[Vol-users] hive file dump

Jaroslav Brtan jaroslav.brtan at gmail.com
Mon Jun 10 03:37:26 CDT 2013


Hi everyone,

I would like to ask you if it is possible to dump the hive file from a
memory image.
For some reason the printkey cmd does not return expected values.
My VirtualBox Windows XP SP3 image contains vboxtray.exe in the RUN key,
but I don't see it in the printkey -K
"Software\Microsoft\Windows\CurrentVersion\Run" cmd output.

I am using Volatility version 2.3 beta.

I want to use Windows registry recovery tool to check if it is able to get
the info I need.

Thank you

Jaro