Windows Recovery Environment (Windows RE) is an extremely useful platform that provides various system recovery options to diagnose and repair an unbootable Windows installation. This post explains in detail, with plenty of screenshots, how to edit the registry of your Windows installation offline, from the Recovery Environment. The screenshots are from a Windows 10 computer.
Accessing the Recovery Environment
In Windows 8 and Windows 10, press WinKey+X to open the Power User menu. Click Shut down or sign out, press and hold the SHIFT key and click Restart. In Windows 10, you can also open Settings (WinKey + i), click Update and Security, click Recovery, and click the Restart Now button under Advanced startup.
If Windows doesn’t start, then boot the system using your Windows installation media to access the Recovery Options. Or you may use the Recovery drive if you’ve created one already.
In the Recovery Options, click Troubleshoot.
Click Advanced options.
At this point, you'll be offered various recovery options, such as:
- System Restore
- System Image Recovery
- Command Prompt
- Go back to the previous build
If a recent software installation or malware attack has left your system unbootable, a System Restore rollback is the ideal option. On the other hand, if you want to fix a specific registry setting, or to delete a locked-down file or registry key that you can't otherwise modify while Windows is running, click Command Prompt.
Select your user account, type the password in the next screen, and click Continue.
The Command Prompt window now opens.
The next step is to find the drive letter of your Windows installation as seen from Windows RE. Drive letters are assigned differently in Windows RE (the recovery environment itself runs from X:), so the installation that is C: when Windows is running may appear under another letter here. Run the BCDEDIT command to find it.
In the BCDEDIT output, look at the Windows Boot Loader entries for the fields path (pointing to winload.exe), osdevice and systemroot, and make a note of the drive letter, which in this case is D:\. If the drive is protected by BitLocker, it must be unlocked first (Windows RE asks for the recovery key) before its contents, including the registry hives, are readable.
Edit Registry Offline Using Recovery Environment
In the Command Prompt window, type REGEDIT and press ENTER to launch the Registry Editor.
Select the HKEY_USERS hive, click the File menu and click Load Hive…
The Load Hive… option is only enabled while HKEY_USERS or HKEY_LOCAL_MACHINE is selected. In this case, we select HKEY_USERS and click Load Hive…
Browse or type the path to the SOFTWARE registry hive of your Windows installation, which is on the D: drive in this example. The hive file has no extension, so the actual path is "d:\windows\system32\config\software". Type the path and click Open.
Enter a name for the loaded hive; it can be anything. This example uses MyKey.
The SOFTWARE hive is now mounted under a branch named MyKey.
The loaded SOFTWARE hive (MyKey) is nothing but the following registry path of your Windows installation, as it would appear when that installation is running:
HKEY_LOCAL_MACHINE\SOFTWARE
Fixing a Registry Key/Value
Let's assume you want to fix the Userinit registry value, which was modified by malware so that you're unable to log on to your profile. To fix the Userinit value, go to the following branch (the Winlogon key of the loaded hive):
HKEY_USERS\MyKey\Microsoft\Windows NT\CurrentVersion\Winlogon
Double-click the Userinit value and fix the path accordingly.
Note: You'll need to use the actual path to your Windows installation as it is when Windows is running (NOT D:\ as seen from Windows RE). If Windows is installed in C:\, then the Userinit registry value data should be:
C:\Windows\system32\userinit.exe,
(Include the trailing comma as well.)
Related post: Here is a case where malware had modified the Userinit value (and locked down the Task Manager on some systems), thus blocking the user from logging on to their user account. Check out the post Fix "Can not find script file C:\WINDOWS\run.vbs" for more information.
Once the changes are made, it's time to unload the hive so that your edits are written back to the hive file on disk. To do so, go back to the "MyKey" branch, click the File menu and choose Unload Hive… One caveat: if the machine was last shut down with Fast Startup or hibernation rather than a full shutdown, Windows restores its in-memory registry on resume and can overwrite an offline edit. If that applies, boot Windows fully once (or disable Fast Startup) and then do a normal shutdown before editing offline.
That’s it! Type EXIT in the Command Prompt window and Turn off computer, or continue to Windows.
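The same fix can be done entirely from the Windows RE Command Prompt with reg.exe instead of the Regedit GUI, which is handy when you want to repeat it on several machines or record exactly what was changed. The following script is an added example and is not part of the original post; it assumes, as in the screenshots, that the installation is D: as seen from Windows RE and C: when Windows is running, and that the loaded hive is named MyKey (the name is arbitrary).

```batch
@echo off
rem Added example (not from the original post): offline Userinit repair from the Windows RE prompt.
rem Assumptions: installation is D: under Windows RE (confirm with BCDEDIT) and C: when Windows runs.

rem 1. Confirm the drive letter of the installation as seen from Windows RE.
bcdedit /enum osloader | findstr /i "osdevice systemroot"

rem 2. Load the offline SOFTWARE hive under HKEY_USERS\MyKey (same as File > Load Hive in Regedit).
reg load HKU\MyKey D:\Windows\System32\config\SOFTWARE
if errorlevel 1 (
    echo Could not load the hive. Check the drive letter, and that the drive is unlocked if BitLocker is enabled.
    exit /b 1
)

rem 3. Record the current value before changing it, so the malware's modification is documented.
reg query "HKU\MyKey\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

rem 4. Restore the default. The data uses the letter valid when Windows runs (C:), NOT D:,
rem    and must keep the trailing comma.
reg add "HKU\MyKey\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe," /f

rem 5. Verify the change, then unload so the hive is written back to disk before rebooting.
reg query "HKU\MyKey\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg unload HKU\MyKey
```

You can type these lines one at a time at the Windows RE prompt, or save them as a .cmd file on a USB stick and run it from there. The reg query before the change is worth keeping: the value the malware put there (for example a path to a .vbs script) tells you what else to clean up once Windows boots again.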