Help restoring deleted Registry file....

[Fallen Kell]

Ok, as the title says. A friend of mine seems to have inadvertantly deleted her registry file in Windows ME (at least that is the best I could diagnose from the system).

Symptoms:
It would not boot properly, always splashed the boot option screen as if the system had crashed. When selecting normal boot option, it would bring up the desktop default background color and a mouse pointer, but no subroutines or programs would be loaded or run (ctrl+alt+del showed an emptly list of things running). The same happens in safe mode, except it has the safe mode background...

With the step-by-step boot, I was able to get an error message that the registry was not found and could not be loaded. This would seem to also explain the behavior I have outlined above, so it seems that this really is the problem.

Since we were short on time, I thought of just doing a new install of the OS over the current system, thus allowing her to at least copy all her files and data off the system and then re-install all the applications, but its a Compac, and they didn't give her Windows ME CD's, only a recovery CD with the only options of re-imaging the system to factory defaults, thus deleting everything that is on the system.

It was then that we ran out of time before she had to go to a class and to make a long story short, in talking with her while going to class, I believe that the registry was deleted by her when she did a search for recent files and then deleted them, but she did not empty her trash bin before rebooting, and having the system not be able to reboot.

So my question to everyone here is, how would I best be able to get the registry out of the trash bin (assuming it is there) and place it into its proper place? I was thinking a Win98 boot disk possibly to get into a DOS shell and then hopefully find the files and copy them to the proper location, but failing that, what other options do I have? Would I be able to possibly copy the registry from another ME system just for the sake of booting the system and then backing up all her data, and then use the recovery option? The main problem is that I too only have Windows ME on a recovery CD (came with my toshiba laptop), and thus I don't have the ability to do a recovery install of the OS, even though between the 2 of us we have 3 lisences for Windows ME.

I can't really think of any other options that I might have, so I thought I would post here and see if someone else has actually had to do this before, or if you guys had any suggestions I did not think of. Thanks for any help you can give me.

UPDATE:
Ok, as stated below, I found a "how to" on restoring the regestry file. The problem is, NO BACKUPS WERE FOUND!

Since WinME itself makes a backup of the regestry for each of the last 5 successful boots, this means that somehow they were deleted as well. I am now thinking that this was not an accidental delete that my friend did, but something that someone else actually did to her system.

UPDATE:
Please read update that I posted lower in the thread, and thanks for all your help guys, this is one of the few things that I have never had happen to one of my systems before, and I really appriciate all the ideas and comments made so far.

 

[bsobel]

I was thinking a Win98 boot disk possibly to get into a DOS shell and then hopefully find the files and copy them to the proper location, but failing that, what other options do I have?

That should work if that is indeed what happened. The registry file *should* have been locked, so the delete (actually the move) should have failed. You can also look for the backup registry file (err, Win9x brain freeze, it's system. something) and trying putting that in place of system.

Would I be able to possibly copy the registry from another ME system just for the sake of booting the system and then backing up all her data, and then use the recovery option?

You could try but the system registry contains all the hardware dependant stuff, bad things would likely occur 😉

Bill

 

[Fallen Kell]

Thanks bsobel. I didn't know that it had a backup registry, did a quick search and came up with a nice little "how to" on restoring one of those backups to the real registry. Here is to hoping that it her comp was not hacked, or infected with a virus that delets the registry, and that it really was just a bad mistake which caused it to be deleted.

 

[earthman]

Registry files are system.dat and user.dat. There should be a backup of each at system.bak and user.bak. They are usually copied each time you have a successful boot. I do not believe there are 5 copies, though. If those files are not on the system, they have been deleted or renamed, either accidentally or maliciously. Since they are hidden files they should not have shown up on any list where she would have deleted them. Even if they had, there would have been a warning that "this is a system file, are you sure you want to delete it?" which would make it obvious that this would not be a wise thing. I suspect a virus.
As for copying a registry, the registry contains all unique information about the system, including everything installed, settings needed by programs, user information, etc. If you deleted the enum keys you would eliminate the hardware data, but you'd still get so many errors it would be very problematical.

