Recover Registry Keys from a System Restore Point in Windows

System Restore snapshots or volume shadow copies contain registry hives as well as critical system files. Sometimes you may need to extract individual registry keys from an earlier restore point but don’t want to do a complete System Restore rollback.

Previously we saw how to open the registry hives from shadow copies using “Previous Versions” tab and load the registry hives to extract the required keys. There is now a more comfortable option to extract specific registry keys from a restore point.

Check out one of the latest utilities from Nirsoft.net, named RegistryChangesView. While the primary purpose of this program is to compare snapshots of Windows Registry, it can also be used to extract registry data from an existing shadow copy or restore point. It can be used to recover registry keys which may have accidentally deleted.

Scenario: Let’s say you’ve accidentally deleted the Print Spooler service, and want to recover the following Print Spooler service registry key from a restore point.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler

Extract Registry Keys from a System Restore Point

  1. Start RegistryChangesView and configure it as shown below.
    registrychangesview options
  2. Set “Registry Data Source 1” to Current Registry
  3. Set “Registry Data Source 2” to Shadow Copy
  4. Select one of the shadow copy paths from the list shown.

    The highest numbered item in the Shadow Copy Path list represents the most recent shadow copy or restore point. You can find the list of shadow copies using vssadmin list shadows command-line from an admin Command Prompt window. For more information, check out the article How to Delete Individual System Restore Points in Windows.

  5. Select the appropriate registry hives to include for comparison. For this article, we’ll be selecting the following checkbox only, as that’s the location which stores the Services registry keys:
    HKEY_LOCAL_MACHINE\SYSTEM
  6. Click OK. RegistryChangesView will enumerate and compare the selected keys in the source and destination registry hives and show the results.
  7. From the View menu, enable the option named Use Quick Filter. [Ctrl + Q]registrychangesview use quick filter
  8. In the Quick Filter text box, type in \spooler or services\spooler to filter entries where the keys start with the word “spooler”. The idea is to limit the results to the following key and subkeys only.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler

    registrychangesview results window

  9. Select all the entries (that contain the above branch), and press Ctrl + E to export the results to a REG file. Or, click File > Export Selected Items to .Reg file
  10. Save the REG file to Desktop, and open it with Notepad.
    registrychangesview export .reg
  11. Replace every occurrence of the string ControlSet001 with CurrentControlSet, and save the file.
    registrychangesview .reg export
  12. Double-click the REG file to add its contents (“Spooler” key) to the registry.

You have now restored the missing Print Spooler service registry key!

Small glitch

One small problem I noticed is that the current version of RegistryChangesView, when exporting the entries to the REG file, writes expandable string values as REG_SZ value type. For example, the ImagePath registry value contains an environment variable, and the value type should be REG_EXPAND_SZ instead of REG_SZ.

registrychangesview expandable string



You’ll need to edit the registry to fix such flaws manually. Note down the value name and value data in Notepad, delete the value name from the registry and create a value with the same name and value data, but of type REG_EXPAND_SZ.

registrychangesview expandable string value

That’s about it! As always, there are other ways to restore the registry data. You can also mount the shadow copy volume using ShadowCopyView or ShadowExplorer utilities, and load/extract the registry hives. Check out article ShadowCopyView Recovers Files From Volume Shadow Copy Snapshots and Restore Previous Versions of Registry Hives From System Restore Snapshots in Windows for more details.

The RegistryChangesView method discussed in this post should work on any version of Windows, up to Windows 10. Both 32-bit and 64-bit systems are supported.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support. It won't take more than 10 seconds of your time. The share buttons are right below. :)

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

4 thoughts on “Recover Registry Keys from a System Restore Point in Windows”

  1. Thanks for this super helpful article! I just managed to restore a bunch of PuTTY sessions that a badly written program called ExtraPuTTY managed to delete.
    Also thanks to Nir for writing yet another useful Windows utility…

    Reply
  2. Thanks for writing this up. I was having a hard time getting Windows Update to work. Trying all the other tricks with SFC and DSIM didn’t work. A few Google searches later I stumble across this post and managed to get it working again.

    Reply
  3. This article helped me recover my User Variable’s Path, thank you so much!

    I accidentally deleted the user variable’s path while making an edit to it. I tried System Restore Point but it failed and I didn’t know what else to do. Luckily I got to this article and it was a great help.

    Reply

Leave a Reply