  1. #1
    Ken Kashmarek
    Guest

    Question Windows 7 registry recovery program

    I recently went through a somewhat awful experience having to recover my Win7 registry after it was corrupted. Almost all web sites that I visited after a Google search on this topic only talked about recovery from the running system itself. With a corrupted registry (badly enough to preclude booting), I found only one reference and that used regedit from the Recovery Console of the install CD. That is pretty tedious work.

    I am looking for a program that can be run from another partition to access a damaged registry (or copy thereof). In other words, work interactively on a static copy of a registry to view, diagnose, analyze, edit, change, recover, or repair the hive files, so they can be used again to bring a system back to a bootable state.

    If you know of any such program, even in part, please post your information here.

    Thank you.

  2. #2
    Super Moderator RetiredGeek's Avatar
    Join Date
    Mar 2004
    Location
    Manning, South Carolina
    Posts
    9,433
    Thanks
    371
    Thanked 1,456 Times in 1,325 Posts
    Ken,

    Have you tried booting the "Last Known Good Configuration" on the Boot Menu? HTH
    May the Forces of good computing be with you!

    RG

    PowerShell & VBA Rule!

    My Systems: Desktop Specs
    Laptop Specs

  3. #3
    Ken Kashmarek
    Guest
    The consideration "badly enough to preclude booting" was experienced in these circumstances (in the following order):

    1. normal startup fails and returns to the boot selection menu (that is, a re-boot is performed and the multi-boot menu is displayed).

    2. safe mode boot fails (yada yada yada as above)

    3. boot last good configuration fails (as above)

    4. boot into repair system fails

    5. boot into recovery console fails

    6. startup repair also fails (this one was a separate circumstance from repair system)

    Yes, this one was a suitable basis for a recovery re-install (save user stuff but put the system back, which would have required re-install of applications as well).

  4. #4
    Super Moderator bbearren's Avatar
    Join Date
    Dec 2009
    Location
    Polk County, Florida
    Posts
    3,760
    Thanks
    26
    Thanked 424 Times in 338 Posts
    There are several excellent programs, many of them are free. They're collectively known as drive imaging applications. For a situation very similar to yours, see this thread.

    Also, dual booting two installations of Windows allows importing of a registry from one to the other in Regedit.
    Create a fresh drive image before making system changes, in case you need to start over!

    "The problem is not the problem. The problem is your attitude about the problem. Savvy?"—Captain Jack Sparrow "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware.
    Unleash Windows

  5. #5
    Super Moderator jwitalka's Avatar
    Join Date
    Dec 2009
    Location
    Minnesota
    Posts
    6,792
    Thanks
    117
    Thanked 798 Times in 719 Posts
    Based on your description, it sounds like it's more than a registry issue. What do you mean by boot to repair system fails? What happens? Can you get to the repair menu and select System Restore?

    You might want to get a memory test CD and run a memory test.
    Jerry

  6. #6
    Ken Kashmarek
    Guest
    Quote Originally Posted by bbearren View Post
    There are several excellent programs, many of them are free. They're collectively known as drive imaging applications. For a situation very similar to yours, see this thread.

    Also, dual booting two installations of Windows allows importing of a registry from one to the other in Regedit.
    Most (all?) drive imaging programs that I know of do not provide any of the capabilities that I am looking for (view, diagnose, analyze, edit, change, recover, or repair the hive files). Imaging programs can only copy the hive files. I have done that for my recovery.

    I checked regedit and the only thing I saw was the ability to "load hive", which places a hive file into your current registry in whole under a new key, so you can view the contents. Again, this is missing what I am looking for. While I did not check it out, I suspect that "unload hive" simply removes that entire entry from the current open registry. I don't know if it puts that information back to the original hive file (it could but I doubt it; opportunity for learning something here).

    I will review the URL you provided. Thanks for the feedback.

  7. #7
    Ken Kashmarek
    Guest
    Quote Originally Posted by jwitalka View Post
    Based on your description, it sounds like it's more than a registry issue. What do you mean by boot to repair system fails? What happens? Can you get to the repair menu and select System Restore?

    You might want to get a memory test CD and run a memory test.
    Jerry
    On my computer, I use multi-boot functions, and have 6 items in the list (older system, WIN7, WIN71, Win81, Win8RP, and Recovery Console). Older is XP, and the Win8RP system is a VHD on external drive.

    For my default system, WIN7, which had the corrupt registry, when that item is selected, I hit F8 and it gives me a long list of alternatives for booting. One is Repair System, which fails to bring up the function that allows the system recovery to take place. It might be the case that this item said "repair your computer" (there was a point when frustration may have overwhelmed my sense of being a rational person). In any case, it would not function or go any further than a locked up screen.

    Since I was able to boot into two other partitions on this computer, memory isn't an issue. Further, since I have recovered the system with the corrupt registry, memory isn't an issue. Suggestion appreciated however (one can never tell).

    For benefit of others that might view this thread, I posted another thread talking about the core of the corruption; the achernar.sys driver. You might review that thread.

  8. #8
    Super Moderator bbearren's Avatar
    Quote Originally Posted by Ken Kashmarek View Post
    Most (all?) drive imaging programs that I know of do not provide any of the capabilities that I am looking for (view, diagnose, analyze, edit, change, recover, or repair the hive files). Imaging programs can only copy the hive files. I have done that for my recovery.
    Well, that's the point. Restoring a recent known-good drive image is quicker, easier, and more thorough than plunking around in the registry. I've done both (and surely will again, but prefer restoring a known-good recent image).

    Quote Originally Posted by Ken Kashmarek View Post
    I checked regedit and the only thing I saw was the ability to "load hive", which places a hive file into your current registry in whole under a new key, so you can view the contents. Again, this is missing what I am looking for.
    Actually, that's exactly what you're looking for.

    When you load (import) the hive file, you are able not only to view the contents but also to edit it to your heart's content, and then unload (export) it. The editing gets saved via the unload.

    "Load hive" actually loads the hive into regedit, as if it were part of the registry that is booted. That's one of the reasons you need to give it a different name than one normally used by the registry. Once loaded, the hive is as editable as any other part of the registry. When you unload the hive, it is unloaded in its edited state.

    Since you multi-boot Windows, you're already set up.
    Last edited by bbearren; 2013-10-15 at 21:32. Reason: clarity

  9. #9
    Ken Kashmarek
    Guest
    In the scenario I am working with, there are between 20 to 30 instances of entries that include achernar.sys or achernar in the keys and/or data. Using regedit to work through that is just plain masochistic.

    Further, from reading the regedit help file material, it is not clear that one can use "load hive" for this purpose. Since the failed registry is in another partition, the command will load one of the entire files (some are 512 meg in size) as a new key into your current registry. That is NOT what I want to do.

    Further, "unload hive" will write back that entire key to the target location you specify, but it is not clear that it will replace the entire hive file at the target location, or simply insert this entire key into that target hive file.

    If I would consider anything HIGH RISK when working with a registry, this is it. What a way to screw up your current registry by loading in a hive file in its entirety from another computer.

    And, image files are straightforward & complete, but you get everything back, including all of the out of date content after the image was taken, which could cause later problems. In my case, all the Windows Update operations that had taken place after the image was taken, were out of date, and the patch Tuesday fixes had to be applied again. Most of them failed since they were already installed (but no longer noted in the restored registry), and other operations had to be taken to achieve success for this.

    Note this from the import/export help section:

    "Before a hive can be loaded or restored, it must be saved as a key, either to a floppy disk or to your hard disk."

    That implies that I cannot load a hive file directly, but it must be saved first as a key, and then it can be loaded. There must be something missing here that I have not yet comprehended but no matter. I don't think this is the path I would take.

  10. #10
    Super Moderator bbearren's Avatar
    Quote Originally Posted by Ken Kashmarek View Post
    In the scenario I am working with, there are between 20 to 30 instances of entries that include achernar.sys or achernar in the keys and/or data. Using regedit to work through that is just plain masochistic.
    Now you see why a drive image is a much preferred solution.

    Quote Originally Posted by Ken Kashmarek View Post
    Further, from reading the regedit help file material, it is not clear that one can use "load hive" for this purpose. Since the failed registry is in another partition, the command will load one of the entire files (some are 512 meg in size) as a new key into your current registry. That is NOT what I want to do.
    But that is how it works. The registry does not become a readable or editable database until it is loaded in a registry editor. In use or as hive files, it's all code. Open one of the hive files with notepad, and you'll see what I mean.

    Quote Originally Posted by Ken Kashmarek View Post
    Further, "unload hive" will write back that entire key to the target location you specify, but it is not clear that it will replace the entire hive file at the target location, or simply insert this entire key into that target hive file.
    But it does replace the entire hive file at the target location, complete with any editing that has been done to the hive. I've done this many times, and it is a very straightforward process.

    Quote Originally Posted by Ken Kashmarek View Post
    If I would consider anything HIGH RISK when working with a registry, this is it. What a way to screw up your current registry by loading in a hive file in its entirety from another computer.
    And yet,
    Quote Originally Posted by Ken Kashmarek View Post
    I am looking for a program that can be run from another partition to access a damaged registry (or copy thereof). In other words, work interactively on a static copy of a registry to view, diagnose, analyze, edit, change, recover, or repair the hive files, so they can be used again to bring a system back to a bootable state.
    was what you requested in your OP. One such program is Regedit. There are also a number of third party registry editors available. In my reply I stated that this could be done from a dual boot. I didn't say from another computer (but that will also work if both are on the same network with the proper sharing).

    When loading a hive file, you give it a different name, such as TEST. It loads as an HKEY with the name TEST. Even though it's in your active registry, it has a pathname that is not recognized by your registry or system for any operation at all. It's harmless. Of course, the person at the keyboard can screw up the registry, completely unrelated to the loaded hive file. I've done that myself - not a problem, though, as I have a drive image at the ready.

    But I am unaware of any way of editing a registry without using a registry editor. I find it convenient to use the one I already have, as I'm quite familiar with how it works and what it does.


    Quote Originally Posted by Ken Kashmarek View Post
    And, image files are straightforward & complete, but you get everything back, including all of the out of date content after the image was taken, which could cause later problems. In my case, all the Windows Update operations that had taken place after the image was taken, were out of date, and the patch Tuesday fixes had to be applied again. Most of them failed since they were already installed (but no longer noted in the restored registry), and other operations had to be taken to achieve success for this.
    I use Image for Windows, and I make drive images frequently. I've never had an issue restoring an image, nor any problem such as you describe.

    Quote Originally Posted by Ken Kashmarek View Post
    Note this from the import/export help section:

    "Before a hive can be loaded or restored, it must be saved as a key, either to a floppy disk or to your hard disk."

    That implies that I cannot load a hive file directly, but it must be saved first as a key, and then it can be loaded. There must be something missing here that I have not yet comprehended but no matter. I don't think this is the path I would take.
    That is not the first set of Microsoft instructions that are outdated or incomplete. As I said, I've done this many times, and it's quite a straightforward process. A hive file can be loaded directly from its normal partition, and unloaded directly back to its place of origin. No intermediary necessary.

    Still, I find that restoring a recent known-good drive image to be the simplest, quickest, and easiest solution to a corrupted registry, and indeed many other problems as well.

  11. #11
    Ken Kashmarek
    Guest
    The more thorough explanation is appreciated. Thank you.

    I guess I am not ready for becoming a regedit guru. My task is to remove the achernar.sys driver from my system. The vendor that supplied the driver does not know how.

    I suspect that one of these days, I will take my backups, create my image files, and whack my way through the task of removing the 20-30 registry entries that have "achernar" in them (keys and data), followed by a re-boot and a prayer.

    If it works, celebrate!

    If it fails, turn to Microsoft to find out why this (or maybe other) driver entries cannot be removed. Well, restore the registry so I can still use my system.

    There must be a dependency between the driver service entry at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\achernar" and other information in the registry such that the removal of just this single entry causes the system to not boot.

    When a driver service entry is removed, are there other items that need to be updated to preserve the integrity of the registry for booting?

    What a mess!

  12. #12
    Ken Kashmarek
    Guest
    In another thread, Fred suggested I use the device manager to find the driver. The driver is not listed as a driver per se. Devices are listed and it is not the primary driver on any specific device on the system.

    In this area, you have to find drivers by device. achernar.sys is noted as a SCSI command filter driver. Apparently it is not listed as a driver for any specific device.

    However, at this point, the suggestion yielded results. I started searching EVERY device and listed the drivers. I found achernar.sys.

    It is listed under this device: Intel(R) ICH8R/ICH9R/ICH10R/D0 SATA RAID Controller

    It has a device class of SCSI adapter.

    The bus reported device description says RAID Controller.

    The provider is listed as Intel.

    The Class lower filters value is "Achernar".

    Under driver details, the provider is listed as NewSoft Technology Corporation (Copyright -same-), the provider of the Presto Page Manager v9 software I once installed.

    This RAID controller has a primary driver from Intel.

    So, now the question becomes "Why is achernar.sys a lower filter driver for the Intel RAID controller?"

    NOTE: this is why the system won't boot when only this driver is removed from the registry. The entire RAID controller must be removed. The RAID controller configuration must be satisfied BEFORE the boot process begins.

    Since I don't have any RAID on this system, I can probably remove the raid controller and clean this up once and for all.

    Thanks for the feedback in this thread.

    Who would have thought this was hooked to the unused raid controller. Looks like malware at this point, though it might never get invoked if there is no attached RAID device.
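
Added example, not part of any post in this thread: posts #11 and #12 trace the boot failure to a filter name ("Achernar" in the class lower filters) that stays referenced after its service entry is deleted. The sketch below reads a regedit text export of an offline SYSTEM hive and lists every class-level UpperFilters/LowerFilters name, flagging those with no matching services key. The sample export is constructed, and the mount name TEST (borrowed from post #10) and the ControlSet001 layout are assumptions.

```python
import re

# Constructed sample (not data from the thread): regedit text export of an
# offline SYSTEM hive that was loaded under the temporary key name TEST.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\TEST\ControlSet001\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
"Class"="SCSIAdapter"
"LowerFilters"=hex(7):41,00,63,00,68,00,65,00,72,00,6e,00,61,00,72,00,00,00,\
  00,00

[HKEY_LOCAL_MACHINE\TEST\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"Class"="DiskDrive"
"UpperFilters"=hex(7):50,00,61,00,72,00,74,00,4d,00,67,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\TEST\ControlSet001\services\partmgr]
"ImagePath"="system32\\drivers\\partmgr.sys"
'''

CLASS_RE = re.compile(r'\\(ControlSet\d{3})\\Control\\Class\\(\{[^\\]+\})$', re.I)
SERVICE_RE = re.compile(r'\\(ControlSet\d{3})\\services\\([^\\]+)$', re.I)
VALUE_RE = re.compile(r'^"(UpperFilters|LowerFilters)"=hex\(7\):(.*)$', re.I)

def decode_multi_sz(hex_text):
    """Decode a .reg hex(7) payload (UTF-16LE, NUL-separated) into strings."""
    raw = bytes(int(b, 16) for b in hex_text.split(',') if b.strip())
    return [s for s in raw.decode('utf-16-le').split('\x00') if s]

def audit_filters(reg_text):
    """Return (control_set, class_guid, value, filter_name, has_service) rows."""
    text = re.sub(r'\\\r?\n\s*', '', reg_text)   # join hex continuation lines
    services, refs, cls = set(), [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            cls = CLASS_RE.search(line[1:-1])    # class key itself, not subkeys
            svc = SERVICE_RE.search(line[1:-1])
            if svc:                              # key names are case-insensitive
                services.add((svc.group(1).lower(), svc.group(2).lower()))
        elif cls and (val := VALUE_RE.match(line)):
            for name in decode_multi_sz(val.group(2)):
                refs.append((cls.group(1), cls.group(2), val.group(1), name))
    # Resolve after the full pass: service keys may appear after class keys.
    return [r + ((r[0].lower(), r[3].lower()) in services,) for r in refs]

def dangling(reg_text):
    """Filter names still referenced by a class but lacking a services key."""
    return [r for r in audit_filters(reg_text) if not r[4]]

if __name__ == '__main__':
    for cs, guid, value, name, ok in audit_filters(SAMPLE_REG):
        print(cs, guid, value, name, 'service key present' if ok else 'NO SERVICE KEY')
```

For a real export, read the file with `encoding='utf-16'`, since regedit writes Version 5.00 exports as UTF-16.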

  13. #13
    Ken Kashmarek
    Guest
    Update to the previous post to add:

    IntelRAIDController-drivers.jpg

  14. #14
    Ken Kashmarek
    Guest
    Well, I can't remove the Intel RAID Controller. The label is a misnomer. This device is the storage controller for the computer and the fact that it can handle certain RAID configurations is just an extra. It isn't there for RAID only.

    In fact, I did try to remove it, but it doesn't go away and nothing changes except for an annoying reboot to put things back in shape.
