Backing up and Restoring Windows NT/2000/XP/Server 2003 Registries Manually
If the boot partition of Windows NT/2000/XP/Server 2003 is formatted using the FAT
file system, you can easily back up the system registry manually by booting the computer
under an alternative operating system (for example, MS-DOS or Windows 9x/ME) or
even using the boot diskette. When this is done, you will be able to copy registry-hive
files to the backup media using any method of copying (for example, you may use both
Windows Explorer and the command line).
If the Windows NT/2000/XP or Windows Server 2003 boot partition uses NTFS, you
may have some difficulties using this method of backing up the registry (however,
contrary to information provided in some sources, this isn't always the case). You may
sometimes need to format the Windows NT/2000/XP/Server 2003 boot partition using
NTFS (this may be required by the security rules adopted by your company or by certain
software products, which need to be installed on NTFS partitions). However, you may
wish to continue using a manual method of backing up the registry. The simplest method
of avoiding any possible problems is a parallel installation of the operating system.
Microsoft officially recommends this method of improving system reliability. This tip
can be found in both the Resource Kit documentation and in Microsoft Knowledge Base
articles. If you follow this recommendation, though, you'll need to consider the
compatibility aspects of NTFS 4 and NTFS 5. You can also use shareware or freeware
NTFS drivers, which can be downloaded from the Internet.
To back up the Windows NT/2000/XP/Server 2003 registry manually, copy the files
contained in the %SystemRoot%\System32\Config folder to the backup media. Note that
you need to use backup media of sufficient capacity, since the contents of this folder
almost certainly won't fit on a 1.44 MB diskette.
Selection of removable storage media for transporting your files (for system
administrators and technical-support personnel these, most probably, will include
recovery tools, drivers, system updates, diagnostic utilities and, certainly, backup files,
such as registry backups) is very important. Till recently, ZIP disks and CD-Rs were used
for this purpose. Over the past few years, however, newer and better media have become
more and more popular. If you need a portable toolkit for emergency situations, such
things as external USB card readers, Flash Memory cards, and, above all, USB Flash
drives, will be invaluable. Such devices can hold up to 1 GB of data, are very portable,
extremely lightweight, and compatible with any PC equipped with a USB port. Just stick
the flash drive into the USB port of your PC running Windows 2000/XP or Windows
Server 2003 and Windows Plug and Play will immediately see it as an additional drive
(more information on this topic will be provided in Chapter 5). Then copy the files you
need to take with you, unplug the device from the PC, and you're ready to go. Flash
drives hold more data than a floppy disk, are more portable than ZIP drives and other
remote-storage devices, and are more convenient (and less fragile) than CD-RW disks. In
short, USB Flash Drives may just be the perfect removable storage medium.
Note: Unfortunately, the small size and large storage capacity of such devices, apart from
the advantages that they bring, can also make them dangerous. In order to install
such a device in Windows 2000/XP or Windows Server 2003, it isn't necessary for
the user to belong to the Administrators group. For example, by installing a
portable USB drive, the user can entirely bypass administrative safeguards
against worms and viruses, unauthorized software such as shareware programs,
software pranks, MP3 files, video clips, spyware, or keystroke loggers that can
enable users to capture passwords or other sensitive information. Another threat
created by such devices is that of theft or loss of software and confidential data.
Unless you disable all of the USB ports in your environment, these threats are
impossible to defend against. Protective measures that you can take to safeguard
your corporate network against these threats will be considered in Chapter 9.
The files that need to be copied from the %SystemRoot%\System32\Config folder are:

Appevent.evt    Secevent.evt    Sysevent.evt
Default         Security        System
Default.log     Security.log    System.alt[*]
Default.sav     Software        System.log
Sam             Software.log    System.sav
Sam.log         Software.sav    Userdiff

[*] This file was eliminated in Windows XP and Windows Server 2003. It is only present
in earlier versions of Windows NT/2000.
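
The following Python script is an added example, not part of the original text. It checks that a manual backup contains every file in the list above and that each copy is identical to the original; the function and variable names are assumptions made for this example, and System.alt is treated as optional because it is absent on Windows XP and Windows Server 2003.

```python
import hashlib
import os

# File names taken from the list above. System.alt is optional because it
# does not exist on Windows XP and Windows Server 2003.
REQUIRED = [
    "Appevent.evt", "Secevent.evt", "Sysevent.evt",
    "Default", "Default.log", "Default.sav",
    "Sam", "Sam.log",
    "Security", "Security.log",
    "Software", "Software.log", "Software.sav",
    "System", "System.log", "System.sav",
    "Userdiff",
]
OPTIONAL = ["System.alt"]


def sha256_of(path):
    """Hash a file in chunks so large hives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_dir(folder):
    """Map lower-cased name -> path; FAT and NTFS names are case-insensitive."""
    return {name.lower(): os.path.join(folder, name)
            for name in os.listdir(folder)
            if os.path.isfile(os.path.join(folder, name))}


def verify_backup(source_dir, backup_dir):
    """Return (missing, mismatched) file names for a manual hive backup."""
    source, backup = index_dir(source_dir), index_dir(backup_dir)
    missing, mismatched = [], []
    for name in REQUIRED + OPTIONAL:
        key = name.lower()
        if key not in source:
            if name in REQUIRED:
                missing.append(name)  # expected in Config but not found there
            continue                  # optional file absent on this system
        if key not in backup:
            missing.append(name)      # never copied to the backup media
        elif sha256_of(source[key]) != sha256_of(backup[key]):
            mismatched.append(name)   # copy differs from the original
    return missing, mismatched
```

Run it from the alternative operating system, passing the offline Config folder and the backup folder to verify_backup. The Sam and Security hives hold account and security-policy data, so keep the backup media under the same physical control as the machine itself.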
Note: When backing up the registry manually, don't forget to create
backup copies of user profiles, which are stored under
%Systemdrive%\Documents and Settings\ folders.
To create backup copies of user profiles for each user quickly,
log in as the Administrator and copy the Ntuser.dat files for
each existing user profile (more detailed information on user
profiles will be provided in Chapter 10).
Restoring the registry from a backup copy that was created using this method requires
booting the computer under an alternate operating system. After rebooting, you simply
need to copy the registry files from the backup media back to the