Windows Registry

An introduction to registry editor

What is the Windows Registry?

A hierarchical database of computer system settings, hardware configurations, and user preferences.

The Windows Registry stores:

Software settings

Windows configuration settings

User profiles

Password Hashes and account settings

Registry Terminology

The registry is created when Windows boots, using data from several files

Each file stores one or more hives

Each hive is made up of keys and subkeys

Each key has one or more values and value data

Windows Registry

Hives are a logical group of keys, subkeys and values

1) HKEY_CLASSES_ROOT

2) HKEY_CURRENT_USER

3) HKEY_LOCAL_MACHINE

4) HKEY_USERS

5) HKEY_CURRENT_CONFIG

Windows Registry Hives

HKEY_CLASSES_ROOT (HKCR) - Contains information about file types, filename extensions, and other details related to files

It tells Windows how to handle different file types, and controls basic interface options like double-clicking and context menus.

HKEY_CURRENT_USER (HKCU) - Contains configuration information about the setup of the person currently logged into Windows

It controls the desktop, as well as Windows' specific appearance and behavior for that individual user, including screen colors and the arrangement of the desktop

It also manages the connections to the network and to devices like digital cameras or printers.

HKEY_LOCAL_MACHINE (HKLM) - Contains information about the computer itself, as well as the operating system

It includes specific details about all hardware, including the keyboard, printer ports, and storage devices

It also has information about security settings, installed software, system startup, drivers, and other services, like the ability to automatically connect to wireless networks.

HKEY_USERS (HKU) - Contains information about every user profile on the system

HKEY_CURRENT_CONFIG (HKCC) - Contains information about the system's current hardware setup, in the same way that HKEY_CURRENT_USER contains information about whoever's logged into the system at the moment.

It has details like the type of hard disk installed in your PC.

Windows Registry

A list of active hives is listed in the registry itself at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

Windows Registry Files

The following table lists the standard hives and their supporting files:

Registry hive                   Supporting files
HKEY_CURRENT_CONFIG             System, System.alt, System.log, System.sav
HKEY_CURRENT_USER               Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM          Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security     Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software     Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System       System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT             Default, Default.log, Default.sav

These files are located in %systemroot%\System32\Config and at %userprofile%\Username

Windows Registry Files

The following table lists the registry file extensions and what they mean:

.alt    A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file.
.log    A transaction log of changes to the keys and value entries in the hive.
.sav    Copies of the hive files as they looked at the end of the text-mode stage in Setup.

Windows Registry

Value names have data assigned to them

The data type can be:

String

Binary

DWORD

Multi-String

Expandable String

Windows Registry Data Types

Data type String

A string consists of plain readable text. String values are the most common values used in the Registry

All string values are indicated by an AB icon, which makes sense since the data type is readable text

There are 3 types of STRING: REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ

Data type String (REG_SZ)

This is the main type of string data used in the registry

"YES" or "NO" are common REG_SZ values, as are command line strings such as "C:\Program Files\Outlook Express" or even phrases or complete sentences (like error messages)

A string can also consist of numbers. Colors, for example, are usually stated numerically in the registry

Examples of numeric string values are at HKEY_CURRENT_USER\Control Panel\Colors

Data type Expandable String (REG_EXPAND_SZ)

This is an "expandable" string value holding a variable.

Example: %SystemRoot% and %UserName% are variables that are used to indicate the System folder and the name of the logged in user. Windows will replace (or EXPAND) the variable with the full path when the command is called.

By using a variable, you do not need to know the drive letter the user has Windows installed on.

Data type: Multi-String (REG_MULTI_SZ)

A multiple string array type made up of characters and numbers - used for entering more than one value, each one separated by a NULL character.

Example: This multi string value consists of 4 entries:

eqnclass.dll,CoInstallClass

spxcoins.dll,SpxClassCoInstaller

dgsetup.dll,DigiMultiPortCoInstaller

dgrpsetu.dll,DigiMultiPortCoInstaller

Note: Due to the NULL character being used to separate values, entering these from the keyboard can be difficult. It is often easier to copy an existing multi-string and edit it.

Data type Binary (REG_BINARY)

Binary is used most commonly with hardware and configuration settings.

The data is usually displayed in hex format

Data type DWORD (REG_DWORD)

Dword data types also consist of binary data, but two points distinguish them from binary types.

1. The binary data that can be entered is limited to 32 bits (4 bytes) in length.

2. The binary data can be entered in hexadecimal or decimal format.
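
The data types above, seen as stored bytes: the following Python code is an added example, not part of the original slides, that decodes raw value data for each type. It assumes strings are stored as UTF-16LE and DWORDs as little-endian; the function names and the environment table passed in are made up for the illustration.

```python
import re
import struct

# The four REG_MULTI_SZ entries quoted in the text above.
PAGE_ENTRIES = [
    "eqnclass.dll,CoInstallClass",
    "spxcoins.dll,SpxClassCoInstaller",
    "dgsetup.dll,DigiMultiPortCoInstaller",
    "dgrpsetu.dll,DigiMultiPortCoInstaller",
]


def encode_multi_sz(entries):
    """Build REG_MULTI_SZ data: every string ends in NUL, then one closing NUL."""
    return ("".join(e + "\x00" for e in entries) + "\x00").encode("utf-16-le")


def decode_sz(raw):
    """REG_SZ: UTF-16LE text; anything after the first NUL is ignored."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def decode_multi_sz(raw):
    """REG_MULTI_SZ: NUL-separated strings; an empty string ends the list."""
    entries = []
    for part in raw.decode("utf-16-le").split("\x00"):
        if part == "":
            break
        entries.append(part)
    return entries


def decode_dword(raw):
    """REG_DWORD: exactly 32 bits (4 bytes), stored little-endian."""
    if len(raw) != 4:
        raise ValueError(f"REG_DWORD must be 4 bytes, got {len(raw)}")
    return struct.unpack("<I", raw)[0]


def expand_sz(text, env):
    """Replace %NAME% with env[NAME] (case-insensitive); unknown names stay as-is."""
    lookup = {name.lower(): value for name, value in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)),
                  text)


def decode_value(reg_type, raw, env=None):
    """Dispatch on the type name shown in regedit's Type column."""
    if reg_type == "REG_SZ":
        return decode_sz(raw)
    if reg_type == "REG_EXPAND_SZ":
        return expand_sz(decode_sz(raw), env or {})
    if reg_type == "REG_MULTI_SZ":
        return decode_multi_sz(raw)
    if reg_type == "REG_DWORD":
        return decode_dword(raw)
    if reg_type == "REG_BINARY":
        return " ".join(f"{b:02x}" for b in raw)  # hex, as regedit displays it
    raise ValueError(f"unsupported type {reg_type}")


if __name__ == "__main__":
    env = {"SystemRoot": r"C:\Windows"}  # constructed environment table
    raw_path = "%SystemRoot%\\System32\\Config\x00".encode("utf-16-le")
    print(decode_value("REG_EXPAND_SZ", raw_path, env))
    print(decode_value("REG_MULTI_SZ", encode_multi_sz(PAGE_ENTRIES)))
    # The MaxCacheTtl data shown later on this page, dword:00000708, as stored bytes
    print(decode_value("REG_DWORD", bytes.fromhex("08070000")))
```

A REG_DWORD whose data is not exactly 4 bytes is rejected rather than padded, since a wrong length usually means the value was written with the wrong type.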


Editing the Windows Registry

Windows comes with a utility called Regedit for editing the registry data:

You can start regedit by going to the Start button, choosing Run… and then entering regedit

The Regedit Edit menu for creating, renaming and searching the registry data:

From the Edit menu, you can create new keys, subkeys, values and data. You can also:

Modify the permissions to registry elements

Search for keys, subkeys, values and data

The Regedit File menu for importing and exporting the registry data:

From the File menu, you can import one or many registry keys, subkeys, values and data. You can also:

Export registry data for backup or copying to another computer

Load a Hive file from another computer or user that is not logged in.

As an example edit, here is how to change the settings for Internet Explorer so that pop-up windows are allowed from all websites in the *.ncsu.edu domain:

The objective is to create a value and data in this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\New Windows\Allow

First double click on keys in the HKEY_LOCAL_MACHINE hive until you get to the Microsoft key

Then create keys for Internet Explorer, New Windows and Allow

The value and data to create in the Allow key are:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\New Windows\Allow\"*.ncsu.edu"="*.ncsu.edu"

Then create a String Value called *.ncsu.edu

Then enter data of *.ncsu.edu

Editing the Windows Registry

As a second example edit, here is how to change the settings for Remote Desktop so it uses a different port than the default, 3389:

The objective is to alter a data value at this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP-Tcp\PortNumber

Backing Up the Windows Registry

Since this key already exists, make a backup of the current values using the File | Export menu. Enter a name for the backup like RDP-orig

Editing the Windows Registry

Double click on PortNumber and select Decimal

Enter a new number, like 3903

Note: For this change to work, also change the PortNumber in this key:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp

This will change RDP to use port 3903 instead of 3389.

Next change the firewall to allow the connections to the new port, 3903.

You could use the Windows Firewall configuration tool, but as you might expect, the firewall settings are stored in the registry at these keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

Create a port exception for port TCP 3903:

In Regedit, go to this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

Create a string value named 3903:TCP

Enter value data of 3903:TCP:*:Enabled:Remote Desktop

Modify the Windows Firewall configuration settings for both the Standard Profile at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

And the Domain Profile at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

These edits will work with Windows XP and Windows Vista

Importing and Exporting Windows Registry Data

When you export data with the File | Export option, the data from the selected key or subkey is written to a file with a .reg extension.

Example .reg file to update the Windows Firewall for Officescan:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"

Editing the Windows Registry using .REG files

When you double click or import a .reg file, the settings in the file are copied into the registry keys named in the file.

Registry keys and subkeys are created using the tree structure described in the .reg file.

The values listed in the .reg file are created and assigned the data given in the .reg file.

If the keys or values with the same names already exist, they are replaced with the information in the .reg file.

If the keys already exist, the values in the .reg file are merged with those in the registry

It is possible to delete keys or values by placing a minus sign in front of the key name or after the equal sign:

[-HKEY_LOCAL_MACHINE\Software\Test]

[HKEY_LOCAL_MACHINE\Software\Test]
"TestValue"=-

If a key in a .reg file is preceded by a minus sign, the key, its subkeys, and value names are deleted

If a "ValueName"=- line is present in a .reg file, the value name is deleted

To rename a key or value using a .reg file, first delete the item and then add the data with a new name

To rename a key or value using regedit, select the item, right click and choose Rename

To avoid the "Are you sure?" prompt when importing, use the /s option in your script:

regedit /s test.reg

Export the registry with this command:

regedit /e full.reg

This would export the full registry to the full.reg file.

To export individual registry keys:

regedit /e software.reg "HKEY_LOCAL_MACHINE\Software"
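
Because an import merges, replaces and deletes without showing what it changed (and /s removes even the prompt), it helps to read a .reg file before importing it. The following Python code is an added example, not part of the original slides: it lists what an import would do and flags firewall port exceptions whose scope is * (any source address), reading the port:protocol:scope:state:name layout off the two entries shown on this page. The function names, the watched-key list and the sample file are constructed for the illustration.

```python
import re

# Constructed sample. The two firewall entries and the delete syntax are taken
# from this page; the Run value "Updater" is made up for the illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3903:TCP"="3903:TCP:*:Enabled:Remote Desktop"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"

[-HKEY_LOCAL_MACHINE\Software\Test]

[HKEY_LOCAL_MACHINE\Software\Test]
"TestValue"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Tools\\updater.exe"
"""

# Key-path fragments named on this page that deserve a second look (hypothetical list).
WATCHED = [
    ("\\currentversion\\run", "startup program"),
    ("\\firewallpolicy\\", "Windows Firewall policy"),
    ("\\terminal server\\", "Remote Desktop setting"),
]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(token):
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token

def parse_reg(text):
    """Return (action, key, value_name, data) for each line an import would act on."""
    ops, key = [], None
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join data continued with a trailing backslash
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            if line.startswith("[-"):
                ops.append(("delete-key", line[2:-1], None, None))
                key = None  # nothing can be set under a deleted key
            else:
                key = line[1:-1]
                ops.append(("merge-key", key, None, None))
            continue
        match = VALUE_RE.match(line)
        if match and key:
            name, data = unquote(match.group(1)), match.group(2).strip()
            if data == "-":
                ops.append(("delete-value", key, name, None))
            else:
                ops.append(("set-value", key, name, unquote(data)))
    return ops

def parse_port_entry(data):
    """Split a GloballyOpenPorts entry into port, proto, scope, state and name."""
    parts = data.split(":", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("port", "proto", "scope", "state", "name"), parts))

def review(text):
    """Return (finding, key, detail) tuples for the operations worth reading twice."""
    findings = []
    for action, key, name, data in parse_reg(text):
        low = key.lower()
        if action == "delete-key":
            findings.append((action, key, "key, subkeys and values are removed"))
        elif action == "delete-value":
            findings.append((action, key, f"value {name!r} is removed"))
        elif action == "set-value":
            entry = parse_port_entry(data) if low.endswith("\\globallyopenports\\list") else None
            if entry and entry["scope"] == "*" and entry["state"].lower() == "enabled":
                detail = f'{entry["port"]}/{entry["proto"]} open to any source address'
                findings.append(("open-port-any-source", key, detail))
                continue
            label = next((lbl for frag, lbl in WATCHED if frag in low), None)
            if label:
                findings.append(("watched-key", key, f"{label}: {name} = {data}"))
    return findings

if __name__ == "__main__":
    for finding, key, detail in review(SAMPLE_REG):
        print(f"{finding:22} {detail}\n    {key}")
```

On the sample, the 3903 entry is reported as open to any source address, while the OfficeScan entry, which is limited to 152.1.7.0/255.255.255.0, is only listed as a firewall policy change.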

Searching the Windows Registry

If you need to find occurrences of a particular string in registry key names, values or data, use the Edit | Find menu of regedit.exe:

The search will start from the highlighted position and go downward in the registry window

You may need to select My Computer to search through all hives

If you need to replace all occurrences of a registry string with another string, you may be able to accomplish this by:

Exporting the keys to a .REG file

Searching and replacing the strings in the text file with a text editor

Importing the .REG file.

There are also third party utilities to do this such as Registry Toolkit from https://www.funduc.com

Registry Search + Replace (also from funduc.com)

Beware that there are lots of "Registry Cleaner" type programs that are trojans

Finding settings in the Windows Registry can be difficult because there is no standard naming convention for registry keys, values and data

The website jsiinc.com was a good online resource for finding what registry keys control a setting

You may find search engine results that refer to jsiinc.com. These are usually very helpful

The JSI website is still available on the internet archive site, web.archive.org

The Microsoft knowledge base is also a good source for clues about what registry keys do

Registry Permissions

Like files and directories, Registry keys have security permissions to control who can view, alter and delete registry data

You can view/change the permissions for a key by selecting the key and using the Edit | Permissions menu

The general permissions are Read, Full Control and Special Permissions

These Special Permissions can be configured using the Advanced button:

Permission               Definition
QV  Query Value          allows assigned user or group to read the settings of a value entry located in the Registry
SV  Set Value            allows assigned user or group to set the value of a value entry located in the subkey
CS  Create Subkey        allows assigned user or group to create a subkey located in this selected subkey.
ES  Enumerate Subkeys    allows assigned user or group to identify all the subkeys in the selected subkey.
NT  Notify               allows assigned user or group to receive audit notifications from this subkey.
DE  Delete               allows assigned user or group the right to delete the subkey.
WD  Write DAC            allows assigned user or group the right to read the discretionary access control list for the selected subkey.
CL  Create Link          allows assigned user or group to create a symbolic link to this subkey.
WO  Write Owner          allows assigned user or group the right to take ownership of the subkey.
RC  Read Control         allows assigned user or group the right to read the access control list

When a key is created, it inherits its permissions from its parent key

As with files and directories, it is possible to set the permissions of a key differently from its parent key and to break the inheritance of permissions if needed.

Values do not have permissions; only keys and subkeys have permissions

Since password hashes and other security data are stored in the SAM hive, keys in the SAM hive have special permissions

You must run regedit as the SYSTEM user to view the SAM hive:

Start a SYSTEM shell with: at 22:08 /interactive "c:\windows\regedit.exe"

Where 22:08 is a time a minute or more in the future and Windows is installed at c:\windows

At the time specified in the command, regedit will run and you will be able to see the SAM information on the computer

Notice the Administrator has no access; only the SYSTEM user is supposed to read SAM information

Useful Registry Edits

Here are some things you can change with Registry edits:

Alter the DNS Cache time from the default of 1 Day to 30 minutes

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]

"MaxCacheTtl"=dword:00000708

Turn on file name completion in the DOS window

[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]

"CompletionChar"=dword:00000009

"EnableExtensions"=dword:00000001

"PathCompletionChar"=dword:00000040

Disable Dynamic DNS in the TCP/IP Parameters

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"DisableDynamicUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"DisableReverseAddressRegistrations"=dword:00000001


Find a list of programs that run at startup in these Run keys

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKCU\Software\Microsoft\Windows\CurrentVersion\Load

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\Load

The values of these keys and others that control startup programs are listed on the Startup tab of the msconfig utility. However, you cannot change them from that program.

If you see a 'path not found' or 'file not found' error at login, it may be because one of the Run key values has the wrong filename or directory. This can be corrected with Regedit.

The uninstall path for applications is stored at:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

If you are having trouble getting the uninstaller to run, perhaps because a drive letter changed or a directory name changed, you can fix the problem by editing the path in the Uninstall key.

Windows can synchronize time with the government NIST time server

Enter the name of the time server in the following key:

Registry Forensics

The registry stores all kinds of information about how Windows is being used and what a user is doing when logged in.

The registry stores:

List of terms entered into the Windows File Search tool

History of commands entered in the Start | Run menu choice

History of mapped drives

History of mounted USB devices (cameras, flash drives, printers)

Recent file lists for Microsoft Word, Excel, Powerpoint, Access, and Wordpad

URLs typed into Internet Explorer, Windows Media Player and Firefox

Internet Explorer saved passwords and URL pairs

List of wireless networks used

Other information listed at: http://windowsxp.mvps.org/RegistryMRU.htm

The registry also stores a list of all applications run on the computer and a count of how many times each was launched. This includes applications run by double-clicking on a document, shortcut or Control Panel Applet.

Along with the count mentioned above, the registry stores the last time the application was run.

Using this information, it is possible to see what program was launched, when it was launched and how many times it was launched.

For a list of registry keys and how to read them, see: http://www.forensicswiki.org/wiki/Windows_Registry

Loading Offline Registry Hives

The Windows Registry is stored in several files located in the Windows folders and in the user's profile space

There are also backups of the registry in Windows restore points located in the \System Volume Information folder

Registry backups have the word _REGISTRY_ in the file name

These hive files can be loaded into regedit

Here is how to load a hive from a file:

Run regedit and select the HKEY_LOCAL_MACHINE hive to activate the Load Hive menu

After selecting Load Hive… browse to the hive file and open it

When prompted for a Key Name, enter something to describe the hive

Here an ntuser.dat file has been loaded with the Key Name default-user:

The hive will show up in regedit under the HKEY_LOCAL_MACHINE hive

If you make changes to the loaded hive and want to save them:

Select the Key Name of the loaded hive (default-user in the example above)

Choose File | Unload Hive…

Registry Backup Tools

There are several ways to backup the registry:

One way is to copy the files (SAM, Security, Software, System and Default) from the \Windows\system32\config directory

These cannot be copied when Windows is running, but can be copied from Recovery Console

A second way to make a registry backup is to manually create a Windows restore point

To create a restore point in Windows XP:

1. Click Start, click Run, type %SystemRoot%\system32\restore\rstrui.exe, and then click OK.

2. On the Welcome to System Restore page, click Create a restore point, and then click Next .

3. On the Create a Restore Point page, type a name for the restore point and then click Create

4. After the restore point has been created, click Close.

Registry Backup Tools

To restore the registry in Windows XP:

1. Click Start, click Run, type %SystemRoot%\System32\Restore\Rstrui.exe, and then click OK.

2. On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next .

3. On the Select a Restore Point page, click the system checkpoint. In the On this list select the restore point area, click an entry that is named "Guided Help (Registry Backup)," and then click Next. If a System Restore message appears that lists configuration changes that System Restore will make, click OK.

4. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration and then restarts the computer.

5. Log on to the computer. When the System Restore confirmation page appears, click OK.

Registry Backup Tools

To backup the registry in Windows Vista using a restore point:

1. Click Start, type systempropertiesprotection in the Start Search box, and then press ENTER.

2. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.

3. Wait for Windows to search for available disks and most recent restore points. In the System Properties dialog box, on the System Protection tab, click Create

4. Type a name for the restore point and then click Create.

5. After the restore point has been created successfully, click OK two times.

Note If System Restore is turned off, click to select the local disk, click Apply and then click Create.

To restore the registry in Windows Vista using a restore point:

1. Click Start, type systempropertiesprotection in the Start Search box, and then press ENTER.

2. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.

3. In the System Properties dialog box, on the System Protection tab, click System Restore.

4. In the System Restore dialog box select Choose a different restore point, and then click Next.

5. Select the restore point that you want to use, and then click Next.

6. Confirm your restore point, and then click Finish. System Restore restores the selected Windows Vista configuration and then restarts the computer.

7. Log on to the computer. When the System Restore confirmation page appears, click OK.

Another way to back up the registry is to make a System state backup and then restore it to an alternate location

When you restore the System state backup, you can restore to the running system (this is the default) or to an alternate location. If you want to edit or view the registry copy, restore to an alternate location

Note: There is a copy of the registry from the last System state backup in \Windows\Repair