Manual restore registry files from a full registry backup created by Registry First Aid before registry scan

If it is not possible to boot in safe mode and "last known good configuration" is damaged then you can restore registry files from a full registry backup created by Registry First Aid before registry scan. By default, it prompts to create a full registry backup once per day before scan.

In this case you need either another copy of Windows installed or Recovery Console installed. Read install Recovery Console and how to use it topic.

There may be several variants to boot into another copy of Windows (at least Windows XP is required):
  • a second operating system installed on that machine;
  • or install a new OS into another folder (not C:\Windows originally) or another partition;
  • or connect hard drive to a machine with Windows installed;
  • or make a boot CD or flash drive with Windows or another OS with support of NTFS.
The better and easier choice is using a boot device. There are a lot of bootable images in the Internet especially designed for Windows recovery.

The instructions below will show you how you can replace registry files with backup copies.

Using graphical interface - file explorer.

1. Boot into your parallel system.

2. Open in explorer a drive where Registry First Aid saved full registry backups. By default it is C:\ProgramData\RFA_Backups.

3. Find there a folder with the most recent date - the creation date can be read from the folder name: year_month_day-hour_minutes_seconds

4. Backup folder contains machine registry files and several subfolders of kind "S-1-5-..." - they contain user registry files and does not affect the system configuration.

5. Copy the SYSTEM file to the \Windows\system32\config folder on your problem Windows drive. But before this you should create a copy of existent file, for example rename it to SYSTEM.bak - that will be a backup in case something will go wrong. You may also need to clear special attributes "hidden" and "read-only". Right mouse click on a file and select Properties to see and change file attributes.

6. Reboot in your problem Windows system and see if it starts and works OK. If no, you can try to copy other registry files from the same backup folder or repeat these steps with a next by time-back backup folder in RFA_Backups.

Using command line interface.

1. Boot into your parallel system.

2. Go to a drive where Registry First Aid saved full registry backups. By default it is C:\ProgramData\RFA_Backups. Type the following and press Enter after each line: 
C:
cd "C:\ProgramData\RFA_Backups"
3. Find there a folder with the most recent date - the creation date can be read from the folder name: year_month_day-hour_minutes_seconds. To list all files and directories type: 
dir *
Go into most recent folder: 
cd 2017_2_21-18_15_17
List files and folders inside: 
dir *

4. Backup folder contains machine registry files and several subfolders of kind "S-1-5-..." - they contain user registry files and does not affect the system configuration. They may be restored later if you have problems under only some user accounts.

5. Copy the SYSTEM file to the \Windows\system32\config folder on your problem Windows drive. But before this you should create a copy of existent file, for example rename it to SYSTEM.bak - that will be a backup in case something will go wrong. You may need to clear special attributes "hidden" and "read-only" using ATTRIB command. 

        ATTRIB -R -H -S "C:\Windows\system32\config\SYSTEM"
        RENAME "C:\Windows\system32\config\SYSTEM" "SYSTEM.bak"
        COPY SYSTEM "C:\Windows\system32\config\*"

6. Reboot in your problem Windows system and see if it starts and works OK. If no, you can copy other registry files from the same backup folder or repeat these steps with a next by time-back backup folder in RFA_Backups. NTUSER.DAT files under subfolders like "S-1-5-..." may be restored after successful Windows boot.

Registry files
SYSTEM file is the "HKEY_LOCAL_MACHINE\System" registry hive
DEFAULT is the "HKEY_LOCAL_MACHINE\.Default" hive
SAM is the "HKEY_LOCAL_MACHINE\SAM" hive
SECURITY is the "HKEY_LOCAL_MACHINE\SECURITY" hive
Both last mentioned files contain system security records. Don't modify these files if you don't know what you're doing exactly.
SOFTWARE is the "HKEY_LOCAL_MACHINE\Software" hive
It contains registry keys for installed software. If you replace this file with one old then you probably will have to re-install the most of your programs.