 

[bsobel]

I do not believe there are 5 copies, though

98SE and above make multiple registry backups automatically unless you disable it...
Bill

 

[Fallen Kell]

Thanks everyone for your help so far, and I agree, I am leaning towards this being a virus or a hack now as well. The system is/was on a network that had file sharing opened, so some malicious person could have done this. I'll post more about this probably Tuesday when I get a chance again to work on the computer.

I wanted to state that the automatic backups that bsobel is talking about were the ones that are not in existance (i.e. the ones that you recover using "c:\windows\command\scanreg /restore"). I forgot that there might also be a renamed backup in c:\windows called system.da1 and users.da1 (or somthing like that), so that is what I am next going to look for, as well as look in the recycle bin (now that I figured out how to access it from DOS! "ATTRIB -h recycled"). So here is to hoping that one of those options will work, otherwise I am going to deal with just using another registry file from a different computer and deal with all the errors just to get it to boot and then reinstall the drivers for her network card, reinstall a virus scan software, scan the system, then dump here files across the network to my laptop and burn them to CD's. After that, I'll re-image her system with the "recovery CD".

 

[VirtualLarry]

Originally posted by: Fallen Kell
Thanks everyone for your help so far, and I agree, I am leaning towards this being a virus or a hack now as well. The system is/was on a network that had file sharing opened, so some malicious person could have done this. I'll post more about this probably Tuesday when I get a chance again to work on the computer.

I wanted to state that the automatic backups that bsobel is talking about were the ones that are not in existance (i.e. the ones that you recover using "c:\windows\command\scanreg /restore"). I forgot that there might also be a renamed backup in c:\windows called system.da1 and users.da1 (or somthing like that), so that is what I am next going to look for, as well as look in the recycle bin (now that I figured out how to access it from DOS! "ATTRIB -h recycled"). So here is to hoping that one of those options will work, otherwise I am going to deal with just using another registry file from a different computer and deal with all the errors just to get it to boot and then reinstall the drivers for her network card, reinstall a virus scan software, scan the system, then dump here files across the network to my laptop and burn them to CD's. After that, I'll re-image her system with the "recovery CD".

The automatic backups that Win98se makes, should be in %WINDIR%\SYSBCKUP\RB????.CAB. They may be marked with hidden or system attributes, so you might have to use DIR /a to see them.

The initial install registry backup is C:\SYSTEM.1ST, and that one is definately marked hidden, system, read-only. Note that if you do a full re-install OVER an existing installation, that also updates this file.

You can use REGEDIT /C to create a new "blank" user registry file if you need to. I don't think there is any sort of initial install backup of the user registry file. (You need to create a "blank" USER.REG registry script first, check REGEDIT /? for details.)

 

[Fallen Kell]

Update:

Just wanted to thank everyone here for their suggestions and help.

I was able to restore it, but it was a pain in the @$$. Why in the world does MS rename the files that get placed into C:\Recycled ?!? I had to use trial and error to figure out what file was the SYSTEM.DAT, USER.DAT, and CLASSES.DAT!!! And that was with 14 files that had the .DAT extention in that directory!!! I eventually got it correct, but it would have also been much easier if scanreg /restore could just be invoked with you being able to specify a file or directory to use as well! Because, guess what, the SYSBACKUP directory was deleted as well (and since in DOS mode you can not create a directory with more then 8 characters all I could created was C:\windows\SYSBACKU which scanreg couldn't care less about even though I had the rb000-005.CAB files copied in there). If I could have just called scanreg /restore <filename.cab> it would have saved me from 3 hours of guessing which .BAT was the actuall SYSTEM.BAT, USER.BAT, and CLASSES.BAT based only on their FILESIZES!!!!

Anyway, I eventually got it right, and scanreg reported that there was no problems with the registry and I rebooted to regular WinME on the system and it came up just fine, but what should have been a 3 minute fix (if the files retained their origional file names in the recycle bin, or if scanreg /restore accepted a .CAB file as an argument) took 3 hours.