How to Restore the Registry Hives from a System Restore Snapshot in Windows XP

This article describes how to restore the registry hives from a recent System Restore snapshot in Windows XP, in the event of registry corruption that prevents your Windows XP computer from starting. If the registry hives become corrupted, the following errors are displayed at startup.

Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM

Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SOFTWARE

Here are the methods that you can use to fix this problem, short of reinstalling Windows:

Method 1: Perform a System Restore Rollback Offline

You can perform a System Restore rollback offline using ERD Commander’s System Restore Wizard. For more information, see our article Perform a System Restore rollback on a non-bootable Windows XP Computer. This is probably the easiest method. If you need to restore the registry hives manually for some reason, use Method 2.

Method 2: Restore registry hives from the System Restore store folder

The System Restore snapshots are stored in a folder named System Volume Information. Each snapshot folder stores the registry hives, system files and other data. Microsoft Knowledge Base article 307545 tells you how to restore the registry from the Windows\Repair directory, and then restore the most recent registry hives from the System Volume Information folder. A brief synopsis of that article follows:

Part I

  • Start Windows XP Recovery Console.
  • Copy the five registry hives (SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT) from C:\Windows\System32\Config to C:\Windows\Tmp, adding the .bak extension.
  • Delete the five registry hives from C:\Windows\System32\Config.
  • Copy the five registry hives from the C:\Windows\Repair folder to C:\Windows\System32\Config.

With this done, you should be able to start Windows XP using the registry that was created during the initial setup of Windows XP. As a result, any changes and settings that occurred after the Setup program was finished are lost.

Part II

  • Start Windows XP in Safe mode
  • Explore the System Volume Information folder in the drive where Windows XP is installed. If you’re denied access to the folder, read this article to know how to gain access to the System Volume Information folder.
  • Double-click the _Restore… folder, and locate the recent restore point, identified by the Restore Point Sequence ID (RP1, RP2, RP3, and so forth…). Because you used the registry file that the Setup program created, this registry does not know that these restore points exist and are available. A new folder is created with a new GUID under System Volume Information and a restore point is created that includes a copy of the registry files that were copied during part one. Therefore, it is important not to use the most current folder, especially if the time stamp on the folder is the same as the current time.
  • Double-click the folder named snapshot
  • Copy the five registry hives to C:\Windows\Tmp

Part III

  • Start Windows XP Recovery Console
  • Copy the five registry hives from C:\Windows\Tmp to C:\Windows\System32\Config
  • Start Windows XP
  • Perform a System Restore rollback.

Easier Method

If you find the steps in KB307545 tedious, you can accomplish the task using a bootable live Windows CD like BartPE or ERD Commander Boot CD. Here are the instructions for ERD Commander Boot CD.

Using the ERD Commander Boot CD

ERD Commander is part of the Microsoft Diagnostics and Recovery Toolset (DaRT), whose 30-day evaluation is available here (MSDaRT50Eval.msi – 64.2 MB). We’ve covered MS DaRT earlier in the article Perform a System Restore rollback on a non-bootable Windows XP computer. Follow steps 1-7 in that article to create an ERD Commander Boot CD.

1. Insert the ERD Commander Boot CD into the drive and restart the system

2. Boot the computer using ERD Commander Boot CD. You may have to set the boot order in the BIOS first.

3. Select your Windows XP installation and click OK.

4. Double-click the My Computer icon on the Desktop

5. Open the C:\Windows\System32\Config folder

6. Rename the five registry hives (SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT) by adding the .bak extension to them.

7. Double-click the drive letter where Windows is installed.

8. Open the System Volume Information folder, and double-click the _restore{…} folder.

9. Locate the recent snapshot, identified by the Restore Point Sequence ID (RP1, RP2, RP3 and so forth…). The highest number indicates the most recent snapshot, and the lowest number indicates the oldest snapshot. Choose the one that you want to restore. Alternatively, you can sort the System Restore snapshots using the Date column.

10. Double-click the appropriate folder (say, RP20) and double-click the folder named snapshot.

11. Select the following files (use the CTRL key to select multiple files):

  • _REGISTRY_MACHINE_SAM
  • _REGISTRY_MACHINE_SECURITY
  • _REGISTRY_MACHINE_SYSTEM
  • _REGISTRY_MACHINE_SOFTWARE
  • _REGISTRY_USER_.DEFAULT

12. Right-click the selection and choose Copy to…

13. Select C:\Windows\System32\Config as the destination path, and click OK.

The items will be copied now.

14. Open C:\Windows\System32\Config and rename the hives, as follows:

  • Rename _REGISTRY_MACHINE_SAM to SAM
  • Rename _REGISTRY_MACHINE_SECURITY to SECURITY
  • Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
  • Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
  • Rename _REGISTRY_USER_.DEFAULT to DEFAULT

15. Remove the ERD Commander Boot CD and restart Windows XP. So far, you’ve only done a registry rollback. To complete the procedure, click Start, and then click All Programs. Click Accessories, and then click System Tools. Click System Restore, and then click Restore to a previous RestorePoint. Complete the System Restore process.
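The copy-and-rename procedure above as a script, with a hive header check added so that a damaged or incomplete snapshot is skipped in favour of the next older one. This is an added example, not part of the original article or KB307545; it assumes the Windows XP volume is mounted in a recovery environment where Python 3 is available, and the function names and the `skip_newest` parameter are hypothetical.

```python
import re
import shutil
import struct
from pathlib import Path

# Snapshot file name -> live hive name, per the article's rename list.
HIVES = {
    "_REGISTRY_MACHINE_SAM": "SAM",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
    "_REGISTRY_MACHINE_SOFTWARE": "SOFTWARE",
    "_REGISTRY_MACHINE_SYSTEM": "SYSTEM",
    "_REGISTRY_USER_.DEFAULT": "DEFAULT",
}

def hive_header_ok(path):
    """Header sanity check only: 'regf' signature plus the XOR-32 checksum of
    the first 508 bytes, stored at offset 508. Hive bins are not validated."""
    with open(path, "rb") as f:
        head = f.read(512)
    if len(head) < 512 or head[:4] != b"regf":
        return False
    xor = 0
    for (dword,) in struct.iter_unpack("<I", head[:508]):
        xor ^= dword
    xor = {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(xor, xor)  # reserved values
    return xor == struct.unpack_from("<I", head, 508)[0]

def restore_points(restore_dir):
    """RPn folders under _restore{...}, newest (highest n) first."""
    rps = [p for p in Path(restore_dir).iterdir()
           if p.is_dir() and re.fullmatch(r"RP\d+", p.name)]
    return sorted(rps, key=lambda p: int(p.name[2:]), reverse=True)

def restore_hives(restore_dir, config_dir, skip_newest=0):
    """Install the newest snapshot whose five hives all pass the header check.
    skip_newest (hypothetical) passes over the n most recent restore points,
    e.g. the one created after booting on the Repair-folder registry.
    Returns the RP folder name used, or None if no snapshot qualified."""
    config_dir = Path(config_dir)
    for rp in restore_points(restore_dir)[skip_newest:]:
        snap = rp / "snapshot"
        if not all((snap / s).is_file() and hive_header_ok(snap / s) for s in HIVES):
            continue  # incomplete or damaged snapshot: try the next older one
        for src, live in HIVES.items():
            if (config_dir / live).exists():  # keep the current hive as .bak
                (config_dir / live).replace(config_dir / (live + ".bak"))
            shutil.copy2(snap / src, config_dir / live)
        return rp.name
    return None
```

The .bak copies of SAM and SECURITY left in the Config folder still hold the account password hashes and LSA secrets, so delete them once the restored system is confirmed working.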



Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

4 thoughts on “How to Restore the Registry Hives from a System Restore Snapshot in Windows XP”

  1. I’ve done this before with restoring the original fresh install registry but never thought about using the system restore regs. I restored the system side and was back up and running.

  2. Problem with ERD Commander. When I try to rename the five reg hives you mention (System, etc.) to .bak I get this message – “the process cannot access the file because it is being used by another process.” I cannot proceed.
    (ERD 2007, Win XP SP3.)
