System Restore snapshots or volume shadow copies contain registry hives as well as critical system files. Sometimes you may need to extract individual registry keys from an earlier restore point but don’t want to do a complete System Restore rollback.
Previously we saw how to open the registry hives from shadow copies using the “Previous Versions” tab and load the registry hives to extract the required keys. There is now a more comfortable option to extract specific registry keys from a restore point.
Check out one of the latest utilities from Nirsoft.net, named RegistryChangesView. While the primary purpose of this program is to compare snapshots of the Windows Registry, it can also be used to extract registry data from an existing shadow copy or restore point. It can be used to recover registry keys which may have been accidentally deleted.
Scenario: Let’s say you’ve accidentally deleted the Print Spooler service, and want to recover the following Print Spooler service registry key from a restore point.
Extract Registry Keys from a System Restore Point
- Start RegistryChangesView and configure it as shown below.
- Set “Registry Data Source 1” to Current Registry
- Set “Registry Data Source 2” to Shadow Copy
- Select one of the shadow copy paths from the list shown.
The highest numbered item in the Shadow Copy Path list represents the most recent shadow copy or restore point. You can find the list of shadow copies using the vssadmin list shadows command-line from an admin Command Prompt window. For more information, check out the article How to Delete Individual System Restore Points in Windows.
- Select the appropriate registry hives to include for comparison. For this article, we’ll be selecting the following checkbox only, as that’s the location which stores the Services registry keys:
- Click OK. RegistryChangesView will enumerate and compare the selected keys in the source and destination registry hives and show the results.
- From the View menu, enable the option named Use Quick Filter. [Ctrl + Q]
- In the Quick Filter text box, type in services\spooler to filter entries where the keys start with the word “spooler”. The idea is to limit the results to the following key and subkeys only.
- Select all the entries (that contain the above branch), and press Ctrl + E to export the results to a REG file. Or, click File > Export Selected Items to .Reg file.
- Save the REG file to Desktop, and open it with Notepad.
- Replace every occurrence of the string
CurrentControlSet, and save the file.
- Double-click the REG file to add its contents (“Spooler” key) to the registry.
You have now restored the missing Print Spooler service registry key!
One small problem I noticed is that the current version of RegistryChangesView, when exporting the entries to the REG file, writes expandable string values as REG_SZ value type. For example, the ImagePath registry value contains an environment variable, and the value type should be REG_EXPAND_SZ instead of REG_SZ.
You’ll need to edit the registry to fix such flaws manually. Note down the value name and value data in Notepad, delete the value name from the registry and create a value with the same name and value data, but of type REG_EXPAND_SZ.
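The same correction can be made in the exported REG file before it is imported. The following Python script is an added example, not part of the original article or of RegistryChangesView; the function names, the allow-list of value names and the sample export are assumptions constructed for illustration. It rewrites only the values you name (ImagePath by default) as REG_EXPAND_SZ and lists any other string values containing an environment variable for manual review.

```python
import re

# "Name"="data" lines in a Regedit 5.00 export are REG_SZ values.
SZ_LINE = re.compile(r'^("(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
ENV_REF = re.compile(r'%[A-Za-z_][A-Za-z0-9_()]*%')  # e.g. %SystemRoot%

def to_expand_sz(quoted_name, value):
    """Render a value as REG_EXPAND_SZ: hex(2): + UTF-16LE bytes + NUL."""
    raw = (value + "\0").encode("utf-16-le")
    return quoted_name + "=hex(2):" + ",".join(f"{b:02x}" for b in raw)

def fix_reg_text(text, convert=("ImagePath",)):
    """Return (new_text, converted, review).

    Values named in `convert` that hold a %VAR% reference are rewritten
    as REG_EXPAND_SZ. Other REG_SZ values with a %VAR% reference are only
    listed in `review`: some (such as "@%systemroot%\\...,-1" resource
    strings) may legitimately be REG_SZ, so the script does not guess.
    """
    wanted = {n.lower() for n in convert}
    out, converted, review = [], [], []
    for line in text.splitlines():
        m = SZ_LINE.match(line)
        if not (m and ENV_REF.search(m.group(2))):
            out.append(line)
            continue
        name = re.sub(r'\\(.)', r'\1', m.group(1)[1:-1])
        if name.lower() in wanted:
            value = re.sub(r'\\(.)', r'\1', m.group(2))  # undo \\ and \"
            out.append(to_expand_sz(m.group(1), value))
            converted.append(name)
        else:
            out.append(line)
            review.append(name)
    return "\n".join(out) + "\n", converted, review

# Constructed sample export (not taken from the article).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="@%systemroot%\\system32\\spoolsv.exe,-1"
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"ObjectName"="LocalSystem"
'''

if __name__ == "__main__":
    new_text, converted, review = fix_reg_text(SAMPLE)
    print(new_text)
    print("converted:", converted, "| review manually:", review)
```

When running this against a real export, read and write the file with the encoding the export actually uses (Regedit 5.00 files are normally UTF-16), and check the converted file in Notepad before importing it.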
That’s about it! As always, there are other ways to restore the registry data. You can also mount the shadow copy volume using the ShadowCopyView or ShadowExplorer utilities, and load/extract the registry hives. Check out the articles ShadowCopyView Recovers Files From Volume Shadow Copy Snapshots and Restore Previous Versions of Registry Hives From System Restore Snapshots in Windows for more details.
The RegistryChangesView method discussed in this post should work on any version of Windows, up to Windows 10. Both 32-bit and 64-bit systems are supported.