Is there a way to scan a registry hive on an attached USB drive?

I have a hard drive with a virus that I removed from a PC. I can scan the file system of it as an attached USB drive. But how do I scan the registry of that USB drive since it is not booted up like a regular hard drive?

To clarify, the USB drive was a regular hard drive in a PC that got infected. I cannot boot into the OS to run a scan. I removed it to attach it to a working PC so I can scan its file system. But, I cannot scan the registry of that hard drive, because that drive is not booted up. The hard drive was a regular Windows XP hard drive install that I removed to scan as an attached drive (with an adapter to make it a USB drive).


What you want to do is called 'offline registry editing'. You can load the registry hives from the old hard disk drive into your registry editor. Here's a tutorial:

Load registry hive for offline registry editing

However, I'd recommend using BartPE instead of your current Windows installation to do this:

How to edit the registry offline using BartPE boot CD?

BartPE will recognize your external USB hard disk drive connected.
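
The offline hive loading described in this answer can also be scripted. The following is an added example, not part of the original answer: it loads the SOFTWARE hive and each user's NTUSER.DAT from the attached XP disk, lists the common autostart keys, and unloads the hives again. The drive letter `E:` and the `OFFLINE_*` mount names are assumptions, and it must run from an elevated PowerShell prompt on the clean PC.

```powershell
# Added example. Assumptions: elevated PowerShell on the clean PC; the XP disk is E:.
$drive   = 'E:'
$mounted = @()   # temporary key names created under HKLM, so they can be unloaded

function Mount-Hive([string]$Name, [string]$File) {
    # reg.exe load only accepts a mount point directly under HKLM or HKU
    & reg.exe load "HKLM\$Name" $File 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) { $script:mounted += $Name; return $true }
    Write-Warning "Could not load $File"
    return $false
}

function Show-Key([string]$Key) {
    # reg.exe query leaves no open handle behind, so the later unload is not blocked
    $out = & reg.exe query "HKLM\$Key" 2>$null
    if ($LASTEXITCODE -eq 0) { $out | Where-Object { $_.Trim() } }
}

try {
    # Machine-wide autostart locations in the offline SOFTWARE hive
    if (Mount-Hive 'OFFLINE_SOFTWARE' "$drive\WINDOWS\system32\config\software") {
        Show-Key 'OFFLINE_SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        Show-Key 'OFFLINE_SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        # Check the Shell and Userinit values here; XP defaults are
        # Explorer.exe and C:\WINDOWS\system32\userinit.exe,
        Show-Key 'OFFLINE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    }

    # Per-user autostart locations; NTUSER.DAT is hidden, hence -Force
    $i = 0
    Get-ChildItem "$drive\Documents and Settings\*\NTUSER.DAT" -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = "OFFLINE_USER_$i"; $i++
            if (Mount-Hive $name $_.FullName) {
                "--- $($_.FullName)"
                Show-Key "$name\Software\Microsoft\Windows\CurrentVersion\Run"
                Show-Key "$name\Software\Microsoft\Windows\CurrentVersion\RunOnce"
            }
        }
}
finally {
    # Always unload, otherwise the hive files on the USB disk stay locked
    foreach ($name in $mounted) { & reg.exe unload "HKLM\$name" | Out-Null }
}
```

Loading a hive opens the file read-write, so copy the hive files to the clean PC first and load the copies if the disk must stay unmodified.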


Personally I recommend backing up the old disk and then wiping it.

This way you don't have to worry about the virus remaining behind and it's more efficient too.

Note: the problem you're having right now is probably that the host OS (you're using right now) doesn't have access to the Windows folder of your infected guest OS. Using a Linux Live CD would allow you to "ignore" these permissions and restore whatever files you need.

Alternatively you could use a virus scanner within Linux to scan the drive as well, but I'm sure a clean install will give a better and more efficient result.


RunAlyzer

  • Autostart entries - RunAlyzer shows a bunch of places applications use to get themselves started upon Windows start. This is good for tweaking your system as well as finding spyware, viruses or other malware.
  • Analysis - RunAlyzer comes with a database of known entries and can do an online lookup to get the newest classifications of entries from our servers. Simple colors - green for good, red for bad - will give you the quick overview needed. Our detectives will even classify any unknown entries you submit to us through an easy function integrated into the application.
  • Log functions - Should you want to get help from another place, RunAlyzer can export log files as would be created by Spybot-S&D or HijackThis - formats that many experts all over the world prefer.
  • Windows x64 compatibility - RunAlyzer works on the new 64 bit versions of Windows as well - and allows you to view and change both 32 bit backward compatibility and new 64 bit entries there.
  • WinPE compatibility - thanks to the multi platform code we use in many of our products, RunAlyzer also automatically detects Windows installations on other attached harddisks or partitions, and allows you to manage those. This can be extremely useful if for example you want to repair a system while booting from a BartPE (bootable Windows PE) CD.

Or ubcd4win has a tool called RunScanner that lets you do an offline registry scan with any scanner.