Sometimes, you may need to edit the Windows registry in offline mode to rectify a situation where Windows doesn’t boot after modifying some settings recently. Windows Recovery Environment (Windows RE) is an extremely useful platform that provides various system recovery options to diagnose and repair an unbootable Windows installation.
This post explains in detail how to edit the Windows registry offline, via Recovery Environment. The screenshots are from a Windows 10 computer. The instructions apply to Windows 11 as well.
How to Edit Windows Registry Offline
Step 1: Accessing the Recovery Environment
In Windows 8 and Windows 10, press WinKey+X to open the Power User menu. Click Shut down or sign out, press and hold the SHIFT key and click Restart. In Windows 10, you can also open Settings (WinKey + i), click Update and Security, click Recovery, and click the Restart Now button under Advanced startup.
If Windows doesn’t start, then boot the system using your Windows installation media to access the Recovery Options. Or you may use the Recovery drive if you’ve created one already.
If you’ve enabled BitLocker drive encryption on the OS drive, in most cases you’ll need to boot the device using the Windows 10/11 Setup disk to access Windows RE. The Windows RE tools should be in a partition that’s separate from the Windows partition. The reagentc.exe /info command tells you the status of WinRE on the computer. If you haven’t created a separate partition beforehand and moved WinRE there, use the Windows Setup USB disk to boot into Windows RE. Also be sure to have the BitLocker key ready.
In the Recovery Options, click Troubleshoot.
Click Advanced options.
At this point, you’ll be offered various recovery options, such as:
- System Restore
- System Image Recovery
- Startup Repair
- Command Prompt
- Startup Settings
- Go back to the previous build
If a recent software installation or malware attack has made your system unbootable, a System Restore rollback would be an ideal option. On the other hand, if you want to fix a specific registry setting, or to delete a locked-down file or registry key that you can’t otherwise modify when Windows is running, click Command Prompt.
BitLocker-encrypted drive?
Note: If Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
If your drive has been encrypted using BitLocker Drive Encryption, you’ll now see the recovery key prompt such as the one below:
If you’ve forgotten the BitLocker recovery key or lost the printout, you can view the key by signing into your Microsoft account (that’s not the only way, though) and going to this URL:
Microsoft account | BitLocker recovery keys: https://account.microsoft.com/devices/recoverykey
Find my BitLocker recovery key: https://support.microsoft.com/en-us/windows/find-my-bitlocker-recovery-key-fd2b3501-a4b9-61e9-f5e6-2a545ad77b3e
Even if you manage to launch Command Prompt using the Shift + F10 key combination (by bypassing the BitLocker recovery screen) or clicking the “Skip this drive” option, you won’t be able to access the encrypted drive. You’ll be asked to unlock the drive via Control Panel.
In my case, I haven’t enabled BitLocker Drive Encryption. So, Command Prompt loaded right away.
Select your Windows user account, type the password on the next screen, and click Continue.
(If you’ve booted into Windows RE using the Windows installation disk or repair disk, you won’t see the password prompt.)
The Command Prompt window now appears.
Find your Windows drive letter (in Windows RE)
The next job is to find the drive letter of your Windows installation, as seen from Windows RE. This can be done by running the BCDEDIT command.
In the BCDEDIT command output, look for the boot loader entry containing the fields path (pointing to winload.exe), osdevice, or systemroot, and make a note of the drive letter, which in this case is D:\
It doesn’t have to be D:\ in every case. Depending on the computer, the Windows drive letter (as seen from Windows RE) may be C:\ itself. It’s advisable to run BCDEDIT anyway.
Step 2: Edit the Windows Registry Offline via WinRE
In the Command Prompt window, type REGEDIT and press Enter to launch the Registry Editor.
Select the HKEY_USERS hive, click the File menu and click Load Hive…
The Load Hive… option is available only when HKEY_USERS or HKEY_LOCAL_MACHINE is selected. In this case, we select HKEY_USERS and click the Load Hive… option.
Additional Information: Registry Hives
Registry hives are database files that store data. Here is the list of common registry hives and their description.
| Registry Hive Filename | Registry Key Location (in your Windows installation) | Description |
| --- | --- | --- |
| %windir%\system32\config\SAM | HKEY_LOCAL_MACHINE\SAM | Stores the local user account info and passwords. |
| %windir%\system32\config\SYSTEM | HKEY_LOCAL_MACHINE\SYSTEM | Contains services/devices/LKG configuration, etc. |
| %windir%\system32\config\SOFTWARE | HKEY_LOCAL_MACHINE\SOFTWARE | Contains entries added by programs, product keys. |
| %windir%\system32\config\DEFAULT | HKEY_USERS\.DEFAULT | Profile used by the Local System account. |
| %userprofile%\ntuser.dat | HKEY_CURRENT_USER | User registry hive. Stores per-user settings. |
| %localappdata%\Microsoft\Windows\UsrClass.dat | HKEY_CURRENT_USER\Software\Classes | User registry hive. Stores per-user file association settings. |
(In our case, we need to load the SOFTWARE registry hive and edit the Winlogon → UserInit registry value. If instead you need to modify the services configuration or startup type, for instance, you need to load the SYSTEM registry hive instead of SOFTWARE. For the purposes of illustration in this article, let’s load the SOFTWARE hive.)
Browse or type the path to the SOFTWARE registry hive of your Windows installation, which is on the D:\ drive in this example. As seen from Windows RE, the path to the SOFTWARE registry hive would be “d:\windows\system32\config\software”. Type the path and click Open.
Enter a name for the loaded hive. It can be anything.
The SOFTWARE registry hive is now mounted to a branch named MyKey.
The loaded SOFTWARE hive (MyKey) is actually nothing but the following registry path of your Windows installation:
HKEY_LOCAL_MACHINE\Software
Fixing a Registry Key/Value
Let’s assume you want to fix the Userinit registry value, which was modified by malware, and you’re unable to log on to your profile. To fix the Userinit value, go to the following branch:
HKEY_USERS\MyKey\Microsoft\Windows NT\CurrentVersion\Winlogon
Double-click the Userinit value, and fix the path accordingly.
Note: You’ll need to use the actual path to your Windows installation (NOT the Win RE assigned drive letter D:\). If Windows is installed in C:\ then the Userinit registry value data should be:
C:\Windows\System32\Userinit.exe,
(You must include the trailing comma as well)
Related post: Here is a case where malware had modified the Userinit value (and locked down the Task Manager in some systems), thus blocking the user from logging on to their user account. Check out the post Fix “Can not find script file C:\WINDOWS\run.vbs” for more information.
Once the changes are made, it’s time to unload the hive. To do so, go back to the “MyKey” branch, click the File menu and choose Unload Hive…
That’s it! Type EXIT in the Command Prompt window and turn off the computer, or continue to Windows.
Optionally, once you’re successfully logged on to your user account, load the Registry Editor and you’ll see that the value you modified offline is reflected there.
The above check is optional. It’s just in case you’re curious whether the offline registry editing has worked.
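The same load, edit and unload sequence can also be run from the Windows RE Command Prompt with reg.exe instead of the Registry Editor window. This is an added example, not part of the original post. It assumes D: is the Windows drive as seen from Windows RE, C: is the drive letter when Windows is running, MyKey is the mount name, and the backup file name is made up for this example.

```batch
@echo off
rem Added example: command-line equivalent of Load Hive / edit Userinit / Unload Hive.
rem Assumptions: D: = Windows drive as seen from Windows RE (confirm with BCDEDIT),
rem C: = Windows drive when booted normally, MyKey = arbitrary mount name.
setlocal
set "WINDRIVE=D:"
set "HIVE=%WINDRIVE%\Windows\System32\config\SOFTWARE"
set "MOUNT=HKU\MyKey"
set "KEY=%MOUNT%\Microsoft\Windows NT\CurrentVersion\Winlogon"

if not exist "%HIVE%" (
    echo SOFTWARE hive not found at %HIVE% - check the drive letter with BCDEDIT.
    exit /b 1
)

rem Keep a copy of the hive file before changing anything (hypothetical file name).
copy "%HIVE%" "%HIVE%.offline-bak" >nul || exit /b 1

rem Mount the offline hive under HKEY_USERS\MyKey.
reg load "%MOUNT%" "%HIVE%" || exit /b 1

rem Show the current value so the modified entry is recorded before it is overwritten.
reg query "%KEY%" /v Userinit

rem Write the value given in the article. Use the drive letter of the running OS (C:),
rem not the Windows RE letter (D:), and keep the trailing comma.
reg add "%KEY%" /v Userinit /t REG_SZ /d "C:\Windows\System32\Userinit.exe," /f

rem Confirm the new value, then unmount the hive so the change is written to the file.
reg query "%KEY%" /v Userinit
reg unload "%MOUNT%"
endlocal
```

The commands can be typed one at a time at the prompt, substituting the literal paths for the variables. The value printed by the first reg query is worth noting down, since it names whatever the malware had configured to run at logon.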