
Restoring the registry


jassenna


  In the topic:
  "Access registry by moving system drive to another computer"
  Jaclaz said:
   >There are several ways (to edit an offline registry manually)

 Would you please point some to me ?

  My story:
 I reinstalled 64 bit Windows 7 in a computer.
 The installer kept a copy of the old system
 in a file named Windows.old in the HD.
 I would like to copy many of the old
 registry settings to the new installation,
 but don't know how to do it.
 If I open the registry with the old regedit,
 it opens the new registry , not the old.
  

Link to comment
Share on other sites


There are basically two ways to access an "external" Registry "backing file".

#1 is mounting the file as a (temporary) hive in the "current" Registry (this can be done with the "normal" Regedit), for an example look here:

https://4sysops.com/archives/regedit-as-offline-registry-editor/


#2 using an "offline" Registry editor such as:

http://reboot.pro/index.php?showtopic=11312

For what you want to do the "normal" #1 way is "better", but it is what you want to do that is extremely complex and that is difficult or impossible with *any* method, as it would imply hundreds or thousands of settings, many of which may be contrasting with your current Registry.

In theory you could load one of the old windows Registry backing file as a temporary hive, select and export the relevant keys to .reg file, manually edit the .reg file (to change the temporary hive name to the "real" one) and import the .reg file in the "current" Registry, but as said likely we are talking of hundreds of small .reg files and a mistake may always happen.

Besides, the .reg file does not "carry" some metadata (authorizations) so that when you import them the authorizations may be incorrect for some particular keys.

jaclaz

Link to comment
Share on other sites
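The .reg editing step described in the post above (changing the temporary hive name to the "real" one), as an added example that is not part of the original thread. It rewrites only key header lines, leaves value data untouched, and lists autorun (Run/RunOnce) headers for review before import; the mount name OLD_SOFT, the function names and the sample text are assumptions made for the example.

```python
# Added example: retarget an exported .reg file from a temporary hive name to
# the live hive. OLD_SOFT/SOFTWARE defaults and SAMPLE are constructed values.
ROOT = "HKEY_LOCAL_MACHINE"
AUTORUN_SUFFIXES = ("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNONCE")

def retarget_header(line, temp_name, real_name):
    """Rewrite one key header line; return any other line unchanged."""
    s = line.rstrip()
    if not (s.startswith("[") and s.endswith("]")):
        return line                      # value data, blank line or file header
    minus = "-" if s.startswith("[-") else ""     # [-KEY] means "delete this key"
    parts = s[1 + len(minus):-1].split("\\")
    if (len(parts) >= 2 and parts[0].upper() == ROOT
            and parts[1].upper() == temp_name.upper()):
        parts[1] = real_name             # swap only the hive mount name
        return "[" + minus + "\\".join(parts) + "]"
    return line

def retarget_reg(text, temp_name="OLD_SOFT", real_name="SOFTWARE"):
    """Return (rewritten_text, autorun_headers_to_review)."""
    out, review = [], []
    for line in text.replace("\r\n", "\n").split("\n"):
        new = retarget_header(line, temp_name, real_name)
        if new.startswith("[") and new.upper().rstrip("]").endswith(AUTORUN_SUFFIXES):
            review.append(new)           # entries here start programs at logon
        out.append(new)
    return "\r\n".join(out), review

def retarget_file(src, dst, **names):
    # Version 5.00 exports from regedit/reg.exe are UTF-16 with a byte-order mark.
    with open(src, encoding="utf-16", newline="") as f:
        text, review = retarget_reg(f.read(), **names)
    with open(dst, "w", encoding="utf-16", newline="") as f:
        f.write(text)
    return review

SAMPLE = "\r\n".join([   # constructed sample, not taken from the thread
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\OLD_SOFT\ExampleVendor\App]",
    r'"InstallDir"="C:\\OLD_SOFT\\App"',
    r'"Note"="[HKEY_LOCAL_MACHINE\\OLD_SOFT] appears in data"', "",
    r"[HKEY_LOCAL_MACHINE\OLD_SOFT\Microsoft\Windows\CurrentVersion\Run]",
    r'"ExampleTray"="C:\\Program Files\\Example\\tray.exe"', ""])

if __name__ == "__main__":
    text, review = retarget_reg(SAMPLE)
    print(text)
    print("Review before import:", review)
```

The rewritten file still carries no owner or permission information, so keys created by importing it get whatever permissions the import assigns.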

  I tried the option #1 and things did not happen as expected.
  I opened the current registry with regedit and expanded HKLM.
 then I tried to open the old registry software hive
 C:\Windows.old\Windows\System32\config\SOFTWARE
 using  regedit, but it failed to open, saying SOFTWARE was
 not a register file.
  I returned to the first regedit window and tried to import
 the old SOFTWARE hive under HKLM. This worked, and regedit
 gave the new hive the name BCD000000. I checked it was the
 old SOFTWARE hive and edited its keys as I wanted.
  I selected the BCD000000 hive and clicked "Load hive", then
 selected the current SOFTWARE hive and clicked "Unload hive".
  regedit warned the BCD00000 hive would completely replace
 the current SOFTWARE hive, which was not what I wanted - I
 thought it would add the new keys to the existing hive - so
 I canceled the operation. I tried to delete BCD000000.
 regedit would not do it. So, I exited regedit and rebooted.
  The computer would not reboot. I had to boot from  the
 installation DVD and start "Repair the computer". When the
 repair was finished, the computer booted normally.
  I opened again the current registry and found BCD000000
 was still there, but contained only two keys that could not
 be deleted.
  I tried again importing the old SOFTWARE hive to BCD00000,
 which worked. This time, I edited its keys so it could (I
 think) replace the current SOFTWARE hive. I tried again
 the load hive/unload hive. regedit would not perform the
 unload.
  I had again to reboot from DVD and repair and the registry
 has now a hive named BCD00000 under HKLM that cannot be
 deleted and none of the keys I wanted to add to the SOFTWARE
 hive.
  Can I at least return the registry to its state before the
 editing attempt ?

Link to comment
Share on other sites

No.

There is something that you are doing "wrong".

The BCD00000 is a key where the BCD is mounted, you shouldn't touch it.

When you select to load a hive, a dialog will (should) prompt you to give to the  key a new name (possibly a distinctive one, like "my_software").

See if this video helps:

jaclaz

Link to comment
Share on other sites

That was the first thing I tried, clicking "Load hive" in the regedit menu, but no dialog box appeared and no "hives" folder.

BCD000000 did exist in current HKLM before I imported a hive from the old installation? I did not notice it.

 

Link to comment
Share on other sites

No, for the "current installation", the BCD000000 exists in *any* Windows Registry since Vista and it is actually a mount point for the BCD (Boot Configuration Data) that your BOOTMGR (or BOOTMGR:EFI) uses when booting, either /boot/BCD or /EFI/Microsoft/Boot/BCD.

Though the Registry does not really "exist", it is assembled automatically at boot time mounting in a structure the relevant "backing files", these are in various places on your disk and are "put together" for convenience, typically:

%windir%\System32\config\SYSTEM --> HKEY_LOCAL_MACHINE\SYSTEM

%windir%\System32\config\SOFTWARE --> HKEY_LOCAL_MACHINE\SOFTWARE

%windir%\System32\config\DEFAULT --> HKEY_USERS\.Default

%UserProfile%\NTUSER.DAT --> HKEY_CURRENT_USER

About loading an offline hive, let's recap.

Open the registry editor.

Select the HKLM (HKEY_LOCAL_MACHINE), then click on File -> Load Hive, then in the dialog navigate/select the (offline) hive you want to load, and finally you are asked for a new (temporary) name to give to the loaded hive.

In the above video, the "hives" folder is only a folder that was made on the desktop to store (a copy of) the offline hive(s)/registry backing file(s).

jaclaz

Link to comment
Share on other sites

Well, as I said, when I tried some days ago, no dialog box did appear, but today it did.

I loaded the old SOFTWARE hive with the name OLD_SOFT and it appeared in the registry. I could edit it without clicking "Edit hive".

Now, a confirmation (or not) that I understood the method:

If I select the OLD_SOFT hive, click "Load hive", then select the SOFTWARE hive and click "Unload hive", the OLD_SOFT will replace the SOFTWARE hive? I noticed that some keys in SOFTWARE cannot be deleted.

If one hive replaces the other, wouldn't these keys cause problems as when I imported the old SOFTWARE hive over the BCD000000 hive?

 

Link to comment
Share on other sites

Not exactly.

When you ask to load a hive you first choose which hive (actually the hive backing file) you want to load and you assign to it a "new" name.

As an example, you have a SOFTWARE file coming from your old install, you make a copy of it and place it in a folder called old_install on your C:\ drive.

So the file you want to load is C:\old_install\SOFTWARE.

When you load it in the registry you first select that file (C:\old_install\SOFTWARE) and then you assign to it a new name, let's say OLD_SOFT.

The name is a sort of alias, similar to mount point for the hive (actually the hive backing file), so when you unload it the changes you made to the hive "OLD_SOFT" will be committed to the backing file that is still C:\old_install\SOFTWARE.

Your loaded hive MUST be a NEW name directly in HKLM and it MUST be unloaded once you have done your edits, before closing the Regedit and/or rebooting, the Registry itself, in this way won't be modified, only the loaded and unloaded hive will be.

Some keys may have Owner and/or Authorization that you (as Administrator) do not have access to.

The Registry is a structure in many aspects very similar to the NTFS, and each key may have particular Owner(s) and Permission(s) attached, they can usually be changed but it is tricky business.

Then you need a second instance of the OS (or a PE or a Live Linux) capable of replacing the "current" SOFTWARE hive (the one in %windir%\System32\config\SOFTWARE, of which you MUST have a backup copy, made from the same second instance or PE, etc.) with the edited one (the one in C:\old_install\SOFTWARE).

At next boot the Registry will be assembled using the edited %windir%\System32\config\SOFTWARE.

Whether it will actually boot without errors will of course depend on the edits you made, even a teeny-tiny mistake in them may prevent the OS to boot fully and/or without errors, in which case you need to boot to the "other" OS and restore the backup of the SOFTWARE and start again.

jaclaz

 

 

Edited by jaclaz
Link to comment
Share on other sites

I saw that the changes made to OLD_SOFT had been saved to the SOFTWARE hive in the backup directory when I unloaded the hive.

I was unable to substitute it for the SOFTWARE hive in the current using the load hive/unload hive commands.

However, I used import command and it worked. The backup SOFTWARE hive replaced the current SOFTWARE hive.

When I rebooted, things were ok until the opening screen. Then I could not log on to any user account, but I could log on in safe mode, and the user profiles seemed OK.

After more attempts, I ran Windows from the DVD and it worked. The problem was caused by Windows trying to auto run in the background some programs I did not keep from the old installation. Then I scanned the hive and deleted every key associated with those programs (some 20 keys, in quite unexpected places). Now, Windows boots normally and the software settings I had in the old installation are restored.

I thank you for the patience.

A funny thing I noticed: There was one key that neither regedit nor reg could open nor delete, because the process that created it put a space inside its name. If I was dealing with a directory, I would have deleted it but, as you told, the registry is not a directory.

The key seems to be doing nothing, but I still would like to delete it. Do you know how?

 

Link to comment
Share on other sites

Happy you made it. :)

About the "strange" key with a space in it, maybe it is not the space but "something else" (I don't remember issues with just a space in the key name, you just need to enclose it in quotes using - say - reg.exe):

https://www.windows-commandline.com/delete-registry-key-command-line/

Check the Permissions/Owners of that key.

If you can use a Linux of some kind there is a tool, hivexsh:

https://www.libguestfs.org/hivexsh.1.html

that sometimes allows more "freedom" than the native Regedit or reg.exe.

jaclaz

Link to comment
Share on other sites

  • 1 month later...

Actually, it was not the space. I found other keys with spaces in name that could be opened.

I looked at the hivexsh page, but it offers compiled versions only for Debian and Ubuntu.

After some searches, I found this page:

https://pogostick.net/~pnh/ntpasswd/

That program is in a small bootable CD image Linux, and can be used to edit registry keys.

It worked for me. The odd thing was that the key contained a link to another key that no longer existed. I did not know about symlink keys in Windows.

 

Edited by jassenna
clarification
Link to comment
Share on other sites

Well the whole registry is made of them.

What you see in the Registry editor is a sort of NTFS filesystem with mountpoints and symlinks (to hives), but the one you found likely was a REG_LINK type, see:

List of standard registry value types

here:

https://en.wikipedia.org/wiki/Windows_Registry#Keys_and_values

Check also this nice tool:

https://helgeklein.com/blog/free-tool-list-registry-links-reg_link/

jaclaz

Link to comment
Share on other sites

  • 1 month later...

Yes, it was a REG_LINK. But this was the contents of the key. What I found strange is that both regedit and reg seem to try to open the key linked to the key containing that type. So, how would the key containing a REG_LINK be deleted without deleting also the linked key?

BTW, I thought a key was a name for a data structure.

 

Link to comment
Share on other sites

I think I solved all the problems with the registry by now. Again, thank you for the help.

There are, however, several other strange things happening, so I may open another thread to ask about them, perhaps with a name like "Reinstalling Windows 7 - Annoyances and Grievances."

Would it be OK?

Link to comment
Share on other sites
