To restore files backed up by ERU you need to reboot to native/real/true/pure MS-DOS mode: hold F8 at the bootup BIOS POST (Power On Self Test) screen to bring up the Startup Menu ➜ select the "Command prompt only" option ➜ press Enter.
-----Begin cut & paste here-----
@ECHO OFF
REM Exit on Windows NT based systems.
IF "%OS%"=="Windows_NT" GOTO END
REM Exit if vmm32 shows up in the memory listing (Windows GUI is running).
MEM /C | FIND /I "vmm32">NUL
IF NOT ERRORLEVEL 1 GOTO END
REM Switch to the backup folder and exit if no ERD.* file is there.
C:
CD\ERUBKP
IF NOT EXIST ERD.* GOTO END
IF EXIST ERD.EXE GOTO RUN
REM Rename ERD.E_E to ERD.EXE so it can be run.
IF EXIST ERD.E_E REN ERD.E_E ERD.EXE
:RUN
ERD.EXE
:END
EXIT
------End cut & paste here------
FYI: Microsoft removed Group Policy Editor (GPE) [respectively GPEdit.DLL + gpedit.msc] from all Home and Starter Editions of Windows XP/Vista/7/8/8.1/10/11! :-( Restore GPE on all Windows NTx [2000/XP/2003/Vista/2008/7/8/8.1/2012/10/2016/2019/11/2022] Editions.
(1) Main Heading [Tree]
(2) Hive [Root] Key
(3) Sub [Child] Key
(4) Value Name
(5) Value Data
(6) Value Type
[+] My Computer
 |
 |--[+] HKEY_CLASSES_ROOT (HKCR): Software settings, DDE, OLE,
 |      drag-and-drop, Win31 backward compatibility, shortcut settings and
 |      subkeys for every defined file association, also found ("cloned")
 |      at HKEY_LOCAL_MACHINE\Software\Classes ("alias" key) .
 |
 |--[+] HKEY_CURRENT_USER (HKCU): Currently logged on user
 |   |  configuration settings, also found at HKEY_USERS\Username .
 |   |  Subkeys:
 |   |
 |   |--[+] AppEvents: Assigned system and applications sound events
 |   |      settings.
 |   |
 |   |--[+] Control Panel: Control Panel settings, similar to those
 |   |      defined in SYSTEM.INI, WIN.INI and CONTROL.INI in
 |   |      Windows/WfWG 3.xx.
 |   |
 |   |--[+] Identities: Created and used by MS Outlook Express 4/5/6
 |   |      and its Address Book. [Thank you Ojatex!]
 |   |
 |   |--[+] InstallLocationsMRU (Most Recently Used): Installation and
 |   |      Startup folders paths.
 |   |
 |   |--[+] Keyboard: Current keyboard layout.
 |   |
 |   |--[+] Network: Network connection settings.
 |   |
 |   |--[+] RemoteAccess: Current logon location settings if using
 |   |      Dial-Up Networking (DUN).
 |   |
 |   *--[+] Software: Software configuration settings for the currently
 |          logged on user, sorted by developer/manufacturer/vendor.
 |
 |--[+] HKEY_LOCAL_MACHINE (HKLM): User independent hardware and
 |   |  software machine specific information: bus type, device drivers,
 |   |  keyboard layout etc. Subkeys:
 |   |
 |   |--[+] Config: System and software configuration.
 |   |
 |   |--[+] Drivers: Used by the Device Manager to keep track of active
 |   |      loaded drivers for hardware peripherals: PnP devices, PC
 |   |      cards, PCMCIA etc. [Thank you Ojatex!]
 |   |
 |   |--[+] Enum: Hardware devices information and settings.
 |   |
 |   |--[+] Hardware: Serial communication port(s) information and
 |   |      settings.
 |   |
 |   |--[+] Network: Information and settings about network(s) the user
 |   |      is currently logged on to.
 |   |
 |   |--[+] Security: Network security information and settings.
 |   |
 |   |--[+] Software: Software specific information and settings sorted
 |   |      by developer/manufacturer/vendor, each stored under its own,
 |   |      separate Subkey.
 |   |
 |   *--[+] System: System startup, device drivers and operating system
 |          information and settings.
 |
 |--[+] HKEY_USERS (HKU): Information about Desktop and user specific
 |      settings for each user who logs on to the same Windows 95/98/ME
 |      system. Each user has a separate subkey here. If there is only
 |      one user, the only subkey is .Default .
 |
 |--[+] HKEY_CURRENT_CONFIG (HKCC): Information about current hardware
 |      profile used by the local computer at startup, pointing to
 |      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current .
 |
 *--[+] HKEY_DYN_DATA (HKDD): Virtual key (exists only in memory)
     |  created every time Windows 95/98/ME initializes: dynamic
     |  configuration data about installed PnP devices. Changes constantly
     |  when hardware devices are added, swapped or removed on-the-fly.
     |
     |--[+] Config Manager: Hardware problem codes and status.
     |
     *--[+] PerfStats: System and network performance statistics.
-----Begin cut & paste here-----
REGEDIT4

; This key + value do NOT exist. Used here only as example!
[HKEY_LOCAL_MACHINE\Software\Multi_String]
"Multi String Value"=hex(7):48,65,6c,6c,6f,21,00,00
------End cut & paste here------
RegEdit v5.0 .REG file representation of same REG_MULTI_SZ Value above in Unicode format:
-----Begin cut & paste here-----
Windows Registry Editor Version 5.00

; This key + value do NOT exist. Used here only as example!
[HKEY_LOCAL_MACHINE\Software\Multi_String]
"Multi String Value"=hex(7):48,00,65,00,6c,00,6c,00,6f,00,21,00,00,00,00,00
------End cut & paste here------
In v5.0 each character of the word "Hello!" is expressed as a double byte (H = 48h,00h | E = 65h,00h | etc), but in v4.0 it is expressed as a single byte (H = 48h | E = 65h | etc).
-----Begin cut & paste here-----
REGEDIT4

; This is a comment line.
[HKEY_KEY_NAME\SubKeyName0\SubKeyName1\SubKeyName2\etc...]
; String Value:
"ValueName"="ValueData"
; DWORD or Binary Value:
"ValueName"=ValueType:ValueData
------End cut & paste here------
... And this is an example of actual text .REG file containing real Keys and Values:
-----Begin cut & paste here-----
REGEDIT4

; First Value below identifies MS Windows OS name:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
; String Value:
"Version"="Windows ME"
; DWORD Value:
"CacheWriteDelay"=dword:00000320
; Binary Value:
"OldWinVer"=hex:00,02
------End cut & paste here------
FYI: Cut & paste lines are not part of the .REG files, of course. 😎
Some inconsistencies exist between string representation in different versions of REG scripts (5.0 and 4), as the following example shows:
-----Begin cut & paste here-----
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\ 5]
; Name only: useful for flag values such as "AlwaysShowExt" [: required].
"0 REG_NONE"=hex(0):
; These strings are Unicode (probably UTF-16).
"1 REG_SZ"=hex(1):48,00,65,00,6c,00,6c,00,6f,00,2c,00,20,00,\
57,00,6f,00,72,00,6c,00,64,00,21,00,00
"2 REG_EXPAND_SZ"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
46,00,69,00,6c,00,65,00,73,00,25,00,00,00
"3 REG_BINARY"=hex(3):46,72,65,65,20,66,6f,72,6d,20,62,69,6e,61,72,79
"4 REG_DWORD_LITTLE_ENDIAN"=hex(4):12,34,56,78
"5 REG_DWORD_BIG_ENDIAN"=hex(5):12,34,56,78
"7 REG_MULTI_SZ"=hex(7):4c,00,69,00,6e,00,65,00,20,00,31,00,00,00,\
4c,00,69,00,6e,00,65,00,20,00,32,00,00,00,\
4c,00,69,00,6e,00,65,00,20,00,33,00,00,00,\
4c,00,69,00,6e,00,65,00,20,00,34,00,00,00,\
00,00
; Windows XP RegEdit silently imports this registry value type, but does not
; recognize nor display it properly. Probably Windows XP 64-bit edition does.
"b REG_QWORD_LITTLE_ENDIAN"=hex(11):12,34,56,78,9a,bc,de,f0
; So it does with this weird line.
"f REG_REDMOND_ONE_MICROSOFT_WAY"=hex(15):aa,bb,cc,dd,ee,ff
------End cut & paste here------
-----Begin cut & paste here-----
REGEDIT4
[HKEY_CURRENT_USER\ 4]
; Only this string is Unicode for REGEDIT4 script, the rest are ANSI.
; Probably RegEdit handles REG_SZ differently, even in this form.
"1 REG_SZ"=hex(1):48,00,65,00,6c,00,6c,00,6f,00,2c,00,20,00,\
57,00,6f,00,72,00,6c,00,64,00,21,00,00,00
"2 REG_EXPAND_SZ"=hex(2):25,50,72,6f,67,72,61,6d,\
46,69,6c,65,73,25,00
"7 REG_MULTI_SZ"=hex(7):4c,69,6e,65,20,31,00,\
4c,69,6e,65,20,32,00,\
4c,69,6e,65,20,33,00,\
4c,69,6e,65,20,34,00,\
00
------End cut & paste here------
Windows 95/98/ME RegEdit will expect:
"1 REG_SZ"=hex(1):48,65,6c,6c,6f,2c,20,57,6f,72,6c,64,21,00
Windows XP RegEdit exports REGEDIT4 scripts as text files encoded in current ANSI codepage (example):
-----Begin cut & paste here-----
REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage]
"ACP"="1251"
------End cut & paste here------
so localized value names and data should comply with it. But nothing will stop you from creating REGEDIT4 scripts as Unicode (as far as I know, only low-endian UTF-16 encoded text files with byte order mark FF FE are recognized) or Windows Registry Editor Version 5.00 scripts as ANSI encoded text files.

Windows 98 SE RegEdit (the DOS part of dual REGEDIT.EXE) imports REG_SZ value data verbatim, no translation done, so to be compatible, REGEDIT4 scripts should be properly encoded.

It appears that RegEdit simply parses scripts ignoring white space for value name (quoted string before equal sign), value type and value data [in generic form hex(#):b1,b2,b3... with #==3 if omitted together with both parentheses, or specific "string" for hex(1), dword:12345678 for hex(4)], then submits them along with data size to RegSetValueEx() Win32 API function, which in turn simply posts it to the Registry. You can make a value of type REG_NONE with arbitrary data, confuse RegEdit with non-four-byte REG_DWORD, explore and exploit buffer overflows with null-unterminated REG*_SZ values etc. 😎"

This comes directly from the "horse's mouth" (formerly independent developer Sysinternals was "acquired" by Microsoft) and demonstrates what can be done with the Registry using NT Native API... RegHide any1?
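The hex(#) value syntax and the malformed-data cases described above (non-four-byte REG_DWORD, unterminated strings, unrecognized type numbers) can be checked before a script is merged. This Python sketch is an added example, not code from the original page or its contributors; `audit_reg`, the `ansi` codepage default and the sample values are constructed for illustration, and REGEDIT4 string data is assumed to be single-byte as on Windows 95/98/ME.

```python
import re

STRING_TYPES = {1, 2, 7}                 # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
KNOWN_TYPES = {0, 1, 2, 3, 4, 5, 7, 11}  # 11 = REG_QWORD
# "name"=hex(#):b1,b2,... with # in hexadecimal (REG_QWORD is hex(b)); bare hex: is REG_BINARY.
VALUE_RE = re.compile(r'^\s*("(?:[^"\\]|\\.)*"|@)\s*=\s*hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')

def audit_reg(text, ansi="cp1252"):
    """Decode the hex-typed values of a .REG script: [(name, type, data, problems)]."""
    lines = (text.lstrip("\ufeff").replace("\r\n", "\n")
             .replace("\\\n", "").splitlines())      # also joins "\"-continued lines
    # Assumption: 5.00 data is UTF-16LE, REGEDIT4 data single-byte ANSI (the 95/98/ME reading).
    wide = bool(lines) and lines[0].startswith("Windows Registry Editor Version 5.00")
    width, codec = (2, "utf-16-le") if wide else (1, ansi)
    results = []
    for line in lines[1:]:
        m = VALUE_RE.match(line)
        if not m:
            continue                     # key, comment, "string" or dword: line
        name, type_hex, body = m.groups()
        rtype = int(type_hex, 16) if type_hex else 3
        data = bytes(int(b, 16) for b in body.replace(" ", "").split(",") if b)
        problems, decoded = [], data
        if rtype not in KNOWN_TYPES:
            problems.append("unknown type 0x%x" % rtype)
        if rtype in (4, 5) and len(data) != 4:       # both DWORD byte orders
            problems.append("DWORD with %d bytes" % len(data))
        if rtype in STRING_TYPES:
            nul = b"\x00" * width
            end = nul * 2 if rtype == 7 and len(data) > width else nul
            if len(data) % width:
                problems.append("byte count not a multiple of %d" % width)
            elif not data.endswith(end):
                problems.append("string not null-terminated")
            decoded = data[:len(data) - len(data) % width].decode(codec, "replace").rstrip("\x00")
            decoded = decoded.split("\x00") if rtype == 7 else decoded
        results.append((name.strip('"'), rtype, decoded, problems))
    return results

# Constructed sample (not a real export): one clean value and three malformed ones.
SAMPLE = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\Software\\Multi_String]
"Multi String Value"=hex(7):48,00,65,00,6c,00,6c,00,6f,00,21,00,00,00,\\
  00,00
"Short DWORD"=hex(4):12,34,56
"No terminator"=hex(1):48,00,69,00
"Odd type"=hex(11):12,34,56,78,9a,bc,de,f0
"""
```

Calling `audit_reg(SAMPLE)` returns one tuple per hex-typed value; any entry with a non-empty problems list is worth reviewing before the script is imported.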
-----Begin cut & paste here-----
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77708248-f839-436b-8919-527c410f48b9}]
@="Registry Editor"
"InfoTip"="Starts the Registry Editor"
"System.ControlPanel.Category"="5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77708248-f839-436b-8919-527c410f48b9}\DefaultIcon]
@="REGEDIT.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77708248-f839-436b-8919-527c410f48b9}\shell\open\command]
@="REGEDIT.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{77708248-f839-436b-8919-527c410f48b9}]
@="Add Registry Editor to Control Panel"
------End cut & paste here------
Then run REGEDTCP.REG from Windows Explorer or File Manager (FM = %windir%\WINFILE.EXE) to merge (import) this information into your Registry.
-----Begin cut & paste here-----
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Background\shell\regedit]
@="Registry Editor"
"SuppressionPolicy"=dword:0
"Icon"="REGEDIT.EXE,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Background\shell\regedit\command]
@="REGEDIT.EXE"
------End cut & paste here------
Then run REGEDTDT.REG from Windows Explorer or File Manager (FM = %windir%\WINFILE.EXE) to merge (import) this information into your Registry.
-----Begin cut & paste here-----
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\regedit]
@="Registry Editor"
"SuppressionPolicy"=dword:0
"Icon"="REGEDIT.EXE,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\regedit\command]
@="REGEDIT.EXE"
------End cut & paste here------
Then run REGEDTMC.REG from Windows Explorer or File Manager (FM = %windir%\WINFILE.EXE) to merge (import) this information into your Registry.
©1996-2023 MDGx (a.k.a. AXCEL216): Everything here is FREEware. Always free of ad(vertisement)s, cookies, tracking, malware + spyware. I have created [August 1996], maintain and update these web pages entirely by hand using Programmer's File Editor [replaced Notepad]. I do not promote, speak on behalf of, advertise or work for any computing, technology, news or internet profit business. All ©copyrights and ®registered trademarks retain owners' property.