SoBe8503

In the past, I have always disabled the Windows System Restore in the properties of My Computer. Whenever I have used it, it seemed to make the computer even worse, so why take the HDD space? Recently, however, a coworker asked me to do a restore on a customer’s machine. There was one catch. It was freezing whenever it was time to enter a password, even in safe mode. So it wasn’t possible to properly use the restore feature. So my coworker told me to just manually do the restore by rolling back the registry. I have never even heard of doing this before, but wouldn’t you know it?? IT WORKED!! Everything is working like nothing happened!! Now I want to share this process with you.

Note: In order for this to work, you would have had to have the System Restore running for at least a few days.

The first thing you have to do is put the corrupted system hard drive in another computer. If windows can’t boot correctly, you will need another OS to do the work. Directly in the root of the drive is a hidden system folder called System Volume Information. The trick here is to change the permissions on the folder to allow you in it. So just right mouse click the folder and select properties. In the Security tab just add Everyone and allow them full control. Once everything is done you can revert back to the previous settings. The Security tab may not be there at first, but my FAQ: How to: See The "Security" Tab In My Windows XP Machine? explains how to see it.

Inside the System Volume Information folder you will see another hidden folder named something like: _restore{C6E9847C-AEF5-4523-BE1B-5E7A365553E6). Open it and view everything by date modified. Each of the folders (Labeled RP followed by a number) are different restore points in which to restore from. Choose a folder you would like to restore from and open it. Each RP* folder is different, except for a snapshot folder. Open the Snapshot folder and you will see several registry files.

Copy the following files from the folder:

_REGISTRY_USER_.DEFAULT
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_MACHINE_SAM

Browse to \Windows\System32\config in the corrupted HDD. Paste the files in this folder. Now rename the files to:

DEFAULT
SECURITY
SOFTWARE
SYSTEM
SAM

Make sure there are NO extensions in the file name.

Since files with these names already exist in this folder you will want to rename them before renaming the files that were just copied over. I don't delete the files just incase I need a backup.

Once you are finished, go back into the System Volume Information folder security and sharing and remove “Everyone” from the list of groups and users with permissions.

Remove the hard drive, reinstall in the original system, turn on the PC, and watch it boot into Windows.

Note: This will restore the system to the state it was in when the files you copied over were created. If the user has changed their (local) password or installed new software, they will likely need to reinstall the software or change their password again.

What is interesting about this whole process is that it does the same thing as windows restore, but it takes only a fraction of the time. Good ol' Windows!