WinXP Hives Backup and Restore

- save yourself from disaster -
- also see the XP won't Boot page -

*** this method works with FAT32 hard drives only ***
(you can't access NTFS files with a Win98 boot disk)

I cannot tell you how many times I have personally saved my system by going back to a previous set of registry hives !!!   It is basically the same as going to a previous Restore point, but does not require you to boot into Windows.  Here again, to do this you need a FAT32 drive - not NTFS. 

IMPORTANT:  Keep in mind that even if you have never backed up your hives - there is always a backed up set of them in your Windows\Repair folder.  This will be an older set, however - as it is created when you first install Windows.  So back up your hives once in a while as a safety measure.

What is a Hive ??  Unlike Win98, where the registry is contained completely within 2 files, the WinXP registry is broken up into multiple sections, called "hives".  Each hive is a portion of your registry (a group of keys, subkeys, and values) that has a set of supporting files containing backups of its data.  Microsoft lists 7 "hives" (see bottom of this page), but for the purpose of disaster recovery, there are only 5 that you need to be concerned with.

Why not use System Restore Instead?

System Restore will also restore an earlier set of hives.  However, if you cannot boot into Windows, you cannot run System Restore.  Also, Windows may boot, but it can be corrupted to the point where System Restore will not work.  Lastly, some antivirus and anti-spyware utilities require you to delete the system restore points so that the system does not get re-infected from them.

Why not use NTbackup Instead?

NTBACKUP can back up and restore an earlier set of hives, along with a ton of other data.  However, it is slow, complicated, and requires a lot of disk space, so it is best avoided.  In addition, like System Restore, it cannot be used if WinXP will not boot, and may not run if WinXP is corrupted.

 

The 5 Hives

These are files without extensions, and they are located in the  windows\system32\config  folder.  

Unlike Win95-98-ME where the registry is contained in two files (system.dat and user.dat), the Windows XP registry is contained in 5 hives :

security
system
software
sam
default

The 6th Hive ??

There is yet another hive in the \windows\system32\config\systemprofile folder:

ntuser.dat

This file has an extension, and is in a different folder than the 5 main hive files, so I question whether it should be called a hive ... but Microsoft calls it that.  You can back this file up also, but the many times that I have fixed my own computer by restoring the hives - I only needed the 5 main hives - not this one.

 

Why backup the Hives ??

i.e. why not use NTbackup or set a System Restore Point instead?

You can, of course, backup your entire system using ntbackup.  However, this requires a ton of disk space, and since the majority of XP disasters are caused by corrupted registries - backing up your hives gives you a quick fix.

You can also set a system restore point.  However, WinXP only keeps a few restore points, because like NTbackup - they take up a significant amount of disk space.  Also, if you have added or moved files - going to a previous system restore point will often remove those files !!!

The hives, on the other hand, are a series of small files - which are the primary location for WinXP corruption.  If you can't boot, or if your core apps such as IE are acting up (and you can't un-install IE) - a good backup of your hives will usually take care of it !!

Locked Hives

The hives are locked while you are in Windows and cannot be copied.  NTbackup has a workaround for that, but you don't - so you must copy them after booting to a DOS or Win98 (which simulates DOS) command prompt.  You cannot copy them by starting up a DOS box within Windows !!

The easiest method is to use a Win98 boot disk, and copy the hives to a backup folder.

FAT32 vs NTFS Drives

The Win98 boot disk cannot access NTFS hard drives !!  So you must have WinXP running on a FAT32 drive in order to copy the hives !!  There is an NTFS boot disk available, but the shareware version is Read-Only, and the full, Read/Write version is very expensive.

So, if you are already running WinXP on an NTFS drive - forget about this, and instead use system restore points and use NTBACKUP to backup your system files and registry occasionally.

Backing up the Hives

You will want to periodically backup your hives (once every 2 to 3 months is fine).  Make sure your XP setup is working fine before you do this, so that your hives are fine.

  1. reboot with a Win98 boot diskette (click Here to download a Win98 or Win98SE boot disk image).  Or if you have a dual-boot system with both Win98 and WinXP (recommended for any "power user"), simply boot up and select Win98.
  2. make a backup folder for the hives - preferably on a 2nd hard drive if you have one - but if not just use your boot drive
  3. cd to the folder containing your hives, which is on your WinXP drive partition and located at  \windows\system32\config
  4. now copy the 5 hives to the folder you created - default, security, system, software, and sam.  Note that these file names are very unusual, because they have no extensions.

Batch File to keep two Backups of your Hives and your WinXP Boot Files

Here is a simple batch file that will do the work for you - copy and paste this into Notepad and save it to a batch file, such as "hivesbak.bat".  Make sure that you copy "deltree.exe" to your boot disk.  If you do not have a Win98 boot disk, click Here to download.  This routine keeps two backups of your Hives.  It deletes Hives2, then copies Hives1 to Hives2, deletes Hives1, and replaces it with your current hives from your XP boot drive:

REM Backup your Hives
c:
cd\
REM Drop the oldest backup (Hives2), then move Hives1 into its place
deltree /y Hives2
md Hives2
if exist Hives1\*.* copy Hives1\*.* Hives2
deltree /y Hives1
md Hives1
REM Copy the 5 current hives from the XP config folder into Hives1
cd\windows\system32\config
copy sam \Hives1
copy system \Hives1
copy security \Hives1
copy software \Hives1
copy default \Hives1

REM Copy Boot Files in Root of C Drive (optional)
cd\
if exist RootBak\*.* deltree /y RootBak
md RootBak
REM Clear hidden/system/read-only so COPY can see the boot files
attrib boot.ini -h -s -r
attrib ntldr -h -s -r
attrib NTdetect.com -h -s -r
copy boot.ini c:\RootBak
copy ntldr c:\RootBak
copy NTdetect.com c:\RootBak
exit

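Optional - keep multiple backups of your Hives.  After running the batch file from the Win98 boot diskette, remove the diskette, reboot into Windows, copy the hives folder to another location, and rename the copy so that the folder name includes the date of the backup.  For example:

"hivesback 8-2-2003"

Keep these copies where other users cannot read them: the sam and security hives hold account password hashes and other logon secrets, and a FAT32 drive has no file permissions to protect them.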

Restoring the Hives

Do this if you have an XP problem that you just can't fix.  Of course - try everything else first (see XP won't Boot), such as updating your WinXP files from the MS update site, running an antivirus scan, running disk utilities, etc.  If all else fails to fix the problem, do the following:

*** remember - in case you have not backed up your hives, or in case your backed up hives fail for some reason - there is always a backed up set of them in your Windows\Repair folder.  In addition, WinXP creates a backup set during installation in the same folder, and names each file with a ".sav" extension.  However, these should generally not be used because they are created when Windows is not really completely finished installing ***

 

Additional Info

(from Microsoft at  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/registry_hives.asp  )

A hive is a group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data. The setup phase of the Windows boot process automatically retrieves data from these supporting files. You can also retrieve data manually using the Import Registry File menu item of the Registry Editor (Regedit.exe). When you shut down Windows, the operating system automatically writes the hive data to the supporting files. You can also back up the hive data manually using the Export Registry File menu item of the Registry Editor.

The supporting files for all hives except HKEY_CURRENT_USER are in the %SystemRoot%\System32\Config directory; the supporting files for HKEY_CURRENT_USER are in the %SystemRoot%\Profiles\Username directory. The file name extensions of the files in these directories, and in some cases a lack of an extension, indicate the type of data they contain. The following table lists these extensions along with a description of the data in the file.

Extension       Description
No extension    A complete copy of the hive data.
.alt            A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file.
.log            A transaction log of changes to the keys and value entries in the hive.
.sav            Copies of the hive files as they looked at the end of the text-mode stage in Setup.

Setup has two stages: text mode and graphics mode. The hive is copied to a .sav file after the text-mode stage of setup to protect it from errors that might occur if the graphics-mode stage of setup fails. If setup fails during the graphics-mode stage, only the graphics-mode stage is repeated when the computer is restarted; the .sav file is used to restore the hive data.


The following table lists the standard hives and their supporting files.

Registry hive                  Supporting files
HKEY_CURRENT_CONFIG            System, System.alt, System.log, System.sav
HKEY_CURRENT_USER              Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM         Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security    Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software    Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System      System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT            Default, Default.log, Default.sav

Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile. This is called the user profile hive. A user's hive contains specific registry information pertaining to the user's application settings, desktop, environment, network connections, and printers. User profile hives are located under the HKEY_USERS key.

The supporting file for the user profile hive for a particular user is located in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\SID\ProfileImagePath, and is named Ntuser.dat. The value of ProfileImagePath is a binary representation of the directory name of the user's profile, which includes the user's name. Use the Registry Editor to display this binary value as a string.

Standard vs Latest Hives

Registry files have the following two formats:

Standard Hives - the only format supported by Windows 2000 and Windows NT. It is also supported by later versions of Windows for backward compatibility.

Latest Hives - supported by Windows XP and any version of Windows thereafter (such as Windows 2003).

On versions of Windows that support the latest format, the following hives still use the standard format:

*** all other hives use the latest format.
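
A check to run on a backup folder before relying on it for a restore, added here as an example (it is not part of the original page or of Microsoft's text): it reads the 512-byte header of each backed-up hive, confirms the "regf" signature, the header checksum and matching sequence numbers, and reports the format version. The header offsets and the mapping of minor version 3 to the standard format and 5 to the latest format are assumptions taken from the publicly documented hive file layout, not from this page; make_sample_block builds constructed test input.

```python
import os
import struct

HIVES = ("sam", "system", "security", "software", "default")  # names from the page
FORMATS = {3: "standard", 5: "latest"}  # assumed minor-version mapping

def regf_checksum(block):
    """XOR of the first 127 little-endian dwords (bytes 0-507)."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", bytes(block[:508])):
        csum ^= dword
    return 0xFFFFFFFE if csum == 0xFFFFFFFF else (csum or 1)

def check_hive_header(block):
    """Validate the 512-byte header of one backed-up hive file."""
    if len(block) < 512:
        return {"ok": False, "reason": "too short for a hive"}
    if block[:4] != b"regf":
        return {"ok": False, "reason": "no regf signature"}
    seq1, seq2 = struct.unpack_from("<II", block, 4)
    major, minor = struct.unpack_from("<II", block, 20)
    (stored,) = struct.unpack_from("<I", block, 508)
    if stored != regf_checksum(block):
        return {"ok": False, "reason": "header checksum mismatch"}
    if seq1 != seq2:
        return {"ok": False, "reason": "sequence numbers differ"}
    return {"ok": True, "version": f"{major}.{minor}",
            "format": FORMATS.get(minor, "unknown")}

def check_backup_folder(folder):
    """Check the five hives in a backup folder such as Hives1."""
    report = {}
    for name in HIVES:
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            report[name] = {"ok": False, "reason": "missing"}
            continue
        with open(path, "rb") as fh:
            report[name] = check_hive_header(fh.read(512))
    return report

def make_sample_block(minor, seq=(7, 7)):
    """Constructed sample input: a bare header, not a real hive."""
    block = bytearray(512)
    block[:4] = b"regf"
    struct.pack_into("<II", block, 4, *seq)
    struct.pack_into("<II", block, 20, 1, minor)
    struct.pack_into("<I", block, 508, regf_checksum(block))
    return bytes(block)
```

A hive that fails here (truncated copy, bad checksum, or sequence numbers that differ because the file was not cleanly written) should not be copied back into windows\system32\config; fall back to the other backup set instead.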