Is there a tool or technique that would allow a user to browse the contents of the registry captured within a Ghost 10 image (Windows XP Pro SP2) that is mounted as virtual volume?  In other words, can one examine the contents of the registry as it existed at the time the image was created?

Thank you for your assistance.

Based on its description, the Registry Tool utility might be able to accomplish the objective.

Anyone have experience with this utility?

Pleonasm,

I did a trial run with RegistryEditorPE and it looks promising. The plugin download and instructions are on

http://regeditpe.sourceforge.net/

You only need RegistryEditorPE.exe. Run this file (from WinXP, not BartPE) and direct it to the Windows folder of your mounted image.

Brian, thanks for the post.

In Step #10 where it says “Registry Editor PE will begin loading the registry hives”, what does that really mean?  Is Registry Editor PE loading the ‘remote’ hives into the current and active Windows registry?  (Sounds dangerous.)

In Step #13 where it says “Registry Editor PE will then begin the clean-up process, which involves unloading the registry hives and user profiles and writing them back to disk,” wouldn’t this fail because the Ghost 10 image is read-only?  Would the solution be to copy the folder “\WINDOWS\system32\config” (Windows XP Pro SP2) from the Norton Ghost 10 image to a temporary folder on the hard disk drive and ‘point’ Registry Editor PE to it?

Pleonasm, perhaps I misread your initial post. You can browse the registry of the mounted image and you can edit the registry or make changes to files and folders in the virtual drive but any edits or changes are ephemeral and will disappear when the image is dismounted. When the image is mounted again it’s the same image you originally created.

I’ve used RegistryEditorPE (from BartPE) to delete the [MountedDevices] registry entries from a partition I had deliberately made non bootable by doing Copy Drive into a partition. The test was successful as the partition then booted.

I don’t understand how the program loads registry hives.

Pleonasm, while you can certainly use some other software (such as RegistryEditorPE or Registry Tool) to access a remote registry, it's really not necessary.

mount your ghost c: backup as virtual drive (e.g. f:)
start
run
regedit
select/navigate to the HKEY_LOCAL_MACHINE key
File/Load Hive
 f:\windows\system32\config\
Pick the hive file (e.g. SOFTWARE) you want to load and proceed.  You'll be prompted for a keyname to use.  Use REMOTE_SOFTWARE for example.

http://regeditpe.sourceforge.net/images/11_HIves_in_regedit75.jpg

You don't have to "unload hive" if you don't want to save anything, which you can't do anyway into the virtual mouted drive.  To actually modify/save anything you need bartPE boot cd.

Always best to completely backup your registry before doing anything, of course.

Ghost4me, thanks for providing an excellent solution!

Brian, thank you for your helpful posts, too.

Ghost4me,

Thanks. Your technique helped me find some registry entries which disappeared this morning. They were in last night's backup image so I'll restore it now.

The ability to “look back in time” at the registry (and optionally copy selected keys) is a nice ancillary benefit of using Ghost 10.

It is nice. I wouldn't have thought of searching the registry of a backup image if you hadn't started this thread.