Where does Windows Vista store registry data on the hard drive?

Question

If you can believe it, a program I've been using for several years saves its data using the Windows registry!

I need to recover this data from a backup drive.

Where does Windows Vista store registry information on the hard drive?

I've looked in C:\Windows\system32\config but I've seem to hit a dead end here. Here's the contents of that directory:

256K May 31  2008 BCD-Template
 37K May 31  2008 BCD-Template.LOG
  0B Nov  2  2006 BCD-Template.LOG1
  0B Nov  2  2006 BCD-Template.LOG2
 30M Jun 30 15:04 COMPONENTS
1.0K Dec 21  2006 COMPONENTS.LOG
256K Jun 30 15:04 COMPONENTS.LOG1
  0B Nov  2  2006 COMPONENTS.LOG2
8.0K Nov  2  2006 COMPONENTS.SAV
512K Jun 30 15:04 DEFAULT
1.0K Dec 21  2006 DEFAULT.LOG
256K Jun 30 15:04 DEFAULT.LOG1
  0B Nov  2  2006 DEFAULT.LOG2
 20K Nov  2  2006 DEFAULT.SAV
  0B Nov  2  2006 Journal/
8.0K Jun 21 09:36 RegBack/
256K Jun 30 07:57 SAM
1.0K Dec 21  2006 SAM.LOG
256K Jun 30 07:57 SAM.LOG1
  0B Nov  2  2006 SAM.LOG2
256K Jun 30 15:04 SECURITY
1.0K Dec 21  2006 SECURITY.LOG
256K Jun 30 15:05 SECURITY.LOG1
  0B Nov  2  2006 SECURITY.LOG2
8.0K Nov  2  2006 SECURITY.SAV
 39M Jun 30 15:04 SOFTWARE
1.0K Dec 21  2006 SOFTWARE.LOG
256K Jun 30 15:05 SOFTWARE.LOG1
  0B Nov  2  2006 SOFTWARE.LOG2
9.7M Nov  2  2006 SOFTWARE.SAV
 17M Jun 30 15:04 SYSTEM
1.0K Dec 21  2006 SYSTEM.LOG
256K Jun 30 15:04 SYSTEM.LOG1
  0B Nov  2  2006 SYSTEM.LOG2
1.7M Nov  2  2006 SYSTEM.SAV
4.0K Sep 22  2008 TxR/
4.0K Jun 30 07:58 systemprofile/

I'm looking for HKEY_CURRENT_USER/Software/...

Answer 1

The HKCU hive is held in NTUSER.DAT (or a similar filename) under the profile's directory:

C:\Users\<NAME>\Ntuser.dat

You can enable viewing system files or when opening the file in regedit select HKEY_LOCAL_MACHINE, Go to File » Load Hive, Browse to C:\Users\<NAME>, Type Ntuser.dat into the file name box and select Open.

Answer 2

You are in the right directory, the registry hives are the files with no file extensions, with the exception of HKCU, which is the NTUSER,dat file

http://ezinearticles.com/?Windows-XP-Registry-Files-Revealed---Structure-And-Location&id=763552

In the registry, there are hives that correspond to several files. Hives are a collection of keys, subkeys and values that contain the configurations for the operating system and programs. In the registry, there are 5 groups: HKEY_CLASSES_ROOT(HKCR), HKEY_CURRENT_USER(HKCU), HKEY_LOCAL_MACHINE(HKLM), HKEY_USERS(HKU), and HKEY_CURRENT_CONFIG(HKCC).

For the corresponding hives, you will see several types of extensions: no extension, .alt, .log, and .sav.

No Extension: The complete registry hive

.alt: An alternate copy of the registry hive

.log: A log of changes that have occurred within the registry hive

.sav: This is an automatic backup created from when a setup or program installation occurs.

Here are the corresponding files:

HKCC: System, System.alt, System.log, System.sav

HKCU: Ntuser.dat, Ntuser.dat.log

HKLMSAM: Sam, Sam.log, Sam.sav

HKLMSecurity: Security, Security.log, Security.sav

HKLMSoftware: Software, Software.log, Software.sav

HKLMSystem: System, System.alt, System.log, System.sav

HKU.DEFAULT: Default, Default.log, Default.sav