Where is the registry stored in X64?


Recommended Posts

A virus snuck its way onto my system. I have removed it, but would like to revert the registry back to before the virus, just in case it messed with my Windows security settings.

I ran System Restore, but of course that didn't work (it never seems to work after a virus), so I did what one normally does for Windows XP:

I copied the sam, system, security, default, and software files into the C:\windows\system32\config folder using NTFS DOS. This always works in Windows XP, but it doesn't work in XP 64-bit: when I boot the system back up, all the settings are current. Not only that, I am copying the hive files from before I installed one of my games, but after copying over the files and rebooting, the game's registry entries are still in the registry. x64 has another registry backup; does anyone know where it is?

These are the things I have tried, but nothing reverts the registry settings back to before I got the virus:

1) Totally emptied C:\windows\system32\config and only copied over the 5 main registry files. I even deleted the systemprofile directory.

2) Deleted the snapshot registry files out of the subsequent RP664, RP665, RP666, RP667, etc. (I thought x64 may be re-loading the latest registry entries from those snapshot locations.)

3) Also replaced the _REGISTRY_USER_NTUSER.... files in the correct location (the user profile directory), as well as the _REGISTRY_USER_USRCLASS.... files in the correct location, and of course renamed them.

As soon as I reboot the computer, it has the latest registry settings; it doesn't go back in time. Does anyone know where x64 has a secondary set of hidden registry files, or how x64 keeps on knowing what the latest settings were?

Thank you

Angie


(2 weeks later...)

Hi,

If it helps, these are the files and locations your registry is made up of:

C:\Boot\BCD

C:\Users\FredBloggs\AppData\Local\Microsoft\Windows\UsrClass.dat

C:\Users\FredBloggs\ntuser.dat

C:\Windows\ServiceProfiles\LocalService\ntuser.dat

C:\Windows\ServiceProfiles\NetworkService\ntuser.dat

C:\Windows\System32\config\components

C:\Windows\System32\config\default

C:\Windows\System32\config\sam

C:\Windows\System32\config\security

C:\Windows\System32\config\software

C:\Windows\System32\config\system

Regards,

ps. This is for Vista - sorry.....


Try The Windows File Inspector/ System File Checker Just In Case Other Files Are Missing!

Run SFC /Scannow

Repairing This Problem In Any Other Way Would Be Tedious And Will Affect Performance In The Future. I Suggest A Complete Re-Install!

Look For Registry Backups Created By Common Cleaning Tools!


Thank you FishMan for the detailed file list. In XP x64 I do not have a C:\boot folder and there is no components file. The rest of the files on the list I believe I reverted from the snapshot folder.

Vista does not have a snapshot folder, and Microsoft set up the restore feature in such a way that it can no longer be restored manually. Thus you have to trust Microsoft's restore feature to work, and since it has never worked for me in Vista (after a computer has been infected or the registry corrupted, it always comes back saying the computer can not be restored to .......), from what I have seen Vista is near impossible to repair once you get the blue screen (or the continual reboot, if automatic restart is on). I did get one Vista machine working using the repair option after booting from a Vista CD.

I will try again to go back to make sure I restored the ntuser.dat files to the correct location. If there are no other registry files, that is the only explanation.

As for alrichdesa's reply, the question didn't have anything to do with the integrity of Windows files, and the generic answer "re-install Windows" is for the novice technician who doesn't know how Windows works. I typically repair XP computers in half the time it takes to reload Windows, reload the client's applications, set up their e-mail (depending on the client), backup/restore their data, satisfy all their icon specifications, etc., and the systems leave stable and virus free.

The point about cleaning tools is a good guess, but I don't happen to have any cleaning tools on my computer; I clean everything manually in DOS or Windows Explorer, and avoid utility software.

If anyone knows whether or not XP x64 has a different registry setup than Windows XP, please let us know. Thank you.


(2 weeks later...)

:/ Possibly too late to help, but for future readers: in XP x64 there is a folder called

c:\windows\SysWOW64

Think of it like system32, but they store 64-bit library files there, and also the other half of the system hive (ignoring the user hives, which are stored in %username%).
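FishMan's file list and the SysWOW64 suggestion above both try to answer "which files is the registry loaded from?" On any NT-based Windows, including XP x64, the system itself records that answer at boot in HKLM\SYSTEM\CurrentControlSet\Control\hivelist: one value per loaded hive, holding the native path of its backing file. The script below is an added example, not code from this thread or from any poster; it reads hivelist, turns the native paths into drive-letter paths, and reports whether each file exists and when it was last written. That is the check to run after a manual hive swap to confirm that the files Windows actually loaded are the ones you copied in. It assumes PowerShell 2.0 or later (for Add-Type) and an elevated console; the function names are my own. Note also that on 64-bit Windows the keys of 32-bit applications are redirected to a WOW6432Node subkey inside the same software hive, so they have no separate file; hivelist will show that directly.

```powershell
# Added example (not from the thread): list the hives Windows loaded at boot
# by reading HKLM\SYSTEM\CurrentControlSet\Control\hivelist, resolve each
# backing file and report whether it exists and when it was last written.
# Assumes PowerShell 2.0+ (Add-Type) and an elevated console.

Add-Type -Namespace Win32 -Name DosDevice -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName,
    System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

function Get-DeviceToDriveMap {
    # Build a table such as @{ '\Device\HarddiskVolume1' = 'C:' } so that the
    # kernel-style paths stored in hivelist can be turned into file paths.
    $map = @{}
    foreach ($code in 65..90) {                      # 'A'..'Z'
        $drive = "$([char]$code):"
        $sb = New-Object System.Text.StringBuilder 1024
        if ([Win32.DosDevice]::QueryDosDevice($drive, $sb, $sb.Capacity) -gt 0) {
            $map[$sb.ToString()] = $drive
        }
    }
    return $map
}

function Resolve-HivePath([string]$nativePath, [hashtable]$deviceMap) {
    # hivelist stores NT object-manager paths: "\??\C:\...\ntuser.dat" for
    # user hives and "\Device\HarddiskVolumeN\WINDOWS\..." for system hives.
    if ($nativePath -match '^\\\?\?\\(.+)$') { return $matches[1] }
    foreach ($device in $deviceMap.Keys) {
        if ($nativePath.StartsWith($device + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $deviceMap[$device] + $nativePath.Substring($device.Length)
        }
    }
    return $nativePath   # unresolved: hand the raw path back to the reader
}

function Get-LoadedHives {
    $deviceMap = Get-DeviceToDriveMap
    $key = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    foreach ($name in $key.GetValueNames()) {
        $native = $key.GetValue($name)
        # Volatile hives such as \REGISTRY\MACHINE\HARDWARE have no file.
        if ([string]::IsNullOrEmpty($native)) { continue }
        $path = Resolve-HivePath $native $deviceMap
        # -Force is needed because hive files are normally hidden.
        $exists = Test-Path -LiteralPath $path
        $lastWrite = $null
        if ($exists) { $lastWrite = (Get-Item -LiteralPath $path -Force).LastWriteTime }
        New-Object PSObject -Property @{
            Hive      = $name
            File      = $path
            Exists    = $exists
            LastWrite = $lastWrite
        }
    }
}

# Usage: run elevated; every hive whose File is outside the locations you
# restored is one you have not touched.
Get-LoadedHives | Sort-Object Hive | Format-Table Hive, File, Exists, LastWrite -AutoSize
```

The output is only meaningful on the booted system being examined, since hivelist is itself written into the system hive at each boot; a hive restored offline and then loaded will show its new last-write time once the system has started and flushed it, which is the quickest way to tell whether a manual swap took effect.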


No, it isn't too late, and thank you for the input.

I was suspicious of the SysWOW64 folder, but there was only one file with a modified date of this year, windrvNT.sys (1/29/2009), and one folder with a modified date of this year, phpED. The phpED folder only has a config folder inside it, and the config folder is empty. So that seemed to lead to a dead end.

If you have any other suggestions, please let me know. So far everything is pointing to the fact that I incorrectly restored the user hive files.

Thank you
