There exist a vulnerability in rdisk which causes the contents of the registry hives to be exposed to Everyone during updating of the repair info.
When rdisk updates the repair info it uses a temporary file called $$hive$$.tmp, which it puts in the repair directory and deletes when it's finished. The temporary file is used to store the contents of the hives during the update. This is especially interesting on Terminal Server, so I'll take that as an example.
The \Wtsrv\repair directory contains backups of the hives, but these have the permissions: Administrators - Full Control, and SYSTEM - Full Control. Hard to get to those... but the $$hive$$.tmp file is a different thing. Everybody has Read permissions to it, so Everybody can get the contents of the hives during update. An ordinary user can leave a program running which checks for the temporary file constantly, and copies the contents when the file is created.
Microsoft has released a security bulletin
about this issue.