Registry DataBase : Backup
Windows 95 - Windows 98/ME - Windows NT 4.0 - Backup by hand (NT)
Automatic backup (NT) - Backup on several diskettes (NT)
 
Top Windows 95
The Windows 95/98/ME registry database is made of 2, 3 or 4 files located in the Windows folder :
1. \Windows\System.dat   HKLM
2. \Windows\User.dat
HKU settings override HKLM settings.		   HKU \.Default
3. \Windows\Profiles\User.dat
Exists if more than 1 profiles have been created,
in that case, both User.dat files will be loaded (2+3).		   HKU \Utilisateur
3. \Windows\Profiles\Classes.dat (Windows ME)   HKCR
Those files have the 3 following attributes :
1. +r : read only
2. +h : hidden
3. +s : system (only for Windows 95)
Windows 98/ME include a backup utility but in Windows 95, the registry must be saved by hand. To do so, you must remove those attributes to be able to access those files :
1. Start in MS-DOS mode.
2. Create a backup folder, for example SavDat :
md C:\SavDat
3. Disable the attributes to access the registry files :
attrib -r -h -s %WinDir%\System.dat
attrib -r -h -s %WinDir%\User.dat
4. Copy the registry files in the backup folder :
copy %WinDir%\System.dat C:\SavDat\*.*
copy %WinDir%\User.dat C:\SavDat\*.*
 
There are 2 other interesting utilities on Windows 95's original CD in the folder Other\Misc : CfgBack.exe and Eru.exe.

CfgBack.exe makes a backup of the configuration stored in Windows's folder, called RegBackX.rbk, where X identifies the backup copy number. This file contains compressed User.dat and System.dat. A file called RegBack.ini is also used to log backup dates and names.

The Eru.exe (Emergency Recovery Utility) enables saving vital files to diskette (if it is still possible) or to disk. The following files may be saved by Eru.exe : Config.sys, AutoExec.bat, Win.ini, System.ini, Protocol.ini, User.dat, System.dat, IO.sys, Command.com, MsDos.sys. If there is not enough room on the diskette, make separate backups by ticking the files to be saved in Eru.exe's dialog box.
 
Top Windows 98/ME
Automatic backup
There is an automatic backup procedure in Windows 98/ME based on 5 backup sets compressed in .cab files stored in %WinDir%\Sysbckup. A backup is made every day when the machine is started for the first time. No other backup will be made if the machine is restarted the same day or if it is not turned off for several days. Backup copies are made of Rb00X.cab files where X identifies the backup copy number. The corresponding applications are ScanReg (DOS) and ScanRegW (Windows).

Backup by hand
Run ScanRegW in Windows. First, the system checks the registry. Then it displays a dialog box called Registry check result whiche the following message : The system has already made a backup of the registry today. Do you want to make another one ? Click on Yes.

Restore a previous copy of the registry
Start in MS-DOS mode, type ScanReg /restore and choose the backup to restore. Restart Windows.
 
Top Windows NT 4.0
See the hives section for more information.
The Windows NT registry database is made of 6 files located in %SystemRoot% \System32 \Config, except for Ntuser.dat located in %USERPROFILE%. The Userdiff file is for compatibility with previous versions of Windows.
1. Default HKU \.DEFAULT Default profile.
2. Sam HKLM \SAM User accounts and passwords.
3. Security HKLM \SECURITY Control access list
4. Software HKLM \SOFTWARE Installed applications.
5. System HKLM \SYSTEM Hardwxare configuration.
6. Ntuser.dat HKU \{SID} Active profile.
7. Userdiff Pour importer un profil d'une version précédente de Windows.
If NT is installed on a FAT partition
You can use the same method as in Windows 95 to backup the registry (backup by hand).
If NT is installed on a NTFS partition
Unless you have special tools, sorts of DOS NTFS drivers, it is not possible to access an NTFS partition when booting with a diskette because NTFS partitions need mounting, more or less as in Unix. There are 2 methods for saving the Windows NT registry : by hand (whole registry) or automatic (hardware configuration only). You may prefer to install a 2nd copy of NT from which you will be able to boot to restore your main system's registry.
If you have the Resource Kit MV utility
Uncompress you registry backup and have this batch launched at startup :
MV /X /D   %Temp%\Default   %SystemRoot%\System32\Config\Default
MV /X /D   %Temp%\Sam   %SystemRoot%\System32\Config\Sam
MV /X /D   %Temp%\Security   %SystemRoot%\System32\Config\Security
MV /X /D   %Temp%\Software   %SystemRoot%\System32\Config\Software
MV /X /D   %Temp%\System   %SystemRoot%\System32\Config\System
 
