How to Edit the Registry Offline Using Windows Recovery Environment?

Windows Recovery Environment (Windows RE) is an extremely useful platform which provides various system recovery options to diagnose and repair an unbootable Windows installation. This post explains in detail, with plenty of screenshots, how to perform offline registry editing of your Windows installation via the Recovery Environment. The screenshots are from a Windows 10 computer.

Accessing the Recovery Environment

In Windows 8 and Windows 10, press WinKey+X to open the Power User menu. Click Shut down or sign out, press and hold the SHIFT key and click Restart. In Windows 10, you can also open Settings (WinKey + i), click Update and Security, click Recovery, and click the Restart Now button under Advanced startup.

If Windows doesn’t start, then boot the system using your Windows installation media to access the Recovery Options. Or you may use the Recovery drive if you’ve created one already.

In the Recovery Options, click Troubleshoot.

Click Advanced options.

At this point, you’ll be offered various recovery options, such as:

  • System Restore

  • System Image Recovery

  • Startup Repair

  • Command Prompt

  • Startup Settings

  • Go back to the previous build

If a recent software installation or malware attack has made your system unbootable, a System Restore rollback would be an ideal option. On the other hand, if you want to fix a specific registry setting, or to delete a locked-down file or registry key which you can’t otherwise modify while Windows is running, click Command Prompt.

Select your user account, type the password in the next screen, and click Continue.

The Command Prompt window would now show up.

The next job is to find the drive letter of your Windows installation, as seen from Windows RE. This can be done by running the BCDEDIT command.

In the BCDEDIT command output, look for the boot loader entries containing the fields path (pointing to winload.exe), osdevice, or systemroot, and make a note of the drive letter, which in this case is D:\

Edit Registry Offline Using Recovery Environment

In the Command Prompt window, type REGEDIT and press ENTER to launch the Registry Editor.

Select the HKEY_USERS hive, click the File menu and click Load Hive…

The Load Hive… option is only available when HKEY_USERS or HKEY_LOCAL_MACHINE is selected. In this case, we select HKEY_USERS and click the Load Hive… option.

Browse or type the path to the SOFTWARE registry hive of your Windows installation, which is in D:\ drive in this example. The actual path to the SOFTWARE registry hive would be "d:\windows\system32\config\software". Type the path and click Open.

Enter a name for the loaded hive; it can be anything.

The SOFTWARE registry key is now mounted to a branch named MyKey.

The loaded SOFTWARE hive (MyKey) is actually nothing but the following registry path of your Windows installation, mounted under a different name:


Fixing a Registry Key/Value

Let’s assume you want to fix the Userinit registry value which was modified by malware, and you’re unable to log on to your profile. To fix the Userinit value, go to the following branch:

HKEY_USERS\MyKey\Microsoft\Windows NT\CurrentVersion\Winlogon

Double-click the Userinit value, and fix the path accordingly.

Note: You’ll need to use the actual path to your Windows installation as seen when Windows is booted (NOT D:\ as seen from Windows RE). If Windows is installed in C:\ then the Userinit registry value data should be:


(Include the trailing comma as well)

Related post: Here is a case where malware had modified the Userinit value (and locked down the Task Manager in some systems), thus blocking the user from logging on to their user account. Check out the post Fix "Can not find script file C:\WINDOWS\run.vbs" for more information.

Once the changes are made, it’s time to Unload the hive. To do so, go back to “MyKey” branch, click the File menu and choose Unload Hive…

That’s it! Type EXIT in the Command Prompt window and Turn off computer, or continue to Windows.
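The same load, inspect/fix, and unload sequence can be scripted with reg.exe so the hive is never left loaded. This is an added example, not part of the original post, and it assumes PowerShell is available in the Windows RE command prompt, that the offline installation is D:\ as seen from Windows RE (from BCDEDIT) and C:\ when booted, that the mount name is MyKey, and that the expected values are the clean-install defaults for Userinit (with its trailing comma) and Shell.

```powershell
# Added example: audit (and optionally restore) the Winlogon values in the
# offline SOFTWARE hive from Windows RE. Assumptions: OfflineDrive is the
# drive letter BCDEDIT reported, BootDrive is the letter the installed
# Windows uses, and the expected values are the clean-install defaults.
param(
    [string]$OfflineDrive = 'D:',
    [string]$BootDrive    = 'C:',
    [string]$MountName    = 'MyKey',
    [switch]$Fix          # without -Fix the script only reports deviations
)

$hivePath = Join-Path $OfflineDrive 'Windows\System32\Config\SOFTWARE'
$mount    = "HKU\$MountName"
$winlogon = "$mount\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Expected defaults; Userinit must keep the trailing comma.
$expected = @{
    Userinit = "$BootDrive\Windows\system32\userinit.exe,"
    Shell    = 'explorer.exe'
}

& reg.exe load $mount $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hivePath" }

try {
    foreach ($name in $expected.Keys) {
        # reg query prints "    Userinit    REG_SZ    <data>"; keep the data column.
        $line   = & reg.exe query $winlogon /v $name | Where-Object { $_ -match "^\s+$name\s+REG_" }
        $actual = if ($line) { ($line -split '\s{2,}', 4)[3] } else { '<missing>' }

        if ($actual -ne $expected[$name]) {   # -ne is case-insensitive, so C:\WINDOWS matches
            Write-Warning "$name is '$actual', expected '$($expected[$name])'"
            if ($Fix) {
                & reg.exe add $winlogon /v $name /t REG_SZ /d $expected[$name] /f | Out-Null
                Write-Host "Restored $name"
            }
        } else {
            Write-Host "$name OK: $actual"
        }
    }
}
finally {
    # Always unload; a hive left loaded stays locked and the offline
    # SOFTWARE file may be left in an inconsistent state.
    & reg.exe unload $mount | Out-Null
}
```

Run it once without -Fix to see what changed, then with -Fix to restore the defaults before typing EXIT and rebooting.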

  1. You sir, have saved my PC. Thanks for the knowledge. I’m now trying to get AVG to remove the malware permanently and uninstalling all the malware affiliated software. Thank you sooo much

  2. Hi Ramesh. This is a fantastic tutorial, as are all your blog entries. When I was working this example, I performed “load hive” on the HKEY_LOCAL_MACHINE branch because I wanted to check out whether the CurrentControlSet subkey exists offline. As I suspected, it does not. When I went to perform “unload hive” on the HKEY_LOCAL_MACHINE branch, that option was not available. However, it was available on “MyKey” so I unloaded that temp hive. I then performed the load hive on the HKEY_USERS branch and the same thing happened (unload hive option was only available on “MyKey”). Does this sound right?

