Recover Registry Keys from a System Restore Point in Windows


System Restore snapshots or volume shadow copies contain registry hives as well as critical system files. Sometimes you may need to extract individual registry keys from an earlier restore point but don’t want to do a complete System Restore rollback.

Previously, we saw how to open the registry hives from shadow copies using the “Previous Versions” tab and load the hives to extract the required keys. There is now a more convenient option for extracting specific registry keys from an existing restore point.

Check out one of the latest utilities from Nirsoft.net, named RegistryChangesView. While the primary purpose of this program is to compare snapshots of Windows Registry, it can also be used to extract registry data from an existing shadow copy or restore point.

Scenario

Let’s say you’ve accidentally deleted the Print Spooler service, and want to recover the following Print Spooler service registry key from a restore point.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler

Extract Registry Keys from a System Restore Point

1. Start RegistryChangesView and configure it as shown below.


2. Set “Registry Data Source 1” to Current Registry

3. Set “Registry Data Source 2” to Shadow Copy

4. Select one of the shadow copy paths from the list shown.

Additional tip: The highest-numbered item in the Shadow Copy Path list represents the most recent shadow copy or restore point. You can list the shadow copies by running the vssadmin list shadows command from an admin Command Prompt window. For more information, check out the article How to Delete Individual System Restore Points in Windows.

5. Select the appropriate registry hives to include for comparison. For this article, we’ll be selecting the following checkbox only, as that’s the location which stores the Services registry keys:

HKEY_LOCAL_MACHINE\SYSTEM

6. Click OK. RegistryChangesView will enumerate and compare the selected keys in the source and destination registry hives and show the results.

7. From the View menu, enable the option named Use Quick Filter. [Keyboard shortcut: Ctrl + Q]


8. In the Quick Filter text box, type in \spooler or services\spooler to filter entries where the keys start with the word “spooler”. The idea is to limit the results to the following key and subkeys only.



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler


9. Select all the entries (that contain the above branch), and press Ctrl + E to export the results to a REG file. [Alternately, click the File menu and select Export Selected Items to .Reg file]

10. Save the REG file to Desktop, and open it with Notepad.


11. Replace every occurrence of the string ControlSet001 with CurrentControlSet, and save the file.


12. Double-click the REG file to add its contents (“Spooler” key) to the registry.

You have now restored the missing Print Spooler service registry key!

Small glitch

One small problem I noticed is that RegistryChangesView, when exporting the entries to the REG file, writes expandable string values as REG_SZ value type. For example, the ImagePath registry value contains an environment variable, and the value type should be REG_EXPAND_SZ instead of REG_SZ.


You’ll need to edit the registry to fix such flaws manually. Simply note down the value name and value data in Notepad, delete the value name from the registry and create a value with the same name and value data, but of type REG_EXPAND_SZ.
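Both manual edits, the ControlSet001 replacement from step 11 and the REG_SZ correction described here, can also be applied to the exported file's text before it is imported. The following is an added example, not part of RegistryChangesView or of the original article: the function name and the sample data are constructed, and it assumes you name the values to convert (ImagePath by default) while other strings containing %VAR% are only listed for manual review. It rewrites ControlSet001 in key paths only, not inside value data.

```python
import re

# Constructed sample of an exported .reg file (not real output from the tool).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"DisplayName"="@%systemroot%\\system32\\spoolsv.exe,-1"
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"Start"=dword:00000002
"""

SZ_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
ENV_VAR = re.compile(r"%[^%\s]+%")


def fix_exported_reg(text, control_set="ControlSet001", expand_names=("ImagePath",)):
    """Return (fixed_text, converted_names, names_to_review)."""
    key_re = re.compile(
        r"^(\[-?HKEY_LOCAL_MACHINE\\SYSTEM\\)" + re.escape(control_set) + r"(?=[\\\]])",
        re.IGNORECASE,
    )
    wanted = {n.lower() for n in expand_names}
    out, converted, review = [], [], []
    for line in text.splitlines():
        # Step 11: point key paths at CurrentControlSet instead of the numbered set.
        line = key_re.sub(lambda m: m.group(1) + "CurrentControlSet", line)
        m = SZ_LINE.match(line)
        if m and ENV_VAR.search(m.group(2)):
            name = m.group(1).strip('"')
            if name.lower() in wanted:
                # Undo .reg escaping (\\ and \"), then encode as REG_EXPAND_SZ:
                # hex(2) data is UTF-16LE bytes with a terminating NUL.
                data = re.sub(r"\\(.)", r"\1", m.group(2))
                raw = (data + "\0").encode("utf-16-le")
                line = m.group(1) + "=hex(2):" + ",".join(f"{b:02x}" for b in raw)
                converted.append(name)
            else:
                # Contains %VAR% but was not named: keep as REG_SZ, flag for a human.
                review.append(name)
        out.append(line)
    return "\n".join(out) + "\n", converted, review


if __name__ == "__main__":
    fixed, converted, review = fix_exported_reg(SAMPLE_REG)
    print(fixed)
    print("converted:", converted, "| review manually:", review)
```

The function works on decoded text, so read and write the REG file using the same encoding the export used.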


That’s about it! As always, there are other ways to restore the registry data. You can also mount the shadow copy volume using the ShadowCopyView or ShadowExplorer utilities, and load/extract the registry hives. Check out the articles ShadowCopyView Recovers Files From Volume Shadow Copy Snapshots and Restore Previous Versions of Registry Hives From System Restore Snapshots in Windows for more details.

The RegistryChangesView method discussed in this post should work on any version of Windows, up to Windows 10. Both 32-bit and 64-bit systems are supported.


About the author

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and has a vast experience in Windows — delivering support for Microsoft's consumer products. He has been a Microsoft MVP (2003-2012) who contributes to various Windows support forums.

1 thought on “Recover Registry Keys from a System Restore Point in Windows”

  1. Thanks for this super helpful article! I just managed to restore a bunch of PuTTY sessions that a badly written program called ExtraPuTTY managed to delete.
    Also thanks to Nir for writing yet another useful Windows utility…
