Registry Restore Wizard Options

[d4vr0s]

I'm hoping someone can explain how to enumerate the ntuser.dats from the system restore folder. I know S-1-5-18 thru -20 are build in accounts, but how about for multiple users? There are a few programs to do it in a live windows, but for recovery purposes it would be nice to ID them from bartpe.
Then maybe viceroy could update this app to make use of them.

[twindude]

I second that.....

the plugin needs some registry ID's for the BS_Explorer i'm thinking..

it will come up but errors out because of start functionality is looking for some settings that not there but in xpe are!

with nu2menu or/and xpe runs great...

[twindude]

using BS_Explorer

getting error:

Runtime error '52':
Bad file name or number

But if i clik on nu2menu..........runs great...

[twindude]

I understand that it needs VBSupport......

i have added the vbsupport plugin and enabled it........

also add dll from windows os cd............in system32

but still no vail.........


i would like to know if somone has an xml file that will start the vbsupport...

i don't think it is starting on boot and not sure how to turn it on.........

[pcuser]

twindude,

Here's the inf file that I use to enable vb support:

CODE

; vb.inf
; PE Builder v3 plug-in INF file for Visual Basic 6 & 5
; Created by Benjamin Cordingley
; http://www.nu2.nu/pebuilder/
;

[Version]
Signature= "$Windows NT$"

[PEBuilder]
Name="VB"
Enable=1
Help="vb.htm"

; Add your stuff here...
[SourceDisksFiles]
OLEAUT32.DLL=2
OLEPRO32.DLL=2
ASYCFILT.DLL=2
STDOLE2.TLB=2
MSVBVM60.DLL=2
MSVBVM50.DLL=2
COMCAT.DLL=2

Hope this helps,

Tom

[viceroy]

There are several problems in determining the NTUSER.DAT locations from the external registry. The vital thing you must know is the location of the profiles folder. In NT4, this is at %SystemRoot%\Profiles. In Win 2000 and above it is at %SystemDrive%\Documents and Settings unless you upgraded from NT4. On my machine I also noticed the SYSTEM user created a profile when I logged in through the screen saver trick in an odd location: %SystemRoot%\system32\config\systemprofile. For all anyone knows, other profiles could be created there too.

I can think of no foolproof way of to find an offline profiles directory and match it to the offline system registry. You could scan for any of the above mentioned areas, but that would break in a mutliboot system, and would not work if the directory was customized. You could, of course, load the system registry as a hive into the PE registry to find some keys that specify the location. There are 2 problems still with that method.
1 - There are no keys that specify the NTUSER.DAT location exactly. Just some keys that specify the temporary directory and other such stuff in the profiles, which can't provide an always accurate locaton of NTUSER.DAT.
2 - If you do use a majority-rules style determining algorithm for the profiles directory, then you must decide whether to read from the newer potentially corrupted registry files or from the older backups? What if the profiles directory has changed during the backups?

Another question is this: What should the program do if it doesn't find a user backup but has a system backup? Should it refuse to revert to the backup? Promt the user? In reality, system registry backups are made often while leaving the user registry alone.

And of course there is the final issue of getting the username from the SID in System Restore. However this is only an issue in the System Restore backups (which I nevertheless suspect the vast majority of backups are). I'm fairly certain that a bit of digging in the Windows registry format will yield a simple method of key lookup to convert SIDS to usernames, but the same problems exist for reading backup hives as those listed above before (backup vs. recent corrupted).

One question I still have: Is there any method of changing the profiles directory and its NTUSER.DAT? Does anyone know of a program to do this in regular Windows? Or better yet, anyone have the registry entry for it?

PS: I'd also like to apologize for this post, since it is very late in this neck of the woods and I'm not sure I made the issues all that clear.

PPS:
@twindude
"Run time error 52"
That sounds like a bug on my part. I haven't used BS Explorer in any depth, but I guess I should try it and see. I doubt this will fix anything, but just in case, could you try to enter the following line in Command Prompt while in PE:

CODE

for /d %i in (OLEAUT32.DLL OLEPRO32.DLL MSVBVM60.DLL COMCAT.DLL) do regsvr32 %SystemRoot%\System32\%i /S

Thanks.

[d4vr0s]

@viceroy
Thanks for the reply
What you say makes sense.
How about a little program that just has a message box with translation of the sids to users? That way we could manually restore the ntuser.dat if we needed to.

[twindude]

@viceroy

will this inf start vbsupport ?

; vb.inf
; PE Builder v3 plug-in INF file for Visual Basic 6 & 5
; Created by Benjamin Cordingley
; http://www.nu2.nu/pebuilder/
;

[Version]
Signature= "$Windows NT$"

[PEBuilder]
Name="VB"
Enable=1
Help="vb.htm"

; Add your stuff here...
[SourceDisksFiles]
OLEAUT32.DLL=2
OLEPRO32.DLL=2
ASYCFILT.DLL=2
STDOLE2.TLB=2
MSVBVM60.DLL=2
MSVBVM50.DLL=2
COMCAT.DLL=2

[twindude]

@viceroy

ran:

for /d %i in (OLEAUT32.DLL OLEPRO32.DLL MSVBVM60.DLL COMCAT.DLL) do regsvr32 %SystemRoot%\System32\%i /S


still the same error.....

[twindude]

@viceroy

did you figure it out...........

I can't seem to see what is missing............?

[viceroy]

@twindude
I tried BS Explorer with regreswiz.exe and no errors came up. Could you please post your configuration files for BS Explorer from the PEBuilder temp directory?

[twindude]

@viceroy

this is all that is in the pebldr\programs\RegResWiz :
Change txt:
license.txt
readme.txt
regreswiz.exe

[twindude]

A fresh load of PE Builder 3.0.32

These PLUGINS only:

AutoDirver
BGinfo
BS Explorer
Network Support
RAMDISK
REGISTRY RESTORE WIZARD
Serial Mouse
StartupGroup (disable)
VBsupport
Results: nothing won’t load?

Then tried this….
New Bart load 3.0.32

ASPI
BS Explorer
ExplorerXP
RAMDISK
RegBrowser
REGISTRY RESTORE WIZARD (added cab plugin)
Rpc
Serial Mouse
USB & IEEE 1394 Support
VBsupport

Results:
Error: Invalid picture

[twindude]

sorry for all of the trouble

and

thanks for all the help


solution is

in M$ virtual server is acting up and it wasn't loading the VM correctly....

createds a new VM and works.......

thanks for all the help