You probably remember from "Hives and Files" in Chapter 2 that each hive of the Registry is stored in a separate file. While it might seem reasonable to assume that you can just back up these files as though they were Word documents or some other innocuous file, the harsh reality is that you can't. The NT kernel always keeps the Registry data files open, so ordinary backup software won't be able to back them up. However, there are ways to successfully duplicate the files for safekeeping; we explore three ways in the remainder of this section.
In Chapter 2 you learned that the Registry is made up of several hives, which are actually files that live on your disk. They're normally stored in the System32\Config subdirectory of your system volume; you can always find the correct location by examining the value of HKLM\SYSTEM\Control\CurrentControlSet\hivelist.
If you change to System32\Config (or wherever your files are) and get a directory listing, you'll see five files whose names match the hives listed in Table 2-1: DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM. (The other hives, SID and HARDWARE, aren't stored here.) The hive files themselves don't have extensions on them, but there are other files with the same names that do have extensions. Files whose names end in .LOG contain log and auditing information for the corresponding hive, while files with the .SAV extension keep backup copies of Registry transactions so a hive can be ...
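The following PowerShell script is an added example, not code from the book: it lists the hive-to-file mapping from the hivelist value, shows which companion .LOG and .SAV files sit beside each of the five hive files in System32\Config, and then tries to open each hive file for reading the way a naive backup tool would, which fails while the kernel holds the file open. It assumes an elevated session, the hivelist key at HKLM\SYSTEM\CurrentControlSet\Control\hivelist, and the hive directory under %SystemRoot%\System32\Config.

```powershell
# Added example (not from the book): inspect on-disk Registry hive files and
# confirm that the running kernel keeps them open. Run from an elevated
# PowerShell prompt; the key path and directory below are assumptions.

$configDir = Join-Path $env:SystemRoot 'System32\Config'

# 1. The hivelist key maps each loaded hive to the file backing it.
'== hivelist ==' 
$hiveList = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
$hiveList.PSObject.Properties |
    Where-Object { $_.Name -like '\REGISTRY\*' } |
    ForEach-Object { '{0,-40} -> {1}' -f $_.Name, $_.Value }

# 2. The five hives the book places in System32\Config, with the companion
#    files that share their names: .LOG (transaction log) and .SAV (backup
#    copy). Newer Windows versions split the log into .LOG1 and .LOG2.
'== hive files ==' 
$extensions = '.LOG', '.LOG1', '.LOG2', '.SAV'
foreach ($hive in 'DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM') {
    $main = Join-Path $configDir $hive
    if (-not (Test-Path -LiteralPath $main)) {
        "$hive : hive file not found in $configDir"
        continue
    }
    $companions = foreach ($ext in $extensions) {
        if (Test-Path -LiteralPath "$main$ext") { "$hive$ext" }
    }

    # 3. Attempt a plain read open, as ordinary backup software would. The
    #    kernel opens hive files without sharing, so this raises an IOException
    #    (sharing violation) for every live hive.
    try {
        $fs = [System.IO.File]::Open($main, 'Open', 'Read', 'ReadWrite')
        $fs.Close()
        $state = 'opened for read (not held exclusively?)'
    } catch {
        $state = 'cannot open: ' + $_.Exception.Message
    }

    '{0,-9} companions: {1,-32} {2}' -f $hive, ($companions -join ', '), $state
}
```

Running it without elevation reports an access-denied error instead of a sharing violation, which is the other reason a user-mode copy of these files is not a backup.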