Manual System Restore

This is a neat trick that most people who deal with broken XP PCs a lot will probably know in a variation.  Standard disclaimer though, I will not be held responsible for any damage caused by anybody attempting to follow these instructions.  You do so completely at your own risk!

Sometimes a machine will get a corrupt registry and will not boot no matter what you do.  Safe Mode, Last Known Configuration, whatever you select from the startup screen will not work.

You have two options:

  1. Perform a “Repair Install” by booting from the XP CD
  2. Perform a manual system restore of the registry

The first thing to do is run the usual hardware tests.  There’s no point trying to fix windows if you have bad RAM.  If the hard disk drive is suspect, grab an image of it pronto.  Trying to repair windows with a failing hard disk drive will create a mess, real quick.

Anyway, let's look at how to perform option 2.

For some reason known only to them, Microsoft by default denied access to the “System Volume Information” folder from the recovery console.  This is the folder you will need to access to get at the saved system restore points.  I think it’s for this reason that most folks will do something similar to these instructions but instead they will use the registry from c:\windows\repair.  This is totally missing the point of performing the procedure in my opinion.  The registry will be totally mismatched to the software that has been installed.  What you are doing is putting the registry back to how it was when windows was first installed.  Why not just put the registry back a couple of days?

So, to do it properly, you need to use a trusty boot CD.  My weapon of choice is BartPE.  I start a BartPE live CD, open a command prompt and then do these steps:

If you can’t get a mental picture of what you are doing by reading the following steps, you should probably stop now.  If something is different about your configuration you need to be able to think for yourself rather than blindly typing in commands.  You have been warned!

  1. c:
  2. cd \windows\system32\config
  3. mkdir oldreg
  4. move sam oldreg
  5. move security oldreg
  6. move software oldreg
  7. move default oldreg
  8. move system oldreg
  9. cd "\System Volume Information"
  10. dir
  11. dir /a:h (If you have two different _restore{… folders, type the full name of the latter one in step 12 rather than _rest*)
  12. cd _rest*
  13. dir /a:h

Now you need to look at the restore points.  Each restore point has its own RPxxx folder.  Look at the dates on the right and select a restore point that's before the troubles began.  Unless there's a good reason otherwise, I usually go back at least an extra day from when the problem supposedly appeared.

Now,

  1. Change directory into the restore point, i.e. cd RP056
  2. cd snapshot
  3. copy _REGISTRY_MACHINE* \windows\system32\config
  4. copy _REGISTRY_USER_.DEFAULT \windows\system32\config
  5. cd \windows\system32\config
  6. ren _REGISTRY_MACHINE_SAM SAM
  7. ren _REGISTRY_MACHINE_SECURITY SECURITY
  8. ren _REGISTRY_MACHINE_SOFTWARE SOFTWARE
  9. ren _REGISTRY_MACHINE_SYSTEM SYSTEM
  10. ren _REGISTRY_USER_.DEFAULT DEFAULT

That’s it.  The registry has been restored to an earlier point.  I give the machine a moment to flush any disk writes and then reboot, usually to a working system. 
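The two command lists above are one procedure: park the live hives, pick a restore point by date, copy the snapshot hives in and rename them.  Below is an added Python example (not from the original post, and not something you would run from the BartPE prompt itself) that does the same job against a volume mounted at some path, so you can see the selection rule and the rename table in one place.  The hive-name table and the "go back an extra day" margin come from the post; the function names, the dry-run option, the check that a snapshot actually contains all five hives, and the constructed sample volume are this example's own assumptions.

```python
"""Automate the manual XP registry restore described above.

Added example, not the original post's commands.  Steps mirrored:
  1. move the live hives into config\\oldreg
  2. choose an RPxxx folder dated at least one day before the trouble
  3. copy the _REGISTRY_* files from RPxxx\\snapshot and rename them
"""
import os
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# snapshot file name -> live hive name, as in the post's rename steps
HIVE_MAP = {
    "_REGISTRY_MACHINE_SAM": "SAM",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
    "_REGISTRY_MACHINE_SOFTWARE": "SOFTWARE",
    "_REGISTRY_MACHINE_SYSTEM": "SYSTEM",
    "_REGISTRY_USER_.DEFAULT": "DEFAULT",
}


def list_restore_points(volume: Path):
    """(date, RP folder) pairs from every _restore* folder, newest first."""
    svi = volume / "System Volume Information"
    points = []
    for restore_dir in svi.glob("_restore*"):
        for rp in restore_dir.glob("RP*"):
            if (rp / "snapshot").is_dir():
                points.append((datetime.fromtimestamp(rp.stat().st_mtime), rp))
    return sorted(points, key=lambda p: p[0], reverse=True)


def choose_restore_point(points, trouble_started: datetime, margin_days: int = 1):
    """Newest restore point at least margin_days before the trouble began whose
    snapshot holds all five hives the procedure needs; None if there is none."""
    cutoff = trouble_started - timedelta(days=margin_days)
    for when, rp in points:
        complete = all((rp / "snapshot" / f).is_file() for f in HIVE_MAP)
        if when <= cutoff and complete:
            return rp
    return None


def swap_hives(volume: Path, rp: Path, dry_run: bool = True):
    """Plan (and unless dry_run, perform) the move-aside and copy-in steps.
    Returns the list of (op, src, dst) actions; the live hive names are matched
    case-insensitively because XP may store them in either case."""
    config = volume / "windows" / "system32" / "config"
    oldreg = config / "oldreg"
    live = {p.name.lower(): p for p in config.iterdir() if p.is_file()}
    actions = []
    for snap_name, hive in HIVE_MAP.items():
        current = live.get(hive.lower())
        if current is not None:
            actions.append(("move", current, oldreg / current.name))
        actions.append(("copy", rp / "snapshot" / snap_name, config / hive))
    if not dry_run:
        oldreg.mkdir(exist_ok=True)
        for op, src, dst in actions:
            if op == "move":
                shutil.move(str(src), str(dst))
            else:
                shutil.copy2(src, dst)  # copy + rename in one step
    return actions


def build_sample_volume(root: Path, now: datetime) -> Path:
    """Constructed XP-like volume for offline testing (contents are not real hives)."""
    config = root / "windows" / "system32" / "config"
    config.mkdir(parents=True)
    for name in ("sam", "security", "software", "default", "system"):
        (config / name).write_bytes(b"LIVE-" + name.encode())
    restore = root / "System Volume Information" / "_restore{SAMPLE-GUID}"
    # (age in days, RP name, hives present); RP055 is deliberately missing SYSTEM
    plan = [(5, "RP050", list(HIVE_MAP)),
            (2, "RP055", [h for h in HIVE_MAP if h != "_REGISTRY_MACHINE_SYSTEM"]),
            (0.5, "RP057", list(HIVE_MAP))]
    for age, name, hives in plan:
        snap = restore / name / "snapshot"
        snap.mkdir(parents=True)
        for h in hives:
            (snap / h).write_bytes(b"SNAP-" + name.encode())
        ts = (now - timedelta(days=age)).timestamp()
        os.utime(restore / name, (ts, ts))  # set after the files exist so it sticks
    return root


def demo():
    """Run the whole procedure on the constructed tree and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        now = datetime.now()
        volume = build_sample_volume(Path(tmp), now)
        rp = choose_restore_point(list_restore_points(volume), now)
        planned = swap_hives(volume, rp, dry_run=True)
        swap_hives(volume, rp, dry_run=False)
        config = volume / "windows" / "system32" / "config"
        return {
            "chosen": rp.name,
            "planned": len(planned),
            "sam_after": (config / "SAM").read_bytes().decode(),
            "oldreg": sorted(p.name for p in (config / "oldreg").iterdir()),
        }


if __name__ == "__main__":
    print(demo())
```

In the constructed volume, RP057 is too recent (inside the one-day margin) and RP055 is skipped because its snapshot lacks a SYSTEM hive, so RP050 is chosen; the dry run lists ten actions (five moves, five copies) before anything is touched, which is the point at which you would stop and check the plan against a real machine.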

Some people prefer to just perform a repair installation anyway.  There are several problems with this.  If the registry is knackered you will not get a working system.  You also will need to re-download all windows updates again.  Some software will require reinstallation.

I prefer to try this method first; if it doesn't work or there are problems afterwards, I will look at what the cause is, and only then, once I'm happy that there's nothing physically wrong, will I do a repair installation.

There are a couple of other things you can do at the same time, in addition to or instead of the above.  Firstly, you can remove any new drivers from c:\windows\system32\drivers – if you suspect that a rogue driver is causing a problem.  This should really be a last resort though as removing certain drivers will stop the system booting anyway.  You can also recover from a corrupt user profile by copying the _REGISTRY_USER_NTUSER_S… file into c:\documents and settings\[user name]\, renaming ntuser.dat to ntuser.old and then renaming the copied file to ntuser.dat.  You’ll have to figure out which file to copy.  If it’s a single user system then it’ll be easy – the one that’s several MB rather than any of the small ones.

Have fun, but be careful - if you don’t think about what you are doing you can cause more damage than good.