Saturday 15 August 2015

Sysinternals Autoruns - offline analysis

This post discusses how to use Sysinternals Autoruns in the offline mode if all you have are registry hives.

1.      Create the following file structure for the system registry hives to fool Autoruns into thinking you’re giving it the Windows folder.
a.      <FOLDER>\System32\ntdll.dll [can be an empty file]
b.      <FOLDER>\System32\Config\SAM
c.      <FOLDER>\System32\Config\SYSTEM
d.      <FOLDER>\System32\Config\SOFTWARE
e.      <FOLDER>\System32\Config\SECURITY
2.      Recreate the user’s hives
a.      <FOLDER>\NTUSER.DAT
b.      [on Vista+] <FOLDER>\AppData\Local\Microsoft\Windows\UsrClass.dat
        [pre-Vista] <FOLDER>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Now just point your Autoruns at these two folders and you’re ready to go!
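The staging layout above, as an added example script (not from the original post): it copies hives from a flat extraction folder into the fake "Windows" and user folders, reports which artifacts are missing, and assumes the source folder holds the hives under their original names.

```python
"""Stage extracted registry hives into the folder layout Autoruns expects
for offline analysis (added example; not from the original post)."""
import shutil
from pathlib import Path

# Hives Autoruns reads from the fake "Windows" folder (relative to <FOLDER>).
SYSTEM_HIVES = ("SAM", "SYSTEM", "SOFTWARE", "SECURITY")
# Relative path of the per-user class hive; it differs by Windows generation.
USRCLASS_REL = {
    True: Path("AppData/Local/Microsoft/Windows/UsrClass.dat"),                     # Vista+
    False: Path("Local Settings/Application Data/Microsoft/Windows/UsrClass.dat"),  # pre-Vista
}

def expected_layout(vista_plus):
    """Map each required artifact name to its path relative to the staging root."""
    layout = {"ntdll.dll": Path("System32/ntdll.dll")}
    for hive in SYSTEM_HIVES:
        layout[hive] = Path("System32/Config") / hive
    layout["NTUSER.DAT"] = Path("NTUSER.DAT")
    layout["UsrClass.dat"] = USRCLASS_REL[vista_plus]
    return layout

def stage_hives(src, root, vista_plus=True):
    """Copy hives from the flat extraction folder `src` into `root` (assumed
    layout: hives sit directly in `src` under their original names).
    Returns the names of artifacts whose source file was absent."""
    src, root = Path(src), Path(root)
    missing = []
    for name, rel in expected_layout(vista_plus).items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        if name == "ntdll.dll":
            dest.touch()                # an empty file is enough; only presence matters
            continue
        source = src / name
        if source.is_file():
            shutil.copy2(source, dest)  # copy2 preserves timestamps for the case record
        else:
            missing.append(name)
    return missing

def verify_staging(root, vista_plus=True):
    """Return the artifacts still missing from `root` before pointing Autoruns at it."""
    root = Path(root)
    return [n for n, rel in expected_layout(vista_plus).items()
            if not (root / rel).is_file()]
```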

It’s worth noting that the latest version of Autoruns doesn’t seem to perform any tests on the files referenced by extracted entries while in Offline mode (e.g. to tell you whether the file exists). If your version does, you can use that to your advantage: run Autoruns on a fresh copy of the same operating system as the one the hives come from, and turn on the options “Hide Windows Entries” and “Hide Microsoft Entries”. Doing so should reduce the number of entries you need to look at by ignoring the files that would be present on a legitimate system. Of course, this disregards the possibility that the system the hives come from has had some of its system files replaced, which, while quite unlikely, is perfectly plausible.

Troubleshooting: If you managed to load the hives in Autoruns the first time you tried but it complains when you try again, that’s most likely because the hives remain loaded by the system. To fix that, open the Command Prompt as administrator and type the following commands:

  • reg unload HKLM\autoruns.software
  • reg unload HKLM\autoruns.system
  • reg unload HKLM\autoruns.user