Sunday, July 12, 2009

How To Recover Our Registry In Our Computer

When you try to start or restart your Windows XP-based computer, you may receive one of the following error messages:

Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM 
Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SOFTWARE 
Stop: c0000218 {Registry File Failure} The registry cannot load the hive (file): \SystemRoot\System32\Config\SOFTWARE or its log or alternate 
System error: Lsass.exe
When trying to update a password the return status indicates that the value provided as the current password is not correct.

Manual steps to recover a corrupted registry that prevents Windows XP from starting

The procedure that this article describes uses Recovery Console and System Restore. This article also lists all the required steps in specific order to make sure that the process is fully completed. When you finish this procedure, the system returns to a state very close to the state before the problem occurred. If you have ever run NTBackup and completed a system state backup, you do not have to follow the procedures in parts two and three. You can go to part four.
Part one
In part one, you start the Recovery Console, create a temporary folder, back up the existing registry files to a new location, delete the registry files at their existing location, and then copy the registry files from the repair folder to the System32\Config folder. When you have finished this procedure, a registry is created that you can use to start Windows XP. This registry was created and saved during the initial setup of Windows XP. Therefore any changes and settings that occurred after the Setup program was finished are lost.

To complete part one, follow these steps:

1) Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
2) When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3) If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.
4) When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER.
5) At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:

md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default

6) Type exit to quit Recovery Console. Your computer will restart.
Note This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location.

If you have access to another computer, to save time, you can copy the text in step five, and then create a text file called "Regcopy1.txt" (for example). To use this file, run the following command when you start in Recovery Console: 
batch regcopy1.txt
With the batch command in Recovery Console, you can process all the commands in a text file sequentially. When you use the batch command, you do not have to manually type as many commands. 
Part two
To complete the procedure described in this section, you must be logged on as an administrator, or an administrative user (a user who has an account in the Administrators group). If you are using Windows XP Home Edition, you can log on as an administrative user. If you log on as an administrator, you must first start Windows XP Home Edition in Safe mode. To start the Windows XP Home Edition computer in Safe mode, follow these steps.

Note Print these instructions before you continue. You cannot view these instructions after you restart the computer in Safe Mode. If you use the NTFS file system, also print the instructions from Knowledge Base article KB309531. Step 7 contains a reference to the article.

1) Click Start, click Shut Down (or click Turn Off Computer), click Restart, and then click OK (or click Restart).
2) Press the F8 key. On a computer that is configured to start to multiple operating systems, you can press F8 when you see the Startup menu.
3) Use the arrow keys to select the appropriate Safe mode option, and then press ENTER.
4) If you have a dual-boot or multiple-boot system, use the arrow keys to select the installation that you want to access, and then press ENTER.
In part two, you copy the registry files from their backed up location by using System Restore. This folder is not available in Recovery Console and is generally not visible during typical usage. Before you start this procedure, you must change several settings to make the folder visible:

1) Start Windows Explorer.
2) On the Tools menu, click Folder options.
3) Click the View tab.
4) Under Hidden files and folders, click to select Show hidden files and folders, and then click to clear the Hide protected operating system files (Recommended) check box.
5) Click Yes when the dialog box that confirms that you want to display these files appears.
6) Double-click the drive where you installed Windows XP to display a list of the folders. It is important to click the correct drive.
7) Open the System Volume Information folder. This folder is unavailable and appears dimmed because it is set as a super-hidden folder.

Note This folder contains one or more _restore{GUID} folders such as "_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}".

Note You may receive the following error message:
C:\System Volume Information is not accessible. Access is denied.
If you receive this message, see the following Microsoft Knowledge Base article to gain access to this folder and continue with the procedure:
309531 How to gain access to the System Volume Information folder

8) Open a folder that was not created at the current time. You may have to click Details on the View menu to see when these folders were created. There may be one or more folders starting with "RPx" under this folder. These are restore points.
9) Open one of these folders to locate a Snapshot subfolder. The following path is an example of a folder path to the Snapshot folder:
C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot
10) From the Snapshot folder, copy the following files to the C:\Windows\Tmp folder:
_REGISTRY_USER_.DEFAULT
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_MACHINE_SAM
11) Rename the files in the C:\Windows\Tmp folder as follows:
Rename _REGISTRY_USER_.DEFAULT to DEFAULT
Rename _REGISTRY_MACHINE_SECURITY to SECURITY
Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
Rename _REGISTRY_MACHINE_SAM to SAM
These files are the backed up registry files from System Restore. Because you used the registry file that the Setup program created, this registry does not know that these restore points exist and are available. A new folder is created with a new GUID under System Volume Information and a restore point is created that includes a copy of the registry files that were copied during part one. Therefore, it is important not to use the most current folder, especially if the time stamp on the folder is the same as the current time. 

The current system configuration is not aware of the previous restore points. You must have a previous copy of the registry from a previous restore point to make the previous restore points available again. 

The registry files that were copied to the Tmp folder in the C:\Windows folder are moved to make sure that the files are available under Recovery Console. You must use these files to replace the registry files currently in the C:\Windows\System32\Config folder. By default, Recovery Console has limited folder access and cannot copy files from the System Volume folder. 

Note The procedure described in this section assumes that you are running your computer with the FAT32 file system. For more information about how to access the System Volume Information Folder with the NTFS file system, click the following article number to view the article in the Microsoft Knowledge Base: 
309531 How to gain access to the System Volume Information folder 
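As an added check that is not part of the Knowledge Base procedure, the Python below inspects the base block of a candidate hive (one of the .bak copies in C:\Windows\Tmp, a file from c:\windows\repair, or a renamed Snapshot file copied to another machine) and reports whether its signature, sequence numbers and header checksum are consistent, so an obviously damaged hive is never copied over System32\Config. Field offsets follow the documented regf base-block layout; the sample header is constructed, not taken from a real system.

```python
import struct

REGF_BASE_BLOCK = 4096   # a hive's base block occupies the first 4 KiB page
CHECKSUM_OFFSET = 0x1FC  # XOR-32 checksum of the 508 bytes that precede it


def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian dwords before the checksum field, with the
    two reserved results (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE) mapped as the format requires."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", header[:CHECKSUM_OFFSET]):
        xor ^= dword
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return xor or 1


def check_hive_header(header: bytes) -> dict:
    """Validate a hive base block; 'ok' is True only when every check passes."""
    if len(header) < REGF_BASE_BLOCK:
        return {"ok": False, "problems": ["shorter than a 4096-byte base block"]}
    problems = []
    if header[:4] != b"regf":
        problems.append("missing 'regf' signature")
    primary, secondary = struct.unpack_from("<II", header, 4)
    if primary != secondary:
        # Unequal sequence numbers mean the last write to the hive never
        # completed: the state behind the "missing or corrupt" boot errors.
        problems.append(f"sequence numbers differ ({primary} != {secondary})")
    major, minor = struct.unpack_from("<II", header, 20)
    if major != 1:
        problems.append(f"unexpected major version {major}")
    stored = struct.unpack_from("<I", header, CHECKSUM_OFFSET)[0]
    computed = regf_checksum(header)
    if stored != computed:
        problems.append(f"checksum mismatch (stored {stored:#x}, computed {computed:#x})")
    return {"ok": not problems, "problems": problems,
            "sequence": (primary, secondary), "version": (major, minor)}


def check_hive_file(path: str) -> dict:
    """Read only the base block, so a multi-megabyte SOFTWARE hive is cheap to test."""
    with open(path, "rb") as fh:
        return check_hive_header(fh.read(REGF_BASE_BLOCK))


def build_sample_header(primary=5, secondary=5, signature=b"regf", corrupt=False) -> bytes:
    """Constructed sample base block (not a real hive): only the fields the checker reads are filled."""
    buf = bytearray(REGF_BASE_BLOCK)
    buf[:4] = signature
    struct.pack_into("<II", buf, 4, primary, secondary)
    struct.pack_into("<II", buf, 20, 1, 3)  # major 1, minor 3: XP-era hives
    struct.pack_into("<I", buf, CHECKSUM_OFFSET, regf_checksum(bytes(buf)))
    if corrupt:
        buf[0x100] ^= 0xFF  # flip a byte after the checksum was stored
    return bytes(buf)


if __name__ == "__main__":
    import sys
    for hive in sys.argv[1:]:
        result = check_hive_file(hive)
        print(hive, "OK" if result["ok"] else "; ".join(result["problems"]))
```

Run it as `python check_hive.py system.bak software.bak` from a working machine; a hive that fails here should be skipped in favour of an older restore point.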
Part Three
In part three, you delete the existing registry files, and then copy the System Restore Registry files to the C:\Windows\System32\Config folder:

1) Start Recovery Console.
2) At the command prompt, type the following lines, pressing ENTER after you type each line:

del c:\windows\system32\config\sam
del c:\windows\system32\config\security
del c:\windows\system32\config\software
del c:\windows\system32\config\default
del c:\windows\system32\config\system

copy c:\windows\tmp\software c:\windows\system32\config\software
copy c:\windows\tmp\system c:\windows\system32\config\system
copy c:\windows\tmp\sam c:\windows\system32\config\sam
copy c:\windows\tmp\security c:\windows\system32\config\security
copy c:\windows\tmp\default c:\windows\system32\config\default

Note Some of these command lines may be wrapped for readability.

3) Type exit to quit Recovery Console. Your computer restarts.
Note This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location.

If you have access to another computer, to save time, you can copy the text in step two, and then create a text file called "Regcopy2.txt" (for example). To use this file, run the following command when you start in Recovery Console: 
batch regcopy2.txt
Part Four
Click Start, and then click All Programs.
Click Accessories, and then click System Tools.
Click System Restore, and then click Restore to a previous RestorePoint.

How To Remove Spyware And Adware In Your Computer

Removal of viruses using SAFE MODE
Windows has a useful feature called Safe Mode. This is used to start your computer in emergencies, when it otherwise will not start. Safe Mode can also be used for troubleshooting, and for removing viruses.

Safe Mode is a viable option for removal of a lot of advanced infections. Some of these are very hard to remove when the virus is running, but the virus will not be running in Safe Mode. Simply boot Windows into Safe Mode, instead of normal Windows mode. When finished, restart the computer as normal and let it load up normal Windows mode.

To get to Safe Mode, follow these instructions

1) Restart your computer. After the first screen(s) of information, but BEFORE Windows starts to load, press F8. This might take you a few tries, and depending on the manufacturer, you may need to start pressing F8 quickly as soon as the PC starts up. Most computers will take a few seconds before showing a black screen, and then Windows starts to load. Start pressing F8 at this black screen.

2) When you see the STARTUP MENU, choose the option SAFE MODE. There will be additional Safe Mode options, such as Safe Mode with Networking. If you are an advanced user this could help, but for most just ignore these options and choose the SAFE MODE option.

3) Windows loads slower in this mode, give it some time and it will load up. If asked if you are sure you want to use Safe Mode, choose YES.

4) Now you are in Windows Safe Mode. Run your antivirus scanner and delete any detected malware. If you have the virus filename from previous steps, you can delete the file manually. This is only recommended if you are sure; most scanners will run in Safe Mode and can be used to make sure everything gets deleted properly.


Free and easy virus removal tips
This page is a general guide to removing viruses, trojans, spyware and lots of other nasties. It's very common for someone with an antivirus scanner to have problems removing something the scanner detected. Even without a scanner, quite often the removal can be achieved very easily, and without buying another software program! This guide is very general; however, the information outlined here is nearly always enough to remove pesky malware. The first thing of course is to try your virus scanner. In some cases it won't work: you may get a generic error like "access denied" or just something like "unable to delete file". Here's what you need to know, and where to start!

Note - beware of false positives. False alarms DO occur, so before proceeding try to get a second opinion by scanning the file online. If you are unsure, email the file to the scanner's support team to verify an infection.

FILENAME
1) Determine the full filename and location. Either use your antivirus scanner alarm window, or any DETAILS or INFO buttons to find what the virus is called. The full filename and location may be presented like this:

c:\Windows\System32\virus.exe
or
File- virus.exe Location- C:\Windows\System32

Both mean the same thing. In the "C" drive there is a folder called Windows. In the "Windows" folder there is a folder called System32. In this "System32" folder, is a file called virus.exe. This is the infected object.

Special case - archives
If the file is located inside an archive, some virus scanners will simply not delete the file. Some common archive types include ZIP, RAR, or CAB files, but you may encounter others like DBX mailboxes. Usually scanner logs will use forward slashes to indicate a compound object like an archive, so in the first example imagine the file virus.exe is in a CAB file called virus.cab. Scanners would likely show the object in this way:

c:\Windows\System32\virus.cab/virus.exe

In archive file situations, you have two options: delete the entire archive, or extract any needed files first, then delete it. For example a ZIP file could have a few legitimate files in it, plus one virus. You could check if some more files were in the zip, unzip them, and delete the ZIP file. Then zip up only the clean files for storage reasons.

REMOVAL
2) Now we know the filename, we can go about removing the file, manually or otherwise. At this stage, simply deleting the file is not going to work if you already tried with the antivirus "clean", "delete" or "quarantine" options. The file must be "in use". When a file is being used, it cannot be deleted. In the case of an EXE file, it is either running or some program has protected the file from being deleted.

First, check these possibilities:

Is the file in a folder called System Volume Information (WinXP) or _RESTORE (WinME)?
These are easy to remove! See Removing viruses from System Restore

Try deleting the file in Safe Mode. Be sure to update your antivirus databases and any other scanners first!
See this link removing viruses from Safe Mode

Try killing the program with a Task List program (like Task Manager).
Does the virus show up as a running file? In our example, it would show as "virus.exe" in Task Manager, without the location, so be careful of getting the wrong file! Try our tool APT - Advanced Process Termination. Terminate any Windows program!
With APT, the full path is shown, so the example would show as C:\Windows\System32\virus.exe

Start the computer but don't allow the file to run, then delete it!
ProcessGuard users can try blocking the file from running, then reboot and just delete the file.
See this ProcessGuard article for detailed info. If it can't start, it can nearly always be deleted!
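As an added example that is not part of this guide, the Python below parses the three ways the text above shows a scanner naming an object (a plain path, the "File- / Location-" pair, and the forward-slash archive notation from the "Special case - archives" section), separates the file that actually exists on disk from any archive members, and flags the System Volume Information / _RESTORE case from the checklist. The advice strings only restate the removal routes the guide already lists; the sample inputs are constructed.

```python
import re
from pathlib import PureWindowsPath

# "File- virus.exe Location- C:\Windows\System32" style report.
LOCATION_FORM = re.compile(
    r"^File-\s*(?P<name>\S+)\s+Location-\s*(?P<dir>.+?)\s*$", re.IGNORECASE)

# Folders in which a detection is a stale restore-point copy, not a live file.
RESTORE_FOLDERS = ("system volume information", "_restore")


def parse_scanner_object(report: str) -> dict:
    """Turn a scanner's object string into the on-disk file plus any archive members."""
    text = report.strip()
    m = LOCATION_FORM.match(text)
    if m:
        text = str(PureWindowsPath(m.group("dir")) / m.group("name"))
    # Scanner logs use "/" to step into an archive: everything after the first
    # forward slash is a member chain, and only the part before it is on disk.
    on_disk, _, inner = text.partition("/")
    members = [part for part in inner.split("/") if part]
    path = PureWindowsPath(on_disk)
    folders = [p.lower() for p in path.parts[:-1]]
    return {
        "on_disk": str(path),
        "directory": str(path.parent),
        "filename": path.name,
        "archive_members": members,
        "in_archive": bool(members),
        "in_restore_point": any(f.startswith(RESTORE_FOLDERS) for f in folders),
    }


def removal_advice(info: dict) -> str:
    """Map the parsed object onto the removal routes the guide lists."""
    if info["in_restore_point"]:
        return "stale System Restore copy: clear it via the restore-point procedure"
    if info["in_archive"]:
        return (f"archive member {'/'.join(info['archive_members'])} inside "
                f"{info['filename']}: extract clean files first, then delete the archive")
    return "live file: retry deletion from Safe Mode or after terminating the process"


if __name__ == "__main__":
    # Constructed sample reports in the formats shown above.
    for sample in (r"c:\Windows\System32\virus.exe",
                   r"File- virus.exe Location- C:\Windows\System32",
                   r"c:\Windows\System32\virus.cab/virus.exe"):
        info = parse_scanner_object(sample)
        print(info["on_disk"], "->", removal_advice(info))
```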

SUPPORT
3) Contacting your software vendor for support should be the next course of action. The virus or spyware scanner you are using could have problems with a particular virus or type of file, and sometimes specialist removal tools could be available just for that virus