NTUSER.DAT
Whenever a user logs on, NTUSER.DAT is merged with the system's Windows registry so that the contents of the file appear as the HKEY_CURRENT_USER branch of the registry tree. The NTUSER.DAT file is stored under the root of the profile for the account. You can find the location for the profile by issuing the command echo %USERPROFILE% at a command prompt to see the contents of that environment variable; it is usually C:\Users\Username where Username is the name for the user's account. The NTUSER.DAT file is a hidden file and system file; you can see it from a command prompt using dir /ah %USERPROFILE%\NTUSER.DAT or dir /as %USERPROFILE%\NTUSER.DAT. To see it from Windows Explorer, you will have to enable the view of hidden and system files - see View Hidden and System Files, if you need instructions on how to enable the view of system and hidden files and folders.
If you are logged into an account, you won't be able to access or copy the NTUSER.DAT file for that account, as Windows will "lock" it. But, if you have administrator-level access, you can gain access to the NTUSER.DAT file for other accounts that aren't logged into the system. If you need to know the previous contents of a registry entry under HKEY_CURRENT_USER, aka HKCU, and have a backup of that file, you can read the contents of the file with a free Windows command line utility from NirSoft called RegFileExport. You could also use it to read the NTUSER.DAT file of an account that isn't logged into the system at the moment. You can see the options for the program by entering regfileexport /? at a command prompt; also see the ReadMe file for the program.
C:\Program Files\NirSoft\RegFileExport>regfileexport /?

RegFileExport v1.06
Copyright (c) 2010 Nir Sofer
Web Site: http://www.nirsoft.net

General syntax:
RegFileExport [Registry File] [Destination .Reg File] {Registry Key}

{Registry Key} is optional, if the key is specified, only this key and all its
subkeys will be exported into the .reg file.
if [Destination .Reg File] is an empty string ("") the Registry data will
be sent to the standard output.

Examples:
RegFileExport "E:\Windows\system32\config\SOFTWARE." "f:\temp\reg1.txt" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
RegFileExport "SOFTWARE" "" "Software\Microsoft\Windows NT\CurrentVersion"
RegFileExport "NTUSER.DAT" "ntuser-reg.txt"
RegFileExport "NTUSER.DAT" "ntuser-reg.txt" "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
If you wanted to read the contents of the HKEY_CURRENT_USER\Control Panel\Desktop registry key, under which is stored personalization information for the Windows desktop for a user, such as the wallpaper being used for the account, you could use a command similar to the one below to read the contents of an NTUSER.DAT file and save the contents to a text file or .reg file.
C:\Program Files\NirSoft\RegFileExport>regfileexport "c:\users\jdoe\ntuser.dat" "desktop_reg.txt" "HKEY_CURRENT_USER\Control Panel\Desktop"
In the example above, the output file in which the contents of that registry key are to be saved is the first parameter given to the program and is named desktop_reg.txt. The second parameter given to the program is the registry key to be read from NTUSER.DAT. Though in the example above the NTUSER.DAT file being read is one for another account on the system other than the one logged on at the moment, you could also specify a backup copy of the file for the currently logged on user, if you needed to see a prior version of what was stored in a particular registry key.
If you look at the value for Wallpaper in desktop_reg.txt, you will see it listed as shown below:
"Wallpaper"="C:\\Windows\\web\\wallpaper\\Windows\\img0.jpg"
There are two backslashes between the parts of the directory path when the registry contents are exported to a reg file, since a backslash can have special significance, so the first one serves as an escape character for the second. If you wish to reset the registry entries to what was stored in the file exported from regfileexport, name the output file as a .reg file and then double-click on it to have Windows read its contents and replace the current registry contents with those stored in the file. Note: in the example above that would reset all of the values under HKCU\Control Panel\Desktop, not just the one for the wallpaper.
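Before double-clicking a .reg file, it helps to see exactly which values it would change. The following is an added example (not part of the original article and not NirSoft's code): a short Python parser for regedit-style .reg text that undoes the backslash escaping described above and lists the values that differ between a backup export and a current export of HKEY_CURRENT_USER\Control Panel\Desktop. The sample exports, the jdoe picture path and the function names are constructed for illustration, and the export is assumed to have been read into a string already.

```python
import re

# "Name"=data or @=data (default value); a backslash in the name escapes the next character.
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg string escaping: \\ -> \ and \" -> "

def parse_reg(text):
    """Return {key_path: {value_name: data}} from regedit-style .reg text."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)  # join hex data continued with a trailing backslash
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            continue  # version header, blank line or comment
        name = '@' if m.group(1) is None else _unescape(m.group(1))
        raw = m.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = _unescape(raw[1:-1])  # REG_SZ
        elif raw.startswith('dword:'):
            current[name] = int(raw[6:], 16)      # REG_DWORD
        else:
            current[name] = raw                   # hex(...) data kept as written
    return keys

def diff_key(old, new, key):
    """Values under one key that differ between two parsed exports (key match ignores case)."""
    pick = lambda parsed: next((v for k, v in parsed.items() if k.lower() == key.lower()), {})
    a, b = pick(old), pick(new)
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}

# Constructed sample exports (not taken from a real profile)
BACKUP = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Windows\\web\\wallpaper\\Windows\\img0.jpg"
"WallpaperStyle"="10"
"UserPreferencesMask"=hex:9e,1e,07,\
  80,12,00,00,00
"ForegroundLockTimeout"=dword:00030d40
'''
CURRENT = BACKUP.replace(r'C:\\Windows\\web\\wallpaper\\Windows\\img0.jpg', r'C:\\Users\\jdoe\\Pictures\\new.jpg')

if __name__ == '__main__':
    print(diff_key(parse_reg(BACKUP), parse_reg(CURRENT), r'HKEY_CURRENT_USER\Control Panel\Desktop'))
```

Each entry in the result maps a value name to its (backup, current) pair, so an empty result means importing the backup would change nothing under that key.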
Created: Friday January 9, 2015