Windows 10 recovery from damaged registry hive files (2023)

04 Apr 2021 - tsp
Last update 04 Apr 2021
9 mins

Disclaimer: The steps described in this article do not reflect how Microsofthas thought on should use their operating system. You should make a backup - really.One usually does such stuff only in case the alternative would be total loss of thegiven machine or in case on wants to play around a little. So as usual: Make backups.And if you haven’t had some up until now learn your lesson. And in the best casejust switch to a more user friendly and robust system such as FreeBSDor Linux.

Disclaimer 2: This article might be loaded with a decent amount of sarcasm since itemerged late at night after many hours of getting a single machine back up runningby an author that already had a somewhat negative bias towards this operating system.

What’s this article about?

So we all know this situation - you have a Windows machine that makes troubles - again.And as usual there is no easy way to recover from an error so the usual suggestionis just reinstall it or move back to a system restore point. But what specificproblem is this blog post about?

In case you have a damaged registry hive file (in my case it has been the SOFTWAREhive) the machine might crash during boot just raising an BAD_SYSTEM_CONFIG_INFOerror. This is in many cases caused by a damaged hive file in the systemconfiguration contained in \Windows\system32\config\. Currently there are

• COMPONENTS (HKEY_LOCAL_MACHINE\COMPONENTS)
• DEFAULT (HKEY_USERS\.DEFAULT)
• DRIVERS
• ELAM
• SAM (HKEY_LOCAL_MACHINE\SAM)
• SECURITY (HKEY_LOCAL_MACHINE\SECURITY)
• SOFTWARE (HKEY_LOCAL_MACHINE\SOFTWARE)
• SYSTEM (HKEY_LOCAL_MACHINE\SYSTEM)
• Different NTUSER.dat files (HKEY_USERS sub hierarchies)

These correspond to the different registry subkeys as mentions above. Back in thedays up to early Windows 10 versions Windows made a periodic backup of the registryinto the RegBack folder to allow easy recovery - I have to say I wouldn’t reallycall this recovery since copying an old version might lead to data loss but it wasan easy solution - from such errors. This has been disabled to reduce the disk footprintof Windows even morebut can be re-enabled by setting a registry key at HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager\EnablePeriodicBackupto DWORD:1 anyways but as usual you discover such changes when it’s toolate. The currently encouraged method to restore the system is to use a system restorepoint and roll back the configuration of the machine to a previous known state.Unfortunately there was no such point present on the machine I had the problemon. Also utilities such as dism do not work when they’re unable to gainaccess to the registry.

So I had to use another approach:

• Boot from a recovery disk
• Copy the hive file to another machine
• Use a forensic tool to dump all readable content of the hive file (as it turnedout there was nothing unreadable) into a reg file
• Copy that dump back to the damaged machine
• Create an empty hive file using a simple hack
• Import the reg file from within the Windows RE environment

Just took about a day to get to this solution - on any other decent operatingsystem one could’ve just copied a set of the base executable over the existingsystem and continue running in a few minutes or rewrite the few damaged configurationfiles - but not so for windows, but that’s what one’s used to on user friendly windows.

How to gain access

First one has to gain access to the current machine. Since there is no way to getsomething like a boot loader prompt or a shell in case the system configuration storeisn’t readable one has to use the installation medium. Since this is not shippedcurrently on has to download the Windows 10 ISO,burn it on a double layer DVD and finally boot from this disk.

Then one can simply select computer repair options on the installation menu andis ready to go. It’s a good idea to let auto repair try to repair the currentWindows installation though since sometimes there are some really basic problemslike a damaged BCD or some invalid references inside the boot configuration - ora simple chkdsk that’s required to get the system up and running.

