Sunday, August 15, 2010

Restoring a Corrupted Registry Using a Linux Live CD

To run the following commands, you need either a boot CD that gives you read/write access to the Windows partition, or to move the drive into a working system and run the commands against the Windows partition from there. The Windows Recovery Console will not do: it denies read access to the "System Volume Information" folder, whose NTFS ACL grants access only to the SYSTEM account. A Linux live CD works because ntfs-3g does not enforce NTFS ACLs by default, which is also a reminder that those ACLs protect nothing against someone with physical access to the disk. Two caveats before you start: the layout below (WINDOWS\system32\config plus System Volume Information\_restore{GUID}\RPnn\snapshot) is Windows XP's; Vista and later keep restore points as Volume Shadow Copies and these paths do not exist there. And ntfs-3g refuses to mount a hibernated volume read/write, so the machine must have been shut down rather than hibernated.

First, back up the existing Registry hives. You can do this with the following commands from a GNU/Linux boot CD (the device could be /dev/hda1 instead of /dev/sda1 if using IDE drives; check with fdisk -l which partition holds Windows):

mkdir -p /windrive
ntfs-3g /dev/sda1 /windrive
mkdir -p /windrive/regbackup
cp -p /windrive/WINDOWS/system32/config/system /windrive/regbackup
cp -p /windrive/WINDOWS/system32/config/software /windrive/regbackup
cp -p /windrive/WINDOWS/system32/config/sam /windrive/regbackup
cp -p /windrive/WINDOWS/system32/config/security /windrive/regbackup
cp -p /windrive/WINDOWS/system32/config/default /windrive/regbackup
umount /windrive

Keep this backup. It is your way back if the restored hives turn out worse than the current ones, and if the corruption might be the result of malware or tampering rather than a disk error, these five files are the evidence you want preserved before you overwrite them.

Now, copy the Registry hives from a System Restore Point into the config directory. The restore points live in the "System Volume Information" directory, in a folder named _restore{GUID}. Inside it there is one RPnn folder per restore point (higher numbers are newer), and each one keeps the saved hives under snapshot/. Use "ls -l" to see the dates and pick a restore point that is recent but predates the corruption, typically one from a day or two before the trouble started. Take all five hives from the same snapshot so they stay consistent with one another. Here is an example (remember that GNU/Linux has Tab Completion, which helps with the long GUID folder name):

mkdir -p /windrive
ntfs-3g /dev/sda1 /windrive    (this could be /dev/hda1 if using IDE drives)
cd /windrive/System\ Volume\ Information
ls -l
cd _restore{2E926FD9-.......}
ls -l    (check the dates of the RPnn folders and pick one from a day or two before the problem started)
cd RPnn/snapshot    (replace nn with the number of the restore point you chose)
cp -p _REGISTRY_MACHINE_SYSTEM /windrive/WINDOWS/system32/config/system
cp -p _REGISTRY_MACHINE_SOFTWARE /windrive/WINDOWS/system32/config/software
cp -p _REGISTRY_MACHINE_SAM /windrive/WINDOWS/system32/config/sam
cp -p _REGISTRY_MACHINE_SECURITY /windrive/WINDOWS/system32/config/security
cp -p _REGISTRY_MACHINE_.DEFAULT /windrive/WINDOWS/system32/config/default
cd /
umount /windrive

When you restart the computer, Windows will boot with the restored Registry. Be aware of what that rolls back: the SAM and SECURITY hives hold the local account password hashes and LSA secrets, so any password changed after the restore point's date reverts to its old value, and software installed or settings changed since then are gone from the Registry (the files on disk are untouched). If the machine still does not boot, put the hives from /windrive/regbackup back the same way and try an older restore point.
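As an added example (not part of the original post), here is the whole procedure as one POSIX shell script. It backs up the live hives, picks the newest RPnn snapshot that actually contains all five hives (a half-written snapshot is skipped rather than mixed with another one), and copies them over. It assumes the Windows partition is already mounted, as with the ntfs-3g command above, at the directory passed as its argument. The --demo mode is also an assumption of this example: it builds a constructed fake directory tree under mktemp with a placeholder _restore{DEMO-GUID} folder so the selection logic can be seen without touching a real disk.

```shell
#!/bin/sh
# Added example for this post (not from the original): restore the five XP
# registry hives from the newest *complete* System Restore snapshot, keeping a
# backup of the live hives first. Assumes the Windows partition is already
# mounted (e.g. with ntfs-3g) at the directory passed as $1.

HIVES="system software sam security default"

# Snapshot file name for a hive, e.g. "sam" -> "_REGISTRY_MACHINE_SAM".
snapshot_name() {
  case "$1" in
    default) echo "_REGISTRY_MACHINE_.DEFAULT" ;;
    *)       echo "_REGISTRY_MACHINE_$(echo "$1" | tr '[:lower:]' '[:upper:]')" ;;
  esac
}

# Print the snapshot dir whose SYSTEM hive is newest, considering only
# snapshots that contain all five hives (an incomplete one would mix dates).
latest_snapshot() {
  root="$1"; best=""
  for snap in "$root/System Volume Information"/_restore*/RP*/snapshot; do
    [ -d "$snap" ] || continue
    complete=1
    for h in $HIVES; do
      [ -f "$snap/$(snapshot_name "$h")" ] || complete=0
    done
    [ "$complete" = 1 ] || continue
    if [ -z "$best" ] || [ "$snap/_REGISTRY_MACHINE_SYSTEM" -nt "$best/_REGISTRY_MACHINE_SYSTEM" ]; then
      best="$snap"
    fi
  done
  [ -n "$best" ] && printf '%s\n' "$best"
}

# Copy the live hives to a backup directory (your way back, and the evidence).
backup_hives() {
  root="$1"; dest="$2"
  mkdir -p "$dest" || return 1
  for h in $HIVES; do
    cp -p "$root/WINDOWS/system32/config/$h" "$dest/$h" || return 1
  done
}

# Overwrite the live hives with the ones from a single snapshot directory.
restore_hives() {
  root="$1"; snap="$2"
  for h in $HIVES; do
    cp -p "$snap/$(snapshot_name "$h")" "$root/WINDOWS/system32/config/$h" || return 1
  done
}

# Whole procedure: back up, choose, restore. Prints the snapshot that was used.
restore_from_latest() {
  root="$1"
  snap="$(latest_snapshot "$root")" || { echo "no complete restore point under $root" >&2; return 1; }
  backup_hives "$root" "$root/regbackup" || return 1
  restore_hives "$root" "$snap" || return 1
  printf '%s\n' "$snap"
}

# Constructed demo tree (not a real disk): three restore points; RP3 is the
# newest but is missing its SAM hive, so RP2 is the one that should be chosen.
make_demo_tree() {
  root="$(mktemp -d)"
  mkdir -p "$root/WINDOWS/system32/config"
  for h in $HIVES; do printf 'live-%s\n' "$h" > "$root/WINDOWS/system32/config/$h"; done
  rp="$root/System Volume Information/_restore{DEMO-GUID}"
  for n in 1 2 3; do
    mkdir -p "$rp/RP$n/snapshot"
    for h in $HIVES; do
      if [ "$n" = 3 ] && [ "$h" = sam ]; then continue; fi
      printf 'rp%s-%s\n' "$n" "$h" > "$rp/RP$n/snapshot/$(snapshot_name "$h")"
    done
    # Give each snapshot a distinct mtime: RP1 < RP2 < RP3.
    touch -t "20100801120$n" "$rp/RP$n/snapshot"/_REGISTRY_MACHINE_*
  done
  printf '%s\n' "$root"
}

case "${1:-}" in
  --demo) demo="$(make_demo_tree)"; restore_from_latest "$demo"
          cat "$demo/WINDOWS/system32/config/sam"; rm -rf "$demo" ;;
  "")     ;;                        # no argument: only define the functions
  *)      restore_from_latest "$1" ;;
esac
```

Run it as "sh restore-hives.sh /windrive" after mounting, or "sh restore-hives.sh --demo" to watch it pick RP2 over the newer but incomplete RP3. The completeness check is the point of the script: copying a SAM from one restore point and a SYSTEM from another is exactly the inconsistency the manual steps above warn against.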