The Windows Registry is a massive jungle of parameters and settings that the operating system uses to define its configuration and ensure everything works as it should. It is a very sensitive area that should not be messed with. However, if something goes wrong due to file corruption, accidental deletion, malware infection, or another cause, Windows lets you restore the registry from backups it creates automatically.
In this guide, we will show how to restore Windows 10 Registry from a backup, or a system restore point (VSS snapshots). This article applies to Windows 10, 11, and earlier versions, such as now-unsupported Windows 8.
Note. You should schedule automatic creation of system restore points to ensure you always have a backup of your working system. Alternatively, you can always create a restore point manually. You cannot restore Windows 10 Registry from a system restore point if you have never made one.
How to Restore Registry from Backup in Windows 10 using Regback?
Where do Windows 11 and 10 store Registry backups? That is a question users frequently Google when trying to restore a copy of the Windows 10 Registry. Here is your answer: Windows stores Registry backups in %windir%\System32\config\RegBack.
Windows keeps each registry hive in a separate file, resulting in five files total in the RegBack folder. Here they are, with the corresponding registry hives in brackets:
- DEFAULT (HKEY_USERS\.DEFAULT)
- SAM (HKEY_LOCAL_MACHINE\SAM)
- SOFTWARE (HKEY_LOCAL_MACHINE\Software)
- SECURITY (HKEY_LOCAL_MACHINE\Security)
- SYSTEM (HKEY_LOCAL_MACHINE\SYSTEM)
It is worth noting that Windows does not back up users' registry hives automatically. These hives are stored inside each user's profile folder on drive C, for example, C:\Users\Admin. They are hidden by default, so click View > Show > Hidden files. Then locate NTUSER.DAT and USRCLASS.DAT. Copy these files to a safe directory to create a backup of the HKEY_CURRENT_USER hive.
If you want to restore Windows 10 Registry from a backup, copy the files stored inside the RegBack folder to the %windir%\System32\Config directory.
Windows creates registry hive backups using a separate task, RegIdleBackup, from the Automatic Maintenance subsystem every 10 days or when installing system updates, drivers, or programs. To find the task that is responsible for backing up the registry, open Task Scheduler (press Win + R and type Taskschd.msc), then go to the section Task Scheduler Library > Microsoft > Windows > Registry.
As you can see, the RegIdleBackup task is active (Ready), and the operation went smoothly the last time Windows made a Registry backup (Last Run Result: The operation completed successfully – 0x0).
You can run this task manually by right-clicking the task name and selecting Run.
Cannot Copy Windows 10 Registry Backup Files
Another thing worth noting is that restoring a Windows 10 Registry backup is not as easy as copying a file from one folder to another. If your computer with Windows 10 is turned on (online), you can't replace the original registry files in the %windir%\System32\Config folder since they are locked by the operating system.
However, you can use the registry recovery procedure when your Windows is not booting. In this case, you can replace the damaged registry files using WinPE in Command Prompt by booting your computer into the Windows 10 recovery environment or from Windows 10 installation media.
Restoring Registry Backup Task in Windows 10 1803 and Higher
Microsoft changed how the default Registry backup procedure works in Windows 10 1803 (and in all subsequent Windows 10 and 11 versions). In these versions, the C:\Windows\System32\Config\RegBack directory is empty or contains hive files with the size of 0 bytes. What is interesting is that the task RegIdleBackup is active and performs as it should.
According to Microsoft, the automatic backup task was disabled to save space. You can still extract old versions of registry hives from system restore points (if they are enabled).
You can enable automatic registry backups to the RegBack folder using Windows Registry. Here is how to do that:
- Press Win + R and type regedit.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager. Copy the path and paste it into the address bar inside the editor.
- Create a new DWORD parameter and rename it to EnablePeriodicBackup. Open the parameter and change its value data to 1.
- Close the registry editor and restart the computer. Windows will create registry backups the next time you start automatic system maintenance (if you have not disabled it).
If you want to run Windows Registry backup manually, execute the following command:
schtasks /run /i /tn "Microsoft\Windows\Registry\RegIdleBackup"
Tip. You can also make changes to the registry using the command:
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager" /v EnablePeriodicBackup /t REG_DWORD /d 1
You can also use your own scheduled task (created with schtasks) to back up the Windows Registry to a separate location, including a separate disk, using the commands:
md C:\PS\RegBack
schtasks /create /ru system /sc weekly /st 12:00 /tn "MyRegIdleBackup" /tr "cmd /c del /f /q C:\PS\RegBack & cd /d C:\PS\RegBack & reg save HKLM\SAM SAM & reg save HKLM\SECURITY SECURITY & reg save HKLM\SOFTWARE SOFTWARE & reg save HKLM\SYSTEM SYSTEM & reg save HKU\.DEFAULT DEFAULT"
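Before relying on either backup location, it helps to confirm that it actually holds usable files. The batch script below is an added example, not part of the original article: it reports whether EnablePeriodicBackup is set, whether the five hive files exist and are larger than 0 bytes, what the RegIdleBackup task last did, and who can read the folder. The script name check-regback.cmd is an assumption; run it from an elevated Command Prompt, optionally passing a custom folder such as C:\PS\RegBack.

```batch
@echo off
rem Added example, not from the original article.
rem Usage (elevated prompt): check-regback.cmd [backup folder]
setlocal
set "DIR=%~1"
if not defined DIR set "DIR=%windir%\System32\config\RegBack"
set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager"
set /a BAD=0

rem 1. EnablePeriodicBackup is absent by default on Windows 10 1803 and later
set "VAL="
for /f "tokens=3" %%V in ('reg query "%KEY%" /v EnablePeriodicBackup 2^>nul ^| findstr /i "EnablePeriodicBackup"') do set "VAL=%%V"
if "%VAL%"=="0x1" (
    echo [ OK ] EnablePeriodicBackup = 1
) else (
    echo [WARN] EnablePeriodicBackup is not set to 1
    set /a BAD+=1
)

rem 2. All five hive files must exist and be larger than 0 bytes
for %%H in (DEFAULT SAM SECURITY SOFTWARE SYSTEM) do call :check "%DIR%\%%H"

rem 3. Task state (field labels assume an English-language Windows)
schtasks /query /tn "Microsoft\Windows\Registry\RegIdleBackup" /fo list /v | findstr /b /c:"Status:" /c:"Last Run Time:" /c:"Last Result:"

rem 4. Copies of SAM, SECURITY and SYSTEM contain credential material, so the
rem    folder ACL should list only SYSTEM and Administrators. Review it here.
icacls "%DIR%"

echo Problems found: %BAD%
exit /b %BAD%

:check
if not exist "%~1" (
    echo [WARN] %~nx1 is missing
    set /a BAD+=1
    goto :eof
)
if %~z1 EQU 0 (
    echo [WARN] %~nx1 is 0 bytes
    set /a BAD+=1
    goto :eof
)
echo [ OK ] %~nx1  %~z1 bytes  modified %~t1
goto :eof
```

A folder created with md inherits the permissions of its parent, so for a custom location such as C:\PS\RegBack the command `icacls C:\PS\RegBack /inheritance:r /grant:r *S-1-5-18:(OI)(CI)F *S-1-5-32-544:(OI)(CI)F` limits access to SYSTEM and Administrators.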
You can manually back up important registry hives or make a full registry backup. Select the required registry hive (or select the registry root) and click Export from the context menu. Specify the name of the reg file in which you want to save your registry.
Restore Windows 10 Registry from Command Prompt
As mentioned earlier, you cannot restore Windows 10 Registry on the go while the system is online. Begin with booting your computer into recovery and launching Command Prompt. To do so, you need to interrupt the boot procedure three times in a row using the Power button. Then select Troubleshoot > Advanced Options > Command prompt. Alternatively, if your computer operates as it should, hold the Shift button and click Restart from the power menu.
You can also use Windows installation media. Boot from a Windows 10 or 11 install DVD or USB, then press Shift + F10 on the welcome screen. Note that some keyboards and laptops use the F1-F12 row as media keys by default, so you have to press Shift + Fn + F10 if the standard shortcut does not work.
The drive letter assigned to your system drive in the WinPE recovery environment may be different from C:\. To find out what drive letter is assigned to your system partition, enter the following commands one by one:
- diskpart
- list volume
- exit
You can easily detect your system partition by the large disk size. In our case, it’s the drive with the letter D:\ (volume 2).
Now use Command prompt to restore the registry from backup:
Xcopy d:\Windows\System32\config\regback d:\Windows\System32\config
Confirm the replacement of files using key A.
After the command execution finishes, all the registry files will be replaced with their backups. You can close Command prompt and reboot the computer to check if restoring Windows 10 Registry from a backup fixed issues or bugs.
If the registry files in the backup are corrupt, try restoring the older version of the registry files from a System Restore point manually.
Boot into WinPE environment as described earlier and go to the windows\system32 directory:
d:\
cd d:\windows\system32
Display the list of all available restore points with the following command:
vssadmin.exe list shadows
In this example, Windows made the last shadow copy on 10/20/2016 4:02:40 AM. It has the Shadow Copy Volume path \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6.
Mount the restore point (snapshot) in read-only mode to the folder d:\ShadowCopy using the mklink tool (the trailing backslash on the shadow copy path is required):
mklink /D d:\ShadowCopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\
Now you can access files stored in the shadow volume. Simply copy and replace registry files using the following commands:
xcopy d:\ShadowCopy\Windows\System32\config\DEFAULT d:\Windows\System32\config
xcopy d:\ShadowCopy\Windows\System32\config\SAM d:\Windows\System32\config
xcopy d:\ShadowCopy\Windows\System32\config\SOFTWARE d:\Windows\System32\config
xcopy d:\ShadowCopy\Windows\System32\config\SECURITY d:\Windows\System32\config
xcopy d:\ShadowCopy\Windows\System32\config\SYSTEM d:\Windows\System32\config
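The copy step from either source (the RegBack folder or a mounted shadow copy) can be wrapped in a script that refuses to overwrite anything when a source hive is missing or 0 bytes, and that keeps the current hives for rollback. This is an added example, not part of the original article; the script name restore-hives.cmd and the PreRestore folder are assumptions.

```batch
@echo off
rem Added example, not from the original article. Run from the WinPE prompt.
rem Usage:   restore-hives.cmd <source folder> <offline Windows drive>
rem Example: restore-hives.cmd d:\ShadowCopy\Windows\System32\config d:
setlocal
if "%~2"=="" (echo Usage: %~nx0 source-folder windows-drive & exit /b 2)
set "SRC=%~1"
set "CFG=%~2\Windows\System32\config"
set "UNDO=%CFG%\PreRestore"
set "HIVES=DEFAULT SAM SECURITY SOFTWARE SYSTEM"

rem 1. Refuse to start unless every source hive exists and is not 0 bytes,
rem    so an empty RegBack folder cannot overwrite the current hives.
for %%H in (%HIVES%) do call :usable "%SRC%\%%H" || exit /b 1

rem 2. Keep the current hives so the restore can be undone.
rem    An existing PreRestore folder is never overwritten.
if exist "%UNDO%" (echo %UNDO% already exists, move it away first & exit /b 1)
md "%UNDO%"
for %%H in (%HIVES%) do (
    if exist "%CFG%\%%H" copy /y "%CFG%\%%H" "%UNDO%\%%H" >nul || (echo Could not save %%H & exit /b 1)
)

rem 3. Replace the hives with the backup copies
for %%H in (%HIVES%) do (
    copy /y "%SRC%\%%H" "%CFG%\%%H" >nul || (echo Failed on %%H, previous hives are in %UNDO% & exit /b 1)
)
echo Restored from %SRC%. Previous hives saved in %UNDO%.
exit /b 0

:usable
if not exist "%~1" (echo Missing: %~1 & exit /b 1)
if %~z1 EQU 0 (echo Empty, 0 bytes: %~1 & exit /b 1)
exit /b 0
```

If the system still fails to boot afterwards, copying the files from PreRestore back into the config folder returns it to its previous state.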
Reboot your computer.
That is it. Now you know how to restore a Windows 10 and 11 Registry backup using Command Prompt and system restore points. If nothing helped, you can try fixing your Windows installation by resetting it to the default state. You can do that by keeping your local files or purging everything, including apps. Alternatively, reinstall Windows, which is an easy process even inexperienced users can pull off.
1 comment
Well written and clearly explained for the most part, but I am confused about using the D drive with the restore point data and uncorrupted Registry. Is the D drive supposed to be empty (mine is) and its only purpose is to place the restore point data on it, copy the uncorrupted Registry entries to it, and then boot from it? If so, do you have to mess with the BIOS to point to D as where to boot from?
If not, can someone please clarify the purpose of the D drive?
Thanks!