Sunday, 16 November 2008 15:01

Manually restore an XP registry


In working with many Windows XP computers over the past couple of years in my shop, I've run across a few systems with corrupted registry files. Most of the time, I will get an error similar to the following:

Windows could not start because the following file is missing or corrupt:
\WINDOWS\SYSTEM32\CONFIG\SYSTEM
\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

Other times I won't get an error at all and the system will just reboot continuously without ever showing a blue screen. One thing is certain in all of these cases: I can't boot into Safe Mode to fix it, because Safe Mode needs the same SYSTEM hive to load.

It is in cases like this that we want to manually roll back the registry. This puts back the registry hive files from a point in time when the system was actually booting, or at least hives less damaged than the ones it has now. This is not the same thing as running System Restore: we replace only the registry hives, whereas System Restore also rolls back the other system files it monitors.

If you turned System Restore off, turn around and go back where you came from: there are no snapshots to roll back to, and the only fallback left is the copy of the hives in \windows\repair mentioned at the end of this page.

One of Windows XP's "features" is System Restore. I don't like to use it for reasons I do not plan to go into, but the good news for you and me is that every time System Restore creates a restore point, which is roughly daily and before many software and driver installs, it takes a snapshot of your registry hives.

The registry snapshots are kept under the System Volume Information directory in the root of the volume, normally C:. They are hard to get at from a normal boot, and even from the Recovery Console, because the NTFS ACL on that directory grants access to SYSTEM only. Microsoft's way of doing what I am describing here, linked at the bottom of this page, has you first restore the original hives from %Windir%\Repair so the machine boots at all, then take ownership and change the permissions on System Volume Information, and only then copy the right files in. That is a long detour. My way is much easier.

 

STEP 1 -> Boot your system with WinPE

In order to move these registry files around, we need full, unrestricted access to the NTFS filesystem. There are several ways to get that, but the easiest and most efficient is to boot the Windows XP Preinstallation Environment, WinPE for short: its command prompt runs as SYSTEM against the offline volume, so the ACL on System Volume Information does not get in the way. If you are a Microsoft OEM you likely have a real Microsoft WinPE CD lying around; if not, you can build your own. I highly recommend building a PE yourself, as it is a most valuable tool for a technician. If you do not care to do this, skip everything else I'm going to say and go do it the Microsoft way.

STEP 2 -> Find a recent Restore Point Registry Snapshot

So at this point you've booted into WinPE and have a cmd.exe prompt open. First, confirm which drive letter WinPE gave the dead system's Windows volume (it is usually still C:, but a quick dir will tell you), then change to the System Volume Information directory on it. The name contains spaces, so either quote it, cd "\System Volume Information", or use tab completion: type cd \sys and press Tab, and cmd.exe fills in the rest, quotes included. If Tab does nothing in your PE, start a new prompt with cmd /f:on to turn completion on. Press Enter.

From here, do a dir and see what you have. You will see one, occasionally two, odd-looking directories named _restore{GUID}. Inside one of them are the restore points, directories named RPxx where xx is a number. Type cd _restore{ and press Tab, or type whatever the directory is called, and do another dir. If it is empty, cd .. and go into the other one.

Now you've made it into the directory with all the restore points. Congratulations! A plain dir lists them in name order (RP1, RP10, RP11, RP2, ...), which is not chronological, so type dir /od to sort them by date. Look closely at the timestamps. Your goal is to go back to a point where the system was working and not yet about to crash, but not so far back that you lose settings, programs you've installed, programs you've activated, and so on. Two things to keep in mind: rolling back SAM and SECURITY also rolls back any account password changes made after that point, and a restore point older than the machine's last domain password change (every 30 days by default) can break the domain trust, so the newest point that predates the trouble is the one you want. I try to pick a restore point more than two days old but within a week of the crash. Say it crashed at 6pm on Thursday: look for midday Tuesday or a little before, but not much earlier than that. Once you have found one you're satisfied with, change into that directory, and beneath it into the snapshot directory. Do a directory listing. This is what your registry looked like at that point. Chances are it isn't corrupted, and your system may well boot with it.

STEP 3 -> Overwrite your corrupt registry with the snapshot

All we have to do now is copy these snapshot hives over your current ones. Back up first, you say? They're corrupt, so there is little to lose, but they are also small, and copying them into a spare folder costs a few seconds. If the snapshot turns out to be no better, you will want the originals back, and a hive that will not boot often still holds plenty of recoverable data.

Using tab completion, and from inside the snapshot directory (the \windows\... paths below are relative to the current drive, so make sure that drive is the dead system's Windows volume), type the following commands. Take all five files from the same snapshot; SAM is encrypted with a key derived from SYSTEM, so mixing restore points will leave you with a system nobody can log on to. The /y stops copy from prompting before each overwrite:

copy /y _REGISTRY_MACHINE_SAM \windows\system32\config\SAM
copy /y _REGISTRY_MACHINE_SECURITY \windows\system32\config\SECURITY
copy /y _REGISTRY_MACHINE_SOFTWARE \windows\system32\config\SOFTWARE
copy /y _REGISTRY_MACHINE_SYSTEM \windows\system32\config\SYSTEM
copy /y _REGISTRY_USER_.DEFAULT \windows\system32\config\DEFAULT

Done. Take the WinPE disc out and reboot.
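As an added example, not part of the original article, here is a batch file that does steps 2 and 3 from the WinPE prompt with the checks I would want around them: it finds the _restore{GUID} directory itself, lists the restore points in date order when run without a restore point name, refuses a snapshot that is missing any of the five hives, backs up the current hives into a subfolder, and only then copies, all five from the one snapshot. The script name, the argument layout, the backup folder name and the assumption that the Windows directory is \WINDOWS are mine, not the page's.

```batch
@echo off
rem rollback-hives.cmd - ADDED EXAMPLE, not part of the original article.
rem Automates steps 2 and 3 from a WinPE cmd.exe prompt and adds a backup of
rem the current hives. Assumptions (mine, not the page's): the script name,
rem the argument layout, and that the dead system's Windows folder is \WINDOWS.
rem
rem   rollback-hives.cmd C:        list restore points on C:, oldest first
rem   rollback-hives.cmd C: RP27   roll C:\WINDOWS's hives back to RP27
setlocal
if "%~1"=="" goto usage

set DRV=%~1
set CONFIG=%DRV%\WINDOWS\system32\config
set SVI=%DRV%\System Volume Information

rem --- Step 2: find the _restore{GUID} directory. WinPE runs this as SYSTEM,
rem     the only account the ACL on System Volume Information admits.
set RESTOREDIR=
for /d %%D in ("%SVI%\_restore*") do set RESTOREDIR=%%~fD
if "%RESTOREDIR%"=="" (
    echo No _restore directory under "%SVI%". System Restore was off, or %DRV%
    echo is not the Windows volume. Fall back to the hives in %DRV%\WINDOWS\repair.
    goto :eof
)
if "%~2"=="" (
    echo Restore points in "%RESTOREDIR%", oldest first:
    dir /ad /od "%RESTOREDIR%\RP*"
    goto :eof
)

rem --- Check the chosen snapshot before touching anything. All five hives
rem     must come from the SAME snapshot: SAM is encrypted with a key derived
rem     from SYSTEM, so mixing restore points leaves nobody able to log on.
set SNAP=%RESTOREDIR%\%~2\snapshot
for %%H in (SAM SECURITY SOFTWARE SYSTEM) do (
    if not exist "%SNAP%\_REGISTRY_MACHINE_%%H" (
        echo %~2 has no _REGISTRY_MACHINE_%%H - choose another restore point.
        goto :eof
    )
)
if not exist "%SNAP%\_REGISTRY_USER_.DEFAULT" (
    echo %~2 has no _REGISTRY_USER_.DEFAULT - choose another restore point.
    goto :eof
)

rem --- Keep the corrupt hives anyway; they are small and may still be needed.
rem     Clearing attributes makes sure copy /y can overwrite afterwards.
set BAK=%CONFIG%\pre-rollback-%~2
if not exist "%BAK%" mkdir "%BAK%"
for %%H in (SAM SECURITY SOFTWARE SYSTEM DEFAULT) do (
    if exist "%CONFIG%\%%H" attrib -r -s -h "%CONFIG%\%%H"
    if exist "%CONFIG%\%%H" copy /y "%CONFIG%\%%H" "%BAK%\%%H" >nul
)

rem --- Step 3: overwrite the live hives with the snapshot copies.
for %%H in (SAM SECURITY SOFTWARE SYSTEM) do (
    copy /y "%SNAP%\_REGISTRY_MACHINE_%%H" "%CONFIG%\%%H" >nul || goto copyfail
)
copy /y "%SNAP%\_REGISTRY_USER_.DEFAULT" "%CONFIG%\DEFAULT" >nul || goto copyfail
echo Hives replaced from %~2. Originals are in "%BAK%". Remove the PE disc and reboot.
goto :eof

:copyfail
echo A copy failed, so the live hives may be only partly replaced. Put the
echo files from "%BAK%" back before rebooting, or try another restore point.
goto :eof

:usage
echo Usage: %~nx0 ^<drive^> [RPnn]
echo   %~nx0 C:        list restore points on C:
echo   %~nx0 C: RP27   roll C:\WINDOWS hives back to restore point RP27
```

Run it once with just the drive letter to see the restore points in date order, pick the newest one that predates the trouble, then run it again with that RPxx. Everything it uses (for /d, the %~ modifiers, copy /y, ||) is plain cmd.exe, so it runs unchanged in an XP-era WinPE.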

There is also a copy of the registry hives in C:\windows\repair. You can try those if System Restore was turned off, but they date from when Windows was installed (unless a backup tool has refreshed them since), so expect to lose settings and installed programs. That method can also be done from the Recovery Console; see this article from Microsoft.

If that didn't fix it, try a repair installation, or scan the hard drive for malware from outside the installed system, either from WinPE or with the drive attached to another computer.

Last modified on Sunday, 27 May 2012 12:58