Windows Registry
Coping with partly encrypted hive files
Has ransomware encrypted the first x KB of your files? No problem. Use the --ignore-base-block switch, which is supported by regdump and regview.
Recovering deleted registry keys
Use hivescan
When was this key deleted?
Use the -b switch of hivescan. This creates a bodyfile of all the keys in this file, including deleted ones (which are marked with (deleted)).
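To turn that bodyfile into a timeline of deleted keys only, the filter below can be run over it. This is an added example, not part of the toolkit: it assumes the standard 11-field bodyfile layout and that the (deleted) marker appears in the name field, and since this page does not say which timestamp column hivescan fills, it takes the latest populated one.

```python
import sys
from datetime import datetime, timezone

DELETED_MARKER = "(deleted)"  # marker named on this page

# Constructed sample, assumed layout (TSK 3.x bodyfile):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE = (
    "0|\\Software\\Vendor\\App|0|0|0|0|0|-1|1700000000|-1|-1\n"
    "0|\\Software\\Vendor\\Run|Once (deleted)|0|0|0|0|0|-1|1700003600|-1|-1\n"
    "0|\\Software\\Old (deleted)|0|0|0|0|0|-1|1690000000|-1|-1\n"
    "truncated line without enough fields\n"
)


def parse_line(line):
    """Return (name, [atime, mtime, ctime, crtime]) or None if malformed."""
    _md5, sep, rest = line.rstrip("\r\n").partition("|")
    # Split from the right: a key name may itself contain '|'.
    parts = rest.rsplit("|", 9)
    if not sep or len(parts) != 10:
        return None
    try:
        return parts[0], [int(t) for t in parts[6:10]]
    except ValueError:
        return None


def deleted_keys(lines):
    """Return [(iso_utc_time, key_path)] for deleted keys, oldest first."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or DELETED_MARKER not in parsed[0]:
            continue
        name, stamps = parsed
        # Which column is populated is an assumption; take the latest valid one.
        hits.append((max((s for s in stamps if s > 0), default=0), name))
    hits.sort()
    return [
        (datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts else "unknown", name)
        for ts, name in hits
    ]


if __name__ == "__main__":
    # Pass the bodyfile path as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            rows = deleted_keys(fh)
    else:
        rows = deleted_keys(SAMPLE.splitlines())
    for when, key in rows:
        print(f"{when}  {key}")
```

A registry key node stores a last-written time rather than a deletion time, so treat the printed value as the earliest point at which the key can have been deleted.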