Windows XP: Repairing Registry Hives from a System Restore Point

This article is the first of what I hope will be many in a series I am calling “Base Level”. These articles will detail some of the base level skills you should already have if you work in a PC repair technician position. If you don’t know one of the items here, don’t be embarrassed. I personally didn’t know anything when I started and was hoping this would help someone in a similar position. If you aren’t familiar with these things, learn to do them without having to refer to this site. They are things that you will do regularly.

Why would I need to know this?

This is a very easy way to fix your registry, but you are pulling a registry from the past and pairing it with current files. This can be somewhat sorted out by doing a system restore immediately afterwards, but it still may cause issues. Keep in mind that the SAM and SECURITY hives hold the local accounts, so account changes made after the restore point, such as a new password, revert to their older state. That said, this is a very useful skill when something messed up in the registry causes the computer to not respond. Here is one common example:

Windows XP displaying a boot error relating to a corrupt registry hive.

What am I going to need for this?

Head over to knopper.net, get the latest version of Knoppix and burn it to a CD. Make a nice CD case for it and keep it around. This is a useful tool in your arsenal.

Ok, I am ready. What do I need to do?

Place your Knoppix CD into your optical drive. When the boot: prompt pops up, type knoppix and press Enter.

Knoppix ready to boot.

When Knoppix gets fully loaded click on the PCManFM icon in the bottom tool bar on the left.

Location of the file browser (PCManFM) in Knoppix.

Locate the partition where your Windows install is and click on it. Note: It probably will not be marked as “WINDOWS_XP”.

Click on the System Volume Information folder to open it.

Next, click on the directory marked _restore followed by some random hex values and hyphens in brackets.

This next part may be easier if you put PCManFM into Detailed List View by clicking on View -> Detailed List View.

Now that it is set in Detailed List View, you can clearly see which date each restore point folder corresponds to. These dates are a good indicator of when each restore point was made, and should give you a good idea of which one to pick. In this example I opted to go back a couple of days. When you have chosen the restore point that you would like to use, click on the folder associated with it. Then open the snapshot folder inside it.

Now you need to copy the following files to your clipboard:

  • _REGISTRY_MACHINE_SAM
  • _REGISTRY_MACHINE_SECURITY
  • _REGISTRY_MACHINE_SOFTWARE
  • _REGISTRY_MACHINE_SYSTEM
  • _REGISTRY_USER_.DEFAULT

Now click back on the partition where your Windows install is, navigate to ./WINDOWS/System32/config and create a backup folder for the old registry hive files. Make sure to include today’s date in the folder name!

Now drag and drop the current hive files in the config directory (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT) into that newly created folder.

Go ahead now and paste the files from the restore point directory into the config directory, then rename them to match the ones you backed up, like this:

  • _REGISTRY_MACHINE_SAM -> SAM
  • _REGISTRY_MACHINE_SECURITY -> SECURITY
  • _REGISTRY_MACHINE_SOFTWARE -> SOFTWARE
  • _REGISTRY_MACHINE_SYSTEM -> SYSTEM
  • _REGISTRY_USER_.DEFAULT -> DEFAULT

Okay, nearly finished! Now just reboot the machine by clicking the Start-menu-like item in the bottom left and choosing Logout, then Reboot, from the menu that pops up.

Last but not least, you need to run a system restore now that you can get back into the system. This helps ensure that your registry and Windows’ system files are on the same page. Fire up System Restore.

Now choose a date from system restore when the system was operating as you intended it to. It doesn’t have to be the same date as the day we picked earlier but it can be.

After the system restore completes you are done!
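The backup, copy and rename steps above can also be done from a terminal in the live CD. The script below is an added example, not part of the original walkthrough: `restore_hives` is a hypothetical helper name, and it assumes the XP partition is already mounted read-write. It goes slightly beyond the GUI steps by checking that each snapshot file starts with the `regf` hive signature before anything in config is touched.

```shell
#!/bin/sh
# Added example (not from the original article): the hive swap done from a
# terminal in the live CD. restore_hives is a hypothetical helper name.
#   $1 = the restore point's "snapshot" folder
#   $2 = the Windows "config" folder on the mounted XP partition
restore_hives() {
    snap=$1; cfg=$2
    backup="$cfg/backup-$(date +%Y-%m-%d)"
    pairs="_REGISTRY_MACHINE_SAM:SAM _REGISTRY_MACHINE_SECURITY:SECURITY
           _REGISTRY_MACHINE_SOFTWARE:SOFTWARE _REGISTRY_MACHINE_SYSTEM:SYSTEM
           _REGISTRY_USER_.DEFAULT:DEFAULT"

    # Pass 1: change nothing unless all five snapshot files exist and start
    # with the 4-byte "regf" signature of a registry hive.
    for p in $pairs; do
        src="$snap/${p%%:*}"
        [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
        [ "$(head -c 4 "$src")" = "regf" ] ||
            { echo "not a registry hive: $src" >&2; return 1; }
    done

    # Refuse to reuse today's backup folder, so a second run cannot overwrite
    # the original hives that were saved by the first run.
    mkdir "$backup" || return 1

    # Pass 2: move each current hive into the backup folder, then copy the
    # snapshot hive into its place.
    for p in $pairs; do
        src="$snap/${p%%:*}"; name=${p##*:}
        # Linux NTFS mounts can be case-sensitive and the hive may be stored
        # as "software" rather than "SOFTWARE": reuse the existing name.
        old=$(find "$cfg" -maxdepth 1 -type f -iname "$name" | head -n 1)
        [ -n "$old" ] || old="$cfg/$name"
        if [ -e "$old" ]; then mv "$old" "$backup/" || return 1; fi
        cp "$src" "$old" || return 1
    done
    echo "$backup"    # print where the old hives went
}

# Example call (the mount point /media/sda1 and the elided parts are placeholders):
# restore_hives "/media/sda1/System Volume Information/_restore{...}/RP.../snapshot" \
#               /media/sda1/WINDOWS/System32/config
```
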

Wait, couldn’t I have used X and have gotten the same results?

As the first screencap in this article hinted, you can accomplish this same task with a Windows XP disc. In fact, you can do it by booting into anything that will let you read and write the files on the partition that the corrupted Windows install is located on. Examples of this are your Windows XP installation media, an installed recovery environment, or a bootable Linux live CD. We used a Knoppix live CD because it is very compatible and has a GUI, so it won’t alienate anyone starting out. If you are starting out, I wouldn’t recommend using the Windows installation media, because you may end up needing to slipstream drivers, and without tab completion some of the directories can be a pain to type. In the event you are in the mood for it, the Microsoft Blessed™ way to accomplish this is laid out in Knowledge Base article 307545. They have you do some extra steps just to put you back into a GUI quickly, and then you have to mess with file permissions (because you are back inside your Windows system) to get to the files you need.