Windows DevCenter    
 Published on Windows DevCenter (http://www.windowsdevcenter.com/)
 See this if you're having trouble printing code examples


How To Recover from Registry Corruption

by Mitch Tulloch
06/27/2006

One of the most frustrating experiences working with computers is when they won't start. This frustration is usually compounded by cryptic error messages that don't provide you with enough information to determine what's wrong, let alone fix the problem. For example, maybe you've seen the following message when starting your Windows XP machine:


Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SOFTWARE

Or maybe this one:


Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM

An advanced user might recognize that the files the messages refer to are registry hives, binary files that contain the Windows registry. The first one is the Software hive, which contains the HKLM\SOFTWARE portion of the registry tree, while the second one is the System hive, which maps to HKLM\SYSTEM. The messages indicate that a portion of your registry has somehow been lost or corrupted, and as a result, Windows can't start.

The simplest way to resolve this situation is to restore your system state data from a recent backup. The system state data for your computer consists of the registry hive files, boot files, and the COM+ Class Registration database. Using the Backup utility included with Windows XP, you can easily back up your system state or restore it (Figure 1):

Thumbnail, click for full-size image.
Figure 1: Backing up your system state data, including the registry (click for full-size image).

Tip: If you run Windows Backup and the System State item is missing, you're probably logged on as an ordinary user, not an administrator. To back up the system state data on your machine, you must be logged on as a local administrator. Or, you can open a command prompt and type runas /user:administrator ntbackup to start Backup using Administrator credentials on your machine.

Alternatively, if you know you created a recent backup but can't find it, you're in luck: when Backup is used to back up your system state, it also copies your existing registry hive files to the %SystemRoot%\Repair folder. This means you can restore your corrupted or missing registry hives by logging on with the Recovery Console and copying the files from %SystemRoot%\Repair to %SystemRoot%\System32\config.

But what if you have never backed up your system state using the Windows Backup utility? You might still be able to recover your system by following the approach described below. Two caveats, though: some of the steps in this approach are not supported, so if your machine still won't start afterward, you can't blame Microsoft (or me). And, if your computer came with Windows XP pre-installed by an Original Equipment Manufacturer (OEM), the procedure below may fail due to OEM changes to the system hive on your machine. (In any case, you should really blame yourself for not making a recent backup.)

Anyway, here are the steps to recover your registry:

1. Boot your machine from your Windows XP product CD and press R when prompted to launch the Recovery Console.

2. Type your Administrator password or press Enter if it's blank.

3. Assuming that your operating system files are in C:\Windows, type the following commands one at a time:

md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak
delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default
copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default
exit

This replaces your current registry files with those from your Repair folder--that is, with backups of the registry hives that were created when Windows XP was originally installed on your system. (Remember, if you have never run the Backup utility, the Repair folder files have never been updated.) At this point your computer will be operational when you reboot it, but the registry hives will be those created when XP was installed, which means your registry won't detect later applications you've installed. Now, we need to try to make your system aware of these installed applications. To do that, we're going to hack System Restore by taking copies of registry hives from a recent restore point and replacing the current hives with them. Let's continue.

4. Once your machine restarts (if you have Windows XP Home Edition, make sure you start in Safe Mode), log on as Administrator, open Windows Explorer, select Folder Options under Tools, click View, select Show Hidden Files And Folders, and deselect Hide Protected Operating System Files (Figure 2):

Figure 2
Figure 2: Making hidden and system files visible in Explorer.

Now find the folder named System Volume Information in the root of your boot drive. This folder appears ghosted because it's a special, hidden system folder you've now made visible (Figure 3):

Thumbnail, click for full-size image.
Figure 3: The System Volume Information folder (click for full-size image).

5. Double-click on this folder, and if a dialog box appears saying that access is denied, follow the instructions described here. (Note that the exact procedure depends on whether you have Home or Professional edition and whether your computer belongs to a workgroup or a domain.) Inside the System Volume Information folder, you'll find a number of folders named in the form _restore_GUID. These folders were created by System Restore on your computer and contain system restore points. Open one whose timestamp differs from your current time (do not use the most current folder) and you'll find a series of folders named in the form RPn (Figure 4):

Thumbnail, click for full-size image.
Figure 4: System restore point folders (Click for full-size image).

6. Open any of these folders and you'll see a folder named Snapshot. Open it, and copy and paste the five files that are selected in Figure 5 into the C:\Windows\Tmp folder.

Thumbnail, click for full-size image.
Figure 5: Backups of registry hives from your most recent restore point (click for full-size image).

Why copy these registry files to your Tmp folder? So they can be accessed from the Recovery Console, as you'll see in a moment.

7. Open the Tmp folder and rename the copied files from _REGISTRY_USER_.DEFAULT to DEFAULT, from _REGISTRY_MACHINE_SECURITY to SECURITY, and so on.

8. Boot your computer from your Windows XP product CD again and start the Recovery Console. Type the following commands:

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default
copy c:\windows\tmp\system c:\windows\system32\config\system
copy c:\windows\tmp\software c:\windows\system32\config\software
copy c:\windows\tmp\sam c:\windows\system32\config\sam
copy c:\windows\tmp\security c:\windows\system32\config\security
copy c:\windows\tmp\default c:\windows\system32\config\default
exit

This replaces your original (created at Setup) registry hives with registry hives taken from a recent restore point. Now you can restore your system to a recent restore point by opening System Restore (from System Tools in Accessories) and selecting Restore to a Previous Restore Point.

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.


Return to the Windows DevCenter.

Copyright © 2009 O'Reilly Media, Inc.