1
I accidently deleted the keys of my loaded NTUSER.dat file instead of unloading it.
The file is still about 15mb big, even though all the keys are gone.
Is there any way I can recover the keys?
Zulakis
Posted 2012-09-13T09:52:34.633
Reputation: 1 316
0
Looks like it isn't possible. If anyone has other ideas, feel free to post them!
Zulakis
Posted 2012-09-13T09:52:34.633
Reputation: 1 316
what would be interesting to know, is how windows store key/value pairs in registry. if registry is doing similar to what most file systems do when they delete stuff (removing entries in a TOC instead of removing the values themselves), there is a chance to recover the deleted keys. one possibility is that NTUSER.DAT grows over the time but don't shrink immediately (the extra space would contain deleted values). one way to quick check that is to open NTUSER.DAT in a hex editor and search for a particular string or hex string that was in the deleted keys. – tigrou – 2012-09-15T12:15:05.413
0
Perhaps with some registry forensic tool, but AFAICS the chances are rather slim.
Ansgar Wiechers
Posted 2012-09-13T09:52:34.633
Reputation: 4 860
2The only way I know is to use the built in ability for Windows to roll back to a recovery point. This is the reason people who don't know what they are doing should not modify the registry by hand. – Ramhound – 2012-09-13T10:30:15.597
since it was a loaded external registry hive, no recovery is possible, unless it was backed up by you somewhere else. – Moab – 2012-09-13T19:08:54.420