CAINE 1.5 Installed... WINE and Windows Registry Recovery

[joetekno]

Using WINE and Mitec's Windows Registry Recovery to view Windows Registry entries.

Copy the “Hive” files to your “/evidence/config” directory

1. Open a terminal window
2. Become the root user
a. Type: sudo su

3. Maneuver to the /evidence directory and create a subdirectory named config
a. Type: cd /evidence
b. Type: mkdir config

4. Mount your image file
a. See “CAINE 1.5 Installed and MMLS to mount NTFS image file” for more information on how to do this

5. Copy the “Hive” files from the image to the /evidence/config directory
a. cp /media/evidence/WINDOWS/system32/config/* /evidence/config/

6. Change the permissions on the copied files to allow the mitec program to access them
a. chmod 666 /evidence/config/*


Downloading and Installing a Windows application with Wine

1. Open a browser and go to www.mitec.CZ
2. Download the “Windows Registry Recovery” application
3. Save the WRR.zip file to your desktop
4. Double Click the WRR.zip file
5. Right Click the WRR.EXE file and select “Open with…”
6. Select “Wine Windows Program Loader”
7. Click the “Open” button

Using the Mitec Windows Registry Recovery application

1. Select the File… Open… menu
2. Select /evidence/config…{some hive file}
3. Click the “Raw Data” button

Sam – HKEY_LOCAL_MACHINE\SAM
Security – HKEY_LOCAL_MACHINE\SECURITY
Software – HKEY_LOCAL_MACHINE\SOFTWARE
System – HKEY_LOCAL_MACHINE\SYSTEM
Default – HKEY_USERS\.DEFAULT

[MAX.KNIGHT68]

hello,
I need to know what format is accepted by Windows Registry Recovery.
I have downloaded the sw from the site mentioned in the post, then, in order to make a test (for practice), i have been on my pc and i have opened regedit and exported my pc's registry on a file in order to use it in wrr, but, when i tried to open the file into WRR it told me that the file is in a not supported format.

Just to explain
The first time i have exported the registry in a .reg file format
The second time i tried the same operation exporting in a .txt file format

but nothing happened... the result was a fail in both cases... so i want to know in what file format i have to export the registry taking in consideration that regedit exports in the following formats:

log(?) files (*.reg) - file di registrazione
registry hive files (*.*) - file hive del Registro di Sistema
text file (*.txt) - file di testo
Win9x/NT4 log(?) files (*.reg) - file di registrazione Win9x/NT4
All files - Tutti i files

Notice: since i have italian version of Windows 7, i have reported the entries that regedit shows to me (in both italian and the correspondent translated version in english with the hope that the translated entries are the most possible corresponding... if not, you can open regedit on your windows pc and choose export, when a dialog open it will show the allowed file formats for export operation).
Any suggestion is accepted.
Thank you in advance

[joetekno]

From the mitec website... This application allows to read files containing Windows 9x,NT,2K,XP,2K3 registry hives.

7 is not supported.

Regards,

Joe

[MAX.KNIGHT68]

hello,
just for curiosity i wanted to see if there was a newest version of the software on the site MiTec and i have seen that windows 7 is supported... so i have thought "this is a newer version" and i have downloaded it...
but the result was the same under Wine it seems to have problems to recognize the file exported from regedit.
To cross-check I downloaded the same program and I run it directly under windows and I saw that it works.
So... what i have to think now?
WRR seems to have compatibility with wine... isn't it?

Thank you in advance

[joetekno]

It may be a problem with Wine but I'd try this...

Copy the registry files from the raw disk to the same location in the wine directory structure... then run WRR.

HKEY_LOCAL_MACHINE \SYSTEM : \system32\config\system
HKEY_LOCAL_MACHINE \SAM : \system32\config\sam
HKEY_LOCAL_MACHINE \SECURITY : \system32\config\security
HKEY_LOCAL_MACHINE \SOFTWARE : \system32\config\software
HKEY_USERS \UserProfile : \winnt\profiles\username
HKEY_USERS.DEFAULT : \system32\config\default

So you would copy c:\system32\config\system from the Windows 7 system you are investigating TO c:\system\config\system in the Wine Directory structure. Then run WRR and see if it works.

Regards,

Joe

[MAX.KNIGHT68]

Thank you very much
Finally i succeded. Few minutes ago i tried step by step what you wrote to answer me in the post and it works...
In order to do this i have copied some parts of my original win 7's registry by exporting them in some files.
Then i have copied those files on a pendrive and then again i have copied them in my VM with Caine installed on it.
After several attempts i have found the directories in the C: drive of wine and i put the files in the C: drive and i have started WRR and opened the files in it!!!
So i have seen that it works also under wine but now there is a new question:

if i make an image of my C:\ drive containing the operating system how can i extract the registry files raw data from the image?

Thank you in advance for your patience and your reply

Regards.

Max.

[joetekno]

You can see my post here: https://cainelive.rpg-board.net/t39-using-caine-and-mmls-to-mount-an-image-of-an-ntfs-drive

Once you mount the image you will have access to the file system as if it were just another attached drive.

Regards,

Joe

[MAX.KNIGHT68]

Okay, Thank you very much
you're so kind
have a nice day

Regards,
Max

[Sponsored content]