Windows Registry

Coping with partly encrypted hive files

Has ransomware encrypted the first x KB of your files? No problem: use the --ignore-base-block switch, which is supported by regdump and regview.
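A triage check for this situation, as an added example that is not part of regdump or regview: it tests whether the damage is confined to the base block of a hive. It assumes the standard regf layout (a 4 KiB base block with an XOR-32 checksum at offset 0x1FC, followed by hbin blocks); the function names and the sample hive are constructed for illustration.

```python
import struct

BASE_BLOCK_SIZE = 4096   # the regf base block occupies the first 4 KiB
CHECKSUM_OFFSET = 0x1FC  # XOR-32 over the 127 dwords before this offset

def base_block_checksum(block: bytes) -> int:
    """XOR the first 508 bytes as little-endian dwords."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        value ^= dword
    if value == 0xFFFFFFFF:   # the format reserves both extreme values
        return 0xFFFFFFFE
    return value or 1

def triage(hive: bytes) -> dict:
    """Check the base block and count the hive bins that follow it."""
    block = hive[:BASE_BLOCK_SIZE]
    base_ok = False
    if len(block) >= CHECKSUM_OFFSET + 4 and block[:4] == b"regf":
        (stored,) = struct.unpack_from("<I", block, CHECKSUM_OFFSET)
        base_ok = stored == base_block_checksum(block)
    bins, pos = 0, BASE_BLOCK_SIZE
    # Each hbin starts with a 32-byte header: signature, offset, size, ...
    while pos + 32 <= len(hive) and hive[pos:pos + 4] == b"hbin":
        (size,) = struct.unpack_from("<I", hive, pos + 8)
        if size == 0 or size % 4096:
            break             # bin sizes are always multiples of 4 KiB
        bins += 1
        pos += size
    return {"base_block_ok": base_ok,
            "intact_hbins": bins,
            "damage_confined_to_base_block": not base_ok and bins > 0}

def make_sample_hive() -> bytes:
    """Constructed minimal hive: valid base block plus one empty hbin."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    checksum = base_block_checksum(bytes(block))
    struct.pack_into("<I", block, CHECKSUM_OFFSET, checksum)
    hbin = bytearray(4096)
    hbin[:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 4096)  # offset 0, size 4096
    return bytes(block + hbin)

if __name__ == "__main__":
    hive = make_sample_hive()
    damaged = b"\xA5" * 1024 + hive[1024:]  # constructed: first 1 KiB overwritten
    print(triage(hive))
    print(triage(damaged))
```

When the overwritten region reaches past offset 4096, the first hbin signature is gone as well and `intact_hbins` drops to 0 for this sample.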

Recovering deleted registry keys

Use hivescan

When was this key deleted?

Use the -b switch of hivescan. It creates a bodyfile of all the keys in the file, including deleted ones, which are marked with (deleted).