe). Is there any way to extract a key/value out of the backup file?

I might be able to do a Win2003 install on a similar machine then do a system-state restore but that's a lot of effort and I don't know for certain that the system-state restore will work on a different spec machine. (Would it work if I booted up in 'safe mode'?) But I'd really rather just get at the data straight out of the NTBackup file, zip-file-esque style, if that's possible.

phoenix8

2 Answers

9

Restore the System State portion of the backup on another machine running W2K3 or Windows XP, choosing the "Single Folder" option for the "Restore files to" and picking some sensible "Alternate location" (like a directory you make for that purpose). You'll be warned about how this is an "advanced" feature and that not all files will be restored. For your purposes, that's fine.

You'll get back a lot of the "%SystemRoot%\System32" directory (a lot of DLL files, etc), and the registry, too.

From there, the instructions that Shial (who seems to look rather like SHODAN) posted are the right track. Fire up "REGEDIT", highlight "HKEY_LOCAL_MACHINE" in your local registry, then use the "File / Load hive..." option. Choose the file from the "Alternate location" corresponding to the part of the registry you want to extract data out of (these files have no extension):

  • SYSTEM - HKEY_LOCAL_MACHINE\System
  • SOFTWARE - HKEY_LOCAL_MACHINE\Software
  • SECURITY - HKEY_LOCAL_MACHINE\Security
  • SAM - HKEY_LOCAL_MACHINE\SAM
  • DEFAULT - HKEY_USERS\.Default

Choose any name you want when loading the hive, so long as it isn't a name that's already used under HKEY_LOCAL_MACHINE. You're "mounting" that hive into your live registry, not unlike mounting an NTFS volume under a directory (except that you don't have to make the registry key to mount the hive into like you would an NTFS mount point).

When you're done, unload the hive by highlighting the key where it's mounted (HKEY_LOCAL_MACHINE\whatever_name_you_chose) and doing a "File / Unload hive...".

Evan Anderson
  • You're the first person who actually has recognized Shodan. That's sad, they need to put that game out again. – Shial Oct 23 '09 at 11:32
  • @Shial: A good set of games, the System Shock series. System Shock 2 absolutely scared the pants off of me, playing it in a dark room w/ headphones. I still get the willies if I think about the "Cybernetic Assassins" and the chittering little noises they make. Not to mention the spiders... oh, God, the spiders. – Evan Anderson Oct 23 '09 at 12:18
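The same load / read / unload sequence described in the answer above, scripted with reg.exe and the PowerShell registry provider instead of clicking through regedit. This is an added example, not code from either answer: the restore directory, the mount name, and the subkey/value it reads are assumptions, so change them to match your "Alternate location" and the data you actually need.

```powershell
# Added example (not from the original answers): mount a hive file restored from
# the NTBackup System State into the live registry, read one value, then unload it.
# Assumptions (not from the page): the hive files sit directly in $HiveDir and the
# subkey/value queried is only an illustration. Run from an elevated PowerShell
# session; reg.exe load/unload require administrator rights.

param(
    [string]$HiveDir   = 'C:\Restore\SystemState',   # assumed "Alternate location"
    [string]$HiveName  = 'SOFTWARE',                 # SYSTEM, SOFTWARE, SECURITY, SAM or DEFAULT
    [string]$SubKey    = 'Microsoft\Windows NT\CurrentVersion',
    [string]$ValueName = 'ProductName'
)

$hiveFile  = Join-Path $HiveDir $HiveName
$mountName = "Restored_$HiveName"        # must not collide with an existing HKLM key
$mountPath = "HKLM\$mountName"           # reg.exe path syntax
$psPath    = "HKLM:\$mountName\$SubKey"  # PowerShell provider path syntax

if (-not (Test-Path -LiteralPath $hiveFile)) {
    throw "Hive file not found: $hiveFile"
}
if (Test-Path -LiteralPath "HKLM:\$mountName") {
    throw "Key HKLM\$mountName already exists; pick a different mount name."
}

# reg.exe load is the command-line equivalent of regedit's "File / Load Hive...".
& reg.exe load $mountPath $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

try {
    $item  = Get-ItemProperty -LiteralPath $psPath -Name $ValueName -ErrorAction Stop
    $value = $item.$ValueName
    Write-Output "$HiveName\$SubKey\$ValueName = $value"
}
finally {
    # The provider keeps a handle on the mounted key while these variables exist;
    # drop them and force a collection so reg.exe unload does not report
    # "access denied" and leave the hive mounted.
    Remove-Variable item, value -ErrorAction SilentlyContinue
    [GC]::Collect()
    & reg.exe unload $mountPath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg.exe unload failed; unload HKLM\$mountName manually in regedit."
    }
}
```

Save it as a .ps1 and run it with the parameters that match your restore directory. The SAM and SECURITY hives carry account secrets for the dead server, so keep the restored copies on a volume with tight ACLs and delete them once you have the values you came for.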
5

I haven't done much with this on server 2003 but it should be the same as in xp. The registry is the set of files stored in c:\windows\system32\config; the various files without any extension (DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM) are the actual registry hives. You can manually mount them in regedit by selecting something like HKEY_LOCAL_MACHINE, then going to File and selecting the option to Load Hive, then selecting the file you extracted. It should ask you for a name to import it under, then you can access it from within there. It's under a subhive so it will not actually affect your normal registry. It has to be loaded inside one of the main hives; the option will be greyed out otherwise.

Shial
  • Cheers, that worked. I voted you up :) Evan's was slightly more detailed so I ticked that answer. What is the etiquette here -- it looks like only votes count towards rep and ticks are just there so the OP can say which one was used (and to 'sticky' the answer for others). Is that correct? – phoenix8 Oct 23 '09 at 09:39