can not see any entry in HKEY_LOCAL_MACHINE\SOFTWARE\Micros

[uminds]

I am trying to diagnose a malware problem on a XP machine and used the Windows PE 3.0 CD to boot the system. When I ran regedit, I can't see any startup program at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I tried it on various XP installation and got the same result. Can someone tell me what am I missing?

Thanks

[uid0]

I've not used PE3, but I imagine regedit by default will show you the registry of the PE, not the one on the windows install - try loading the hives manually?

There are lots of other locations to check too - try autoruns for a more complete list.

[Tripredacus]

This is correct. You need to load a registry hive, and select the file on the XP drive. The hives are located in

C:\Windows\System32\Config

You will want to load the one called SYSTEM. Make sure to unload the hive before closing regedit, I hear bad things can happen if you don't. That is to say, I've always followed the unload rule!

[uminds]

Thank you very much for the response.