I was unfortunate enough to have my disk failing, AND for the failure to be exactly at the Windows registry file; eventually I got the Windows recovery to fail with:
Your PC/Device needs to be repaired
The operating system couldn't be loaded because the system registry file is missing or contains errors
File: \WINDOWS\system32\config\system
Error code: 0xc0000225
I have realized that at least Windows\System32\config\SYSTEM and Windows\System32\config\SOFTWARE are only 8 kB in size on the corrupt disk – and of course, Windows Recovery cannot help with this.
So, I cloned the failed drive, and then used Photorec to recover all recoverable files; and then I used the approach in "grep beginning of file?" to find all files that start with regf, which would make them candidates for Windows Registry hives:
find . -type f | while read file; do [[ "$(head -1 "$file" | tr -d ' ')" =~ ^regf ]] && ls -la "$file"; done > find_regf.txt
So I ended up with some 200+ files that are candidates for Windows Registry hives, but they are all named ./recup_dir.2/f0093640.reg, ./recup_dir.4/f0238192.reg and so on (a bit unfortunate naming, since .reg files are typically ASCII, and the hive files are binary, but OK).
So now I do not know which of those might be SYSTEM, SAM etc. hives; from "How to read Registry entries from disk archive?" it seems these are the basic Windows Registry hive files:

Registry hive                  Supporting files
HKEY_LOCAL_MACHINE\SAM         Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security    Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software    Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System      System, System.alt, System.log, System.sav
HKEY_CURRENT_CONFIG            System, System.alt, System.log, System.sav, Ntuser.dat, Ntuser.dat.log
HKEY_USERS\DEFAULT             Default, Default.log, Default.sav

So, is there some sort of a binary signature, or a specific key or value, I could search for, to tell me what kind of a Windows Registry file a given *.reg file is?
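
One way to triage the carved candidates, as an added example that is not part of the original post: read the 512-byte start of each regf file and report the path tail stored in the header, whether the header checksum holds, and whether the carve is shorter than the hive data size the header declares. The field offsets follow the community-documented regf base block layout (an assumption, not something stated in the post), the name field can be empty on some hives, and `triage_hive`, `regf_checksum` and `make_sample` are names made up for this example.

```python
import os, struct, sys

BASE_BLOCK = 4096  # size of the regf base block; hive bins follow it

def regf_checksum(header):
    """XOR of the first 127 little-endian dwords (bytes 0..507)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1

def triage_hive(header, file_size):
    """Summarise one carved file from its first 512 bytes; None if not regf."""
    if len(header) < 512 or header[:4] != b"regf":
        return None
    seq1, seq2 = struct.unpack_from("<II", header, 4)
    (bins_size,) = struct.unpack_from("<I", header, 40)
    (stored_sum,) = struct.unpack_from("<I", header, 508)
    # Offset 48: 64-byte UTF-16LE field, tail of the path the hive was loaded from
    name = header[48:112].decode("utf-16-le", "replace").split("\x00")[0]
    return {
        "name": name,                                        # may be empty
        "guess": name.rsplit("\\", 1)[-1].upper() or None,   # e.g. SOFTWARE
        "header_ok": stored_sum == regf_checksum(header),    # header intact?
        "clean": seq1 == seq2,                               # no pending write
        "truncated": file_size < BASE_BLOCK + bins_size,     # carve cut short?
    }

def make_sample(path_tail, bins_size):
    """Constructed base block for the demo; not data from a real hive."""
    hdr = bytearray(BASE_BLOCK)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, 7, 7)
    struct.pack_into("<I", hdr, 40, bins_size)
    enc = path_tail.encode("utf-16-le")[:64]
    hdr[48:48 + len(enc)] = enc
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    return bytes(hdr)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. recup_dir.*/*.reg
        with open(path, "rb") as fh:
            print(path, triage_hive(fh.read(512), os.path.getsize(path)))
    demo = make_sample("emRoot\\System32\\Config\\SOFTWARE", 0x2000)
    print("constructed sample:", triage_hive(demo[:512], len(demo) + 0x2000))
```

Candidates that report the same name can then be ranked by `header_ok`, `clean` and `truncated` before any of them is opened in a registry viewer.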