The Registry Editor Display
When you run one of the Registry Editors (Regedit.exe or Regedt32.exe), several important sections of the Windows NT Registry are displayed within individual subwindows (Regedt32.exe) or within branches of the My Computer tree (Regedit.exe) inside the utility's main window. These subwindows or branches represent the individual registry keys on the local computer. Five keys, described in Table 7.4, are displayed by default.
Each of these individual keys is like a branch of the Registry Editor tree. The branches contained within each key window are also referred to as keys (or subkeys), and all keys are represented by folder icons. Each key can contain one or more values and subkeys. Each value is, in turn, assigned three characteristics: the value name, the value class, and the value's actual data contents.
Special Note to Windows 3.x Users: If you're comfortable with the .ini files used in Windows 3.x, you can think of the registry as a more sophisticated .ini file. The main key branches in the registry compare to individual .ini files, and the values they contain are like the variables set by individual lines inside an .ini file. With an .ini file line like MyVariable=No, MyVariable would be equivalent to a value name, and No would be the actual data assigned to the value. The only major difference in this analogy is that .ini files can't contain nested .ini files, but registry keys can contain nested subkeys.
Navigating and Editing the Registry
Within either of the Registry Editor utilities, you can navigate registry keys by simply double-clicking them; an opened key displays its nested subkeys and values. Whenever a key containing subkeys is unopened, its folder icon displays a plus (+) symbol. When the key is opened, its folder icon displays a minus (-) symbol, and the subkeys it contains are listed. Also, any values contained within that key are displayed in a window to the right (example shown in Figure 7.13).
The class of a particular value displayed in the Registry Editor window is denoted by its prefix (e.g., REG_DWORD, REG_SZ, etc.), which follows the value's name in capital letters. The following five classes of values are found in the registry:
REG_BINARY values contain binary data (0 or 1).
REG_SZ values contain string data (text).
REG_DWORD values contain numeric data.
REG_MULTI_SZ values contain multiple strings of text.
REG_EXPAND_SZ values contain expandable strings of text.
In addition to a class type, each value has some type of data assigned to it. The data assigned to a value can be either a string or numeric data. To change the data assigned to a value, double-click the value name in the window to the right. An editor window for the value type appears and shows the current data, which you can then change (see Figure 7.14).
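The name, class and data of each value can also be read outside the editor window. The following is an added example, not part of the original text: it decodes the five value classes from the REGEDIT4 text format that Regedit.exe writes when a branch is exported, a format this page does not discuss. The key path, value names and data in SAMPLE are constructed, and the single-byte string encoding is an assumption.

```python
import re

# Constructed sample in the REGEDIT4 text format (not from a real system).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Demo]
"InstallDir"="C:\\Demo"
"Retries"=dword:0000000a
"Blob"=hex:01,ff,00
"LogPath"=hex(2):25,54,45,4d,50,25,5c,64,2e,6c,6f,67,00
"Servers"=hex(7):61,6c,70,68,61,00,62,\
  65,74,61,00,00
'''
HEX_CLASSES = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}

def unescape(quoted):  # drop the outer quotes, undo \\ and \" escaping
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])

def decode(raw):
    """Return (class, data) for the right-hand side of one value line."""
    if raw.startswith('"'):
        return "REG_SZ", unescape(raw)
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.fullmatch(r"hex(?:\((\w+)\))?:(.*)", raw)
    if not m or m.group(1) not in HEX_CLASSES:
        raise ValueError("unsupported value data: " + raw)
    cls = HEX_CLASSES[m.group(1)]
    data = bytes.fromhex(m.group(2).replace(",", " "))
    if cls == "REG_BINARY":
        return cls, data
    # Assumption: REGEDIT4 stores these strings as single-byte (ANSI) text.
    parts = [s for s in data.decode("cp1252", "replace").split("\x00") if s]
    return cls, (parts if cls == "REG_MULTI_SZ" else "".join(parts))

def parse_reg(text):
    """Return (key, value name, class, data) tuples from a REGEDIT4 export."""
    lines = text.replace("\r\n", "\n").replace("\\\n", "").splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 export")
    key, values = None, []
    for line in map(str.strip, lines[1:]):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line and key:
            m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
            if not m:
                raise ValueError("unparsable line: " + line)
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1))
            values.append((key, name) + decode(m.group(2)))
    return values
```

Running parse_reg over a vendor-supplied export before importing it shows exactly which keys and values the file would change.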
Using the Edit menu in Registry Editor, you can add subkeys and values to registry keys. However, as with any registry change, you should only do so under specific instructions from Microsoft, a third-party hardware or software vendor, or a qualified technician. And, as always, be sure to have a recent full backup of your Windows NT system and the registry database before making any changes.
Special Note: Performing a full backup of your system and the Windows NT Registry usually involves the use of an NT-supported tape drive and either the built-in Windows NT backup application or a third-party backup utility. You can also get a complete backup of the registry by using a special utility called Regback, which is included in the Windows NT 4.0 Resource Kits available from Microsoft Press. See Appendix C for more information about the Windows NT Resource Kit.
Tools and Resources: Despite the new functionality available in the new Windows 95-like Registry Editor found in Windows NT 4.0 (Regedit.exe), some may still find the utility inadequate for advanced editing. Fortunately, a tool called Registry Search & Replace is available that has extended search features and lets you perform search and replace operations on registry data. This program is considered donation-ware, meaning that if you like the software and decide to use it, you are encouraged to send a small donation to the author.
Description of Resource
The Registry Search & Replace utility, version 2.0, written by Steven J. Hoek, lets you perform enhanced Windows NT Registry searches including search and replace operations.
Where to Find It
You'll find the Registry Search & Replace utility at the following Web site:
You can also contact the utility's author at the following e-mail address:
shoek@ix.netcom.com
Accessing Remote Registries
You can also access the registry of a remote computer on a network. To do so, you must be a member of that computer's (or the domain's, if applicable) system administrators group. This feature can be especially handy for network administrators who need to diagnose and solve problems on remote workstations and servers.
To access the registry of a remote computer, click Select Computer (if using Regedt32.exe) or Connect Network Registry from the Registry Editor's Registry menu. Then select the computer from the list displayed or type its name in the Computer box.
Special Note: When you access the registry of a remote computer, only the HKEY_USERS and HKEY_LOCAL_MACHINE keys will appear.
Restoring the Registry
If your Windows NT Registry gets damaged, you will need to revert to a back-up copy of the registry (or portions of it) to restore functionality to your system. Clearly a good backup and an updated ERD will save you a lot of trouble. The steps you need to take to restore the registry depend on your specific situation. A few scenarios are presented in the following sections.
Restoring the Last Known Good Configuration
If you restart your system after making a configuration change and Windows NT fails to boot, the change is likely the cause of the problem. If the change was related to your video driver and you are no longer able to see the Windows NT screen when the system boots, you should be able to recover the system by simply choosing the Windows NT Version 4.00 [VGA Mode] selection from the Windows NT Boot Manager menu at startup. This choice loads Windows NT with a regular VGA mode driver, which should let you get back in and modify the video driver configuration to the correct settings.
If the change was related to another portion of Windows NT, you may have to revert to a previous registry configuration to fix the problem. Luckily, Windows NT automatically keeps backup copies of previous versions of important registry configuration information for just such an occasion. Whenever Windows NT starts successfully and a user logs on, a section of the registry (stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet) is automatically backed up and saved as a separate branch in the registry (the names of the branches containing these backup configurations usually appear as HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001, ControlSet002, etc.). Since these configuration settings were used to successfully start the system, they are considered by Windows NT to be a known good configuration.
When you started Windows NT in the past, you may have noticed a screen during the boot process that reads "Press the Space Bar Now to Restore the Last Known Good Configuration." If you press the space bar at this point, Windows NT will present you with a menu that includes the option to restore a previous set of registry configuration settings. From this menu, select the Use Last Known Good Configuration option and press Enter. Windows NT will then make the most recent configuration settings the current ones, and restart the system using the new configuration. If Windows NT still fails to load properly, your registry files may be physically damaged. To solve this problem, you will probably need to follow one of the procedures outlined in the sections that follow.
Repairing a Physically Damaged Registry
To restore registry files that have become physically damaged, you should first try using the repair process with the ERD. This process is described in the section entitled "The Emergency Repair Process."
If this method doesn't work, you can also try to replace the registry hive files manually. To do this, you'll need to first get access to the hard disk partition where Windows NT is stored (the NT boot partition). If this is a FAT volume, you can access it by either booting from a DOS diskette or choosing the MS-DOS boot option from the NT Boot Manager on an NT/DOS dual-boot system. From there, you can try replacing the registry hive files located in the %SYSTEMROOT%\System32\Config directory with the known good copies.
If, however, the Windows NT boot partition is an NTFS volume, the fix is not as easy. On an NTFS volume, you can't simply boot an MS-DOS diskette to access the drive because DOS doesn't recognize NTFS partitions. However, with the help of a special utility called NTFSDOS, it may still be possible for you to access an NTFS partition using a boot diskette. NTFSDOS is a DOS-based utility that lets you access NTFS partitions while booted under MS-DOS. See the Tools and Resources box below for more information about this utility.
Tools and Resources: A controversial new tool called NTFSDOS has recently been developed that allows access to Windows NT NTFS partitions from MS-DOS. A boon to users troubleshooting their Windows NT installations, this utility has also raised a few eyebrows with security-conscious NT system administrators (who previously believed that NTFS volumes could only be accessed from within Windows NT).
Description of Resource
NTFSDOS, a utility written by Mark Russinovich and Bryce Cogswell, allows access to NTFS partitions under MS-DOS.
Where to Find It
This utility can be found at the following Web site:
http://www.ntinternals.com/ntfsdos.htm
Once you have gained access to your NTFS volume using this utility, you can then restore a backup copy of the registry from a copy stored on a tape drive, removable drive, or hard disk. After you've restored a backup copy of the registry, reboot your system back into Windows NT. If this procedure still doesn't get you back into Windows NT, you'll need to proceed to your last resort: a reinstallation of Windows NT.
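Before a backup hive file is copied over the one in %SYSTEMROOT%\System32\Config, as in the manual replacement procedure above, its header can be checked so that a damaged copy is not restored. This is an added example, not part of the original text or of any tool it names. It assumes the publicly documented layout of a hive file's 512-byte base block ("regf" signature at offset 0, two sequence numbers at offsets 4 and 8, XOR checksum at offset 508), which this page does not describe, and the sample header is constructed.

```python
import struct

def regf_checksum(base):
    """XOR of the first 127 little-endian dwords (508 bytes) of the base block."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:      # reserved results are remapped by the format
        return 0xFFFFFFFE
    return csum or 1

def check_hive_header(base):
    """Return a list of problems found in a hive file's first 512 bytes."""
    if len(base) < 512:
        return ["file shorter than a 512-byte base block"]
    problems = []
    sig, seq1, seq2 = struct.unpack_from("<4sII", base, 0)
    if sig != b"regf":
        problems.append("missing 'regf' signature")
    if seq1 != seq2:
        problems.append("sequence numbers differ: copy taken during a write")
    if struct.unpack_from("<I", base, 508)[0] != regf_checksum(base):
        problems.append("header checksum mismatch")
    return problems

def make_sample_header(seq1=7, seq2=7):
    """Constructed base block for the demo; not taken from a real hive."""
    base = bytearray(512)
    struct.pack_into("<4sII", base, 0, b"regf", seq1, seq2)
    struct.pack_into("<II", base, 20, 1, 3)   # constructed version fields
    struct.pack_into("<I", base, 508, regf_checksum(base))
    return bytes(base)

if __name__ == "__main__":
    good = make_sample_header()
    torn = make_sample_header(seq1=8, seq2=7)
    flipped = bytearray(good)
    flipped[48] ^= 0x41                        # simulate one damaged byte
    for label, blob in (("good", good), ("torn", torn), ("flipped", flipped)):
        print(label, check_hive_header(bytes(blob)) or "header looks consistent")
```

For a real backup, pass the first 512 bytes of the file to check_hive_header. A clean result covers only the header, so damage deeper in the file would not be detected by this check.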
WHEN ALL ELSE FAILS: REINSTALLING WINDOWS NT
Occasionally, despite all of your best efforts and use of the aforementioned troubleshooting procedures, you might not be able to recover a damaged Windows NT installation. This is especially true in circumstances where the registry has become corrupted and attempts to restore working copies have failed for one reason or another.
In these circumstances, you may need to reinstall Windows NT. When doing so, you'll have two options: reinstalling Windows NT into the current installation directory, or reinstalling Windows NT into a new, separate directory. Reinstalling into the same directory has the advantage of preserving existing registry information, but is less likely to fix the problem. This process will proceed much like an upgrade from one version of Windows NT to another.
Despite its lower likelihood of success, you should always try the same-directory option first, because it will be the easiest road if it works. If things are no better after completing this process, you must install Windows NT into a separate directory. In this scenario, you are basically installing a fresh copy of Windows NT, which will not preserve any of the existing configuration data from your previous Windows NT installation. After you have completed this process, you will then need to reinstall your applications and reconfigure your Windows NT services and environment settings.
Tip: If you reinstall Windows NT, don't forget to also reinstall any Service Pack updates you have received or downloaded.
If you are an advanced user comfortable with the use of the Registry Editor utility and aren't afraid of a little risk to your new installation, you can also do some registry patching to recover some of your previous installation's configuration settings. You will need to first save individual registry hives using the Registry Editor application and then attempt to restore these hives on an individual basis to recover their settings. However, if you accidentally restore a hive that caused a problem in your previous installation, you might once again find yourself with an unusable system.
If, however, you're confident that the damage is in a particular hive (e.g., the HKEY_LOCAL_MACHINE\System hive) and want to restore other hives to recover their configuration settings (such as the HKEY_LOCAL_MACHINE\Software hive), you can attempt to do so using the Registry Editor. There are no guarantees that this will work, but it may be worth trying if your registry contains a great deal of configuration data.