How to recover user hive without saving it

Discussion in 'Windows 10' started by Flayv, Sep 3, 2015.

Flayv (MDL Novice, Aug 3, 2015)
#1 Flayv, Sep 3, 2015
Last edited by a moderator: Apr 20, 2017

Hi!

I'm playing with the registry and I'd like to know how to recover the user hive after a crash (BSOD, corrupted partition/registry...). I can't save it beforehand.

Here is the trick: I have a shared home partition (between Mac, Windows and Linux, on a hackintosh, but whatever) and Windows saves NTUSER.DAT inside this partition. I did this with a symlink inside C:\Users\myname to the drive E:\. If Windows crashes, I'd like to just reinstall Windows and symlink my account to the drive again to recover everything.

The problem is, if I do this, at the login screen, when I click connect, Windows writes "connexion" then "deconnexion" without creating the desktop. It doesn't recognize/block the user hive. I tried to understand the registry to know why.
If I'm correct, each user profile is listed in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
Windows loads the connected users' hives inside HKU, and the current user's is also inside HKCU.

I tried to understand which value in ProfileList\SID could block Windows from loading the user hive, but I can't find anything. Even the SID isn't stored in the user hive, so it can't be this.

Does anyone have a clue?

Edit:
It looks like it's a permission problem. I've just tested giving all NTFS permissions to the user with
    icacls.exe E:\ /grant LAPTOPNAME\Myname:F /T /C /Q
but it didn't change anything.

Then I tried to load the hive manually, give full rights (with subinacl, a downloadable Microsoft tool) and reconnect:
    reg load HKEY_USERS\test E:\NTUSER.DAT
    "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /subkeyreg HKEY_USERS\test /grant=LAPTOPNAME\Myname=F
    reg unload HKEY_USERS\test
And it worked! It logged in with the right profile. Now I have another problem: some parts of the GUI don't open up, like the Windows menu, Cortana or the indicators (sound, wifi...) when I click.

Inside the registry, ProfileList\MySID has full access for my user but ProfileList\MySID_Classes doesn't have rights. Maybe it's saved in a different file (not in NTUSER.DAT)? Which one?
I tried to give full access to this key with the GUI but it didn't work. I'm not sure I did it right with the GUI; I'd like to do it with the command line to be sure.

Edit 2:
I've just found the file: %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat

    reg load HKEY_USERS\Test E:\AppData\Local\Microsoft\Windows\UsrClass.dat
    "C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /subkeyreg HKEY_USERS\Test /grant=OBSIDIAN\Test2=F
    reg unload HKEY_USERS\Test
But it didn't improve anything. Note that of 3594 entries, 494 failed with subinacl.

I hope someone has another clue.
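An added example, not the poster's commands and not Microsoft tooling: the same load / grant / unload sequence done in PowerShell through the .NET registry ACL API, which returns the list of keys it could not change instead of only counting them as subinacl did. Registry ACEs hold SIDs rather than account names, so an account recreated after a reinstall gets a new SID that matches no ACE in the old hive (an assumption about why the hive is refused, consistent with the permission fix described above). Assumes an elevated session, a logged-off profile owner, and the placeholder values E:\NTUSER.DAT, LAPTOPNAME\Myname and RecoverHive.

```powershell
# Added example, not code from the original post. Mounts an offline user hive
# under HKEY_USERS, grants one account Full Control on every key it can reach,
# unloads the hive and returns the keys whose DACL refused the change.
# Assumes an elevated session and that the profile owner is logged off.
# Hypothetical placeholders: E:\NTUSER.DAT, LAPTOPNAME\Myname, RecoverHive.
function Grant-HiveFullControl {
    param([string]$HiveFile, [string]$Account, [string]$MountName)
    # reg.exe is the supported way to mount a hive file into the live registry.
    & reg.exe load "HKU\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile" }
    # One Allow ACE, inherited by subkeys, for the account given by name.
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Account,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $users  = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::Users,
        [Microsoft.Win32.RegistryView]::Default)
    $failed = New-Object System.Collections.Generic.List[string]
    $stack  = New-Object System.Collections.Generic.Stack[string]
    $stack.Push($MountName)
    # Depth-first walk. A key that cannot be opened for ChangePermissions is
    # recorded and skipped (its subtree too) rather than aborting the run.
    while ($stack.Count -gt 0) {
        $path = $stack.Pop()
        $key  = $null
        try {
            $key = $users.OpenSubKey($path,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                [System.Security.AccessControl.RegistryRights]::ReadKey)
            $acl = $key.GetAccessControl()
            $acl.AddAccessRule($rule)
            $key.SetAccessControl($acl)
            foreach ($sub in $key.GetSubKeyNames()) { $stack.Push("$path\$sub") }
        } catch { $failed.Add($path) } finally { if ($key) { $key.Close() } }
    }
    $users.Close()
    # Every handle into the hive must be closed before the unload succeeds.
    & reg.exe unload "HKU\$MountName" | Out-Null
    return $failed
}

# Run it for NTUSER.DAT; repeat with UsrClass.dat for the HKCR part of the profile.
$failed = Grant-HiveFullControl -HiveFile 'E:\NTUSER.DAT' `
    -Account 'LAPTOPNAME\Myname' -MountName 'RecoverHive'
"$($failed.Count) key(s) could not be changed:"; $failed
```

Keys still listed as failed grant neither WRITE_DAC nor ownership to the administrator running the script, so ownership has to be taken on those first before their DACL can be rewritten.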