Registry oddity
Looking at modifying the registry on a virtual machine while it's offline. I mount the VHDX file and can run this to load the registry:
PS> reg load HKLM\VHDSYS h:\windows\system32\config\system
The operation completed successfully.
If I perform a reg unload at this point everything works, but if I access the registry – for instance
PS> ls hklm:
and then try and unload I get an error!
PS> reg unload HKLM\VHDSYS
ERROR: Access is denied.
One thing I found is that there is a reference to the remote hive in the variable collection:
PS> ls variable:
Name Value
---- -----
$ HKLM\VHDSYS
Empirically I’ve found that running these commands
ls env:
ls variable:
changes the value of the $ variable.
You can then unload the hive:
PS> reg unload HKLM\VHDSYS
The operation completed successfully.
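
A way to script the load/read/unload cycle so that the unload does not depend on what the session happened to run in between, added here as an example that is not from the original post. It assumes the "Access is denied" comes from registry key handles still held by .NET objects in the PowerShell session; the Invoke-Reg helper and the read of Select\Current are illustrative choices.

```powershell
# Added example. Hive name and file path are the ones used in the post.
$hiveName = 'HKLM\VHDSYS'
$hiveFile = 'h:\windows\system32\config\system'

# Hypothetical helper: run reg.exe and report success plus its output text.
function Invoke-Reg {
    param([string[]]$RegArgs)
    $out = & reg.exe @RegArgs 2>&1
    [pscustomobject]@{ Ok = ($LASTEXITCODE -eq 0); Output = ($out -join "`n") }
}

$load = Invoke-Reg @('load', $hiveName, $hiveFile)
if (-not $load.Ok) { throw "reg load failed: $($load.Output)" }

try {
    # Open the key through .NET rather than the hklm: drive so the handle
    # can be closed explicitly instead of waiting for the garbage collector.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('VHDSYS\Select')
    if ($null -eq $key) { throw 'VHDSYS\Select not found in the loaded hive' }
    try {
        # Select\Current says which ControlSetNNN the offline system boots from.
        $current = $key.GetValue('Current')
        'Offline hive boots ControlSet{0:d3}' -f $current
    }
    finally {
        $key.Close()
    }
}
finally {
    # Assumption: any remaining handles belong to unreferenced objects, so
    # forcing a collection and running finalizers releases them.
    Remove-Variable key -ErrorAction SilentlyContinue
    $unloaded = $false
    foreach ($attempt in 1..5) {
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        $r = Invoke-Reg @('unload', $hiveName)
        if ($r.Ok) { $unloaded = $true; break }
        Start-Sleep -Milliseconds 500
    }
    # A hive left loaded keeps the file on the mounted VHDX open.
    if (-not $unloaded) { Write-Error "Hive still loaded: $($r.Output)" }
}
```

Run it from an elevated session with the VHDX mounted as in the post; if the final unload still fails, something outside the script (another process, or an object kept in a variable) is holding a key open.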