Monday, December 16, 2013

Quick Registry Snapshot

I came across a neat trick while looking into taking registry backups and would like to share what I found. This trick will work on Windows 7 and later operating systems.
First, a little background. Let's take a look at the folder the registry resides in and the core registry files (DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM):

%systemroot%\system32\config

There is one folder in particular that we are interested in:

%systemroot%\system32\config\RegBack

We can see that the RegBack folder contains a copy of each of the registry hives. This is really useful because it gives us at least one good copy of the registry that we can use to restore from in case Windows gets into a state where it is unable to boot.

The question now is, how does this get backed up? There is a hidden scheduled task:

"\Microsoft\Windows\Registry\RegIdleBackup"

This is the task responsible for taking the snapshot that is saved in the RegBack folder. The problem is, this task is only scheduled to run once every 10 days. Some people might want to run it more often, or be able to run it on demand. Here is how to do it:

Open CMD as administrator.
Type the following command:

schtasks.exe /run /TN "\Microsoft\Windows\Registry\RegIdleBackup"
Now you have a current snapshot of the registry! This can be restored manually from any PE environment that allows access to the file system.
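The command above fires the task and returns immediately, so the one thing it does not tell you is whether the hives in RegBack were actually rewritten. The following PowerShell script is an added example (it is not part of the original post): it records the RegBack timestamps, starts RegIdleBackup through the Task Scheduler COM interface (available on Windows 7 and later, unlike the ScheduledTasks module), waits for it to finish, and then checks that every hive copy is present, newer than before, and not empty. The task path, folder and hive names are the ones the post gives; everything else is assumed and needs an elevated session.

```powershell
# Added example, not from the original post: trigger RegIdleBackup on demand and
# verify that the RegBack hives were actually refreshed. Run from an elevated
# PowerShell session (the task runs as SYSTEM, so starting it needs admin rights).
# Uses the Task Scheduler COM interface, which exists on Windows 7 and later,
# so it does not depend on the ScheduledTasks module that only Windows 8+ ships.

$taskFolder = '\Microsoft\Windows\Registry'
$taskName   = 'RegIdleBackup'
$regBack    = Join-Path $env:SystemRoot 'System32\config\RegBack'
$hives      = 'DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM'

# 1. Record the current RegBack timestamps so a "successful" run can be proven,
#    not assumed. Missing files get DateTime.MinValue so any new file counts as fresh.
$before = @{}
foreach ($h in $hives) {
    $f = Get-Item -LiteralPath (Join-Path $regBack $h) -ErrorAction SilentlyContinue
    $before[$h] = if ($f) { $f.LastWriteTimeUtc } else { [datetime]::MinValue }
}

# 2. Start the task and wait for it to leave the Running state (TASK_STATE_RUNNING = 4).
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$task = $svc.GetFolder($taskFolder).GetTask($taskName)
$null = $task.Run($null)
do { Start-Sleep -Seconds 2 } while ($task.State -eq 4)

'Task {0}\{1} finished: LastRunTime={2:u} LastTaskResult=0x{3:X8}' -f `
    $taskFolder, $taskName, $task.LastRunTime, $task.LastTaskResult

# 3. Check each hive copy: it must exist, be newer than before, and not be empty.
#    Recent Windows 10 builds leave 0-byte files here unless periodic backup is
#    re-enabled (see the note after this block); a 0-byte SYSTEM hive is useless
#    for the offline restore the post describes.
$allGood = $true
foreach ($h in $hives) {
    $f = Get-Item -LiteralPath (Join-Path $regBack $h) -ErrorAction SilentlyContinue
    if (-not $f) {
        '{0,-10} MISSING' -f $h
        $allGood = $false
        continue
    }
    $fresh = $f.LastWriteTimeUtc -gt $before[$h]
    $state = if ($f.Length -eq 0) { 'EMPTY' } elseif (-not $fresh) { 'UNCHANGED' } else { 'refreshed' }
    '{0,-10} {1,14:N0} bytes  {2:u}  {3}' -f $h, $f.Length, $f.LastWriteTimeUtc, $state
    if ($state -ne 'refreshed') { $allGood = $false }
}

if (-not $allGood) {
    # Read-only check of the switch that controls periodic RegBack writes on newer Windows 10.
    $cmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'
    $flag  = (Get-ItemProperty -Path $cmKey -Name EnablePeriodicBackup -ErrorAction SilentlyContinue).EnablePeriodicBackup
    'RegBack was not fully refreshed. EnablePeriodicBackup = {0}' -f $(if ($null -eq $flag) { '<not set>' } else { $flag })
    exit 1
}
'RegBack snapshot is current.'
```

Two caveats for anyone relying on this today. A LastTaskResult of 0 only means the task ran; the file check is what tells you the snapshot is usable. And starting with Windows 10 version 1803, Microsoft stopped populating RegBack by default, so the task completes but leaves 0-byte hives; the backup behaviour returns after setting the EnablePeriodicBackup DWORD shown above to 1 and restarting, after which the task writes real copies again.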
