WinXP Hives Backup and Restore
- save yourself from disaster -
- also see the XP won't Boot page -
*** this method works with FAT32 hard drives
(you can't access NTFS files with a Win98 boot disk)
I cannot tell you how many times I have personally saved my system by going back to a previous set of registry hives !!! It is basically the same as going to a previous Restore point, but does not require you to boot into Windows. Here again, to do this you need a FAT32 drive - not NTFS.
IMPORTANT: Keep in mind that even if you have never backed up your hives - there is always a backed up set of them in your Windows\Repair folder. This will be an older set, however - as it is created when you first install Windows. So back up your hives once in a while as a safety measure.
What is a Hive ??
Unlike Win98, where the registry is contained completely within 2 files, the WinXP registry is broken up into multiple sections, called "hives". Each hive is a portion of your registry (a group of keys, subkeys, and values) that has a set of supporting files containing backups of its data. Microsoft lists 7 "hives" (see bottom of this page), but for the purpose of disaster recovery, there are only 5 that you need to be concerned with.
The 5 Hives
These are files without extensions, and they are located in the windows\system32\config folder.
Unlike Win95-98-ME where the registry is contained in two files (system.dat and user.dat), the Windows XP registry is contained in 5 hives :
security, system, software, sam, default
The 6th Hive ??
There is yet another hive in the \windows\system32\config\systemprofile folder:
This file has an extension, and is in a different folder than the 5 main hive files, so I question whether it should be called a hive . . . but Microsoft calls it that. You can back this file up also, but in the many times that I have fixed my own computer by restoring the hives - I only needed the 5 main hives - not this one.
Why backup the Hives ??
i.e. why not use NTbackup or set a System Restore Point instead?
You can, of course, back up your entire system using NTbackup. However, this requires a ton of disk space, and since the majority of XP disasters are caused by corrupted registries - backing up your hives gives you a quick fix.
You can also set a system restore point. However, WinXP only keeps a few restore points, because like NTbackup - they take up a significant amount of disk space. Also, if you have added or moved files - going to a previous system restore point will often remove those files !!!
The hives, on the other hand, are a series of small files - which are the primary location for WinXP corruption. If you can't boot, or if your core apps such as IE are acting up (and you can't un-install IE) - a good backup of your hives will usually take care of it !!
The hives are locked while you are in Windows and cannot be copied. NTbackup has a workaround for that, but you don't - so you must copy them from a DOS or Win98 (which simulates DOS) command prompt boot. You cannot copy them by starting up a DOS box within Windows !!
The easiest method is to use a Win98 boot disk, and copy the hives to a backup folder.
FAT32 vs NTFS Drives
The Win98 boot disk cannot access NTFS hard drives !! So you must have WinXP running on a FAT32 drive in order to copy the hives !! There is an NTFS boot disk available, but the shareware version is Read-Only, and the full, Read/Write version is very expensive.
So, if you are already running WinXP on an NTFS drive - forget about this, and instead use system restore points and use NTbackup to back up your system files and registry occasionally.
Backing up the Hives
You will want to periodically back up your hives (once every 2 to 3 months is fine). Make sure your XP setup is working fine before you do this, so that the hives you back up are good.
Batch File to keep two Backups of your Hives and your WinXP Boot Files
Here is a simple batch file that will do the work for you - copy and paste this into Notepad and save it to a batch file, such as "hivesbak.bat". Make sure that you copy "deltree.exe" to your boot disk. If you do not have a Win98 boot disk, click Here to download. This routine keeps two backups of your Hives. It deletes Hives2, then copies Hives1 to Hives2, deletes Hives1, and replaces it with your current hives from your XP boot drive:
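REM Backup your Hives
REM Assumes WinXP is installed in c:\windows and the backup folders are in the root of C:
REM Drop the older backup, then move the previous backup (Hives1) into Hives2
deltree /y c:\Hives2
if exist c:\Hives1\*.* md c:\Hives2
if exist c:\Hives1\*.* copy c:\Hives1\*.* c:\Hives2
REM Recreate Hives1 (deltree removes the folder itself) and copy the current hives
deltree /y c:\Hives1
md c:\Hives1
copy c:\windows\system32\config\sam c:\Hives1
copy c:\windows\system32\config\system c:\Hives1
copy c:\windows\system32\config\security c:\Hives1
copy c:\windows\system32\config\software c:\Hives1
copy c:\windows\system32\config\default c:\Hives1
REM Copy Boot Files in Root of C Drive (optional)
if exist c:\RootBak\*.* deltree /y c:\RootBak
if not exist c:\RootBak\nul md c:\RootBak
REM Clear hidden/system/read-only so the boot files can be copied
attrib -h -s -r c:\boot.ini
attrib -h -s -r c:\ntldr
attrib -h -s -r c:\NTdetect.com
copy c:\boot.ini c:\RootBak
copy c:\ntldr c:\RootBak
copy c:\NTdetect.com c:\RootBak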
Optional - keep multiple backups of your Hives - after running the batch file from the Win98 boot diskette, remove the diskette, reboot into windows, and copy the hives folder to another location, and rename the folder - include the date of the backup in the new folder name. For example:
Restoring the Hives
Do this if you have an XP problem that you just can't fix. Of course - try everything else first (see XP won't Boot) . . . such as . . . update your WinXP files from the MS update site, run antivirus scan, run disk utilities, etc. If all else fails to fix the problem, do the following:
*** remember - in case you have not backed up your hives, or in case your backed up hives fail for some reason - there is always a backed up set of them in your Windows\Repair folder. In addition, WinXP creates a backup set during installation in the same folder, and names each file with a ".sav" extension. However, these should generally not be used because they are created when Windows is not really completely finished installing ***
(from Microsoft at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/registry_hives.asp )
A hive is a group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data. The setup phase of the Windows boot process automatically retrieves data from these supporting files. You can also retrieve data manually using the Import Registry File menu item of the Registry Editor (Regedit.exe). When you shut down Windows, the operating system automatically writes the hive data to the supporting files. You can also back up the hive data manually using the Export Registry File menu item of the Registry Editor.
The supporting files for all hives except HKEY_CURRENT_USER are in the %SystemRoot%\System32\Config directory; the supporting files for HKEY_CURRENT_USER are in the %SystemRoot%\Profiles\Username directory. The file name extensions of the files in these directories, and in some cases a lack of an extension, indicate the type of data they contain. The following table lists these extensions along with a description of the data in the file.
|Extension||Description|
|No extension||A complete copy of the hive data.|
|.alt||A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file.|
|.log||A transaction log of changes to the keys and value entries in the hive.|
|.sav||Copies of the hive files as they looked at the end of the text-mode stage in Setup. Setup has two stages: text mode and graphics mode. The hive is copied to a .sav file after the text-mode stage of setup to protect it from errors that might occur if the graphics-mode stage of setup fails. If setup fails during the graphics-mode stage, only the graphics-mode stage is repeated when the computer is restarted; the .sav file is used to restore the hive data.|
|Registry hive||Supporting files|
|HKEY_CURRENT_CONFIG||System, System.alt, System.log, System.sav|
|HKEY_LOCAL_MACHINE\SAM||Sam, Sam.log, Sam.sav|
|HKEY_LOCAL_MACHINE\Security||Security, Security.log, Security.sav|
|HKEY_LOCAL_MACHINE\Software||Software, Software.log, Software.sav|
|HKEY_LOCAL_MACHINE\System||System, System.alt, System.log, System.sav|
|HKEY_USERS\.DEFAULT||Default, Default.log, Default.sav|
Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile. This is called the user profile hive. A user's hive contains specific registry information pertaining to the user's application settings, desktop, environment, network connections, and printers. User profile hives are located under the HKEY_USERS key.
The supporting file for the user profile hive for a particular user is located in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\SID\ProfileImagePath, and is named Ntuser.dat. The value of ProfileImagePath is a binary representation of the directory name of the user's profile, which includes the user's name. Use the Registry Editor to display this binary value as a string.
Standard vs Latest Hives
Registry files have the following two formats:
Standard Hives - the only format supported by Windows 2000 and Windows NT. It is also supported by later versions of Windows for backward compatibility.
Latest Hives - supported by Windows XP and any version of Windows thereafter (such as Windows 2003).
On versions of Windows that support the latest format, the following hives still use the standard format:
*** all other hives use the latest format.
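Added example (not part of the original page and not Microsoft's code): a Python check, run on any machine that can read the backup folder, that a set such as Hives1 holds all 5 hives, that each copy has an intact header, and whether it is in the standard or the latest format. The header offsets and the version mapping (1.3 = standard, 1.5 = latest) come from the publicly documented "regf" hive layout, not from this page; the function names and the sample files are constructed for illustration.

```python
import struct, tempfile
from pathlib import Path
HIVES = ("sam", "system", "security", "software", "default")  # the 5 hives from this page

def checksum(hdr):
    """XOR of the first 127 little-endian dwords of the 512-byte base block."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", bytes(hdr[:508])):
        x ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)

def check_hive(path):
    """Return (format, problems) for one hive file, read from its base block."""
    hdr = Path(path).read_bytes()[:512]
    if len(hdr) < 512 or hdr[:4] != b"regf":
        return None, ["too short or missing 'regf' signature"]
    problems = []
    seq1, seq2 = struct.unpack_from("<II", hdr, 4)
    if seq1 != seq2:  # a write was in progress; the .log file would be needed
        problems.append("sequence numbers differ (hive not cleanly written)")
    if checksum(hdr) != struct.unpack_from("<I", hdr, 508)[0]:
        problems.append("header checksum mismatch")
    minor = struct.unpack_from("<I", hdr, 24)[0]  # assumption: 3 = standard, 5 = latest
    return {3: "standard", 5: "latest"}.get(minor, "unknown"), problems

def check_backup(folder):
    """Check that a backup folder (e.g. Hives1) holds all 5 hives, each intact."""
    files = {p.name.lower(): p for p in Path(folder).iterdir() if p.is_file()}
    return {n: check_hive(files[n]) if n in files else (None, ["missing"]) for n in HIVES}

def make_header(seq1=7, seq2=7, minor=5):
    """Constructed sample data: a bare 512-byte base block, not a real hive."""
    hdr = bytearray(b"regf".ljust(512, b"\0"))
    struct.pack_into("<IIQII", hdr, 4, seq1, seq2, 0, 1, minor)
    struct.pack_into("<I", hdr, 508, checksum(hdr))
    return bytes(hdr)

def demo():
    """Build a constructed backup set with one torn and one truncated hive."""
    folder = Path(tempfile.mkdtemp())
    for name in ("sam", "security", "default"):
        (folder / name).write_bytes(make_header())
    (folder / "system").write_bytes(make_header(seq1=8, seq2=7, minor=3))
    (folder / "software").write_bytes(b"regf")  # truncated copy
    return check_backup(folder)

if __name__ == "__main__":
    for name, (fmt, problems) in demo().items():
        print(f"{name:9} {fmt or '-':9} {'; '.join(problems) or 'OK'}")
```

For a real backup, call check_backup() with the path of the copied Hives1 or Hives2 folder; any hive reported with problems should not be used for a restore.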