How to Edit the Registry Offline Using Windows Recovery Environment

Sometimes, you may need to edit the Windows registry in offline mode to rectify a situation where Windows doesn’t boot after modifying some settings recently. Windows Recovery Environment (Windows RE) is an extremely useful platform that provides various system recovery options to diagnose and repair an unbootable Windows installation.

This post explains in detail how to edit the Windows registry offline, via Recovery Environment. The screenshots are from a Windows 10 computer. The instructions apply to Windows 11 as well.

How to Edit Windows Registry Offline

Step 1: Accessing the Recovery Environment

In Windows 8 and Windows 10, press WinKey+X to open the Power User menu. Click Shut down or sign out, press and hold the SHIFT key and click Restart. In Windows 10, you can also open Settings (WinKey + i), click Update and Security, click Recovery, and click the Restart Now button under Advanced startup.

If Windows doesn’t start, then boot the system using your Windows installation media to access the Recovery Options. Or you may use the Recovery drive if you’ve created one already.

If you’ve enabled BitLocker drive encryption on the OS drive, in most cases, you’ll need to use (boot the device using) the Windows 10/11 Setup disk to access the Windows RE. The Windows RE tools should be in a partition that’s separate from the Windows partition. The reagentc.exe /info command tells you the status of WinRE on the computer. In case you haven’t created a separate partition beforehand and moved WinRE there, use the Windows Setup USB disk to boot into Windows RE. And also be sure to have the BitLocker key ready.

In the Recovery Options, click Troubleshoot.

Click Advanced options

At this point, you’ll be offered various recovery options, such as:

  • System Restore
  • System Image Recovery
  • Startup Repair
  • Command Prompt
  • Startup Settings
  • Go back to the previous build

If a recent software installation or Malware attack has caused your system unbootable, a System Restore rollback would be an ideal option. On the other hand, if you want to fix a specific registry setting, or to delete a locked-down file or registry key that you can’t otherwise modify when Windows is running, click Command Prompt.

BitLocker-encrypted drive?

Note: If Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.

If your drive has been encrypted using BitLocker Drive Encryption, you’ll now see the recovery key prompt such as the one below:

windows re bitlocker recovery prompt

If you’ve forgotten the BitLocker recovery key or lost the printout, you can view the key by signing into your Microsoft account (that’s not the only way, though) and going to this URL:

Microsoft account | BitLocker recovery keys:
https://account.microsoft.com/devices/recoverykey

Find my BitLocker recovery key:
https://support.microsoft.com/en-us/windows/find-my-bitlocker-recovery-key-fd2b3501-a4b9-61e9-f5e6-2a545ad77b3e

Even if you manage to launch Command Prompt using the Shift + F10 key combination (by bypassing the BitLocker recovery screen) or clicking the “Skip this drive” option, you won’t be able to access the encrypted drive. You’ll be asked to unlock the drive via Control Panel.

In my case, I haven’t enabled BitLocker Drive Encryption. So, Command Prompt loaded right away.

Select your Windows user account, type the password on the next screen, and click Continue.

(If you’ve booted into Windows RE using the Windows installation disk or repair disk, you wouldn’t see the password prompt below.)

Command Prompt window would now show up.

Find your Windows drive letter (in Windows RE)

The next job is to find the drive letter of your Windows installation, as seen from Windows RE. This can be done by running the BCDEDIT command.

In the BCDEDIT command output, look for the boot loader entries containing the fields namely, path (pointing to winload.exe) or osdevice or systemroot, and make a note of the drive-letter, which in this case is D:\

It doesn’t have to be D:\ in every case; Depending upon the computer, the Windows drive letter (as seen from Windows RE) may be C:\ itself. It’s advisable to run BCDEDIT anyway.


Step 2: Edit the Windows Registry Offline via WinRE

In the Command Prompt window, type REGEDIT and press Enter to launch the Registry Editor.

Select the HKEY_USERS hive, click the File menu and click Load Hive…

The Load Hive… option would be available if you’re currently in HKEY_USERS or HKEY_LOCAL_MACHINE. In this case, we select HKEY_USERS, and click the Load Hive.. option.



Additional Information: Registry Hives

Registry hives are database files that store data. Here is the list of common registry hives and their description.

Registry Hive Filename Registry Key Location (in your Windows installation) Description
%windir%\system32\config\SAM HKEY_LOCAL_MACHINE\SAM Stores the local user account info and passwords.
%windir%\system32\config\SYSTEM HKEY_LOCAL_MACHINE\SYSTEM Contains services/devices/LKG configuration, etc.
%windir%\system32\config\SOFTWARE HKEY_LOCAL_MACHINE\SOFTWARE Contains entries added by programs, Product keys.
%windir%\system32\config\DEFAULT HKEY_USERS \.Default Profile used by the Local System account
%userprofile%\ntuser.dat HKEY_CURRENT_USER User registry hive. Stores per-user settings.
%localappdata\Local\Microsoft\Windows\usrClass.dat HKEY_CURRENT_USER\Software\Classes User registry hive. Stores per-user file association settings.

(In our case, we need to load the SOFTWARE registry hive and edit the WinlogonUserInit registry value. For instance, if you need to modify the services configuration or startup type, you need to load the SYSTEM registry hive instead of SOFTWARE. For the purposes of illustration in this article, let’s load the SOFTWARE hive.)

Browse or type the path to the SOFTWARE registry hive of your Windows installation, which is in D:\ drive in this example. The path to the SOFTWARE registry hive of your Windows installation (when seen from Windows RE) would be “d:\windows\system32\config\software“. Type the path and click Open.

Mention a name for the loaded hive.. it can be anything.

The SOFTWARE registry key is now mounted to a branch named MyKey.

