Corrupt RegBack file on Windows 7

Question

I searched on this site how to repair a Windows 7 boot that is reporting a "Corrupt Registry". Most accepted answers suggest to backup the the files in

C:\Windows\System32\config

and

C:\Windows\System32\config\RegBack

to any safe directory or drive, and then replace the ones in config with the ones in config\RegBack

I did the same and Windows still reports "Corrupt Registry" on boot.

Out of curiosity I mounted the NTFS partition read-only on a Linux system and tried to check those files. Running file on all of them except one (SECURITY, SOFTWARE, SAM, DEFAULT) report this file type:

MS Windows registry file, NT/2000 or above

However, for the SYSTEM file it reports

data

and for RegBack\SYSTEM it reports

zlib compressed data

Looks like file didn't identify this file right, as any programs supporting zlib failed to read it too. Anyway, I guess the type should be MS Windows registry file, NT/2000 or above for both. Is this correct, or the SYSTEM file is different to the other ones? Do I have both corrupt files (original and backup)?

Answer 1

Analysis

According to this forensic article, the file type of SYSTEM should also be "MS Windows registry file".

Conclusion : Your SYSTEM hive is indeed corrupted. You may also yourself check its signature, which resides in the first 4 bytes, which should contain the ASCII string "regf".

The above article uses the metasploit testing framework, which you may also use to test the contents of your SYSTEM hive, if very curious.

Restore method 1 : Restore system image

If you have an image backup of the system disk, you should restore it. If you don't, then read on.

Restore method 2 : Restore a System Restore point using System Repair Disc

If System Restore was enabled, then you might find a working set of your registry hives in a previous system restore point. If it was disabled, skip to Method 4.

If you did Create a System Repair Disc, then it can restore from a restore point (link):

• Boot with System Repair Disc
• Select your keyboard language preferences and click on Next
• Click on Repair your computer
• Select which operating system you want to restore and the click on Next
• Select System Restore

This won't affect your personal files, but it will remove recently installed apps, drivers, and updates that might be causing your PC problems.

Restore method 3 : Restore from System Restore point using Windows boot media

If you have never created a recovery drive, not all is lost :

• On a working PC, go to the Microsoft software download website and download a matching ISO. This requires a valid product activation key.
• Use the Windows USB/DVD Download Tool to create the boot media.
• Connect the installation media you created to your nonfunctional PC and turn it on. (Ensure that the computer will boot from that media, you might need to change your PC's boot order.)
• Choose System Recovery Options
• Select System Restore and continue as above.

The following article has more info and screenshots :
How to Do a System Restore in Windows 7.

Method 4 : Save your data and do a fresh install

If you did not enable System Restore, then I think that you will need to reinstall Windows.

You may still save your files by either :

• Windows 7: Command Prompt at Startup,
• Boot with a Linux live boot media.

When the time comes for restoring Windows, reinstall from the Windows 7 boot media.

Answer 2

I would suggest to replace a file C:\Windows\System32\config\SYSTEM from a similar computer (OS version, OS configuration, UI languages, layouts should be the same).

This file refers to the HKEY_LOCAL_MACHINE\SYSTEM hive which contains mostly global system settings not related to the applications installed, so the apps installed may be different on 2 computers.

Even if some settings will be different on a source and destination computer it should give you a clue if the your SYSTEM files is damaged or not.