Multibooter Posted March 18 (edited)

Kaspersky Registry Editor Experiment: I made Windows XP unbootable, for testing Kaspersky Registry Editor.

The Windows XP operating system seems to have become unbootable by simply having set, with the regedit Windows registry editor, the permission of SYSTEM on the registry key HKLM\SOFTWARE\Microsoft\Windows\Windows NT\CurrentVersion to Deny:
- in regedit browsed to HKLM\SOFTWARE\Microsoft\Windows\Windows NT\CurrentVersion -> right-clicked on CurrentVersion -> Permissions -> selected SYSTEM -> clicked on Advanced button -> selected SYSTEM -> clicked on Edit button -> clicked on any checkbox in column Deny -> OK -> clicked on Apply button -> OK

WARNING: The above experiment was very dangerous. Don't repeat it, unless you know what you are doing, and only at your own risk.

When booting again into Windows XP, the following message came up:
Windows Product Activation. A problem is preventing Windows from accurately checking the license for this computer. (0x80070005)

Pressing Ctrl-Alt-Del didn't help. Pressing F8 while booting, to get into safe mode, didn't help; eventually only a black screen with a blinking cursor was displayed. I was locked out. I definitely do not want to suggest a similarity between Windows Product Activation and ransomware. It might be interesting to see whether volume licenses of Windows, which do not require activation, have a similar lock-out problem.

How to recover from being locked out? The easiest way was to restore the Windows XP partition from a previous partition backup image. Another recovery method, restoring the previously backed up registry key HKLM\SOFTWARE\Microsoft\Windows\Windows NT\CurrentVersion from a .reg file with Kaspersky Registry Editor, has also worked for me. Although Kaspersky Registry Editor cannot set permissions, Windows XP came up OK after importing CurrentVersion. Windows XP booted OK and worked OK, just like before setting SYSTEM to Deny.
Importing with Kaspersky Registry Editor the CurrentVersion key from a 5MB .reg file was extremely slow on my 25-year-old 650MHz Inspiron 7500 laptop, about 45 minutes using the Kaspersky Rescue CD. In my successful recovery attempt I had first deleted with Kaspersky Registry Editor the CurrentVersion key in the Windows XP registry, BEFORE importing the backup of the CurrentVersion key. In an earlier recovery attempt I had tried to import a 108MB backup .reg of the whole registry, without having deleted the content of HKLM\SOFTWARE\ beforehand. Importing the whole registry took 12+ hours and WinXP did NOT come up afterwards; it was stuck in a different crash loop. Deleting the registry key with Kaspersky Registry Editor BEFORE importing a .reg file with the corresponding registry key seems to be essential.

A comparison of 6 rescue disks lists three (AVG Rescue CD, Kaspersky Rescue Disk 10 and Norton Bootable Recovery Tool) which contain a registry editor: https://char.learnwebcoding.com/help/rescue_disk_comparison.html

\rescue\help\English\KRE.htm in the .iso seems to be the only documentation of Kaspersky Registry Editor. KRE.htm incorrectly indicates "for all Windows operating systems installed on a computer": Kaspersky Registry Editor does NOT display the Win98 registry, although it also displays the Win2003 registry on my old laptop, even if Win2003 is not listed among the system requirements of Kaspersky Rescue Disk 10: https://web.archive.org/web/20120609034308/http://support.kaspersky.com/viruses/rescuedisk?level=3

KRE.htm (file modification date 28Feb2012 in the .iso) indicates compatibility only up to Win7. The description page of Kaspersky Rescue Disk v10.0.32.17 (captured on 29Apr2014), however, indicates compatibility up to Win8: https://web.archive.org/web/20140429131943/http://support.kaspersky.com/4162

Kaspersky Registry Editor seems to work OK also under Win2003; I have made a preliminary test.
The final build v10.0.32.17 of Kaspersky Rescue Disk 10 is of 28Feb2013, as indicated by the file modification date of \rescue\KRD.VERSION in the .iso. It contains the Kaspersky Registry Editor component and signatures of 22Feb2013. It can be downloaded from https://web.archive.org/web/20140627131637/http://rescuedisk.kaspersky-labs.com/rescuedisk/kav_rescue_10.iso

A user guide for Kaspersky Rescue Disk 10 (revision date 30Apr2010; it does not mention Kaspersky Registry Editor, which was first contained in kav_rescue.iso v10.0.31.4 (29Apr2012)) can be downloaded from https://web.archive.org/web/20111007093941/http://support.kaspersky.com/downloads/guides/kasp10.0_rescuedisk_en.pdf

Even if virus-checking is rarely done with a rescue CD, the registry editor on the CD may make the .iso interesting under WinXP, Win2003 and up to Win8; no idea under Win10/11.

Edited March 18 by Multibooter
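Added example (my own script, not code from the post, from Kaspersky or from Hiren's): the post above found that importing a 5MB export of just CurrentVersion worked, while importing the whole 108MB registry did not, and that deleting the key before the import was essential. The PowerShell script below carves one key with all its subkeys out of a full regedit export into a small .reg file and puts regedit's [-KEY] delete line in front of it, so that a single import performs the delete-then-import order from the post. The file names full.reg and CurrentVersion.reg are assumptions; the key path is the one Windows uses, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

```powershell
<#
Added example for this thread, not code from the post, Kaspersky or Hiren's.
Carves one key (with all its subkeys) out of a full regedit export into a
small .reg and prefixes it with regedit's [-KEY] line, so the key is deleted
before it is re-created. File names full.reg / CurrentVersion.reg are assumed.
#>
param(
    [string]$Source = 'full.reg',
    [string]$Key    = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
    [string]$Out    = 'CurrentVersion.reg'
)

# Emit the lines belonging to $Key and to every key below it. Section headers
# look like [KEY] or [-KEY]; everything up to the next header (values, hex
# continuation lines ending in a backslash, blank lines) belongs to that section.
function Get-RegSubtree([string[]]$Lines, [string]$Key) {
    $prefix = $Key.TrimEnd('\') + '\'
    $keep   = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[-?(.+)\]\s*$') {
            $name = $Matches[1]
            # -eq on strings is case-insensitive in PowerShell, like registry key names
            $keep = ($name -eq $Key) -or $name.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if ($keep) { $line }
    }
}

# File.ReadAllLines honours the BOM, so a UTF-16 REGEDIT5 export and an ANSI
# REGEDIT4 export are both read correctly; the BOM itself is stripped.
$lines = [System.IO.File]::ReadAllLines($Source)
if ($lines.Count -eq 0) { throw "$Source is empty" }
$header = $lines[0]   # "Windows Registry Editor Version 5.00" or "REGEDIT4"

$body = @(Get-RegSubtree $lines $Key)
if ($body.Count -eq 0) { throw "Key '$Key' not found in $Source" }

# Header, blank line, delete line for the key (regedit's [-KEY] syntax removes
# the key and its subkeys), blank line, then the carved subtree.
[string[]]$result = @($header, '', "[-$Key]", '') + $body

# REGEDIT5 files are UTF-16LE with BOM; REGEDIT4 files are ANSI. WriteAllLines
# emits CRLF line endings, which regedit expects.
$enc = if ($header -eq 'REGEDIT4') { [System.Text.Encoding]::Default } else { [System.Text.Encoding]::Unicode }
[System.IO.File]::WriteAllLines($Out, $result, $enc)
"Wrote $($result.Count) lines to $Out"
```

Import the result from a rescue environment or into a hive loaded with reg load, never into the running system's own CurrentVersion, because the [-KEY] line deletes the key first. The [-KEY] syntax is documented for regedit; whether Kaspersky Registry Editor honours it is not established in this thread, so with KRE delete the key by hand as the post describes and drop that line. Note that a .reg export carries no ACLs: the re-created key simply inherits its parent's permissions, which is consistent with the post's observation that a delete-then-import cleared a Deny set on the key even though KRE cannot set permissions.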
modnar Posted March 18

2 hours ago, Multibooter said: Kaspersky Registry Editor Experiment: I made Windows XP unbootable, for testing Kaspersky Registry Editor.

You can easily fix registry mistakes by booting into Hiren's Boot CD (15.2); in "Registry" there is Registry Editor PE. Works well.
Multibooter (Author) Posted March 18 (edited)

8 minutes ago, AstroSkipper said: @Multibooter Just a reminder. This thread is not about registry editors and definitely not about all other Kaspersky products. Please open a separate thread for such experiments and don't pollute mine. Thank you!

A registry editor for WinXP, booting from a Linux boot CD, is a security program, permitting the cleaning of ransomware affecting the registry. As I mentioned above, AVG Rescue CD, Kaspersky Rescue Disk 10 and Norton Bootable Recovery Tool are included in the respective security programs for WinXP.

Edited March 18 by Multibooter
Multibooter (Author) Posted March 18 (edited)

8 hours ago, modnar said: You can easily fix registry mistakes by booting into Hiren's Boot CD (15.2); in "Registry" there is Registry Editor PE. Works well.

I have checked Hiren's Boot CD 15.2 Restored v1.1 (Proteus) January 2013, actually a DVD with 2.76GB, but I didn't see Registry Editor PE. There are several versions 15.2, e.g. https://www.hirensbootcd.org/hbcd-v152/ [592MB], which lists Registry Editor PE 0.9c. Is this the one?

I booted with the 2.76GB version of Hiren's Boot CD 15.2, clicked on Antivirus, and surprise, surprise: it showed Kaspersky Rescue Disk 10 as the only virus checker. The Kaspersky Rescue Disk 10 program on the Hiren 15.2 DVD was v10.0.31.4 of 7Feb2012; the signatures were of 9Jan2013, probably updated OK by Hiren for another 11 days because BASES.ID indicates 29Dec2012. Kaspersky Lab released several .isos of v10.0.31.4 with freshly updated signatures for about a year, between 3Mar2012 and 29Dec2012.

The updated CD I described in my posting of 8Mar2026 is the final build v10.0.32.17 of 28Feb2013 of Kaspersky Rescue Disk 10, with signatures updated to 7Mar2026. The final build v10.0.32.17 must have been quite satisfactory to Kaspersky Lab, because they updated the .isos of this final build with new signatures for over 4 years, from 22Feb2013 thru 30Aug2017. Both builds v10.0.31.4 and v10.0.32.17 of Kaspersky Rescue Disk contain the same build of Kaspersky Registry Editor.

Edited March 19 by Multibooter
Multibooter (Author) Posted March 19

Kaspersky Registry Editor is a Linux program able to edit the WinXP etc. registry. It is not intended to be used as a normal registry editor under WinXP, but during infections, when the registry is infected by ransomware and when you cannot use a normal registry editor under Windows to clean the registry.

An example of the use of Kaspersky Registry Editor for the removal of ransomware is shown at https://www.malwareremovalguides.info/pum-userwload-trojan-ransom-removal-instructions/
"PUM.UserWLoad is a difficult to remove remnant of the Trojan.Ransom infection. PUM.UserWLoad is a register [=registry] reference [in] which the permissions are modified so that they can not be removed in the normal way. PUM.UserWLoad is the malicious registry entry belonging to one of the ransomware variants."

In the above example Kaspersky Registry Editor made the use of Windows safer by removing infected stuff from the registry. Kaspersky Registry Editor was used to clean ransomware detected by Malwarebytes, which Malwarebytes could not remove from the registry. The ransomware article at www.malwareremovalguides.info includes screenshots of Kaspersky Rescue Disk 10, Kaspersky Registry Editor and Malwarebytes, all three working together. Kaspersky Registry Editor is not available as a separate program, only as a component of Kaspersky Rescue Disk, together with Kaspersky Anti-Virus.

For my earlier posting about Kaspersky Registry Editor I had created a locked-up WinXP by setting the permission of the CurrentVersion key to DENY. I did not want to actually infect my computer with ransomware for my experiment; creating a locked-up WinXP was good enough. Both the locked-up WinXP in my experiment and the ransomware example about "PUM.UserWLoad TrojanRansom removal" have modified permissions in the registry.
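Added example (my own script, not code from the thread, from Kaspersky or from Malwarebytes), covering both the first post's experiment (an explicit Deny ACE for SYSTEM on CurrentVersion, which produced 0x80070005, the HRESULT for access denied) and the PUM.UserWLoad case quoted above, where modified permissions keep an entry from being removed. The script audits a key and all its subkeys for explicit Deny ACEs, reports them with the identity they apply to, and with -Fix removes the ones that target SYSTEM. It can be run as Administrator on the live system, or from a WinPE/Hiren's session after loading the offline SOFTWARE hive with reg load; the hive name OfflineSW and the drive letter D: in the comments are assumptions, as is the key path spelled the way Windows uses it, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

```powershell
<#
Added example, not code from the thread, from Kaspersky or from Malwarebytes.
Audits a registry key and its subkeys for explicit Deny ACEs and, with -Fix,
removes those that target SYSTEM (well-known SID S-1-5-18). Run as
Administrator on the live system, or from WinPE/Hiren's after loading the
offline hive, e.g.
    reg load HKLM\OfflineSW D:\Windows\System32\config\software
and then -Path 'HKLM:\OfflineSW\Microsoft\Windows NT\CurrentVersion'.
The hive name OfflineSW and the drive letter D: are assumptions.
#>
param(
    [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
    [switch]$Fix
)

$SystemSid = 'S-1-5-18'   # NT AUTHORITY\SYSTEM

# Normalise an ACE identity to its SID string. On a hive loaded from another
# installation, account names may not resolve, so SIDs are compared, not names.
function Get-SidString([System.Security.Principal.IdentityReference]$Id) {
    try { return $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $Id.Value }
}

# Emit one object per explicit (non-inherited) Deny ACE under $Root. An
# inherited Deny is reported once, on the key where it is defined.
function Find-ExplicitDeny([string]$Root) {
    $keys = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $regPath = 'Registry::' + $key.Name      # provider path usable by Get-Acl / Set-Acl
        $acl = Get-Acl -Path $regPath
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Deny' -or $ace.IsInherited) { continue }
            New-Object PSObject -Property @{
                Key      = $regPath
                Identity = $ace.IdentityReference.Value
                Sid      = Get-SidString $ace.IdentityReference
                Rights   = $ace.RegistryRights
                Rule     = $ace
            }
        }
    }
}

$hits = @(Find-ExplicitDeny $Path)
if ($hits.Count -eq 0) { "No explicit Deny ACEs under $Path"; return }
$hits | Format-Table Key, Identity, Rights -AutoSize

if ($Fix) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SystemSid)
    foreach ($hit in @($hits | Where-Object { $_.Sid -eq $SystemSid })) {
        $acl = Get-Acl -Path $hit.Key
        # Drop every explicit Deny ACE for SYSTEM on this key, whatever rights it
        # carried. Allow ACEs, explicit or inherited, are left untouched.
        $null = $acl.RemoveAccessRuleAll($hit.Rule)
        # In the experiment only a Deny was added, so SYSTEM's Allow is still
        # there. If it is missing (an Allow for SYSTEM was removed as well),
        # restore Full Control, inheritable by subkeys.
        $hasAllow = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (Get-SidString $_.IdentityReference) -eq $SystemSid }).Count -gt 0
        if (-not $hasAllow) {
            $allow = New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit', 'None', 'Allow')
            $acl.AddAccessRule($allow)
        }
        # Only the DACL was modified, so Set-Acl writes back only the DACL (in
        # canonical order, explicit Deny before Allow); it needs WRITE_DAC on
        # the key, which Administrators have by default under HKLM\SOFTWARE.
        Set-Acl -Path $hit.Key -AclObject $acl
        "Removed Deny for SYSTEM on $($hit.Key)"
    }
}
```

The report lists every explicit Deny, not only those for SYSTEM, because a ransomware entry that "cannot be removed in the normal way" is typically protected by a Deny aimed at Administrators or Everyone rather than at SYSTEM; -Fix deliberately touches only SYSTEM's Deny ACEs, which is exactly what reverses the experiment. If Administrators are denied WRITE_DAC on a key, Set-Acl fails, and the key's owner (or an account with the restore privilege) has to take ownership first, for instance from regedit's Owner tab or by loading the hive from a rescue environment as j7n describes below.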
we3fan Posted March 19

14 hours ago, Multibooter said: There are several versions 15.2, e.g. https://www.hirensbootcd.org/hbcd-v152/ [592MB], which lists Registry Editor PE 0.9c. Is this the one?

Hi Multibooter, yes, this is it.
modnar Posted March 19

21 hours ago, Multibooter said: I have checked Hiren's Boot CD 15.2 Restored v1.1 (Proteus) January 2013, actually a DVD with 2.76GB, but I didn't see Registry Editor PE. There are several versions 15.2, e.g. https://www.hirensbootcd.org/hbcd-v152/ [592MB], which lists Registry Editor PE 0.9c. Is this the one? ...

As I said, it's a CD, so yes, the original. Not DVD. It is the right version, 0.9c. It used to be that you had to have an XP SP3 CD to create the Hiren's iso/CD. http://www.hiren.info

Sorry, AstroSkipper, for the off-topic.
j7n Posted March 20

The normal registry editor can load hives from other systems and make them generally accessible for reading and editing. I use the TorchSoft Registry Workshop, but the loading is the same. I haven't messed with permissions. I guess it is probably fine to edit System or Administrator(?), but maybe other users have their own numbers within the target system.

Only the old Hiren's Boot CD makes sense to use on XP-grade computers. These developers should not have hijacked the name for their new boot medium (that doesn't fit on a CD). Now every time I tell people to use Hiren's Boot CD, I have to add an explanation and sometimes face resistance from them to using an old version. Get both 10.6 and 15.2, where they only have free software (apart from Windows).