If nothing works it’s a good idea to first try the usual sfc and dismcommands that one knows might help (adjust the c: - which is my bootpartition - and d: - which is my system partition - paths according toyour system):

sfc /offbootdir=c:\ /offwindir=d:\ /scannow

One might also try to fix the MBR, the bootsector and the BCD. In this case Iassume that the EFI partition has been assigned the drive letter F by usingthe usual diskpart commands (list vol, sel vol N, assign letter=F)

bootrec /fixmbrbootrec /fixbootbootrec /scanosbcdboot d:\windows /f ALL /s F:

Now one might also use dism to restore system files. This utility usuallyshould be used with active internet connectivity since it tries to fetch componentsfrom the windows update site. One might also add a different source but that’sway more cumbersome than simply specifying the path of the installation disk (oneusually has to have a wim or esd file such as the one contained oncustom created recovery disks - if one has done this instead of using a genericinstallation medium one can supply the location using the /Source:x:\sources\install.wimparameter). I personally don’t know how to get a wim file at a later stagefor a system one hasn’t built a recovery disk for.

dism /Image:d:\ /Cleanup-Image /CheckHealth /ScratchDir:d:\scratch\dism /Image:d:\ /Cleanup-Image /ScanHealth /ScratchDir:d:\scratch\dism /Image:d:\ /Cleanup-Image /RestoreHealth /ScratchDir:d:\scratch\

So that’s all pretty well known and basic stuff - now what’s this blog post about?Basically it might happen that dism fails with an error 1009 and complaininside it’s log that a registry hive could not be loaded. It’s a good idea to verifythis by trying to import the hive file inside regedit - simply selectyour HKEY_LOCAL_MACHINE node and then execute the Load structurecommand selecting the specific file inside \Windows\system32\config\ andspecifying any name such as TEST. If it gets loaded correctly your problemis a different one. In case the load fails it’s exactly what this short articleis about.

First try to restore a periodic backup

In any case - first check if the RegBack folder only contains 0 byte files.If this is the case you’ve got bad luck. In case files are actually present, havea size larger than zero and are somewhat recent it’s a good idea to simply tryto copy them into the config parent folder and try a reboot. Many times thissolves the problem.

Extracting hive content

In any other case the next step is to get the files of the machine. I personallyused the ftp tool to do this. First one has to disable the firewall:

wpeutil DisableFirewall

Then one can launch ftp

open 192.0.2.1binaryput SOFTWAREquit

This allowed me to upload the current hive file onto a different (FreeBSD)machine.

To extract hive content I used some forensic tools - in this case the RegRipper.On FreeBSD it’s available in the security/regripper package and easilyinstallable using pkg install regripper. This suite is a collection oftools that’s usually used during forensic investigations on Windows machines - itallows to search for information inside copied hive files, allows one to dumpinformation and pretty efficiently look for specific data. Basically all I didwas to use regexport.pl ~/SOFTWARE -r to dump the information fromthe hive into the ASCII registry format.

regexport.pl ~/SOFTWARE -r > software.reg

If everything works out this should provide a pretty complete dump of the registrycontent of the given hive - in my case of HKEY_LOCAL_MACHINE\Software.

Re-importing

The next step is re-importing. Again I used the ftp utility to copy databack onto the windows machine

open 192.0.2.1get software.regquit

The last step was to import the data back into the local registry. Since directaccess is not possible and the hive file is still inaccessible I just copiedthe SOFTWARE hive from the Windows RE environment

copy x:\windows\system32\config\SOFTWARE d:\windows\system32\config\

Then I started regedit and added this as substructure into HKEY_LOCAL_MACHINEdirectly under the Software2 key. Now I deleted all child keys containedinside this substructure. The last step before importing was to edit theASCII dump software.reg and replace all HKEY_LOCAL_MACHINE\Softwareoccurrences with HKEY_LOCAL_MACHINE\Software2. Then I simply ran theimport function from regedit to load the dump again.

After that a final reboot turned out to work somewhat - after the known hourslong black boot screen period that chkdsk triggered anyways (another one ofthe really user friendly status message hiding features since it seems to be waymore intuitive to stare on a black screen for multiple hours than to actually see amessage about the current progress of any error checking and recovery operation …).At least tools like dism now worked as before.

Note: Note that of course this removes any security information attached tothe registry keys.

As it turned out the system required another run of

dism /Image:d: /Cleanup-image /RestoreHealth /ScratchDir:d:\scratch\

Which now leads to the end of this blog article but not to the end of the recoveryof the machine (since DISM now complained with the well known 0x800f081f).Just to note that again: Life is really way easier with a solid and well designedUnixoid operating system such as FreeBSD,Linux, Solarisor even Android …

This article is tagged:

• Computer
• Windows
• Administration