unloaded registry hive

Post by Brummelchen » Sat Jan 05, 2019 1:53 pm

The Windows registry is a bunch of hives loaded on startup, and changes are merged on shutdown. The sandbox loads its hive here:
HKEY_USERS\Sandbox_name_box

For some reason and investigation into security, I want to know if it is possible to recover keys or traces from unloaded hives in the "registry", as is possible for entries marked as deleted. I can use YARU to find deleted entries, but it's harder to get information about hive handling at Microsoft TechNet.

thx in advance

Post by Barb@Invincea » Mon Jan 07, 2019 10:20 am


Post by Brummelchen » Mon Jan 07, 2019 11:54 am

Sorry, but no. I know how to dump or compare the reghive from Sandboxie. My question concerns recovering traces of a Sandboxie hive in the registry itself when it was unloaded (sandbox working ended) and the sandbox with its content was deleted. So the hive file is no longer present - is it possible to recover traces in the registry then?