The loaded SOFTWARE hive (MyKey) is actually nothing but the following registry path of your Windows installation:

HKEY_LOCAL_MACHINE\Software

Fixing a Registry Key/Value

Let’s assume you want to fix the Userinit registry value which was modified by Malware, and you’re unable to log on to your profile. To fix the Userinit value, go to the following branch:

HKEY_USERS\MyKey\Microsoft\Windows NT\CurrentVersion\Winlogon

Double-click the Userinit value, and fix the path accordingly.

Note: You’ll need to use the actual path to your Windows installation (NOT the Win RE assigned drive letter D:\). If Windows is installed in C:\ then the Userinit registry value data should be:

C:\Windows\System32\Userinit.exe,

(You must include the trailing comma as well)

Related post: Here is a case where malware had modified the Userinit value (and locked down the Task Manager in some systems), thus blocking the user from logging on to their user account. Check out the post Fix “Can not find script file C:\WINDOWS\run.vbs”  for more information.

Once the changes are made, it’s time to Unload the hive. To do so, go back to the “MyKey” branch, click the File menu and choose Unload Hive…

That’s it! Type EXIT in the Command Prompt window and Turn off the computer, or continue to Windows.

Optionally, once you’re successfully logged on to your user account, load the Registry Editor and you’ll see that the value you modified offline is reflected there.

offline registry hive edit

The above step is not needed anyway. It’s just in case you’re curious if the offline registry editing has worked.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support, my reader. It won't take more than 10 seconds of your time. The share buttons are right below. :)

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

25 thoughts on “How to Edit the Registry Offline Using Windows Recovery Environment”

  1. You sir, have saved my PC. Thanks for the knowledge. I’m now trying to get AVG to remove the malware permanently and uninstalling all the malware affiliated software. Thank you sooo much

    Reply
  2. Hi Ramesh. This is a fantastic tutorial, as are all your blog entries. When I was working this example, I performed “load hive” on the HKEY_LOCAL_MACHINE branch because I wanted to check out whether the CurrentControlSet subkey exists offline. As I suspected, it does not. Went I went to perform “unload hive” on the HKEY_LOCAL_MACHINE branch, that option was not available. However, it was available on “MyKey” so I unloaded that temp hive. I then performed the load hive on the HKEY_USERS branch and the same thing happened (unload hive option was only available on “MyKey”). Does this sound right?

    Reply
  3. You saved my ars, and my gaming rig!!!

    For Info:
    Updated Win 10 to 19xx
    Steam does not start correct, always at 3 time!
    Disabled ram compression all ok

    regedit services ipxx and RT values to start 1 (instead of 2)
    Reboot loop

    Got ashen!

    started NB – searched google for “window 10 edit registry in restore mode
    clicked all the entries, till found your in place 5 (after all usless infos and ads)

    got ashen again at the point “load hive” is grayed! Paniced!
    googled again – found entry in superuser
    back to ur site, reread the part, face palm ! you had wrote it …

    loaded hive, reseted all the service remembered to start 2 or 3.
    Unloaded, restarted, took 10 seconds longer, ashed again at the blank screen!

    BAM login was there !

    Thank you, you made the job MS disabled:
    Registry auto backup and load last state!

    Reply
  4. While loading hive, I am getting below error:

    Cannot Load X:\Windows\System32\config\SOFTWARE: The process cannot access the file because it is being used by another process.

    Reply
    • @Nitin: Use the correct drive-letter. When you’re in WinRE X:\ will be drive-letter for WinRE environment, and not the drive-letter of your Windows installation. Use Bcdedit as mentioned in the article to find out the right drive-letter.

  5. You are my hero, thankyou now i can log in to windows, because i accidentally running chkdsk and somehow stuck at 10% and i followed loading hive as your instructions but in “system” hive and edit bootexecute for autochk as default and poof work as magic after hours

    Reply
  6. Let’s say you exported the registry to a file when the system was in an OK state. How would you restore this backup from the WinRE?

    For…abstract reasons, my installation now freezes some random (but relatively short — i.e. short enough that I’m afraid of even running an upgrade install at this point) time following each reboot. At first I thought it was the GPU driver…but the more I tried to fix it, the more heinous the problem seemed to be getting.

    So anyway, I created an export of the registry (using RegEdit -> Right click Computer & Export) a few weeks ago, which I’m now thinking of restoring. But when I try to restore the .reg file, it ends up with an error (same when I try reg.exe import exportfile.reg — in both cases, after minutes, it says error accessing the registry).

    I assume this is because the registry is in use on a running system, so perhaps I might have more luck from WinRE…anyway, any ideas?

    P.S. I tried to submit this just now and it was blocked, supposedly due to presence of HTML code. If you are seeing this, it means I changed “less than” exportfile “greater than” .reg to exportfile.reg (two paragraphs up). IOW, the blocking mechanism detected a false positive.

    Reply
  7. I just wanted to say thank you soo much for this tutorial. I literally searched the internet for 4 hrs straight before stumbling on your post. Honestly I don’t know how to thank you. Thank you, thank you, thank you. Thank you again. God bless.

    Reply
  8. Unbelievable! Saved me having to do a full reinstall. You’re a hero. I’m sure this will prove useful to me again and again.

    Reply
  9. Hi Ramesh – hoping you can help me. I have 2 profiles on my computer (myself and default account). The default account is the administrator. I don’t want the default account to be the administrator; I need to have administrator access. How can I change that? Thank you!

    Reply
    • @Mary: You can change the account type via Settings.

      Start > Settings > Accounts > Under Family & other users. Select the account owner name (you should see “Local Account” below the name), then select Change account type.

Leave a Comment