Hi everyone,
I would like to ask you if it is possible to dump the hive file from a
memory image.
For some reason the printkey cmd does not return expected values.
My VirtualBox Windows XP SP3 image contains vboxtray.exe in the RUN key,
but I don't see it in the printkey -K
"Software\Microsoft\Windows\CurrentVersion\Run" cmd output.
I am using Volatility version 2.3 beta.
I want to use the Windows registry recovery tool to check if it is able to get
the info I need.
Thank you
Jaro