A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #13388  by Tigzy
 Wed May 23, 2012 5:41 pm
Hello

Something is pulling my hair out... :x

I use NTREG (library) to modify hives in an offline context (such as a live CD, OTLPE for instance).
When I play around with everything in the %sys32%/config directory (HKLM hives basically) the changes are taken correctly, but when I play with HKCU (%userprofile% / NTUSER.dat), at reboot I get a message box "Some registry entries have been restored from a copy" and I get a brand new desktop. (I guess because the profile is restored to its factory state.)

Is there a copy of the user hives somewhere that the system reads to compare with the current one?
Has someone already run into something like this?

EDIT: Seems my hive is really corrupted... :cry:

"Solved"
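The "Some registry entries have been restored from a copy" message and the "hive is really corrupted" conclusion above are what you see when the loader rejects a hive that was edited offline without its base block being kept consistent. The checker below is an added example, not code from the thread or from NTREG: it parses the first 4 KiB of a hive file (the base block, which starts with the `regf` signature), verifies the fields an offline editor has to keep in step (matching primary/secondary sequence numbers, a known format version, and the XOR checksum over the first 508 bytes), and can rewrite the checksum after an edit. The sample header it validates is constructed in the code for a hypothetical NTUSER.DAT, not taken from a real machine; the hive-bin and cell contents are not checked, and a real loader may also replay the hive's transaction log, so a clean result here only means the base block will not be rejected on sight.

```python
"""Validate the base block (first 4 KiB) of a Windows registry hive before deploying an offline edit."""
import struct

BASE_BLOCK_SIZE = 0x1000   # the base block is one 4 KiB page
CHECKSUM_OFFSET = 508      # checksum covers bytes 0..507, stored at 508
KNOWN_MINOR_VERSIONS = (3, 4, 5, 6)


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs before the checksum field, with the two
    reserved results remapped the way the kernel does (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        xor ^= dword
    if xor == 0:
        return 1
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return xor


def parse_base_block(base_block: bytes) -> dict:
    """Decode the header fields an offline editor must keep consistent."""
    if len(base_block) < BASE_BLOCK_SIZE:
        raise ValueError("base block must be at least 4096 bytes")
    sig, primary_seq, secondary_seq = struct.unpack_from("<4sII", base_block, 0)
    major, minor, file_type, file_format, root_cell, hbins_size = struct.unpack_from("<6I", base_block, 20)
    raw_name = struct.unpack_from("<64s", base_block, 48)[0]
    (stored_checksum,) = struct.unpack_from("<I", base_block, CHECKSUM_OFFSET)
    return {
        "signature": sig,
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        "major": major,
        "minor": minor,
        "file_type": file_type,
        "file_format": file_format,
        "root_cell": root_cell,
        "hbins_size": hbins_size,
        "file_name": raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0],
        "stored_checksum": stored_checksum,
    }


def check_base_block(base_block: bytes) -> list:
    """Return a list of findings; an empty list means the base block looks consistent."""
    findings = []
    h = parse_base_block(base_block)
    if h["signature"] != b"regf":
        findings.append("bad signature %r (expected b'regf')" % h["signature"])
    if h["primary_seq"] != h["secondary_seq"]:
        findings.append("sequence numbers differ (%d != %d): hive is dirty, last write never completed"
                        % (h["primary_seq"], h["secondary_seq"]))
    if h["major"] != 1 or h["minor"] not in KNOWN_MINOR_VERSIONS:
        findings.append("unexpected format version %d.%d" % (h["major"], h["minor"]))
    if h["file_type"] != 0:
        findings.append("file type %d is not a primary hive file" % h["file_type"])
    if h["hbins_size"] % BASE_BLOCK_SIZE != 0:
        findings.append("hive bins size 0x%x is not page aligned" % h["hbins_size"])
    expected = regf_checksum(base_block)
    if h["stored_checksum"] != expected:
        findings.append("stored checksum 0x%08x does not match computed 0x%08x"
                        % (h["stored_checksum"], expected))
    return findings


def fix_checksum(base_block: bytes) -> bytes:
    """Rewrite the checksum field: the step an offline editor must do after touching any header field."""
    patched = bytearray(base_block)
    struct.pack_into("<I", patched, CHECKSUM_OFFSET, regf_checksum(patched))
    return bytes(patched)


def build_sample_base_block(primary_seq=5, secondary_seq=5, minor=5) -> bytes:
    """Constructed sample: a base block for a hypothetical NTUSER.DAT, not read from any real file."""
    block = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into("<4sII", block, 0, b"regf", primary_seq, secondary_seq)
    struct.pack_into("<Q", block, 12, 0)                         # last-written FILETIME (zeroed)
    struct.pack_into("<6I", block, 20, 1, minor, 0, 1, 0x20, 0x1000)  # ver 1.x, primary, direct load
    struct.pack_into("<I", block, 44, 1)                         # clustering factor
    name = "\\??\\C:\\Users\\u\\ntuser.dat".encode("utf-16-le")  # constructed path
    assert len(name) <= 64
    block[48:48 + len(name)] = name
    return fix_checksum(bytes(block))


if __name__ == "__main__":
    for label, blk in (("clean", build_sample_base_block()),
                       ("dirty", build_sample_base_block(primary_seq=6, secondary_seq=5))):
        print(label, check_base_block(blk) or "OK")
```

Run it against the first 4096 bytes of a hive copied off the offline system before rebooting it; a "sequence numbers differ" finding means the hive is dirty and the loader will try the log or a backup copy, and a checksum finding means whatever wrote the header forgot the last step that `fix_checksum` performs.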
 #13465  by Tigzy
 Mon May 28, 2012 8:02 am
Very good indeed... I didn't know there was a Microsoft API for this :(
Now my dev is done, and I really don't want to recode all this shit :D

Thank you anyway

EDIT:

Well, this is a non-native dll (not present by default in all Windows versions), so I would have to embed it.
I prefer native code instead. ;)