Manually Restoring Computer From Restore Point Using Boot CD

mocks1, Member with 118 posts, Join Date: Aug 2002, THREAD STARTER
06-Apr-2010, 02:24 PM #1
Hello,

In Windows XP, with an unbootable computer, I used to be able to manually restore the registry back to an older point in time by just copying the System, Sam, Security, Software, and Default files from an old Restore Point back to the system32/config folder using a Boot CD. How do I manually restore the registry files back in Vista using a Boot CD?

Sometimes when I am on a Vista computer and use a Vista Boot DVD or Vista Recovery CD, I use the System Restore function on the System Recovery Options menu of the Vista boot disc, but then it falsely says there are no restore points available. I know the program is wrong because I can see the large restore point files when browsing the hard drive with a boot CD.

I need to be able to have the same ability to manually copy back old registry files as I did in Windows XP. Anyone know how to do this--is it possible with some editing of giant restore point files?

Thanks
Mumbodog, Member with 7,891 posts, Join Date: Oct 2007, Experience: Advanced
06-Apr-2010, 06:17 PM #2
Yes, Vista and W7 keep the restore points in a folder called "System Volume Information", but it's a permissions-locked folder.

Also, I am not sure what format restore points are stored in; I cannot find any info on how to do it manually like we did in XP either.

Maybe someone smarter than me will come by and post the method.

mocks1, Member with 118 posts, Join Date: Aug 2002, THREAD STARTER
06-Apr-2010, 07:08 PM #3
I wish Microsoft would have left System Restore alone or at least preserved some of the functionality/file types that allowed us to do quick restores manually using a Boot CD. They could have had the new System Restore files along with creating backups going back weeks of just Registry Hives and NTUSER.DAT etc in a separate, accessible folder.

Anybody figured out how to do this--there must be someone on TSG site that has solved this?

I am trying to help my Cousin by phone in Florida, but I need him to roll Vista system back so I can get remote access to remove malware that got on computer and the malware has broken the association with EXE files and System Restore and prevents my usual removal tools from running even in Safe-Mode.

I tried some registry steps over the phone, but it is very time consuming and difficult doing it this way with him.
Isn't there a way to extract the Registry Hives from those large restore files in Vista System Volume Information folder?

You can take ownership and/or most likely give your Username login permission to read/write the System Volume Information folder (SVI). I don't have Vista in front of me, but you can probably right click the SVI folder, choose Properties, look for the Security tab and add your User login name to the permissions list and check all read/write boxes for changing files etc. Then you should be able to read the SVI folder even after it gives you an error warning that it could not set permissions. I did it a few months back on a Vista computer and it worked. The files are very large and have long, random alphanumeric file names.

I do a similar method with the XP SVI folder by trying to share the folder and checking both boxes to allow changes etc., and then it says there was an error or gives a warning, but when you open the SVI folder in XP you can see all the restore points.
Mumbodog, Member with 7,891 posts, Join Date: Oct 2007, Experience: Advanced
06-Apr-2010, 07:18 PM #4
Have him/her fix the exe file association.

http://www.winhelponline.com/article...ows-Vista.html


Quote:
Isn't there a way to extract the Registry Hives from those large restore files in Vista System Volume Information folder?
I have been looking for that myself, no luck yet.
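Mumbodog's link points at a downloadable .reg fix. The script below is an added example, not from the thread or the linked article: it checks the registry keys that decide how an .exe launches against the Vista/7 defaults (.exe -> exefile, exefile\shell\open\command -> "%1" %*) and, with -Repair, puts them back and removes the per-user overrides that take precedence over HKEY_CLASSES_ROOT. A hijacked association usually points the open command at the malware's own path so every program launched runs through it first, which is what the comparison surfaces. The expected values and the list of override keys are assumptions about a standard installation, not values taken from the thread.

```powershell
# Added example, not from the thread. Run elevated. Reports what differs from
# the assumed Vista/7 defaults; -Repair writes the defaults back.
param([switch]$Repair)

# Assumed known-good values for a stock Vista/7 install.
$Expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                        = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'  = '"%1" %*'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command' = '"%1" %*'
}
# Per-user keys that override HKCR. Malware prefers these because writing
# them needs no admin rights; on a clean system they normally do not exist.
$UserOverrides = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe'
)

function Get-DefaultValue([string]$Path) {
    # Returns the key's (Default) value, or $null if the key or value is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path).'(default)'
}

$problems = 0
foreach ($key in $Expected.Keys) {
    $actual = Get-DefaultValue $key
    if ($actual -ne $Expected[$key]) {
        $problems++
        Write-Warning "$key is [$actual], expected [$($Expected[$key])]"
        if ($Repair) {
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $Expected[$key]
        }
    }
}
foreach ($key in $UserOverrides) {
    if (Test-Path -LiteralPath $key) {
        $problems++
        Write-Warning "per-user override present: $key"
        if ($Repair) { Remove-Item -LiteralPath $key -Recurse -Force }
    }
}

if ($problems -eq 0)  { 'EXE association looks normal.' }
elseif ($Repair)      { "Repaired $problems item(s); log off and on so Explorer rereads the association." }
else                  { "$problems problem(s) found; rerun with -Repair to fix them." }
```

This only helps once something can launch powershell.exe, which is itself subject to the broken association; when nothing .exe will start, a route that does not depend on it (merging a .reg file from Explorer, as the thread ends up doing) has to come first. Run it again after the cleanup, since the same keys are the first thing the malware rewrites.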


TheOutcaste, Member with 9,028 posts, Join Date: Aug 2007, Location: Oregon, USA, Experience: Intermediate
06-Apr-2010, 07:45 PM #5
I've not actually looked at doing this manually, as booting from the DVD gives access (usually) to System Restore. Obviously not always the case.

Vista and Win 7 do have an improved equivalent of the Repair folder that XP has though, located here:
C:\Windows\System32\config\RegBack

There are copies of the registry hives in that folder that seem to be updated regularly.
On a Vista VM, they were updated when I booted up the system. The previous logs show a date of 3/11, which is the last date that I saved changes to the virtual hard drive.
My Win 7 system has hives dated 3/31. It's three hours after a restore point was made, and there are two restore points after it. It was booted 1 1/2 hours before those backups were made, so I'm not sure of the timing on these being created, or what service does it.

It may be automatically updated if they are more than a week old; mine should be updated today or tomorrow if that's the case. So this may or may not be useful, depending on how old the hives are.

Have to go diving into the System Volume Information folder to see if the hives can be easily recovered without needing something like Shadow Explorer to view it. Not sure if Shadow Explorer would run in the WinRE environment.

Accessing the System Volume Information folder is sometimes a bit picky; it doesn't seem to work if you add the Administrators group, you have to add a specific user. Here's the procedure I use, it's always worked for me:
To gain access to the System Volume Information folder:
  1. Right click the System Volume Information folder, click Properties
  2. Click the Security tab.
  3. Click the Advanced button
  4. Click the Permissions tab if not already on that tab
  5. Click the Continue button.
    You'll get a UAC Prompt, click Continue
  6. Click the Add... button
  7. Click the Advanced... button
  8. Click the Find Now button
    Click on your User account
  9. Click OK
    Check the Full Control box in the Allow column
    Make sure the Apply to: drop down shows This folder, subfolders and files
  10. Click OK
  11. Click OK
    You'll get multiple error dialogs saying:
    An error occurred applying security information to:
    ..\{GUID}{GUID}
    Access Denied

    Where GUID is a long string of hexadecimal characters like this:
    {1fe55d27-f9b6-11de-b74a-0003ffbf1f97}{3808876b-c176-4e48-b7ae-04046e6cc752}.
    Just click Continue on all of them
  12. Click OK
  13. Click OK
You can now double click the folder to access it and see what is inside.

To remove your account from the System Volume Information folder:
  1. Right click the System Volume Information folder, click Properties
  2. Click the Security tab.
  3. Click the Edit button
  4. Highlight your account
    Move the Permissions for System Volume Information dialog window to the right side of the screen
    This will prevent accidentally removing the System account
  5. Click the Remove button
  6. Click OK
    You'll get multiple error dialogs saying:
    An error occurred applying security information to:
    ..\{GUID}{GUID}
    Access Denied

    Just click Continue on all of them
    Be Careful! If you didn't move the Permissions for System Volume Information dialog window to the side you may end up clicking Remove after the last Error Dialog and end up removing the System account.
    Your account will still appear in the list after the last error dialog.
  7. Click OK
You will now no longer have access to the folder.
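The same grant and revoke as a command line, plus the timing check TheOutcaste wonders about, as an added example that is not part of the post. It assumes the Windows volume is C:, that the script runs from an elevated PowerShell on the booted system, and that the account running it is the one to be granted access. icacls is the Vista-era replacement for the cacls command Microsoft documented for this folder on XP; the "Access is denied" lines it prints for the {GUID}{GUID} files correspond to the error dialogs in the GUI steps.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on the
# booted system. Assumptions: Windows volume is C:; the grantee is the user
# running the script.
param(
    [ValidateSet('Inspect', 'Grant', 'Revoke')][string]$Action = 'Inspect',
    [string]$Volume = 'C:'
)
$svi     = Join-Path $Volume 'System Volume Information'
$regBack = Join-Path $Volume 'Windows\System32\config\RegBack'
$user    = [Security.Principal.WindowsIdentity]::GetCurrent().Name   # MACHINE\name
$hives   = @('SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY', 'DEFAULT')

switch ($Action) {
    'Grant' {
        # One specific user, Full Control, inherited by subfolders and files
        # ((OI)(CI)), i.e. "This folder, subfolders and files" in the GUI.
        # "Access is denied" on the {GUID}{GUID} files is expected; the ACE on
        # the folder itself is still written. If the folder itself is refused,
        # you would need 'takeown /f <svi> /a' first, which moves ownership
        # away from SYSTEM; undo that afterwards with
        # icacls <svi> /setowner "NT AUTHORITY\SYSTEM".
        icacls $svi /grant "${user}:(OI)(CI)F"
    }
    'Revoke' {
        # Removes only our ACE, so the SYSTEM ACE cannot be clicked away by
        # accident. The listing afterwards must still show
        # NT AUTHORITY\SYSTEM:(OI)(CI)(F).
        icacls $svi /remove:g $user
        icacls $svi
    }
    'Inspect' {
        # Before copying RegBack over the live hives, compare its timestamps
        # with the restore points: a RegBack written after the infection
        # started is of no use.
        'RegBack hives:'
        Get-ChildItem -LiteralPath $regBack |
            Where-Object { $hives -contains $_.Name } |
            Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
        'Restore points:'
        Get-ComputerRestorePoint |
            Select-Object SequenceNumber, Description,
                @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
            Format-Table -AutoSize
    }
}

# The restore itself has to happen offline, from the WinRE command prompt
# (the drive letter there may differ from C:), after saving the live hives:
#   mkdir D:\Windows\System32\config\bad
#   copy D:\Windows\System32\config\SYSTEM D:\Windows\System32\config\bad\   (repeat per hive)
#   copy D:\Windows\System32\config\RegBack\* D:\Windows\System32\config\
```

Revoke as soon as you are done: a user ACE on System Volume Information is exactly the kind of change that lets malware running as that user read or tamper with the restore points.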
mocks1, Member with 118 posts, Join Date: Aug 2002, THREAD STARTER
06-Apr-2010, 08:11 PM #6
Thanks Mumbodog and TheOutcaste for the detailed information!

I tried a registry fix to get EXE files opening normally instead of the underlying virus or asking what program to use, but the one I tried last night did not do the trick.

I will try the downloadable registry fix file from your link; it looks very promising and is different REG info from the one I tried with my cousin last night.

He is calling me in about 30 minutes, so I will have him try that first.

That is a great step by step to get access to SVI in Vista!

These two tools/info go in my bag-of-tricks folder!

PS--His computer has been having problems/infected since St Patrick's Day--so who knows if those extra REG files you mentioned exist before that date. I'll have him check that as soon as he calls too
mocks1, Member with 118 posts, Join Date: Aug 2002, THREAD STARTER
07-Apr-2010, 12:50 AM #7
Mumbodog, your EXE file association registry fix that I downloaded from the link you provided above worked--thanks again.
mocks1, Member with 118 posts, Join Date: Aug 2002, THREAD STARTER
07-Apr-2010, 02:28 AM #8
I was able to get remote access to my cousin's computer once he applied the registry fix file. Luckily he was able to get access again to Internet Explorer, and he downloaded and merged the data back into the registry.

I tried getting him to install Firefox last night but it would not install because of the EXE problem. I am connected remotely now and ran Malwarebytes, and it found about a dozen nasty trojans, fake anti-virus scanners and EXE hijacker files.

I am running a NOD scan of his hard drive and it has found a few more, including something called BAT/Killfiles.NCB Trojan sitting right on the Desktop (in the User login name Desktop folder).

He has Comodo Internet Security Free but it obviously let a lot get past, so I'll have to talk him into buying NOD Smart Security instead.



mocks1, Member with 118 posts, Join Date: Aug 2002, THREAD STARTER
07-Apr-2010, 02:30 AM #9
I still want to figure out how to manually restore registry files back on a Vista system--it will definitely be needed someday soon

Please post any hints, clues or links that might lead me in the right direction to figure this out---thanks
mocks1, Member with 118 posts, Join Date: Aug 2002, THREAD STARTER
17-Apr-2010, 05:43 AM #10
Anyone here on TSG figured out how Microsoft stores registry/restore point data in all those huge files in the Vista System Volume folder? Is the data encrypted, or is there a way to extract just the registry hives from the files using some new method or obscure program to read the contents of these files?
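The thread ends without an answer, so here is the part that was missing, as an added note and example rather than anything posted in it. On Vista and Win 7 a restore point is a Volume Shadow Copy snapshot of the whole volume; the large {GUID}{GUID} files in System Volume Information are the shadow storage (the second GUID in TheOutcaste's example, 3808876b-c176-4e48-b7ae-04046e6cc752, is the VSS diff-area identifier). Nothing in them is encrypted, but they hold block-level differences, not an archive you can open, which is why no Vista equivalent of the XP "copy the files out of the RP folder" trick exists. The readable view is the snapshot's device object, which Windows will expose as a directory symlink, and that is what Shadow Explorer does behind the scenes. The script below enumerates the snapshots and copies the five hives out of one. It assumes an elevated PowerShell on a booted Vista/7 system that can see the volume (the machine itself, or the disk attached to another Vista/7 box; I have not assumed this works from the WinRE command prompt), a staging folder C:\HiveRecovery, and a standard \Windows\System32\config layout inside the snapshot. Booting the same disk under XP discards the snapshots, so do that no earlier than after the copy.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on a
# booted Vista/7 system that can see the volume (not from WinRE).
# Assumptions: staging folder C:\HiveRecovery; standard config layout.
param([int]$Sequence = 0, [string]$Staging = 'C:\HiveRecovery')
$hives = @('SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY', 'DEFAULT')

# 1. Enumerate shadow copies (one per restore point) with creation time,
#    source volume and device object, oldest first.
$shadows = @(Get-WmiObject Win32_ShadowCopy | Sort-Object InstallDate)
for ($i = 0; $i -lt $shadows.Count; $i++) {
    $s = $shadows[$i]
    '{0,3}  {1}  {2}  {3}' -f ($i + 1), $s.ConvertToDateTime($s.InstallDate), $s.VolumeName, $s.DeviceObject
}
if ($Sequence -lt 1 -or $Sequence -gt $shadows.Count) {
    "Rerun with -Sequence <1..$($shadows.Count)> to copy the hives out of that snapshot."
    return
}
$chosen = $shadows[$Sequence - 1]

# 2. Expose the snapshot as a directory symlink. mklink requires the trailing
#    backslash on the device path, and Copy-Item cannot open a
#    \\?\GLOBALROOT path directly, hence the link.
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
$link = Join-Path $Staging 'shadow'
if (Test-Path -LiteralPath $link) { cmd /c rmdir $link }
cmd /c mklink /d $link "$($chosen.DeviceObject)\"

# 3. Copy the five hives. Inside the snapshot they are ordinary files, not
#    locked the way the live ones under \Windows\System32\config are.
$config = Join-Path $link 'Windows\System32\config'
foreach ($h in $hives) {
    Copy-Item -LiteralPath (Join-Path $config $h) -Destination (Join-Path $Staging $h)
}
cmd /c rmdir $link          # remove the link only; the snapshot is untouched
Get-ChildItem -LiteralPath $Staging | Select-Object Name, Length, LastWriteTime

# 4. Put them in place offline, from the WinRE command prompt, after backing
#    up the live hives (drive letter may differ from C:):
#   copy D:\HiveRecovery\SYSTEM D:\Windows\System32\config\     (and the other four)
```

Pick the snapshot by its creation time, the same way you would pick a restore point: the newest one taken before the trouble started. Because the hives come from a full-volume snapshot, the same link also gives you a clean copy of any other file the infection has altered, such as the user profile's NTUSER.DAT, but the offline copy step is where the registry is actually rolled back.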