Tuesday, January 18, 2011

Manually Restoring Registry Files (offline System Restore for XP)

The process in this post is not relevant for Windows Vista or Windows 7. For Windows Vista or Windows 7, boot from the installation DVD and perform a repair. The repair process can perform a system restore.
I recently had an unbootable computer that complained about registry corruption on startup. I attempted a last known good for recovery but it didn't work. Which makes sense because last known good works within the registry rather than replacing registry files. A system restore on the other hand replaces the registry files, unfortunately I couldn't get the system bootable to the point of performing a System Restore.

Here is how I replaced the registry files manually:
  1. Boot the computer from a bootable DVD such as WindowsPE or Ultimate Boot CD 4 Windows.
  2. Browse to C:\Windows\System32\Config and rename:
    • DEFAULT
    • SAM
    • SECURITY
    • SOFTWARE
    • SYSTEM
  3. Change security on C:\System Volume Information to allow Administrator access
  4. Browse to C:\System Volume Information\_restore{xxxxx}\RPxxx\Snapshot (choose the RPxxx folder based on time of creation)
  5. Copy the following files to C:\Windows\System32\Config and rename to match step 2.
    • _REGISTRY_USER_.DEFAULT
    • _REGISTRY_MACHINE_SAM
    • _REGISTRY_MACHINE_SECURITY
    • _REGISTRY_MACHINE_SOFTWARE
    • _REGISTRY_MACHINE_SYSTEM
  6. Reboot and good to go.
It's a pity I'm learning this as Windows XP is slipping out the door. However, this has only become relevant in the last few years when a lot of XP machines are starting to have registry corruption issues due to failing drives.

ImageX Gotchas

As of late, ImageX has been my imaging software of choice. Mostly because it is free and I already have it installed. I've been using it to move existing computers to a new drive when a hard drive starts to report errors.

To use ImageX, I attach the drive to my server by using an external USB case. Then run imagex /capture to gather data from the drive. Then I use imagex /apply to put the image down onto the new drive also attached via USB.

The first few times I did this, I was worried the MBR on the new disk would not be configured correctly, but no special preparation is required. Just format the disk ahead of time and mark the partition active.

System Restore Files Not Captured
The files used by System Restore are not captured by the default configuration of ImageX. I was moving to a new drive and then planning on repairing Windows XP. Not such a good plan. This forced me to manually copy system restore registry files from the old drive to the new drive by using a boot CD. However, despite the pain, the system started booting again.

System Restore files are stored in C:\System Volume Information. By default only System has permission to read that folder. To image the files, you may need to modify those permissions. You will definitely need to create a configuration file for ImageX to specify that the folder should be included in the image. Documentation on creating the configuration file is here: http://technet.microsoft.com/en-us/library/cc766147(WS.10).aspx

Don't Forget the Utility Partitions
The hard drive I was capturing data from yesterday had a utility partition installed by the manufacturer in addition to the operating system partition. However, I forgot all about the utility partition and only moved the operating system partition. Then the new drive would not boot.

To get the system bootable, I needed to edit the boot.ini file on the root of C: to point at the single existing partition. The original arc path was pointed at partition 2, I needed to point it at partition 1 as in the example below:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional" /fastdetect