Top Backup by hand

Registry backup
If you double-click on RDisk.exe, the System and Software hives will be saved. To force RDisk.exe to backup the Sam and Security hives, type RDisk.exe /s at the command prompt. Use RDisk.exe /s- if you do not want to backup on a diskette. This backup can be restored by repairing the registry when booting with the NT installation diskettes. It is very easy to do, but you have to backup the registry regularly in Winnt\Repair or on diskette. To backup the registry, run RDisk.exe which will display a dialog box with the following options :
Update recovery reparation
  Makes a backup of the registry in Winnt\Repair.
Make emergency recovery disk
  Makes a backup of the registry on diskette called ERD (Emergency Recovery Disk). If the files are too big to fit on 1 diskette, use this trick to be able to save them on several diskettes..

Registry restore
Boot the Windows NT installation diskette.
Choose the repair option.
 
Top Automatic backup
Automatic backup handles registry hardware configuration. It can be restored at Windows NT startup, when the system displays the message Press space... It can not be configured by the user because Windows NT does it by storing 3 hardware configurations in HKLM \System \CurrentControlSet :
ControlSet001
ControlSet002
ControlSet003
Numbers will be incremented (ControlSet00X) according to the various versions of the registry.
The HKLM \CurrentControlSet \Select subkey indicates how to use them :
Key : HKLM \CurrentControlSet \Select
Entry : Current
System : NT, 2K
Type : REG_DWORD
Value : Backup copy number
Active configuration. Same as CurrentControlSet.
 
Key : HKLM \CurrentControlSet \Select
Entry : Default
System : NT, 2K
Type : REG_DWORD
Value : Backup copy number
Configuration to be used at next startup, except if the user makes a change.
 
Key : HKLM \CurrentControlSet \Select
Entry : Failed
System : NT, 2K
Type : REG_DWORD
Value : Backup copy number
This configuration failed and was replaced with LastKnownGood the last time the machine was started.
 
Key : HKLM \CurrentControlSet \Select
Entry : LastKnownGood
System : NT, 2K
Type : REG_DWORD
Value : Backup copy number
Last known good configuration. This entry will only be changed if startup fails.
The HKLM \SYSTEM \Clone key is built during startup and contains a temporary copy of the control set used to boot. When Winlogon has reported that everything went fine, it will become LastKnownGood.
 
Top Backup on several diskettes
If your ERD is full because the registry is too big :
1.   Run RDisk.exe to update your repair information in Winnt\Repair.
2.   Open the folder Winnt\Repair.
3.   Copy Setup.log, Config.nt and AutoExec.nt on your DRU.
4.   For a full backup, the following files are necessary too :
Default._   Sam._   Software._
Ntuser.da_   Security._   System._
5.   On your DRU copy what fits on the diskette from the files listed above.
6.   Repeat the procedure with as many diskettes as necessary : on each diskette, copy Setup.log, Config.nt and AutoExec.nt as well as what fits from the files listed above until you have a complete set of diskettes.
7.   Make as many repairs as DRUs you have copied by booting with Windows NT's installation diskette.

 

© Franck Kiechel 2000-2001