Just an FYI for anyone trying to do this with a more recent copy of Windows. I just tried to follow these instructions for Option Six and could not get to the Advanced Startup to open the command prompt. But I was able to by holding down the SHIFT key while clicking restart. After that everything went fine.
Brink,
In Option 4, there is a mistaken [out-of-date?] reference to "Option Six" that I think you'll want to delete.
[That's what MickeyCT was referring to.]
Denis
Thanks for the tutorial! Very detailed. I used option 5 and it got me back in like a charm. 1 question though. What about unloading the hive REM_SAM that was loaded? I went back to look for it and it's gone. Thanks for answering.
Hello, and welcome to Ten Forums.
The two articles below are good for more details about the SAM hive that will hopefully help some.
Forensic Investigation: Windows Registry Analysis
How to access the SAM and SECURITY hives in the Registry using the SYSTEM account | 4sysops
That's way above my understanding. My question is what happens if the temporary hive (REM_SAM) that was loaded is not unloaded? After changing the line 38 value to 10 I just hit the "X" button and rebooted. I went through option 5 again and this time the value for line 38 is not 10 or 11... it's 13. Just making sure I didn't screw anything up. Thanks.
Brink,
At Option 5, Step 5, might it be worth warning people that the drive to find is the one with a Windows folder AND a Users folder AND a PerfLogs folder and cannot be X:\ because that will stop them mistakenly choosing [for example] the installation disk or the virtual OS disk [X:\].
All the best,
Denis