How to modify a computer’s offline registry from WinPE?

Load the necessary registry hives:

  • in Registry Editor (regedit), select either HKEY_LOCAL_MACHINE or HKEY_USERS, then click File → Load Hive, open the hive file, and input a temporary name for it;
  • on the command line, use reg load HKLM\temp-name path-to-hive
    or reg load HKU\temp-name path-to-hive.

The hive files are located in:

  • most of HKEY_LOCAL_MACHINE corresponds to files in %SystemRoot%\system32\config:
    • HKLM\SAM – file SAM
    • HKLM\Software – file software
    • HKLM\SYSTEM – file system
    • the special “system” user’s registry (e.g. login screen, etc.) – file default
  • each user’s personal registry (i.e. their HKEY_CURRENT_USER) is located in file NTUSER.DAT in their profile directory (e.g. C:\Users\grawity\NTUSER.DAT);
    • however, HKCU\Software\Classes is stored in the file AppData\Local\Microsoft\Windows\UsrClass.dat.

A list of currently loaded hives is at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist.
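
The load, edit, unload cycle described above, as an added example that is not part of the original answer. It assumes the offline Windows volume is D: and uses the temporary name OfflineSystem; the key ExampleKey and value ExampleValue are hypothetical placeholders for the real edit.

```bat
@echo off
setlocal
rem Added example. Assumptions: the offline Windows volume is D: and the
rem temporary key name is OfflineSystem; adjust both for the machine at hand.
set "CONFIG=D:\Windows\System32\config"
set "MOUNT=HKLM\OfflineSystem"

rem Keep a copy of the hive file so the edit can be rolled back.
copy /y "%CONFIG%\SYSTEM" "%CONFIG%\SYSTEM.bak" >nul || goto :fail

reg load %MOUNT% "%CONFIG%\SYSTEM" || goto :fail

rem An offline SYSTEM hive has no CurrentControlSet key: that name is a
rem link created at boot. Select\Current holds the number of the control
rem set the installation uses, so resolve ControlSet00N from it.
set "CUR="
for /f "tokens=1,3" %%A in ('reg query %MOUNT%\Select /v Current 2^>nul') do (
    if /i "%%A"=="Current" set /a CUR=%%B
)
if not defined CUR goto :unload_fail
set "CS=00%CUR%"
set "CS=ControlSet%CS:~-3%"
echo Using %CS%

rem Read a known value first to confirm this is the expected installation.
reg query "%MOUNT%\%CS%\Control\ComputerName\ComputerName" /v ComputerName
if errorlevel 1 goto :unload_fail

rem The edit itself. ExampleKey / ExampleValue are hypothetical names;
rem replace this line with the change that is actually needed.
reg add "%MOUNT%\%CS%\Control\ExampleKey" /v ExampleValue /t REG_SZ /d "edited offline" /f
if errorlevel 1 goto :unload_fail

rem Unload so the change is written back and the hive file is released.
reg unload %MOUNT% || goto :fail
echo Done.
exit /b 0

:unload_fail
reg unload %MOUNT%
:fail
echo Failed; restore "%CONFIG%\SYSTEM.bak" if the hive was changed.
exit /b 1
```

Close Registry Editor windows that are browsing the temporary key before running reg unload, since an open handle makes the unload fail.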