How do I read another hive with reg.exe?

<t0gogf$icr$1@dont-email.me>

From: T...@invalid.invalid (T)
Newsgroups: alt.comp.os.windows-10
Subject: How do I read another hive with reg.exe?
Date: Fri, 11 Mar 2022 16:11:59 -0800
 by: T - Sat, 12 Mar 2022 00:11 UTC

Hi All,

I am trying to use "reg.exe" (NOT REGEDIT!!!!) from the
command line to read the local machine's SAM hive from
rescue/troubleshooting rescue mode (booted from the
install ISO).

Would someone please correct this command line for me?

X:\> reg query
"D:\Windows\System32\config\SAM\hklm\Software\Microsoft\Windows
NT\CurrentVersion" /v "ProductName"

Many thanks,
-T

Re: How do I read another hive with reg.exe?

<wc2vaw46dnqc$.dlg@v.nguard.lh>

From: V...@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-10
Subject: Re: How do I read another hive with reg.exe?
Date: Fri, 11 Mar 2022 19:04:39 -0600
 by: VanguardLH - Sat, 12 Mar 2022 01:04 UTC

T wrote:

> I am trying to use "reg.exe" (NOT REGEDIT!!!!) from the
> command line to read the local machine's SAM hive from
> rescue/troubleshooting rescue mode (booted from the
> install ISO).
>
> Would someone please correct this command line for me?
>
> X:\> reg query
> "D:\Windows\System32\config\SAM\hklm\Software\Microsoft\Windows
> NT\CurrentVersion" /v "ProductName"

reg.exe does not read files by references. Run "reg.exe query /?" to
see what are the actual parameters. None of them is a filespec. Notice
what follows as an argument after the "query" is the keyname, not a
filename.

Per your example, and altered to retrieve the registry value for the
data item, run:

reg.exe query "hklm\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"

For me on the latest Windows 10 Home x64 21H2, the retrieved data value
for the "ProductName" data item is:

    ProductName    REG_SZ    Windows 10 Home
    -----.-----    ---.--    -------.-------
         |            |             |
     data item      data       data value
                    type

reg.exe reads from the loaded copy of the registry loaded with the
current instance of Windows. It does not support a filespec, like to
read registry files from some non-standard location.

Re: How do I read another hive with reg.exe?

<t0gs7d$3oi$1@dont-email.me>

From: T...@invalid.invalid (T)
Newsgroups: alt.comp.os.windows-10
Subject: Re: How do I read another hive with reg.exe?
Date: Fri, 11 Mar 2022 17:15:25 -0800
 by: T - Sat, 12 Mar 2022 01:15 UTC

On 3/11/22 16:11, T wrote:
> Hi All,
>
> I am trying to use "reg.exe" (NOT REGEDIT!!!!) from the
> command line to read the local machine's SAM hive from
> rescue/troubleshooting rescue mode (booted from the
> install ISO).
>
> Would someone please correct this command line for me?
>
> X:\> reg query
> "D:\Windows\System32\config\SAM\hklm\Software\Microsoft\Windows
> NT\CurrentVersion" /v "ProductName"
>
> Many thanks,
> -T

Figured it out

Offline (from the diagnostics cmd shell):

First find the drive letter of the Windows installation:

diskpart
-> List vol

Presuming it is D:

Note: DO NOT USE THE NAME OF THE HIVE. Just use xxxx or zzzz

reg load hklm\zzzz "D:\Windows\System32\config\Software"
The operation completed successfully.

reg query "hklm\zzzz\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
HKEY_LOCAL_MACHINE\zzzz\Microsoft\Windows NT\CurrentVersion
ProductName REG_SZ Windows 10 Pro

reg unload hklm\zzzz
The operation completed successfully.

Re: How do I read another hive with reg.exe?

<t0gvcm$dph$2@dont-email.me>

From: T...@invalid.invalid (T)
Newsgroups: alt.comp.os.windows-10
Subject: Re: How do I read another hive with reg.exe?
Date: Fri, 11 Mar 2022 18:09:26 -0800
 by: T - Sat, 12 Mar 2022 02:09 UTC

On 3/11/22 17:04, VanguardLH wrote:
> T wrote:
>
>> I am trying to use "reg.exe" (NOT REGEDIT!!!!) from the
>> command line to read the local machine's SAM hive from
>> rescue/troubleshooting rescue mode (booted from the
>> install ISO).
>>
>> Would someone please correct this command line for me?
>>
>> X:\> reg query
>> "D:\Windows\System32\config\SAM\hklm\Software\Microsoft\Windows
>> NT\CurrentVersion" /v "ProductName"
>
> reg.exe does not read files by references. Run "reg.exe query /?" to
> see what are the actual parameters. None of them is a filespec. Notice
> what follows as an argument after the "query" is the keyname, not a
> filename.

You have to load the hive and use the name you loaded
it under.

>
> Per your example, and altered to retrieve the registry value for the
> data item, run:
>
> reg.exe query "hklm\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"

That is for on line, not off line

>
> For me on the latest Windows 10 Home x64 21H2, the retrieved data value
> for the "ProductName" data item is:
>
>     ProductName    REG_SZ    Windows 10 Home
>     -----.-----    ---.--    -------.-------
>          |            |             |
>      data item      data       data value
>                     type
>
> reg.exe reads from the loaded copy of the registry loaded with the
> current instance of Windows. It does not support a filespec, like to
> read registry files from some non-standard location.

See my other post and how to do it correctly.

Re: How do I read another hive with reg.exe?

<t0hr3a$3g6$1@dont-email.me>

From: T...@invalid.invalid (T)
Newsgroups: alt.comp.os.windows-10
Subject: Re: How do I read another hive with reg.exe?
Date: Sat, 12 Mar 2022 02:02:16 -0800
 by: T - Sat, 12 Mar 2022 10:02 UTC

On 3/11/22 17:15, T wrote:
> On 3/11/22 16:11, T wrote:
>> Hi All,
>>
>> I am trying to use "reg.exe" (NOT REGEDIT!!!!) from the
>> command line to read the local machine's SAM hive from
>> rescue/troubleshooting rescue mode (booted from the
>> install ISO).
>>
>> Would someone please correct this command line for me?
>>
>> X:\> reg query
>> "D:\Windows\System32\config\SAM\hklm\Software\Microsoft\Windows
>> NT\CurrentVersion" /v "ProductName"
>>
>> Many thanks,
>> -T
>
>
> Figured it out
>
> Offline (from the diagnostics cmd shell):
>
> First find the drive letter of the Windows installation:
>
>     diskpart
>          -> List vol
>
> Presuming it is D:
>
> Note: DO NOT USE THE NAME OF THE HIVE.  Just use xxxx or zzzz
>
> reg load hklm\zzzz "D:\Windows\System32\config\Software"
> The operation completed successfully.
>
> reg query "hklm\zzzz\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
> HKEY_LOCAL_MACHINE\zzzz\Microsoft\Windows NT\CurrentVersion
>     ProductName    REG_SZ    Windows 10 Pro
>
> reg unload hklm\zzzz
> The operation completed successfully.

My notes:

What is my OS?

From the command line:
Note: "ProductName" for Windows 11 will show that
it is still Windows 10. The only way to tell them
apart is the "BuildLab"
19000 -> Windows 10
22000 -> Windows 11

C:\>reg query "hklm\Software\Microsoft\Windows NT\CurrentVersion" /v "BuildLab"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
BuildLab REG_SZ 22000.co_release.210604-1628

C:\>reg query "hklm\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
ProductName REG_SZ Windows 10 Pro
Note: incorrect in Windows 11

C:\>reg query "hklm\Software\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
DisplayVersion REG_SZ 21H2

C:\>reg query "hklm\Software\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
EditionID REG_SZ Professional

C:\>reg query "hklm\Software\Microsoft\Windows NT\CurrentVersion" /v "PathName"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
PathName REG_SZ C:\Windows

C:\Windows\System32\config\SAM
/run/media/<username>/Windows/Windows/System32/config/SAM

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"BuildLab"="22000.co_release.210604-1628"
"BuildLabEx"="22000.1.amd64fre.co_release.210604-1628"
"CurrentBuild"="22000"
"CurrentBuildNumber"="22000"
"DisplayVersion"="21H2"
"EditionID"="Professional"
"ProductName"="Windows 10 Pro"
"PathName"="C:\\Windows"

Offline (from the diagnostics cmd shell):

First find the drive letter of the Windows installation:

diskpart
-> List vol

Presuming it is D:

Note: DO NOT USE THE NAME OF THE HIVE. Just use xxxx or zzzz

reg load hklm\zzzz "D:\Windows\System32\config\Software"
The operation completed successfully.

reg query "hklm\zzzz\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
HKEY_LOCAL_MACHINE\zzzz\Microsoft\Windows NT\CurrentVersion
ProductName REG_SZ Windows 10 Pro

reg unload hklm\zzzz
The operation completed successfully.
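
The load / query / unload sequence from the posts above, wrapped as a cmd script that always unloads the hive and decides Windows 10 versus 11 by build number. This is an added example, not part of any poster's message; the script name, the mount name zz_offline_sw and the use of CurrentBuild (a value listed in the registry dump in the notes) are assumptions of the example.

```batch
@echo off
rem Added example, not from the thread. Usage (script name is hypothetical):
rem   offline-os.cmd D:
setlocal EnableExtensions
set "DRV=%~1"
if not defined DRV set "DRV=D:"
set "HIVE=%DRV%\Windows\System32\config\Software"
rem Temporary mount name (an assumption; any unused name that is not a real hive name).
set "MNT=HKLM\zz_offline_sw"
set "KEY=%MNT%\Microsoft\Windows NT\CurrentVersion"

if not exist "%HIVE%" (
    echo Hive file not found: %HIVE% 1>&2
    exit /b 2
)
rem Refuse to load over a key that already exists under HKLM.
reg query "%MNT%" >nul 2>&1 && (
    echo %MNT% already exists; unload it or pick another name. 1>&2
    exit /b 3
)
reg load "%MNT%" "%HIVE%" >nul || (
    echo reg load failed for %HIVE% 1>&2
    exit /b 4
)

rem The hive is now mounted: every path below ends at :unload.
set "BUILD="
for %%V in (ProductName EditionID DisplayVersion CurrentBuild BuildLab) do call :show %%V
if not defined BUILD (
    echo CurrentBuild not found in the offline hive. 1>&2
    goto unload
)
rem ProductName can still say Windows 10 on Windows 11, so decide by build number.
if %BUILD% GEQ 22000 (
    echo Detected: Windows 11, build %BUILD%
) else (
    echo Detected: Windows 10 or earlier, build %BUILD%
)

:unload
reg unload "%MNT%" >nul || echo WARNING: could not unload %MNT% 1>&2
endlocal
exit /b 0

:show
rem reg query prints "    Name    REG_SZ    Data"; the key-path line never matches the name.
for /f "tokens=1,2,*" %%A in ('reg query "%KEY%" /v %1 2^>nul') do (
    if /i "%%A"=="%1" (
        echo %1 = %%C
        if /i "%1"=="CurrentBuild" set "BUILD=%%C"
    )
)
exit /b 0
```

reg load and reg unload need administrative rights, so run this from the recovery command prompt or an elevated prompt.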

Re: How do I read another hive with reg.exe?

<t0j7jn$2lk$1@dont-email.me>

From: Zaidy...@air.isp.spam (Zaidy036)
Newsgroups: alt.comp.os.windows-10
Subject: Re: How do I read another hive with reg.exe?
Date: Sat, 12 Mar 2022 22:41:59 -0000 (UTC)
 by: Zaidy036 - Sat, 12 Mar 2022 22:41 UTC

T <T@invalid.invalid> wrote:
> On 3/11/22 17:15, T wrote:
>> On 3/11/22 16:11, T wrote:
>>> Hi All,
>>>
>>> I am trying to use "reg.exe" (NOT REGEDIT!!!!) from the
>>> command line to read the local machine's SAM hive from
>>> rescue/troubleshooting rescue mode (booted from the
>>> install ISO).
>>>
>>> Would someone please correct this command line for me?
>>>
>>> X:\> reg query
>>> "D:\Windows\System32\config\SAM\hklm\Software\Microsoft\Windows
>>> NT\CurrentVersion" /v "ProductName"
>>>
>>> Many thanks,
>>> -T
>>
>>
>> Figured it out
>>
>> Offline (from the diagnostics cmd shell):
>>
>> First find the drive letter of the Windows installation:
>>
>>     diskpart
>>          -> List vol
>>
>> Presuming it is D:
>>
>> Note: DO NOT USE THE NAME OF THE HIVE.  Just use xxxx or zzzz
>>
>> reg load hklm\zzzz "D:\Windows\System32\config\Software"
>> The operation completed successfully.
>>
>> reg query "hklm\zzzz\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
>> HKEY_LOCAL_MACHINE\zzzz\Microsoft\Windows NT\CurrentVersion
>>     ProductName    REG_SZ    Windows 10 Pro
>>
>> reg unload hklm\zzzz
>> The operation completed successfully.
>
>
> My notes:
>
>
>
> What is my OS?
>
>
> From the command line:
> Note: "ProductName" for Windows 11 will show that
> it is still Windows 10. The only way to tell them
> apart is the "BuildLab"
> 19000 -> Windows 10
> 22000 -> Windows 11
>
> C:\>reg query "hklm\Software\Microsoft\Windows NT\CurrentVersion" /v
> "BuildLab"
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
> BuildLab REG_SZ 22000.co_release.210604-1628
>
> C:\>reg query "hklm\Software\Microsoft\Windows NT\CurrentVersion" /v
> "ProductName"
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
> ProductName REG_SZ Windows 10 Pro
> Note: incorrect in Windows 11
>
> C:\>reg query "hklm\Software\Microsoft\Windows NT\CurrentVersion" /v
> "DisplayVersion"
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
> DisplayVersion REG_SZ 21H2
>
> C:\>reg query "hklm\Software\Microsoft\Windows NT\CurrentVersion" /v
> "EditionID"
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
> EditionID REG_SZ Professional
>
> C:\>reg query "hklm\Software\Microsoft\Windows NT\CurrentVersion" /v
> "PathName"
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
> PathName REG_SZ C:\Windows
>
>
> C:\Windows\System32\config\SAM
> /run/media/<username>/Windows/Windows/System32/config/SAM
>
> REGEDIT4
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
> "BuildLab"="22000.co_release.210604-1628"
> "BuildLabEx"="22000.1.amd64fre.co_release.210604-1628"
> "CurrentBuild"="22000"
> "CurrentBuildNumber"="22000"
> "DisplayVersion"="21H2"
> "EditionID"="Professional"
> "ProductName"="Windows 10 Pro"
> "PathName"="C:\\Windows"
>
>
> Offline (from the diagnostics cmd shell):
>
> First find the drive letter of the Windows installation:
>
> diskpart
> -> List vol
>
> Presuming it is D:
>
> Note: DO NOT USE THE NAME OF THE HIVE. Just use xxxx or zzzz
>
> reg load hklm\zzzz "D:\Windows\System32\config\Software"
> The operation completed successfully.
>
>
> reg query "hklm\zzzz\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
> HKEY_LOCAL_MACHINE\zzzz\Microsoft\Windows NT\CurrentVersion
> ProductName REG_SZ Windows 10 Pro
>
> reg unload hklm\zzzz
> The operation completed successfully.
>
>
>
