Manual Registry Restore
I have seen numerous Windows XP systems that would not boot.
Typically, this is due to a bad (corrupt) registry.
(No idea how this happens.)
Occasionally, some of the required executables simply won't run.
(Sometimes a virus, sometimes hard drive failure.)
I have even seen viruses (sorry, "potentially unwanted programs")
that intentionally stop Windows from running.
In Windows XP, system snapshots are stored in a super secret directory.
These include a copy of the registry and all the "important" files.
By simply restoring the system to an earlier version,
many problems can be fixed.
Note: The registry is stored in 6 separate files (called hives).
In the following manual instructions, only 5 of these are copied.
Contents: Automatic Recovery | Manual Recovery | Simplification | Preparation | System Volume Information | Comment
Automatic Recovery
The normal way to restore the system to an earlier version is to use
Start / Programs / Accessories / System Tools / System Restore
After selecting Restore my computer to an earlier time,
you will see a calendar and be able to select any of the available backups.
I normally select a date a day or two before the problem was noticed.
Warning: Some applications (such as Adobe products) may be confused by
this procedure and require reregistering.
(I hate programs that call home every time you use them.
However, I suppose some people like being spied on.)
Warning: If you are a programmer, some of your source files
will be deleted when the system is "fixed". I understand deleting
any exe files created after the last restore point was saved,
but source files (written with notepad no less) should not be deleted.
Specifically, Flash *.as source files will be deleted.
Manual Recovery
Occasionally, the problem won't allow Windows to boot and,
therefore, System Restore can not be used.
Typically, this is caused by a registry problem
or a really bad virus
(as opposed to a "good" virus that allows you to use System Restore).
In these cases, there is a
fairly lengthy procedure - fully described in
Microsoft kb-307545
(How to recover from a corrupted registry that prevents Windows XP from starting) -
that allows you to manually repair the system.
This is the basic procedure
- Using the Recovery Console, restore the original registry
- Boot to Safe mode and copy a more recent version of the registry to some directory
- Using the Recovery Console, make the more recent version the current version
- In Windows, restore the system to a configuration saved a few days ago
As good as the Microsoft instructions are, I really hate having to
type that much at a command prompt (Recovery Console).
There are a couple of shortcuts that will make it a little less frustrating.
- The up arrow and down arrow will allow you to recall commands you have
already typed. Use these and edit as appropriate.
- Use cd c:\windows\tmp to simplify the commands.
Using the "to" directory will reduce the number of letters typed.
The "from" directory is automatically recalled when you use the arrows.
- Wildcards (*) will not work in the Recovery Console
I have had to do this enough times that there should be a standard
Recovery Console command to accomplish this
(rather than a rather tedious procedure).
Simplification
If you prepare a machine before a problem occurs,
the restore procedure will be quite simple.
Basically, you need to save a copy of recent registry settings
in some directory and create a bat file that performs all the
steps necessary to copy those over the existing (broken) files.
The following bat file (98% copied from Microsoft) will simplify this procedure.
However, notice that the extension is txt not bat -
this is because the System Restore procedure replaces (removes)
bat files, but not txt files.
Notice that this assumes that you have saved
a copy of a recent registry in c:\windows\recover (see Preparation below).
Copy_Hives_1.txt
cd c:\windows
md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak
delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default
copy c:\windows\recover\system c:\windows\system32\config\system
copy c:\windows\recover\software c:\windows\system32\config\software
copy c:\windows\recover\sam c:\windows\system32\config\sam
copy c:\windows\recover\security c:\windows\system32\config\security
copy c:\windows\recover\default c:\windows\system32\config\default
This is the modified procedure using the directories and files above.
- Start the recovery console
(a command line OS)
- the administrator password is blank
- Type Batch Copy_Hives_1.txt to execute it
- Type exit to quit Recovery Console and restart Windows
- Use System Restore to
restore a recent configuration
Note: The original registry is stored in
but will not allow you to run System Restore.
Preparation
This is the easy way to access some recent registry files,
assuming that you do it before a problem occurs.
- In Windows Explorer, use
Tools / Folder Options / View
to display hidden files and system folders
and clear the Use simple file sharing (Recommended) check box
- Create a C:\Windows\recover folder
- Right click the System Volume Information directory and
change the security settings
so that you can see the contents (normally not available for security reasons)
- In System Volume Information, locate a snapshot folder named something like
C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot
- From the Snapshot folder, copy the following files to the C:\Windows\recover folder
• _REGISTRY_USER_.DEFAULT
• _REGISTRY_MACHINE_SECURITY
• _REGISTRY_MACHINE_SOFTWARE
• _REGISTRY_MACHINE_SYSTEM
• _REGISTRY_MACHINE_SAM
- Rename the files in the C:\Windows\recover folder as follows
• Rename _REGISTRY_USER_.DEFAULT to DEFAULT
• Rename _REGISTRY_MACHINE_SECURITY to SECURITY
• Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
• Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
• Rename _REGISTRY_MACHINE_SAM to SAM
- Right click the System Volume Information directory and
change the security settings
to remove your access - this is a very important security requirement
I don't think that Safe mode is necessary in this case.
However, my systems have been reconfigured so many times that
it is hard to say what is required for a default system.
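The Preparation steps above (find a recent snapshot, copy the five hive files, rename them to DEFAULT / SECURITY / SOFTWARE / SYSTEM / SAM in C:\Windows\recover) scripted in Python, as an added example that is not code from this page or from Microsoft's KB article. The directory layout and file names follow the page; two things are my additions: restore-point folders are compared by their RP number rather than by name (a plain string sort would rank RP9 above RP10), and each file is checked for the 4-byte "regf" signature that every registry hive starts with, so a truncated or corrupt snapshot is not staged as a "good" registry. The temporary fixture directory and the all-zero _restore{GUID} name are constructed for the demonstration only; point newest_snapshot() at the real _restore folder on an XP machine instead.

```python
"""
Added example (not part of the original page): locate the newest XP restore
point snapshot and stage its five registry hives into a recover folder,
renamed as the Copy_Hives_1.txt batch file expects.
"""
import os
import re
import shutil
import tempfile

# Snapshot file name -> name expected in C:\\Windows\\recover (names from the page)
HIVE_NAMES = {
    "_REGISTRY_USER_.DEFAULT": "DEFAULT",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
    "_REGISTRY_MACHINE_SOFTWARE": "SOFTWARE",
    "_REGISTRY_MACHINE_SYSTEM": "SYSTEM",
    "_REGISTRY_MACHINE_SAM": "SAM",
}

RP_PATTERN = re.compile(r"^RP(\d+)$")


def newest_snapshot(restore_dir):
    """Return the Snapshot path of the highest-numbered RPn folder under a
    _restore{GUID} directory, or None if there is none. RP folders are
    compared numerically, so RP10 beats RP9 (a string sort gets this wrong)."""
    best_num, best_path = -1, None
    for entry in os.listdir(restore_dir):
        m = RP_PATTERN.match(entry)
        if not m:
            continue
        snap = os.path.join(restore_dir, entry, "Snapshot")
        if os.path.isdir(snap) and int(m.group(1)) > best_num:
            best_num, best_path = int(m.group(1)), snap
    return best_path


def looks_like_hive(path):
    """Every registry hive file begins with the signature b'regf' (assumed
    check, not from the page). Refusing anything else avoids staging a
    truncated or corrupt snapshot over the live registry later."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == b"regf"
    except OSError:
        return False


def stage_hives(snapshot_dir, recover_dir):
    """Copy the five hives from snapshot_dir into recover_dir under their
    short names. Returns the staged names in HIVE_NAMES order; raises if any
    hive is missing or fails the signature check, so a half-staged recover
    folder is never left behind for the batch file to pick up."""
    os.makedirs(recover_dir, exist_ok=True)
    staged = []
    for src_name, dst_name in HIVE_NAMES.items():
        src = os.path.join(snapshot_dir, src_name)
        if not looks_like_hive(src):
            raise RuntimeError("missing or invalid hive: %s" % src)
        shutil.copyfile(src, os.path.join(recover_dir, dst_name))
        staged.append(dst_name)
    return staged


def build_fixture():
    """Constructed stand-in for C:\\System Volume Information: two restore
    points (RP9 and RP10) holding minimal 'regf'-headed hive files.
    Returns (restore_dir, recover_dir) inside a fresh temporary directory."""
    root = tempfile.mkdtemp()
    restore = os.path.join(root, "_restore{00000000-0000-0000-0000-000000000000}")
    for rp in ("RP9", "RP10"):
        snap = os.path.join(restore, rp, "Snapshot")
        os.makedirs(snap)
        for name in HIVE_NAMES:
            with open(os.path.join(snap, name), "wb") as f:
                f.write(b"regf" + rp.encode() + b"\x00" * 16)
    return restore, os.path.join(root, "Windows", "recover")


if __name__ == "__main__":
    restore_dir, recover_dir = build_fixture()
    snap = newest_snapshot(restore_dir)
    print("newest snapshot:", snap)
    print("staged:", stage_hives(snap, recover_dir))
```

Running the script against the fixture selects RP10 (not RP9) and stages all five files; on a real machine you would still remove your access to System Volume Information afterwards, exactly as the last Preparation step says.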
System Volume Information
System Volume Information is a super secret directory that
most people can not access.
However, to perform a manual recovery, you must copy 5 files from
this directory to another location which can be accessed
from the Recovery Console.
The following is a summary from Microsoft's instructions on
How to gain access to the System Volume Information folder
- In Windows Explorer, select
Tools / Folder Options / View
and clear the Use simple file sharing (Recommended) check box
which will enable the Security tab
- Right-click the System Volume Information folder (in the root folder)
and select Properties
- Select the Security tab
- Click Add and enter an appropriate user name -
probably the one you are currently using
- Make sure that the account has read access
Once you are finished copying the files, be sure to restore the original security settings.
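The same grant-then-revoke sequence from the command line, as an added example that is not from the page or from Microsoft's instructions. It uses cacls, which ships with Windows XP; %USERNAME% is assumed to be the account you are logged on with, and the copy step in the middle is left to the Preparation section. The point worth knowing is the /E switch: it edits the existing ACL, whereas cacls without /E replaces the whole ACL and would strip the SYSTEM account's access that System Restore itself needs on this folder.

```batch
@echo off
rem Added example, not code from the page or from Microsoft's KB article.
rem Temporarily grant the current user read access to System Volume
rem Information, do the copying, then revoke the grant again.
set SVI=C:\System Volume Information

rem /E = edit the existing ACL (never omit it here: without /E cacls REPLACES
rem the ACL and System Restore loses its own access). /G user:R = grant Read.
cacls "%SVI%" /E /G %USERNAME%:R

rem Show the _restore{GUID} folder(s) so the RPn\Snapshot path can be chosen.
dir "%SVI%" /AD

rem ... copy and rename the five hive files to C:\Windows\recover here
rem     (see Preparation above) ...

rem /R user = revoke that user's entry, restoring the original settings.
cacls "%SVI%" /E /R %USERNAME%
```

If the final cacls line is skipped, the folder stays readable by that account, which is exactly what the "restore the original security settings" step is meant to prevent.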
Comment
"potentially unwanted programs" - The US courts are great.
Apparently some court has ruled that it is wrong to call evil software a virus.
As a result, the euphemism "potentially unwanted programs"
is the "politically correct" expression.
McAfee
provides a very good description of "potentially unwanted programs".
Author:
Robert Clemenzi