• No longer able to back up registry using regedit in Windows 8

    #489501

    We have all learned how important it is to backup the registry before tinkering with it. In the past I have always used the export function in regedit to backup the registry. This creates a .reg file. Double-clicking on the .reg file merges this file back into the registry and restores it to its original condition. This works with the entire registry or a selected registry key. This procedure always worked fine and allowed me to keep a fresh backup of the registry. Now comes along Windows 8. The above procedure simply will not work in Windows 8. The .reg file seems to be created OK but when you try to merge it back into the registry by double-clicking on it or right-clicking and selecting “merge”, you get the usual warning message, then you get the error message:

    Cannot import : not all data was successfully written to the registry. Some keys are open by the system or other processes, or you have insufficient privileges to perform this operation.

    Exactly what causes this error and why won’t it work as it did before Windows 8? No other programs are running and I have no idea what processes could cause it. I have taken ownership privileges of the registry key I am trying to backup and the .reg file. This has stumped me for over three weeks and any help would surely be appreciated.

    John

    • #1395289

      John,

      Have you attempted to read the file with Administrator Privileges? Try opening an elevated command prompt then navigate to the folder with your .reg file. Once there just enter the name of the registry file and press Enter. You’ll be prompted just as if you double clicked on it. HTH :cheers:

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

    • #1395325

      I tried your suggestion but get the exact same error. It’s strange how this worked in previous versions of Windows but won’t work in Windows 8.
      Thanks for your help. Any more suggestions would be appreciated.

      John

      • #1395340

        I tried your suggestion but get the exact same error. It’s strange how this worked in previous versions of Windows but won’t work in Windows 8.
        Thanks for your help. Any more suggestions would be appreciated.

        John,

        Hello..Have you tried to enter Safe Mode? Last known etc. This might help Windows 8 Safe Mode :cheers: Regards Fred

    • #1395334

      This has stumped me for over three weeks and any help would surely be appreciated.

      John,

      Hello.. I know it’s too late now …but in the future…. “Image” …There are programs that will do “System State” and others that will Image with compression the whole OS … I use both free and “Pay for” ones …I can recommend a free one to start ….Macrium Reflect Free …:cheers: Regards Fred

      • #1395336

        I regularly use Acronis True Image and the Windows program to create images of my C: drive but unfortunately all the images I have contain the defective registry I want to restore. Windows Defender is broken and I need to fix it. The problem is the Windows Defender Service is missing and I need to import the proper registry key from a computer where WD is working properly into the machine where WD is broken to restore the WD Service. This is where I get into trouble as Windows won’t let me merge the .reg file as described above.

        Thanks for your suggestion.

        John

        • #1395338

          Windows Defender is broken and I need to fix it. The problem is the Windows Defender Service is missing and I need to import the proper registry key from a computer where WD is working properly into the machine where WD is broken to restore the WD Service. This is where I get into trouble as Windows won’t let me merge the .reg file as described above.

          Sometimes one has to resort to operating on the Registry while it’s off line. http://www.pogostick.net/~pnh/ntpasswd/bootdisk.html contains one mechanism (though it doesn’t appear to have been tested on Win 8). REGEDT32 allows one to load a Registry hive from somewhere else (e.g., if you multi-boot with another Windows system you could use for this purpose or could temporarily move your disk to another machine to do so), operate upon it, and save the result on older NT-based systems, but I have no experience doing this on Win 8.

          • #1395341

            The HP method is essentially what I am doing and it simply DOES NOT WORK! I have tried this on several computers, all running Windows 8 and it won’t work on any of them. Most have minimal software installed and all are clean and working perfectly.

            Still looking for an answer.

            John

            • #1395343

              Rebooting into Safe Mode is one of the first things I tried. No better, works the same way. Also loading a previous Restore Point didn’t work. Apparently the bad registry is in all previous Restore Points as Windows Defender is still broken. The plan as of now is to abandon Windows Defender completely and load AVG as my primary, on-line AV program. But still would like to know why I can’t restore a .reg file.

              John

            • #1395345

              Rebooting into Safe Mode is one of the first things I tried. No better, works the same way. Also loading a previous Restore Point didn’t work. Apparently the bad registry is in all previous Restore Points as Windows Defender is still broken. The plan as of now is to abandon Windows Defender completely and load AVG as my primary, on-line AV program. But still would like to know why I can’t restore a .reg file.

              John,
              Hello…. Have you tried to run “sfc /scannow” from an “Elevated Command” prompt ? Space after sfc and no quotes …Regards Fred

            • #1395346

              Fred–
              Yes. I did try “sfc /scannow” from an elevated command prompt and it found no problems. Not sure if this would detect a corrupt registry.

              John

      • #1395337

        John,

        Hello.. I know it’s too late now …but in the future…. “Image” …There are programs that will do “System State” and others that will Image with compression the whole OS … I use both free and “Pay for” ones …I can recommend a free one to start ….Macrium Reflect Free …:cheers: Regards Fred

        When all one wants to do is back up the Registry, taking a full image seems like overkill.

        http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&lc=en&dlc=en&docname=c03485724 is HP’s description of how to back up and restore the Win 8 Registry. It’s pretty much the way jarome described it, though does explicitly refer to logging in as an administrator and using the ‘import’ function in regedit rather than simply double-clicking on the .reg file to perform the restore. Other descriptions found with a quick Google are similar, which suggests that jarome’s system may in some way be unusual.

    • #1395339

      I do not believe it is ever overkill to create a new Image. I realize just backing up the registry is sufficient for what the OP wants to do, but keeping an Up To Date Image is always appropriate in my view. I create a new Image every time I install updates on patch Tuesday. In this way my Image is quite up to date. I just installed a new beta AVG 2014 and I created an Image just prior to installing the beta app.

      • #1395344

        I do not believe it is ever overkill to create a new Image.

        Does this mean, for example, that you’d create an entire series of images simply to ensure that you’d have a very up-to-date copy (and perhaps some previous versions as well) of a single file that you were actively updating just in case of a system malfunction? If not, I’ll suggest that you’re indulging in a bit of hyperbole and reiterate my statement that if all you want to do is back up your Registry (for whatever reasons, which in the absence of direct evidence to the contrary one should accord the poster the respect of assuming are good ones) then taking a full image indeed seems like overkill.

    • #1395347

      What is the problem with Windows Defender?

      Also, I do a lot of manual registry editing. The only thing I ever backup is the key I’m working on.

      When I’m doing a major overhaul (as in carving up Windows and putting it back together my way) I make a drive image at each successful stage.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

      • #1395461

        Windows Defender is broke and will not run. The problem has been traced to a missing Windows Defender Service. The corresponding registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend. Comparing the contents of this key in NotePad to the same key from a computer where WD is working normally shows lots of missing data. I exported this key using regedit to a .reg file on the desktop. I then tried to import this .reg file into the bad registry key to replace it and enable the Windows Defender Service. If this is successful, it should fix Windows Defender. Windows 8 would not allow me to do this and I get the error message described in the first post in this thread. Am I doing something wrong? Any other suggestions? Thanks–

        John

    • #1395355

      Try running this under an elevated command prompt.

      DISM.exe /Online /Cleanup-image /Restorehealth

      Rich

    • #1395372

      Registry Backup 1.6.0

      Permissions are always going to get in the way for entire computer and or key backups with plain regedit.
      The above program takes advantage of the volume shadow copy service to backup, and a restore requires a reboot.

    • #1395376

      No Bill I do not create a new Image if a single file is being changed. I have stated many times, and do state above I create a new Image at least once per month on Patch Tuesday after install of all patches. I also create a new Image if I am making a change such as installing a new app (especially a beta which I just did a couple of days ago). For data backups (This is the only file type I would be making multiple changes to), I use drag and drop to another PC and monthly File History runs on both PCs.

      If I am having problems similar to the OP, then yes I would create additional Images until the problem is isolated and corrected.

      John, I believe you will like AVG as a replacement AV app. I have been using AVG AV 2013 on both our PCs for several months. This AV app seems similar to WD in resource usage, has at least daily sig. updates (The paid version can be set to update as often as you like) and is highly rated for finding and deleting virus/malware, both in real time and manual scans.

    • #1395409

      @jarome

      Note: double clicking a .reg file actually does a MERGE not a replacement. It does NOT necessarily restore the registry to the condition at the time the .reg file was created. Deletions after .reg creation will be restored. Changes after .reg creation will be overwritten. BUT, if you have added anything to the registry after the .reg file was created those additions will still be there after the .reg file is imported.

      Joe

      --Joe

    • #1395484

      You might try running regedit from a System Level Command Prompt and importing the .reg file. This will get around all but “TrustedInstaller” owned keys.

      If the key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend” you’re trying to fix is owned by TrustedInstaller, use the System Level initiated Regedit to change ownership to System. That will alleviate any permissions issues regarding that key, and you can then proceed with the merge.


      • #1395575

        This behavior is not new with Windows 8, it started with Windows 7. As the initial post stated, the Export function of Regedit works just fine and creates a .reg file. But when you try to import that .reg file, in some cases it fails with a message to the effect that the selected key is already in use. This happens in Normal Mode, Safe Mode, when Regedit is open, when it is closed, when running Regedit normally, or when running Regedit as Administrator.

        But this error only occurs in certain conditions, which appear to be related to the size of the key that you are trying to import. In Windows 7 (and presumably Windows 8), any small key imports just fine. But HKLM\Software\Microsoft\Windows NT\CurrentVersion fails every time. I don’t actually know whether the cause of the problem is the size or just something about this particular key. But I can assure you, the problem has been around since Windows 7.

        When I first encountered this problem, a Google search led me to a program that claims to get around the problem. I believe it was a paid program, but I could be mistaken. In any event, I decided the problem wasn’t severe enough to risk a client’s Registry on a program I had never heard of from a vendor I didn’t know anything about — even if the program was free.

        If you see this as a serious enough problem to justify the risk and expense, you could probably find that program the same way I did — with a Google search. If you try it, please let us know your results.

        • #1395623

          The registry key that I am trying to repair by importing a good .reg file is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend. I tried using the System account as suggested with the PSTools file but still no luck. I have tried several fixes located with Google but I don’t think I have come across the one you are referring to as they are all free. If you happen to remember the name let me know and I will try it. I am getting desperate. As I mentioned, I could just abandon Windows Defender and use AVG, but I will always wonder what broke WD and why the OS won’t let a .reg file be imported to fix it. This “permissions” thing has caused so many problems I wonder why MS doesn’t come up with a fix. It is my computer, I paid for it, no one else uses it and I am the owner/Administrator BUT MS won’t let me use it. There are way too many errors that should not occur.

          Thanks to all–
          John

          • #1395753

            I tried using the System account as suggested with the PSTools file but still no luck.

            Did you open Regedit using the System Level Command Prompt? That particular key is owned by SYSTEM in my OS. Did you check Permissions on your key?


    • #1395638

      Bruce,

      I’m curious as to how I tell which level of command prompt/privileges I have other than by the name I give the shortcut.
      [Attached image: 34136-Elevated-Command-prompts.JPG]
      Inquiring minds want to know…and so do I. 😆 :cheers:

      BTW: For those who are slightly technically challenged the actual command you need for the short cut to work is:
      "C:\Windows\system32\cmd.exe" /k "d:\your path to file\psexec" -i -s cmd.exe
      Those quote marks can be a bear!

      RG

      • #1395759

        Bruce,

        I’m curious as to how I tell which level of command prompt/privileges I have other than by the name I give the shortcut.

        Inquiring minds want to know…and so do I. 😆 :cheers:

        BTW: For those who are slightly technically challenged the actual command you need for the short cut to work is:
        "C:\Windows\system32\cmd.exe" /k "d:\your path to file\psexec" -i -s cmd.exe
        Those quote marks can be a bear!

        No quotes are necessary for the command line unless there is a space anywhere in the path name. PsExec is primarily for use on a remote system, but it works for this purpose by creating a local System Level Command Prompt. But as far as PsExec is concerned, it is on a remote system. The shortcut (when properly configured) invokes an Administrators level command prompt (which one does not see) which in turn calls PsExec to invoke a remote system level Command prompt.

        The graphic depicts the hierarchy. Note that the PsExec Command Prompt has a UNC name. The System Level Command Prompt takes on the name of “Administrator: C:\Windows\System32\cmd.exe”, whereas a regular Administrators level Command Prompt has the name “Administrator: Command Prompt”. The commandline for the shortcut should be:

        C:\Windows\System32\cmd.exe /k [Drive][Path]Psexec -i -s cmd.exe

        If the path name has a space, then the correct commandline is:

        C:\Windows\System32\cmd.exe /k "[Drive][Path]Psexec -i -s cmd.exe"

        Hope that helps.


        • #1395794

          I generated the System level command prompt as instructed and then opened regedit.exe from this prompt and used import from the file menu to import a .reg file which I made sure I was the owner of. This resulted in the same old error message regarding insufficient privileges. I wonder if someone else would try this and see if it works for them. If it does, then I am doing something wrong and will try to solve it. If other people get the same error then we have a global problem and it will ease my mind. Don’t forget to backup the registry first, but not with regedit.

          John

          • #1395830

            I generated the System level command prompt as instructed and then opened regedit.exe from this prompt and used import from the file menu to import a .reg file which I made sure I was the owner of. This resulted in the same old error message regarding insufficient privileges. I wonder if someone else would try this and see if it works for them. If it does, then I am doing something wrong and will try to solve it. If other people get the same error then we have a global problem and it will ease my mind. Don’t forget to backup the registry first, but not with regedit.

            John

            In order to import/merge a registry key, one must have permissions for the existing key in the registry. Did you check the permissions of the corrupt key you were trying to merge to? It is the key which is denying permission for the merge.


            • #1395850

              I right-clicked on the WinDefend folder in the left pane of regedit, which is where the bad key is located, and then clicked on Permissions. All users listed have full control. Do I now have permission to import the .reg key?

              John

            • #1395861

              I right-clicked on the WinDefend folder in the left pane of regedit, which is where the bad key is located, and then clicked on Permissions. All users listed have full control. Do I now have permission to import the .reg key?

              John

              Who is listed as Owner when you click on the Advanced button? If TrustedInstaller is listed as Owner, you must change ownership to SYSTEM.

              If SYSTEM is listed as Owner, you should be able to import/merge the key.


    • #1395855

      Bruce,

      Not my day today! :angry: Seems I managed to get a k vs /k in the first part of the command so I wasn’t getting the PsExec window with the UNC title. I think I’ll go to bed now…:lol: :cheers:

      RG

    • #1395856

      Bruce,

      Well I decided to stay up and try something. I like the shortcuts but hated having to close all the windows separately. If you replace the /k’s with /c’s when you close the last window opened all the others will cascade closed. I like it better this way YMMV.

      Next task is to create a Task Scheduler entry for each and point the short cut to that so I don’t have to answer the UAC prompt…let the computer do the work! HTH :cheers:

      Update: Works like a charm….

      RG

      • #1395862

        Update: Works like a charm….

        I would expect nothing less from you. :cheers:

        I think I’ll set mine up that way as well. I have Task Scheduler doing most everything else for me, anyway.


        • #1395940

          SYSTEM is listed as Owner. I don’t see TrustedInstaller listed anywhere. Still won’t let me import a .reg file. What now?

          John

          • #1395983

            SYSTEM is listed as Owner. I don’t see TrustedInstaller listed anywhere. Still won’t let me import a .reg file. What now?

            That main key has three sub keys.

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\Security]
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\TriggerInfo]
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\TriggerInfo]

            You could try editing your good .reg file into four separate .reg files, and see if you can import them one at a time.

            (The forum post is inserting a space in Services when it is posted, but it doesn’t appear in the editing frame)

            — edit — I should have done this at the beginning!

            I decided to see if I could replicate your effort (I keep current with my drive images so I can be rather fearless) and I did. I got an error message that looks like this.

            “Cannot import [path]WinDefend.reg: Not all data was successfully written to the registry. Some keys are open by the system or other processes, or you have insufficient privileges to perform this operation.”

            Look familiar? While one can edit a ‘live’ key using regedit, one cannot replace it while it is ‘live’. As far as regedit is concerned, your Windows Defender is running and that key is open.

            The only way you will be able to replace your existing key is to edit it manually, or when Windows is offline. I dual boot, and I can use regedit to import a hive from the Windows I am not currently running, edit that hive, then export it back to its source. In your case, this can be done by booting to your installation DVD, opening regedit from a Command Prompt, and importing the SYSTEM hive. But don’t try this unless you know how.


    • #1395975

      What JoeP517 said on p2 of this topic is absolutely correct, not trivial, and needs to be taken on board if you want a stable system. Quoting him, “double clicking a .reg file actually does a MERGE not a replacement. It does NOT necessarily restore the registry to the condition at the time the .reg file was created.”

      I’d go further than that and about bet every cent I own on the fact that, if anything approaching an entire exported registry more than about a day old is merged with a ‘live’ registry, it will cause a number of discrepancies amidst some of the tens of thousands of keys and values in the registry. What this means to you is that the registry you’ve merged the huge .reg file with (it must have taken hours!) is now in an unpredictable state, and your system is hence likely to be unstable in ways which will give no indication they’re due to that dodgy merging, and might well plague you intermittently until the year 2023, if the system doesn’t fail completely first (as Mr Murphy might say, at the worst possible time).

      Some self-appointed ‘experts’ actually have webpages up suggesting the export/merge method of registry ‘backup’. They are just plain wrong.

      And Windows itself, from about Windows 7, contains so many files, system files and inbuilt checks and protections that there’s no guarantee that even restoring the complete registry at all will fix a serious problem.

      Why risk years of potential trouble now that you’ve compromised your system? I’m guessing that since Windows 8 is pretty new, you don’t have a huge number of programs installed, so you could fix both your problems by properly backing up your system, then formatting the drive and reinstalling Windows 8.

      Unless you have a uberfast broadband with a massive data allowance for online backups, partition backup to one (more if you have them) external hard disk drives (around $100 each). Use two different partition programs if you can in case one is buggy (it’s been known to happen). Record all software serial numbers (including Win8), gather all needed program installers (including Windows 8), back up the broken system (as described above), install Win8 (if it came preinstalled, the computer’s manufacturer has probably provided another source such as a hidden partition), then update the partition’s data by extracting files and folders from the ‘broken system’ backup, then reinstall any programs & patches you installed since the ‘working system’ backup.

      For future use, if you must do registry-only backups, then good old trusty ERUNT (as recommended some time ago by Windows Secrets editors) still runs on Windows 7, so would probably run on Windows 8, and can be configured to do a registry backup at every system start. Carefully read everything about it at the website before using, including the FAQ. If you tell ERUNT to restore a registry it has backed-up, it does so by telling Windows to replace every registry file before Windows actually starts, thereby getting round the ‘in use’ problem. It is not a replacement for partition backups. Good luck!

      Asus N53SM & N53SN 64-bit laptops (Win7 Pro & Win10 Pro 64-bit multiboots), venerable HP Pavilion t760 32-bit desktop (XP & Win7 Pro multiboot), Oracle VirtualBox VM's: XP & Win7 32-bit, XP Mode, aged Samsung Galaxy S4, Samsung Galaxy Tab A 2019s (8" & 10.1"), Blu-ray burners, digital cameras, ext. HDDs (latest 5TB!), AnyDVD, Easeus ToDo Backup Home, Waterfox, more. Me: Aussie card-carrying Windows geek.

    • #1395986

      FWIW, “merge” means merge into the registry. It was never meant to replace the entire registry.

      That being said, if one exports a particular key, edits that key and saves it as a .reg file, then imports/merges that .reg file, it does indeed replace the existing key of the same name in the registry, as long as that key is not ‘live’. I’ve done this countless times.

      It is also a simple matter to create an entirely new registry key, save it as a .reg file, and import/merge that new key into the registry. I’ve done this, as well.

      “Import” from within regedit and “Merge” from outside regedit do exactly the same thing to the registry. Double-clicking a .reg file or right-clicking and selecting Merge invokes a popup dialog box with the title “Registry Editor” and the following warning:

      “Adding information can unintentionally change or delete values and cause components to stop working correctly. If you do not trust the source of this information in [path\filename.reg] do not add it to the registry.

      Are you sure you want to continue?”

      (I’d like to have a nickel for every time I’ve seen that one)

      Also, I never backup the registry, preferring drive images to preserve everything.


      • #1396044

        …if one exports a particular key, edits that key and saves it as a .reg file, then imports/merges that .reg file, it does indeed replace the existing key of the same name in the registry, as long as that key is not ‘live’.

        bbearren, it doesn’t replace the original key, unless all old subkeys are included in the regmerge file, and all old Values are specifically addressed too. Putting it another way: Original subkeys under the original key which aren’t specifically mentioned in the replacement regmergefile (the .reg file) are not replaced, nor are they removed. Ditto for Values.

        You can verify this for yourself using the reg merge files in the attached zipfile. Merge or import (as you said, they have the same result) TestReg1.reg. Have a look at the key names and values in Regedit or your favorite registry editor, just under HKEY_CURRENT_USER. Now merge or import TestReg2.reg, and checkout the result (I did this just now in Windows 7). So what I said above stands.

        CleanupTheTest.reg will clean up the test keys created with the above merge files. Its contents suggest a way that regmergefiles can be used to fully replace a registry key. e.g.

        REGEDIT4

        [-HKEY_CURRENT_USER\!TEST MAINKEY]
        [HKEY_CURRENT_USER\!TEST MAINKEY]
        (stuff under MAINKEY)

        One must be very careful in doing the edit to create the above sort of regmergefile, as if the wrong key appears after the ‘-‘, maybe even if a space is accidentally added, enough of the registry at worst could be wiped out by the regmerge to make the system inoperable.

        John (jarome): I suggested ERUNT if you want to do registry-only backups in future. I see that it doesn’t work under Windows 8 without some tweaks, see here and here.

        Asus N53SM & N53SN 64-bit laptops (Win7 Pro & Win10 Pro 64-bit multiboots), venerable HP Pavilion t760 32-bit desktop (XP & Win7 Pro multiboot), Oracle VirtualBox VM's: XP & Win7 32-bit, XP Mode, aged Samsung Galaxy S4, Samsung Galaxy Tab A 2019s (8" & 10.1"), Blu-ray burners, digital cameras, ext. HDDs (latest 5TB!), AnyDVD, Easeus ToDo Backup Home, Waterfox, more. Me: Aussie card-carrying Windows geek.
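The merge behaviour described in the post above, as an added example that is not part of the original post or its attached zipfile: a small Python model of a .reg import that shows a plain merge leaving unmentioned values and subkeys in place, while the `[-key]` line followed by `[key]` replaces the key outright. The sample files, value names and the `deletions_outside` check are constructed for illustration, and the "registry" is an in-memory dictionary, not the real one.

```python
import copy
import re

MAIN = r"HKEY_CURRENT_USER\!TEST MAINKEY"

# Constructed sample files (value and subkey names are made up for this example).
REG_INITIAL = r'''REGEDIT4

[HKEY_CURRENT_USER\!TEST MAINKEY]
"Keep"="old"
"Change"="old"

[HKEY_CURRENT_USER\!TEST MAINKEY\OldSub]
"Data"="old"
'''

REG_EDITED = r'''REGEDIT4

[HKEY_CURRENT_USER\!TEST MAINKEY]
"Change"="new"

[HKEY_CURRENT_USER\!TEST MAINKEY\NewSub]
"Data"="new"
'''

# Same edit, but with the delete-then-recreate header pair shown in the post.
REG_REPLACE = REG_EDITED.replace(
    "[" + MAIN + "]", "[-" + MAIN + "]\n[" + MAIN + "]", 1)

# The mistake the post warns about: the path after '-' was cut short.
REG_TYPO = REG_REPLACE.replace("[-" + MAIN + "]", "[-HKEY_CURRENT_USER]")

HEADER = re.compile(r'^\[(-?)(.+)\]$')
VALUE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def parse_reg(text):
    """Turn .reg text into a list of operations.

    Handles key headers, [-key] deletions, "name"=data and "name"=- lines.
    Multi-line hex data (trailing backslash) is not handled in this sketch.
    """
    ops, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(';') or line.startswith('REGEDIT')
                or line.startswith('Windows Registry Editor')):
            continue
        m = HEADER.match(line)
        if m:
            minus, path = m.groups()
            ops.append(('delete_key' if minus else 'open_key', path))
            current = None if minus else path
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else m.group(1)[1:-1]
            if m.group(2) == '-':
                ops.append(('delete_value', current, name))
            else:
                ops.append(('set', current, name, m.group(2)))
    return ops


def apply_ops(registry, ops):
    """Apply operations to a {key path: {value name: data}} model.

    Keys are matched by exact spelling here; the real registry ignores case.
    """
    for op in ops:
        if op[0] == 'delete_key':
            doomed = [k for k in registry
                      if k == op[1] or k.startswith(op[1] + '\\')]
            for k in doomed:
                del registry[k]
        elif op[0] == 'open_key':
            registry.setdefault(op[1], {})
        elif op[0] == 'set':
            registry.setdefault(op[1], {})[op[2]] = op[3]
        elif op[0] == 'delete_value':
            registry.get(op[1], {}).pop(op[2], None)
    return registry


def deletions_outside(ops, intended):
    """List every [-key] target that is not the intended key or beneath it."""
    base = intended.lower()
    return [op[1] for op in ops if op[0] == 'delete_key'
            and not (op[1].lower() == base
                     or op[1].lower().startswith(base + '\\'))]


def demo():
    """Return the model after a plain merge and after a delete-then-merge."""
    start = apply_ops({}, parse_reg(REG_INITIAL))
    merged = apply_ops(copy.deepcopy(start), parse_reg(REG_EDITED))
    replaced = apply_ops(copy.deepcopy(start), parse_reg(REG_REPLACE))
    return merged, replaced


if __name__ == "__main__":
    merged, replaced = demo()
    print("after merge:  ", sorted(merged), merged[MAIN])
    print("after replace:", sorted(replaced), replaced[MAIN])
    print("unexpected deletions:", deletions_outside(parse_reg(REG_TYPO), MAIN))
```

Running `deletions_outside` on a hand-edited file before merging it is a cheap way to catch a mistyped path after the `-`.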

        • #1396068

          bbearren, it doesn’t replace the original key, unless all old subkeys are included in the regmerge file, and all old Values are specifically addressed too. Putting it another way: Original subkeys under the original key which aren’t specifically mentioned in the replacement regmergefile (the .reg file) are not replaced, nor are they removed. Ditto for Values.

          You appear to be missing the point. As I stated,

          That being said, if one exports a particular key, edits that key and saves it as a .reg file, then imports/merges that .reg file, it does indeed replace the existing key of the same name in the registry, as long as that key is not ‘live’. I’ve done this countless times.

          By “edit”, I mean

          “1. to supervise or direct the preparation of (a newspaper, magazine, book, etc.); serve as editor of; direct the editorial policies of.

          2. to collect, prepare, and arrange (materials) for publication.

          3. to revise or correct, as a manuscript.

          4. to expunge; eliminate (often followed by out): The author has edited out all references to his own family.

          5. to add (usually followed by in).” (– from Dictionary.com).

          The registry is a database consisting of binary files. Regedit aggregates and translates those binary files into a text file to make editing simpler and easier; Reg – istry Edit – or. If I export a particular registry key, make changes to the content of that key and/or any or all of its subkeys, and then import/merge that key back into the registry, the entire key is replaced by my edited key. Whether or not I have left some or many parts of my edited key untouched and in their original state is irrelevant to the simple fact that my edited key replaces entirely the key of the same name in the registry.

          Overwriting a value/string with an identical value/string does not negate the fact that it has been overwritten, and that is what happens with import/merge. In effect, it is not any different from making a copy of a Word file from Documents, editing that copy of the Word file, and then choosing “Save as” and saving the file with its original name back into Documents. One will be warned that a file of the same name already exists. Proceeding with the “Save as” replaces the original file in its entirety, whether or not parts of the replacing file are identical is of no consequence to the fact that the entire original file has been replaced. The fact that registry files can be edited using Notepad should in itself be some indication of what is actually taking place. An exported .reg file is nothing more than a plain text file with the extension changed from .txt to .reg.

          You can verify this for yourself

          Over the years I have edited literally tens of thousands of registry keys, mostly in part, some in every way but name, and I can assure you that I have already verified that what I’m telling you is in fact what is going on in the registry with import/merge.

          — edit — Lest this be misconstrued, if I wish to delete a particular registry key, I simply delete it from within regedit. There is no need to go through export/import just to delete a key. — /edit —

          And I personally see little if anything to be gained by backing up the entire registry (Windows does this routinely on every shutdown/boot). A system drive image will not only preserve the registry but also everything to which the registry relates; a far more prudent and valuable use of one’s time. The registry is not static; if one wishes to freeze a moment in time, best to freeze all relevant parts as well.

          For the last several years I’ve been doing my registry editing manually within regedit, and simply relying on my most recent drive image if I should by chance pooch the registry. I am by no means recommending this to anyone, but I am quite comfortable with this procedure.


          • #1396094

            Thanks to all who have contributed valuable information. I am now a bit overwhelmed and think it best I leave the registry alone at this point while it seems to be working fine except for the missing WD Service. I might do more harm than good due to not having the vast experience demonstrated by all you experts/gurus. What started all this was trying to fix Windows Defender (Windows 8) which is broke due to missing Windows Defender Service. I think the easiest solution is to leave WD disabled and use another AV program such as the free AVG which has a good reputation. I tried ERUNT as a registry backup but as noted, it does not work in Windows 8. I am now using Tweaking.com-Registry Backup 1.6.0, which someone suggested, to backup the registry on first daily boot, which uses the Windows ShadowCopy method. But this may not even be necessary if Windows does its own registry backup on shutdown/reboot. I do regular image backups which have saved my rear end in the past and is probably all that is needed.

            I appreciate all the suggestions. They are always welcome.

            jerome/John

            • #1396168

              this may not even be necessary if Windows does its own registry backup on shutdown/reboot.

              It might be wise to verify with bbearren that Win 8 (as distinct from previous versions of Windows) indeed does this on ‘shutdown’ (edit: by which I mean the normal shutdown-then-reboot sequence), since by default ‘shutdown’ in Win 8 doesn’t do what shutdown did in previous Windows versions.

            • #1396208

              It might be wise to verify with bbearren that Win 8 (as distinct from previous versions of Windows) indeed does this on ‘shutdown’ (edit: by which I mean the normal shutdown-then-reboot sequence), since by default ‘shutdown’ in Win 8 doesn’t do what shutdown did in previous Windows versions.

              From Wikipedia: “Windows versions since Windows NT (i.e. all current versions of Windows) use transaction logs to protect against corruption during updates. Current versions of Windows use two levels of log files to ensure integrity even in the case of power failure or similar catastrophic events during database updates.[43] Even in the case of a non-recoverable error, Windows can repair or re-initialize damaged registry entries during system boot.”

              The citation [43] references “Ionescu, Mark Russinovich, David A. Solomon, Alex. “Registry Internals”. Windows internals (6th ed.) Redmond, Wash.:Microsoft Press. ISBN 978-0-7356-4873-9.

              And a reminder, the registry hives (and the two levels of log files) are constantly being updated while Windows is running. A simple way to verify this is to reboot, then launch File Explorer and navigate to Windows\System32\config. For the hive files, in the “Date modified” column today’s date will be displayed and the time will be the time that Windows was shut down. That is when the updates are finalized for that last session and written to disk.


              • This reply was modified 4 years, 11 months ago by bbearren.
            • #1396264

              What you originally stated (and I questioned in the specific case of Win 8) was that

              I personally see little if anything to be gained by backing up the entire registry (Windows does this routinely on every shutdown/boot)

              Observing that disk writes to the Registry are transactionally protected is not at all the same thing as stating that a backup of the Registry is being performed at certain times, and would not have helped the OP’s problem (which clearly occurred DESPITE the existence of such low-level transactional update protection: he wanted the ability to revert to an undamaged backup copy of the Registry).

            • #1396270

              Quite often when I shut down the computer (but not always), I get the following message “Operations are in progress. Please wait. Do not turn off your computer”. After a few seconds it shuts down normally. I have often wondered what these “operations” are. Is this by chance the registry backup on shutdown that we are discussing?

              John

            • #1396272

              Windows by default does disk write caching, which is to say that disk writes are cached in memory until some slack time in disk use is available. This is done to avoid awkward pauses when the computer might seem hesitant or unresponsive momentarily, and usually goes completely unnoticed. When the slack time doesn’t become available, and there are some disk writes still cached at shutdown, Windows will take care of those disk writes before shutting down; hence the warning not to turn off your computer.

              It could be any kind of disk writes, and transactional logs for the registry hives could very well be part of it.

              This is not a “backup” as such that a user can invoke, but it is a way for Windows to reconstruct the registry in the event of something significant going wrong at an inopportune time. On startup, Windows only loads parts of the registry at first, mainly having to do with hardware and getting Windows loaded. As more of Windows loads, more of the registry is also loaded into memory. If at some point Windows finds errors in the registry, it looks to the transactional logs for guidance on how to repair the errors.

              If on occasion you have what seems to be a long boot up, the possibility exists that Windows might be doing some housecleaning in the registry. The registry and Windows use of it is quite robust, naysayers notwithstanding.


            • #1396274

              What you originally stated (and I questioned in the specific case of Win 8) was that

              Observing that disk writes to the Registry are transactionally protected is not at all the same thing as stating that a backup of the Registry is being performed at certain times

              From post #39:

              And I personally see little if anything to be gained by backing up the entire registry (Windows does this routinely on every shutdown/boot).

              Windows can reconstruct the registry on boot up if need be, utilizing what is known good of the registry together with the transactional logs to reconstruct the last transactions done in the registry. I did not explain myself as succinctly as I should have, but I still see little if anything to be gained by backing up the entire registry when Windows itself uses multiple layers of protection for the registry. It’s being taken care of. The vast majority of registry problems are caused not by Windows, but by the use of so-called “Registry Cleaners”.

              and would not have helped the OP’s problem (which clearly occurred DESPITE the existence of such low-level transactional update protection: he wanted the ability to revert to an undamaged backup copy of the Registry).

              I did address the OP’s problem.

              From post #15:

              What is the problem with Windows Defender?

              From post #20:

              Windows Defender is broke and will not run. The problem has been traced to a missing Windows Defender Service.

              From post #36:

              — edit —I should have done this at the beginning!

              I decided to see if I could replicate your effort (I keep current with my drive images so I can be rather fearless) and I did. I got an error message that looked like this.

              “Cannot import [path]WinDefend.reg: Not all data was successfully written to the registry. Some keys are open by the system or other processes, or you have insufficient privileges to perform this operation.”

              Look familiar? While one can edit a ‘live’ key using regedit, one cannot replace it while it is ‘live’. As far as regedit is concerned, your Windows Defender is running and that key is open.

              The only way you will be able to replace your existing key is to edit it manually, or when Windows is offline. I dual boot, and I can use regedit to import a hive from the Windows I am not currently running, edit that hive, then export it back to its source. In your case, this can be done by booting to your installation DVD, opening regedit from a Command Prompt, and importing the SYSTEM hive. But don’t try this unless you know how.

              “The problem has been traced to a missing Windows Defender Service.” Replacing the registry key may not have been the panacea. Other factors could have been involved as well. But I did in fact address the method required for what he wanted to do.


            • #1396289

              I don’t think you understood the post to which you responded. That post did not claim that you had failed to address the OP’s problem, simply that you had stated (rather unequivocally) that Windows backed up the Registry during a shutdown/reboot sequence (which the OP then gave as a reason he might not need to worry about backing it up himself) and that your subsequent observations about transactional protection and startup repair operations had absolutely nothing to do with any backup operation and hence were not relevant to the post you were responding to nor to the OP’s interpretation of your post which claimed that a Registry backup operation occurred at that time.

              So, in fewer words:

              Do you still maintain that Windows creates a backup of the Registry during a shutdown/reboot sequence (and in particular during the funny hibernation interpretation of shutdown/reboot that Win 8 performs by default)? Are you still laboring under the apparent misconception that transactional updates and repair operations somehow qualify as backups? I only ask because if there’s something in this area that *I’m* not understanding correctly I’d like to understand it better.

            • #1396302

              Do you still maintain that Windows creates a backup of the Registry during a shutdown/reboot sequence (and in particular during the funny hibernation interpretation of shutdown/reboot that Win 8 performs by default)?

              Indeed. I further clarified this for the OP, as well. From post #45:

              This is not a “backup” as such that a user can invoke, but it is a way for Windows to reconstruct the registry in the event of something significant going wrong at an inopportune time. On startup, Windows only loads parts of the registry at first, mainly having to do with hardware and getting Windows loaded. As more of Windows loads, more of the registry is also loaded into memory. If at some point Windows finds errors in the registry, it looks to the transactional logs for guidance on how to repair the errors.

              Are you still laboring under the apparent misconception that transactional updates and repair operations somehow qualify as backups?

              No labor involved. As for whether or not such is a misconception, I defer to the much more extensive knowledge and far greater experience of Russinovich et al.

              From Wikipedia: “Windows versions since Windows NT (i.e. all current versions of Windows) use transaction logs to protect against corruption during updates. Current versions of Windows use two levels of log files to ensure integrity even in the case of power failure or similar catastrophic events during database updates.[43] Even in the case of a non-recoverable error, Windows can repair or re-initialize damaged registry entries during system boot.”

              The citation [43] references “Ionescu, Mark Russinovich, David A. Solomon, Alex. “Registry Internals”. Windows internals (6th ed.) Redmond, Wash.:Microsoft Press. ISBN 978-0-7356-4873-9.

              I only ask because if there’s something in this area that *I’m* not understanding correctly I’d like to understand it better.

              Might I suggest buying the cited book and giving it a good read.

              I would also like to point out that the OP’s problem was not resolved, as he opted for a different AV solution in lieu of pursuing to conclusion the issue of a broken Windows Defender, and we do not have any clarification as to the extent of the actual problem nor what its solution would have involved.

              On the other hand, if it is your preference to make daily full backups of the registry, by all means, do so. I will continue to defer to Windows built-in defenses against registry corruption and follow my drive imaging regimen.


            • #1396314

              I opted for the AV solution because I thought we were more or less at the end of the road on the registry repair solution and I didn’t want to screw things up further. I am willing to continue efforts to find a solution if that is at all possible. If someone could take a look at a good registry key for the Windows Defender Service and then edit the broken key to match the good one, I am all for it. Editing the registry is a little beyond my capability and I am sure I would mess it up. I looked at the good and bad keys in notepad and was at a loss on how to proceed. I have certainly learned a lot from these posts. The knowledge gained is invaluable. Thanks…

              John

            • #1396452

              Indeed.

              ‘Indeed’ you DO maintain that Windows creates a backup of the Registry during a shutdown/reboot sequence? See below…

              I further clarified this for the OP, as well.

              That ‘clarification’ said nothing about any kind of backup: it related solely to the transactional logging mechanisms used to ensure low-level Registry update integrity against things like sudden power losses plus some checks and possible repair activity on restart (again, I’ll ask whether you’re sure that these latter also occur when Win 8 is awakened from its default hibernation pseudo-shutdown as distinct from a real boot-up).

              As for whether or not such is a misconception, I defer to the much more extensive knowledge and far greater experience of Russinovich et al.

              The material you quoted also says nothing relating to ‘backup’. It increasingly appears that you don’t understand that such mechanisms have NOTHING to do with any kind of ‘backup’, user-invokable or otherwise: a ‘backup’ is a point-in-time copy of some complete data structure which can be subsequently used if necessary to replace (not ‘repair’) a corrupted copy of that data structure, whereas transactional logging typically logs individual disk updates (or in the case of the second level of logging that Russinovich refers to brief related sequences of them – e.g., tying data updates in the Registry to any modifications they caused to its indexed accessing structure) BEFORE they are applied to the database in question such that if something (like a power failure) prevents that individual operation from completing its database updates they can be re-applied on restart to keep the database internally consistent and up to date.

              Might I suggest buying the cited book and giving it a good read.

              I might do that if you actually manage to present a quote from it that supports your apparent position in a way that suggests that my own understanding could use improvement. As it is, having designed and written transactional log managers myself for file/object storage systems I’m relatively confident in my ability to comment upon their operation competently.

              I will continue to defer to Windows built-in defenses against registry corruption and follow my drive imaging regimen.

              That’s certainly a reasonable approach to take if you’re not frequently engaged in repetitive activities where simple Registry backups would provide adequate but far lighter-weight protection. What a real backup does that the Registry corruption defenses you’ve described do NOT do is provide a recourse against Registry corruption at a higher level – e.g., by bugs in the Registry’s own management mechanisms or in those of the applications which explicitly modify it – short of reverting your entire system to an earlier state. Given that the defense mechanisms you described apparently did not suffice to protect jarome’s Registry against corruption, a real backup would have not only given him the ability to try a simple Registry restore but also would have provided the actual Windows Defender keys from that particular system (in case keys imported from another system might have system-specific differences).

            • #1396521

              bbearren…

              Trying to follow your steps step by step: “Expand TEST, and you will see ControlSet001 and ControlSet002” ControlSet002 is not there, only ControlSet001.
              “Expand ControlSet001, highlight WinDefend, click File, then Import.” WinDefend is not listed.

              Should I just skip these 2 steps? Will wait to hear from you before next step.

              J.

            • #1396558

              bbearren…

              Trying to follow your steps step by step: “Expand TEST, and you will see ControlSet001 and ControlSet002” ControlSet002 is not there, only ControlSet001.
              “Expand ControlSet001, highlight WinDefend, click File, then Import.” WinDefend is not listed.

              Should I just skip these 2 steps? Will wait to hear from you before next step.

              J.

              I’m assuming that you were able to navigate to your Windows 8 drive and to Windows\System32\config and loaded SYSTEM. If WinDefend is not at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services, you can create an empty Key to replace with your known good WinDefend Key.

              In the expanded TEST\ControlSet001, right-click on the Key “Services”. Select “New”, then “Key”. At the bottom of the expanded Services tree will appear, highlighted and ready to rename, “New Key #1”. Rename it WinDefend, and hit Enter.

              Next, right-click your new WinDefend Key and select Permissions. Highlight SYSTEM in the “Group or user names” listing, and put a check in the box for Full Control, and click OK.

              Now, with your new WinDefend Key highlighted, click File, then Import. Navigate to the location of your known good WinDefend key. Select it, and click Open. You will get an info dialog box saying the file has been successfully merged.

              After you have imported the known good key, collapse the tree back to TEST, and make sure TEST is highlighted. Click File, then Unload Hive. You’ll be asked if you are sure you want to unload the current key and all of its subkeys. Click Yes.

              The TEST Key will disappear from the expanded HKEY_LOCAL_MACHINE. That means that the changes you have made have been successfully written into the hive. Close regedit and reboot, and check regedit from within Windows. Your known good WinDefend key should now be in its proper place.

              And again, bear in mind that this might not be all that is necessary to repair Windows Defender.


            • #1396746

              I’m assuming that you were able to navigate to your Windows 8 drive and to Windows\System32\config and loaded SYSTEM. If WinDefend is not at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services, you can create an empty Key to replace with your known good WinDefend Key.

              In the expanded TEST\ControlSet001, right-click on the Key “Services”. Select “New”, then “Key”. At the bottom of the expanded Services tree will appear, highlighted and ready to rename, “New Key #1”. Rename it WinDefend, and hit Enter.

              Next, right-click your new WinDefend Key and select Permissions. Highlight SYSTEM in the “Group or user names” listing, and put a check in the box for Full Control, and click OK.

              Now, with your new WinDefend Key highlighted, click File, then Import. Navigate to the location of your known good WinDefend key. Select it, and click Open. You will get an info dialog box saying the file has been successfully merged.

              After you have imported the known good key, collapse the tree back to TEST, and make sure TEST is highlighted. Click File, then Unload Hive. You’ll be asked if you are sure you want to unload the current key and all of its subkeys. Click Yes.

              The TEST Key will disappear from the expanded HKEY_LOCAL_MACHINE. That means that the changes you have made have been successfully written into the hive. Close regedit and reboot, and check regedit from within Windows. Your known good WinDefend key should now be in its proper place.

              And again, bear in mind that this might not be all that is necessary to repair Windows Defender.

              Everything went OK until I rebooted into Windows, then it went back to the original bad key and WD was still broke, as if the edited registry was NOT being saved. If I boot into the Recovery Environment, under ControlSet/Services “Wd” and “Wdf1000” are there but NOT “WinDefend” which should be there after the edit. Never saw “ControlSet002”, only “ControlSet001”.

              I think we are getting there but still not quite there yet. “Perseverance is a virtue”

              J.

            • #1396852

              Everything went OK until I rebooted into Windows, then it went back to the original bad key and WD was still broke, as if the edited registry was NOT being saved.

              How about downloading the free version of Malwarebytes and running a full scan. I ran this procedure with a test key on my desktop before my last post to you and it worked fine. Perhaps there’s something else going on with your machine.


            • #1396864

              How about downloading the free version of Malwarebytes and running a full scan. I ran this procedure with a test key on my desktop before my last post to you and it worked fine. Perhaps there’s something else going on with your machine.

              Ran FULL Malwarebytes scan. Nothing found. After editing the registry from the Rescue Environment per your instructions, everything looks good and the changes are there. Then after rebooting back into the Rescue Environment, all the changes are gone and the registry looks the same as it did before the editing. I made sure the hive was unloaded which should have saved the editing but apparently the changes are not being saved. Your instructions seemed to work except WinDefend key was missing and had to be created and ControlSet002 was not there so the replacement key could not be imported there, but was imported OK to ControlSet001. Don’t know if that was important or not. If we could just make regedit save the changes to the registry, I think we would have it made. Thanks for your continued support.

              J.

    • #1396347

      Hi John,

      In a previous post, you said:

      Windows Defender is broke and will not run. The problem has been traced to a missing Windows Defender Service.

      Have you looked in Services to see if it is actually missing? Also, is your Windows 8 an upgrade, or did you acquire it with the purchase of a new PC?


    • #1396348

      Yes, it is not there, missing altogether. I also checked another machine that is working normally and the Windows Defender Service is there. I upgraded to Windows 8 from Windows 7. Downloaded Win 8 from the Microsoft upgrade site when they had Win 8 on sale right after its release last October. I have no idea when WD got broken. My oldest image is about 2 months old. I loaded it and WD was broken so it happened sometime prior to that. I have considered a REFRESH or reinstall of Win 8 but discounted it as I would lose all my apps and I am not sure if I can find them. Also that would be quite an undertaking. I had rather try to fix WD or find another solution such as not using WD at all.

    • #1396354

      As far as Refresh, “The apps that came with your PC or you installed from Windows Store will be reinstalled, but any apps you installed from other websites and DVDs will be removed. Windows puts a list of the removed apps on your desktop after refreshing your PC.”

      Have you checked the Program Files folder to see if all the requisite parts are in the Windows Defender folder? The executable for the Windows Defender Service is Program Files\Windows Defender\MsMpEng.exe.

      There is no standalone package to install the version of Windows Defender that is part of Windows 8. There is a standalone package for Microsoft Security Essentials, but it would most likely balk at installing in Windows 8.

      Also, it is possible to import a known good WinDefend registry key, but you would have to do it offline.


      • #1396419

        Well, I thought I was making some headway with this stubborn problem but not quite there yet. I WAS able to import a known good WinDefend registry key by going offline as you suggested. I booted from the Win 8 Rescue Disk and used the cmd prompt to run regedit and import the key successfully. I closed and reopened regedit and all was fine. The new key looked good and matched a known good key perfectly. I then rebooted and to my dismay, the old key was back as it was before. Seems like when you use regedit to edit the registry in the Recovery Environment it does not save the edited registry and goes back to the old registry on reboot back into Windows. So, how do I save the edited registry?

    • #1396421

      The way it works offline is a bit different. You must load a hive, edit the hive, then unload the hive. That saves the editing.

      ********** CAUTION **********

      ##### this procedure is for the OP only, specifically for the OP’s circumstance. It is not intended for general use. #####

      Print these instructions so you can have them for reference. Take your time. Follow the steps as I have them written, and this will work fine.

      From the Recovery Environment, open regedit. Highlight HKEY_LOCAL_MACHINE, then click File, and select Load Hive. Next you will need to navigate to and select the hive (database file) that you need to edit, which in your case is Windows\System32\config\SYSTEM (there is no filename extension, just SYSTEM). The drive letter where Windows is located may not necessarily be C:, as the Recovery Environment assigns drive letters differently. You will need to navigate to the correct drive letter.

      Once you select the correct hive, SYSTEM, and click Open, a text box will pop up asking for a Key Name. Use a name such as TEST, and click OK.

      Next, in Regedit, expand HKEY_LOCAL_MACHINE and you will see your new Key named TEST (if that’s the name you used) at the bottom of the tree. Expand TEST, and you will see ControlSet001 and ControlSet002. You will want to import your known good WinDefend key into both of these, one at a time.

      Expand ControlSet001, highlight WinDefend, click File, then Import. Navigate to the location of your known good WinDefend key. Select it, and click Open. You will get an info dialog box saying the file has been successfully merged.

      Repeat that procedure with ControlSet002.

      After you have imported the known good key into both ControlSet001 and ControlSet002, collapse the tree back to TEST, and make sure TEST is highlighted. Click File, then Unload Hive. You’ll be asked if you are sure you want to unload the current key and all of its subkeys. Click Yes.

      The TEST Key will disappear from the expanded HKEY_LOCAL_MACHINE. That means that the changes you have made have been successfully written into the hive. Close regedit and reboot, and check regedit from within Windows. Your known good WinDefend key should now be in its proper place.

      Bear in mind that this might not be all that is necessary to repair Windows Defender.

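      Added example (not part of the thread, and not any poster's code): a .reg export stores absolute key paths, and regedit's File > Import writes to the paths named in the file regardless of which key is highlighted, so an unmodified export of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend imported in the Recovery Environment lands in the Recovery Environment's own SYSTEM key rather than in the hive loaded as TEST. The Python below rewrites the section headers of such an export so they point at the loaded hive; the function names and the sample .reg text are constructed for illustration, while the mount name TEST and the ControlSet001/ControlSet002 targets come from the steps above.

```python
import re

# A .reg section header: [HKEY_...\key] or the deletion form [-HKEY_...\key].
HEADER = re.compile(r"^\[(-?)(HKEY_.+)\]\s*$")
LIVE_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM"
CONTROL_SET = re.compile(r"^(CurrentControlSet|ControlSet\d{3})$", re.IGNORECASE)

# Constructed sample of a regedit export; the values are placeholders.
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend]\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend]\r\n"
    "\"Start\"=dword:00000002\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend\\Security]\r\n"
    "\"Security\"=hex:01,00,14,80\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend\\TriggerInfo]\r\n"
)


def retarget_key(key, mount="TEST", control_set="ControlSet001"):
    """Map a live SYSTEM-hive key path onto the hive loaded as HKLM\\<mount>.

    Returns None when the key is outside HKEY_LOCAL_MACHINE\\SYSTEM, since it
    then belongs to a different hive file and cannot be redirected here.
    """
    upper = key.upper()
    if upper != LIVE_ROOT and not upper.startswith(LIVE_ROOT + "\\"):
        return None
    rest = key[len(LIVE_ROOT):].lstrip("\\")
    parts = rest.split("\\") if rest else []
    # CurrentControlSet is a link that exists only in a running system; an
    # offline hive holds numbered sets, so the wanted one is named explicitly.
    if parts and CONTROL_SET.match(parts[0]):
        parts[0] = control_set
    return "\\".join(["HKEY_LOCAL_MACHINE", mount] + parts)


def retarget_reg_text(text, mount="TEST", control_set="ControlSet001"):
    """Rewrite every section header in .reg text; value lines are untouched."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            new_key = retarget_key(m.group(2), mount, control_set)
            if new_key is None:
                # Refuse rather than emit a file that still writes elsewhere.
                raise ValueError("key is not in the SYSTEM hive: " + m.group(2))
            line = "[" + m.group(1) + new_key + "]"
        out.append(line)
    return "\r\n".join(out) + "\r\n"


def retarget_reg_file(src, dst, mount="TEST", control_set="ControlSet001"):
    """Read a regedit export (UTF-16 with BOM) and write the retargeted copy."""
    with open(src, encoding="utf-16", newline="") as f:
        text = f.read()
    # Version 5.00 .reg files are UTF-16LE with a byte-order mark.
    with open(dst, "w", encoding="utf-16-le", newline="") as f:
        f.write("\ufeff" + retarget_reg_text(text, mount, control_set))


if __name__ == "__main__":
    for cs in ("ControlSet001", "ControlSet002"):
        print(retarget_reg_text(SAMPLE, control_set=cs))
```

      The rewritten file is imported while the hive is still loaded, once per control set, and the hive is unloaded afterwards.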

    • #1396565

      ‘Indeed’ you DO maintain that Windows creates a backup of the Registry during a shutdown/reboot sequence?

      That ‘clarification’ said nothing about any kind of backup:

      But it did.

      This is not a “backup” as such that a user can invoke, but it is a way for Windows to reconstruct the registry in the event of something significant going wrong at an inopportune time.

      I would think “This is not a “backup” as such” should be clear.

      Allow me to clarify the clarification. I much prefer definitions from the dictionary. From Dictionary.com: “backup

      5. Computers.
      a. a copy or duplicate version, especially of a file, program, or entire computer system, retained for use in the event that the original is in some way rendered unusable.

      b. a procedure to follow in such an event.”

      “A procedure to follow” can be encoded in and initiated by software, as it is in Windows’ use and care of the registry.

      Whether or not you choose to read the book is entirely up to you.

      Also bear in mind that at this juncture, we do not know the cause for the OP’s corrupted WinDefend Key, but I am trying to help him with it, with the caveat that restoring the key with his copy from a working PC may not be all that is necessary to repair Windows Defender.


      • #1396689

        But it did.
        I would think “This is not a “backup” as such” should be clear.

        It might have been clear (and would have been true) had you said “This is not a “backup”” without further qualification. “This is not a “backup” as such” is decidedly more squirrely, suggesting that it might still reasonably be CONSIDERED a kind of backup (which would be incorrect). And the full statement you made (“This is not a “backup” as such that a user can invoke”) muddies things even further, leaving wide-open the interpretation that it MIGHT be ‘a backup as such’, just not the kind that a user could invoke.

        Allow me to clarify the clarification. I much prefer definitions from the dictionary.

        When it comes to technical definitions I prefer something considerably more technically credible than the average dictionary is. But of course even good technical definitions can leave room for misinterpretation, as your dictionary’s seems to have.

        From Dictionary.com: “backup

        5. Computers.
        a. a copy or duplicate version, especially of a file, program, or entire computer system, retained for use in the event that the original is in some way rendered unusable.

        b. a procedure to follow in such an event.”

        “A procedure to follow” can be encoded in and initiated by software, as it is in Windows’ use and care of the registry.

        You seem to suggest that this definition states that ANY procedure followed when some original becomes unusable qualifies as a ‘backup’. Does that mean, for example, that you consider simply deleting such an unusable original to constitute a ‘backup’ (since that is indeed a procedure to follow in such an event, e.g., to keep the corrupted structure from subsequently being used inappropriately)?

        If your answer is ‘no’, you need to justify your apparent suggestion that something else that still does not include using the copy described earlier in the definition might qualify as a ‘backup’. If your answer is ‘yes’, then you’re just being silly.

        The Registry protection measures which you’ve described do not, in any way, constitute ‘backups’ – period. This is not a matter of opinion, it’s a matter of standard definitions. If you’re not acquainted with such standard definitions, you should probably become so before discussing them further.

        Also bear in mind that at this juncture, we do not know the cause for the OP’s corrupted WinDefend Key

        But we DO know that the protective measures you described for the Registry failed to prevent its corruption. An actual backup created prior to that corruption, by contrast, would have provided an uncorrupted copy to use: possibly an out-of-date copy that would have been unusable as it stood for other reasons, but not a corrupted copy.

        • #1396692

          When it comes to technical definitions I prefer something considerably more technically credible than the average dictionary is.

          Might I suggest buying the cited book and giving it a good read.

          Have a nice day, -bill.


          • #1396716

            Have a nice day, -bill.

            It’s getting off to a decent start, anyway. As for the book you keep suggesting might be educational for me, I’m still waiting for you to present something from it that in any way seems to support your apparent position and/or that I’m not already very familiar with from having designed and implemented the kind of software that the references you have made to it describe.

    • #1396866

      When you boot into the Rescue Environment, are you having to log in to an administrators group account?


      • #1396872

        When you boot into the Rescue Environment, are you having to log in to an administrators group account?

        It does not ask me for a log in.

    • #1396880

      You said in an earlier post that you were booting the Windows 8 Rescue Disc. Do you have a Windows 8 Pro installation DVD or USB stick?

      When I’m doing this, I’m booting the DVD (actually I have the contents of the DVD on a small bootable partition) and I’ve run two tests and they both worked as they should. My TEST1 key and my TEST2 key were in the registry when I booted into Windows and opened regedit.


      • #1396992

        You said in an earlier post that you were booting the Windows 8 Rescue Disc. Do you have a Windows 8 Pro installation DVD or USB stick?

        When I’m doing this, I’m booting the DVD (actually I have the contents of the DVD on a small bootable partition) and I’ve run two tests and they both worked as they should. My TEST1 key and my TEST2 key were in the registry when I booted into Windows and opened regedit.

        Yes, I was booting with the Windows 8 Rescue Disc. I tried booting with the Windows 8 Pro installation DVD but get the same results: The new WinDefend key is imported fine but after a reboot either into the Rescue Environment or Windows 8, the changes to the registry are lost and we are right back to the beginning again.

    • #1396996

      Perhaps we can try this from a different angle. While logged into Windows, open a System Level Command Prompt, then regedit from within that. Navigate to the WinDefend key, right-click on the key and select delete, then OK the warning dialog box. If you are allowed to delete the key, proceed with the following.

      Highlight the Services key, click File, then Import. Navigate to your known good WinDefend key, select it and OK the warning dialog box. If that works, close regedit, and exit the System Level Command Prompt. Reboot, and see what you have.


      • #1397042

        Perhaps we can try this from a different angle. While logged into Windows, open a System Level Command Prompt, then regedit from within that. Navigate to the WinDefend key, right-click on the key and select delete, then OK the warning dialog box. If you are allowed to delete the key, proceed with the following.

        Highlight the Services key, click File, then Import. Navigate to your known good WinDefend key, select it and OK the warning dialog box. If that works, close regedit, and exit the System Level Command Prompt. Reboot, and see what you have.

        Won’t let me delete WinDefend. Gives me the error: “Cannot delete WinDefend: Error while deleting key”. I hope using Command Prompt (Admin) is the same as using a System Level Command Prompt. If not, how do I open a System Level Command Prompt?

    • #1397068

      From post #21 in this thread:

      You might try running regedit from a System Level Command Prompt and importing the .reg file.

      The link will provide instructions for opening a System Level Command Prompt.


    • #1397090

      There’s another AV scan you can try. Windows Defender Offline. You can use CD, DVD or USB. If your PC is connected through Ethernet to a broadband internet connection (WDO doesn’t have drivers for wireless), when you boot to Windows Defender Offline, it will first connect directly to Microsoft to download the latest AV definitions, then run a scan of your choosing. I would suggest a full scan. Be prepared for it to be a bit slow getting started.

      The Offline part of the name refers to your Windows installation being offline; you’re booted into a different environment. WDO will go online for the AV definitions (if you are connected via Ethernet). I’m connected via Ethernet, and I use a CD.


      • #1397179

        There’s another AV scan you can try. Windows Defender Offline. You can use CD, DVD or USB. If your PC is connected through Ethernet to a broadband internet connection (WDO doesn’t have drivers for wireless), when you boot to Windows Defender Offline, it will first connect directly to Microsoft to download the latest AV definitions, then run a scan of your choosing. I would suggest a full scan. Be prepared for it to be a bit slow getting started.

        The Offline part of the name refers to your Windows installation being offline; you’re booted into a different environment. WDO will go online for the AV definitions (if you are connected via Ethernet). I’m connected via Ethernet, and I use a CD.

        I did a FULL scan with the Windows Defender Offline disk and found nothing. I then created a System Level Command Prompt from PSTools per your instructions and when I open regedit and try to delete the WinDefend key, it won’t let me delete it. Get the same error: “Error while deleting key”.

    • #1397182

      Windows Defender has a command line utility. Open a “Run as administrator” Command Prompt, navigate to Program Files\Windows Defender and type

      MpCmdRun.exe -Scan -1

      Note the spaces. That’s a quick scan. See if that runs. The console window will show “Scan starting…” if it is running.


      • #1397193

        Windows Defender has a command line utility. Open a “Run as administrator” Command Prompt, navigate to Program Files\Windows Defender and type

        MpCmdRun.exe -Scan -1

        Note the spaces. That’s a quick scan. See if that runs. The console window will show “Scan starting…” if it is running.

        It failed to run. The error was “Failed with hr=0x800106BA.” The closest we have come so far is using regedit from the Recovery Environment. After the changes are made in regedit, everything looks good. Closing regedit then reopening it – all changes are retained, but closing it then rebooting into Windows 8 causes everything to be lost. The BIG question is: why aren’t the changes saved when rebooting into Windows???

        • #1397201

          The System Level Command Prompt can be invoked from within the Recovery Environment. You could try that, then regedit from within that. Load the SYSTEM hive as before, navigate to the WinDefend key, right-click on the key and select delete, then OK the warning dialog box. You shouldn’t have any trouble deleting the key from the loaded hive.

          Highlight the Services key, click File, then Import. Navigate to your known good WinDefend key, select it and OK the warning dialog box. Highlight your TEST key, then File > Unload hive, close regedit, and exit the System Level Command Prompt. Reboot, and see what you have.


          • #1397231

            I’m not as technically minded as you guys (bbearren and jarome), but aren’t the edited registry keys being overwritten by the last Quick Start “hiberfile” when booting? If I’m wrong, please let me know.

            John

            • #1397232

              I’m not as technically minded as you guys (bbearren and jarome), but aren’t the edited registry keys being overwritten by the last Quick Start “hiberfile” when booting? If I’m wrong, please let me know.

              John

              Thanks for jumping in with your suggestion. I am not sure about the Quick Start function. Maybe bbearren has the answer. If that is true maybe that is the reason the registry edits are overwritten on boot into Windows.

    • #1397244

      In its default behavior, fast startup only occurs after a shutdown, and is not invoked when the system is restarted (as in a restart for Windows Updates, etc.) so that all open files are truly closed.

      However, it surely can’t hurt to rule out fast startup as an interfering factor. If you have disabled hibernation, this option won’t be available, because disabling hibernation also disables fast startup.

      To disable fast start, from an administrators group account go to Control Panel > Power Options. On the left side of that screen, click on “Choose what the power buttons do”. On the next screen, click on “Change settings that are currently unavailable”.

      Next, near the bottom of the screen un-check “Turn on fast startup”, then click the “Save changes” button near the bottom right, and close Control Panel.


      • #1397326

        In its default behavior, fast startup only occurs after a shutdown, and is not invoked when the system is restarted (as in a restart for Windows Updates, etc.) so that all open files are truly closed.

        However, it surely can’t hurt to rule out fast startup as an interfering factor. If you have disabled hibernation, this option won’t be available, because disabling hibernation also disables fast startup.

        To disable fast start, from an administrators group account go to Control Panel > Power Options. On the left side of that screen, click on “Choose what the power buttons do”. On the next screen, click on “Change settings that are currently unavailable”.

        Next, near the bottom of the screen un-check “Turn on fast startup”, then click the “Save changes” button near the bottom right, and close Control Panel.

        I disabled Fast Startup but it made no difference, as anticipated. Also tried invoking the System Level Command Prompt from within the Recovery Environment but that also made no difference. Something is still preventing the registry changes from being saved on reboot. When we find that, we will have the problem licked. When in the RE I can create a new key under Services with nothing in the key, just leaving it blank. When I reboot, that key disappears. It is almost like regedit needs a SAVE command to use when finished editing but there is none that I can find.

    • #1397328

      When you’re booted into the Recovery Environment and open regedit, what is the path you’re using to load the SYSTEM hive?


      • #1397459

        When you’re booted into the Recovery Environment and open regedit, what is the path you’re using to load the SYSTEM hive?

        The path I use to get to the database file (hive) is: C:\Windows\System32\config\SYSTEM. I find 2 System files (no extension). One is a text file so I assume the other one is the database file I want.

    • #1397473

      There’s this.

      That main key has three sub keys.
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\Security]
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\TriggerInfo]
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\TriggerInfo]

      You could try editing your good .reg file into four separate .reg files, and see if you can import them one at a time.

      Or instead of editing, you could export the keys one at a time from the PC with known good Windows Defender, and try the import.

      (for some reason the forum post puts a space in “Services” that doesn’t appear in the post editor)

