
DumpReg

registry

64 replies to this topic

#26 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1986 posts
  • Location:Nantes - France
  •  
    France

Posted 22 November 2015 - 03:43 PM

Version 0.4

- COMPONENTS is not visible in hivelist and is NOT saved by DumpReg, although visible in regedit as shown earlier ...

 

Hivelist showing DRIVERS hive

Hivelist-2015-11-22_162605.png

 

About hives not showing in hivelist, not sure how to manage that :(

If it does not show in the registry as a hive, I cannot do a registry backup.

Ideas/suggestions welcome.

 

Just uploaded a new v0.4 which should work for you and DRIVERS (since it appears in your hive list).



#27 wimb

wimb

    Gold Member

  • Developer
  • 2281 posts
  •  
    Netherlands

Posted 22 November 2015 - 04:24 PM

DRIVERS hive is saved OK, but SOFTWARE hive is still too small (about 10% is saved).

 

COMPONENTS hive was not visible in hivelist and at first not saved.

Then I used the other program TweakingRegistryBackup.exe and COMPONENTS was saved as usual.

Then I looked at hivelist key and saw that COMPONENTS was mentioned in list.

Then I used DumpReg again and now all 9 hives were saved (but software still too small).

 

So the hivelist is not a good way to detect what hives are present and can be saved.

 

Did you try Portable Registry Backup and make a comparison ?

http://www.tweaking....try_backup.html



#28 erwan.l


Posted 22 November 2015 - 04:32 PM

> DRIVERS hive is saved OK, but SOFTWARE hive is still too small (about 10% is saved).
>
> COMPONENTS hive was not visible in hivelist and at first not saved.
> Then I used the other program TweakingRegistryBackup.exe and COMPONENTS was saved as usual.
> Then I looked at hivelist key and saw that COMPONENTS was mentioned in list.
> Then I used DumpReg again and now all 9 hives were saved (but software still too small).
>
> So the hivelist is not a good way to detect what hives are present and can be saved.
>
> Did you try Portable Registry Backup and make a comparison ?
> http://www.tweaking....try_backup.html

 

I was able to apply the following trick and I believe this is what "Portable Registry Backup" does :

-if components file exists but is not listed in the registry then load it in the registry and back it up !

-this is why components appears in your hivelist after you launched "Portable Registry Backup"

-this is also why dumpreg can backup components after you did backup with "Portable Registry Backup".

 

I still did not find the cause of wrong software backup yet (but will find it...).

 

Going to download "Portable Registry Backup".



#29 wimb


Posted 22 November 2015 - 04:41 PM

> I was able to apply the following trick and I believe this is what "Portable Registry Backup" does :
> -if components file exists but is not listed in the registry then load it in the registry and back it up !
> -this is why components appears in your hivelist after you launched "Portable Registry Backup"
> -this is also why dumpreg can backup components after you did backup with "Portable Registry Backup".
>
> I still did not find the cause of wrong software backup yet (but will find it...).
>
> Going to download "Portable Registry Backup".

 

I think you are right that Portable Registry Backup loads the COMPONENTS hive in the registry !



#30 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13752 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 22 November 2015 - 04:43 PM

> So the hivelist is not a good way to detect what hives are present and can be saved.

 

Hmmm :unsure:, seemingly the hivelist is EXACTLY a real-time list of what is PART of the Registry, you can load any hive manually and it will be immediately added to contents of hivelist, so maybe it does not represent what can be saved but represents rather what should be saved. :dubbio:

 

Conversely a non-mounted hive (let's say the "Components" one for the sake of this example) is offline and then can be saved/backed up by much simpler file copy.

 

:duff:

Wonko



#31 wimb


Posted 22 November 2015 - 04:48 PM

> Hmmm :unsure:, seemingly the hivelist is EXACTLY a real-time list of what is PART of the Registry, you can load any hive manually and it will be immediately added to contents of hivelist, so maybe it does not represent what can be saved but represents rather what should be saved. :dubbio:
>
> Conversely a non-mounted hive (let's say the "Components" one for the sake of this example) is offline and then can be saved/backed up by much simpler file copy.
>
> :duff:
> Wonko

 

Yes, you are right. :thumbsup:

 

After reboot then COMPONENTS is not visible in registry and not in hivelist.

After running Registry Backup then COMPONENTS becomes visible in registry and is mentioned in hivelist.

 

:cheers:



#32 erwan.l


Posted 22 November 2015 - 04:55 PM

> Hmmm :unsure:, seemingly the hivelist is EXACTLY a real-time list of what is PART of the Registry, you can load any hive manually and it will be immediately added to contents of hivelist, so maybe it does not represent what can be saved but represents rather what should be saved. :dubbio:
>
> Conversely a non-mounted hive (let's say the "Components" one for the sake of this example) is offline and then can be saved/backed up by much simpler file copy.
>
> :duff:
> Wonko

 

Despite components not being mounted/listed in the registry, it is still being kept busy by some process and therefore cannot be read (except with regedit).

It can be copied but as it is in use the risk is to end up with a corrupted copy.

 

Actually, if I go the file copy way, I can copy anything/everything (reading at low level) but this is not the safest way.

 

I will stick to registry api's.



#33 erwan.l


Posted 22 November 2015 - 04:55 PM

> Yes, you are right. :thumbsup:
>
> After reboot then COMPONENTS is not visible in registry and not in hivelist.
> After running Registry Backup then COMPONENTS becomes visible in registry and is mentioned in hivelist.
>
> :cheers:

 

Question is : why are some hives mounted on some systems and not on some others...



#34 erwan.l


Posted 22 November 2015 - 05:37 PM

v 0.5 uploaded.

 

If drivers and/or components files are found in sysdir\config (and not in registry), then the hive(s) will be loaded and therefore one will be able to save/restore it.

 

I can now save my components and drivers hives on my win8.1 system.

 

Now need to correct the issue around the software hive...
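
Added example, not part of the original post and not DumpReg's own code: a read-only Python check for the situation described above, listing files in system32\config that have no matching hivelist entry. The function names and the sample hivelist and directory listing are constructed for illustration; `read_live_hivelist` only works on Windows.

```python
import ntpath

# Side files kept next to the hives in system32\config; they are not hives.
NON_HIVE_SUFFIXES = (".log", ".log1", ".log2", ".sav", ".blf", ".regtrans-ms")
CONFIG_DIR_TAIL = "\\system32\\config"

# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Control\hivelist values.
CFG = "\\Device\\HarddiskVolume2\\Windows\\System32\\config\\"
SAMPLE_HIVELIST = {
    "\\REGISTRY\\MACHINE\\HARDWARE": "",  # volatile hive, no backing file
    "\\REGISTRY\\MACHINE\\SYSTEM": CFG + "SYSTEM",
    "\\REGISTRY\\MACHINE\\SOFTWARE": CFG + "SOFTWARE",
    "\\REGISTRY\\MACHINE\\SAM": CFG + "SAM",
    "\\REGISTRY\\MACHINE\\SECURITY": CFG + "SECURITY",
    "\\REGISTRY\\USER\\.DEFAULT": CFG + "DEFAULT",
    "\\REGISTRY\\USER\\S-1-5-21-0-0-0-1000":
        "\\Device\\HarddiskVolume2\\Users\\demo\\NTUSER.DAT",
}
# Constructed listing of the config directory (file names only).
SAMPLE_CONFIG_DIR = ["COMPONENTS", "DEFAULT", "DRIVERS", "SAM", "SAM.LOG1",
                     "SECURITY", "SOFTWARE", "SOFTWARE.LOG1", "SOFTWARE.LOG2",
                     "SYSTEM"]


def mounted_config_hives(hivelist):
    """Lower-cased file names of hivelist entries backed by a file in system32\\config."""
    mounted = set()
    for device_path in hivelist.values():
        folder, name = ntpath.split(device_path or "")
        if name and folder.lower().endswith(CONFIG_DIR_TAIL):
            mounted.add(name.lower())
    return mounted


def unmounted_hives(hivelist, config_files):
    """Candidate hive files present on disk but absent from hivelist."""
    mounted = mounted_config_hives(hivelist)
    return sorted(
        name for name in config_files
        if not name.lower().endswith(NON_HIVE_SUFFIXES)
        and name.lower() not in mounted
    )


def read_live_hivelist():
    """Read the real hivelist values (Windows only; read-only, loads nothing)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\hivelist") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = data
    return values


if __name__ == "__main__":
    print(unmounted_hives(SAMPLE_HIVELIST, SAMPLE_CONFIG_DIR))
```

Running the comparison before and after a backup tool has been used shows whether that tool mounted a hive as a side effect.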



#35 erwan.l


Posted 22 November 2015 - 06:54 PM

v 0.6 uploaded :

-compatible with x32/x64 windows.

-software hive dump issue fixed.

 

Note that ERUNT also has the software hive dump issue (probably because wow64 registry redirection is not supported).

More about registry affected by wow64 redirection here.

 

As a whole, file and registry redirection whether because of wow64 or windows virtual store is a real PITA :(



#36 Wonko the Sane


Posted 22 November 2015 - 07:11 PM

> Actually, if I go the file copy way, I can copy anything/everything (reading at low level) but this is not the safest way.
>
> I will stick to registry api's.

> If drivers and/or components files are found in sysdir\config (and not in registry), then the hive(s) will be loaded and therefore one will be able to save/restore it.

 

 

So, basically, in an attempt to SAVE or BACKUP an existing configuration Regdump (like the other mentioned tool) not only manages to MODIFY it :w00t: but also modifies it in such a way that a reboot is needed to return the system to the exact state it was before (or maybe that hive can be manually unloaded? :unsure:)

 

Mind you it is perfectly possible that loading "manually" the "Components" hive (and unloading it) is perfectly fine and causes not any issue of any kind in practice :), but in theory it is IMNSHO an awful approach :().

 

Personally I would bet that the "direct access" copy you can make will result "good" in 99.9999999% of cases, but till now we don't have (at least I have not :blush: ) a clear idea of the functions and utility of that hive (when it comes to stability of the system or whatever) so it should be first seen if it actually makes sense at all to save/backup it.

I mean the fact that the other mentioned tool does it is not a particularly good reason to do it as well. :dubbio:

 

At the very least you should have a BIG WARNING dialog before loading the hive or an added Yes/No confirmation for this.

 

 

:duff:

Wonko



#37 wimb


Posted 22 November 2015 - 07:36 PM

Version 0.6 is saving SOFTWARE hive of the right size !

 

Comparison of Registry Backup - DumpReg and config folder - Win10 x64 system

 

DumpReg_6-2015-11-22_202746.png

 

There is a problem with the zip file in version 0.6 also encountered earlier, I believe in version 0.4 - error message as shown

 

DumpReg_zipError-2015-11-22_201601.png

 

 



#38 erwan.l


Posted 22 November 2015 - 07:48 PM

Thanks Wimb !

Your feedback today was extremely helpful !

 

I have reuploaded the zip file : I use windows compressed folder but it keeps corrupting my zip files...

Need to switch to 7-zip.



#39 erwan.l


Posted 23 November 2015 - 08:26 AM

 

 

 

> So, basically, in an attempt to SAVE or BACKUP an existing configuration Regdump (like the other mentioned tool) not only manages to MODIFY it :w00t: but also modifies it in such a way that a reboot is needed to return the system to the exact state it was before (or maybe that hive can be manually unloaded? :unsure:)
>
> Mind you it is perfectly possible that loading "manually" the "Components" hive (and unloading it) is perfectly fine and causes not any issue of any kind in practice :), but in theory it is IMNSHO an awful approach :().
>
> Personally I would bet that the "direct access" copy you can make will result "good" in 99.9999999% of cases, but till now we don't have (at least I have not :blush: ) a clear idea of the functions and utility of that hive (when it comes to stability of the system or whatever) so it should be first seen if it actually makes sense at all to save/backup it.
> I mean the fact that the other mentioned tool does it is not a particularly good reason to do it as well. :dubbio:
>
> At the very least you should have a BIG WARNING dialog before loading the hive or an added Yes/No confirmation for this.
>
> :duff:
> Wonko

 

 

 

About the direct access copy, I would not go as high as 99.99% : indeed the registry is regularly read/written.

The risk of corrupted data is real.

Actually MS advises to use the volume shadow copy if you go this way, which makes sense but is another project/approach then.

 

About dumpreg (and other similar tools/script) loading/mounting hives on the fly, you are right : this is a change to the system.

I will add an unload feature when dumpreg exits so that the system is left unchanged.

Fair point.

 

About the use of components/drivers hives, I must say I don't know what they are good for so far.

Actually, on my system, I can see another hive named schema which no one seems to mention for now.

I have a pretty good idea about the 6 "classic" hives : security, sam, software, system, default, current user as I have been using these (some or all) on several occasions to restore my system with success.

 

Note that dumpreg was more or less created to complete my other tools such as clonedisk, offlinereg, quickpe ... and the latest beta ProductPolicy Viewer.
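
Added example, not from the thread or from DumpReg: a Python check of a copied hive file's `regf` base block, which flags the kind of mid-write copy discussed above. The function names and the minimal sample image are constructed for illustration; a clean result covers the header only, not every cell in the hive.

```python
import struct

BASE_BLOCK = 4096  # size of the "regf" base block at the start of every hive file


def regf_checksum(header: bytes) -> int:
    """XOR-32 over the first 508 bytes, as stored at offset 0x1FC."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1  # a computed 0 is stored as 1


def check_hive_copy(data: bytes) -> list:
    """Return the problems found in a copied hive file (empty list: header is consistent)."""
    if len(data) < BASE_BLOCK:
        return ["shorter than the 4096-byte base block"]
    if data[:4] != b"regf":
        return ["missing 'regf' signature"]
    problems = []
    # The primary number is bumped before a write and the secondary after it,
    # so unequal values mean the copy was taken while a write was pending.
    primary, secondary = struct.unpack_from("<II", data, 0x04)
    if primary != secondary:
        problems.append("sequence numbers differ (%d/%d)" % (primary, secondary))
    (stored,) = struct.unpack_from("<I", data, 0x1FC)
    if stored != regf_checksum(data):
        problems.append("base block checksum mismatch")
    (bins_size,) = struct.unpack_from("<I", data, 0x28)
    if len(data) < BASE_BLOCK + bins_size:
        problems.append("truncated: header declares %d bytes of hive bins" % bins_size)
    elif bins_size and data[BASE_BLOCK:BASE_BLOCK + 4] != b"hbin":
        problems.append("first hive bin lacks 'hbin' signature")
    return problems


def build_sample_hive(primary=7, secondary=7, bins_size=4096) -> bytes:
    """Constructed minimal image for the demo; not a loadable registry hive."""
    header = bytearray(BASE_BLOCK)
    header[0:4] = b"regf"
    struct.pack_into("<II", header, 0x04, primary, secondary)
    struct.pack_into("<II", header, 0x14, 1, 5)      # major, minor version
    struct.pack_into("<I", header, 0x28, bins_size)  # hive bins data size
    struct.pack_into("<I", header, 0x1FC, regf_checksum(bytes(header)))
    bins = bytearray(bins_size)
    bins[0:4] = b"hbin"
    return bytes(header) + bytes(bins)


if __name__ == "__main__":
    print("clean copy   :", check_hive_copy(build_sample_hive()))
    print("mid-write    :", check_hive_copy(build_sample_hive(primary=8)))
    print("cut-off copy :", check_hive_copy(build_sample_hive()[:6000]))
```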



#40 wimb


Posted 23 November 2015 - 10:48 AM

> About dumpreg (and other similar tools/script) loading/mounting hives on the fly, you are right : this is a change to the system.
> I will add an unload feature when dumpreg exits so that the system is left unchanged.
> Fair point.
>
> About the use of components/drivers hives, I must say I don't know what they are good for so far.

 

 

Maybe better not to unload COMPONENTS and DRIVERS, since that will give a change (see filedate).

Simply switching off maybe does not change these hives ....

Maybe COMPONENTS and DRIVERS are only needed and are loaded
and will change in case of a change in configuration in packages and in hardware. :unsure:



#41 wimb


Posted 24 November 2015 - 01:04 PM

I have used several methods to Restore the registry of my fresh installed Win10 x64 test system.

 

- DumpReg can be used in Win10 x64 OS to restore the registry and is working OK. :)

- After booting with Win8.1 PE then Manual copy was used OK to restore the Win10 x64 registry using 3 different backups (DumpReg, Registry Backup and Manual backup) :)

- Registry Backup program can be used in Win10 x64 OS, but the restored registry is having a problem (Start button does NOT display Start tiles menu). :ph34r:

 

It turns out that the Restore function of Registry Backup program http://www.tweaking....try_backup.html

corrupts the Win10 x64 system in a way that cannot be recovered by DumpReg using Restore.

Also after booting with 8.1 PE and using Manual Restore of the registry did NOT solve the problem.

Also Windows System Restore did not solve the problem.

The problem encountered is that after booting Win10 x64 then the Windows Start button can NOT display the Start menu.

 

AOMEI Backupper used in Win8.1 PE is doing OK to Restore the complete system (used several times during the experiments).

 

About DumpReg:

The DumpReg Restore function only restores 1 hive at a time, since the ALL checkbox is not present in Restore.  :(

Also it seems that UsrClass.dat is not used.

All other hives are renamed when restored by adding a date string to the hive filename in the Source backup folder.

That means that reusing the restore function on the same hive will fail (since filename has changed). :ph34r:

It would be nice if DumpReg can use Backup folder located on any drive e.g. USB-stick.

It would be nice if Backup folder has computer name and datetime string and folder structure as used by Registry Backup

The config hives are then located in CompName\DateTime\DriveLetter\Windows\system32\config

This has the advantage that in PE a simple copy of the folder structure can be used to restore the complete registry.



#42 erwan.l


Posted 24 November 2015 - 04:17 PM

About dumpreg, next version will support an ALL feature for restore.

I will also fix the usrclass.dat not being used today.

 

Actually, I am not satisfied about "my" restore process : 

-it prepares the system to use a new (selected) hive at next reboot and the system will delete this selected hive at next reboot

-it backs up the hive to a xxx.date before overwriting it

This is how regreplacekey works : I will drop it and go for regrestorekey which is simpler.

 

Seems my "select directory" form does not list all medias : need to review it.

In the meantime you can type in the path manually.

 

I can review the backup names and folders for sure but there is a fundamental difference with "Portable registry backup" : it uses file Volume shadow copy i.e. manipulates files (copy) when I manipulate registry hives (open, save/restore, close).

Portable registry backup corrupting backups is worrying as it purposely uses VSC to avoid this.



#43 wimb


Posted 24 November 2015 - 05:38 PM

Thanks for your reply and future improvements.

 

In fact default setting for Portable Registry Backup is the Fallback Backup method (see Advanced Settings),

whereas in the past (before Win10) it was the Volume Shadow Copy method.

 

After I observed the Restore problem of Registry Backup, then I decided to test both methods, but both settings give the same failure for Restore,

whereas for both backup methods when I use Manual Restore in PE environment then everything works OK.

I am not so sure that they use VSC for Restore since Restore starts immediately, whereas Backup is waiting long in case of VSC method .....

 

Until now your DumpReg Restore seems to work online OK.

I am very interested in your future development for restore of registry.

 

:cheers:



#44 erwan.l


Posted 24 November 2015 - 08:29 PM

I have updated dumpreg (v0.7)

The restore ALL option has been implemented (GUI and CMD).

The GUI now uses regrestorekey as default instead of regreplacekey.
The GUI also offers the option to use one API or the other (options menu).
Note that a reboot is required in both scenarios.

The GUI will also create a folder named after the computername in the destination folder to store the saved hives.

It seems that to restore the system hive, you have to use regreplacekey.

In a previous post I had reported that regreplacekey deletes the source hive : actually not.
It moves the source hive to %system32%\config folder (replacing the existing/original one).
The original hive (i.e. before being replaced) is backed up to hive_name.date.



#45 wimb


Posted 25 November 2015 - 07:43 AM

Restore with RegRestoreKey

- System and Drivers failed

- After Software restore then Start Menu, Shutdown and Explorer cannot be used anymore. (Error - Key is marked for removal)

So I needed to use the power button to switch off the computer

After reboot then the system seems to work OK

 

DumpReg7_SysResFail-2015-11-25_073410.png -- DumpReg_SoftRes_2015-11-25_073646.png

 

Restore with RegReplaceKey

- UsrClass failed

After normal Shutdown and Reboot then system seems to work OK

 

DumpReg7_RRK_2015-11-25_075318.png -- DumpReg7_RRK2_2015-11-25_075537.png

 

Conclusions:

RegRestoreKey interferes with the running system, leading to complications ....

It seems that in practice RegReplaceKey has fewer complications (hive is replaced at next reboot, does not interfere with running system)

Only restore of UsrClass failed, which is maybe easy to fix.



#46 erwan.l


Posted 25 November 2015 - 07:18 PM

@Wimb : Excellent feedback, thanks ! :)

 

regreplacekey sounds safer to me indeed where regrestorekey seems to merge data and possibly leaves the system in an unstable state.

Only downside is that the api moves the hive file to system32\config.

 

version 0.7.1 out 

-regreplacekey is the default option

-restore will propose to reboot once completed

-usrclass.dat should be restored ok now

-special credits to Wimb in the help->about menu

-changed app tile to "Online RegDump" to avoid confusion : regdump is pointless for now under winpe



#47 Biatu

Biatu

    Member

  • Members
  • 58 posts
  •  
    United Kingdom

Posted 25 November 2015 - 11:11 PM

Nice job, useful.



#48 wimb


Posted 26 November 2015 - 08:28 AM

Version 0.7.1 is doing Backup OK and Restore seems to be OK, since there are no failed messages anymore.

More testing is required to see if Restore of registry is working properly and can actually restore an earlier status ... :unsure:

 

> regreplacekey sounds safer to me indeed where regrestorekey seems to merge data and possibly leaves the system in an unstable state.
> Only downside is that the api moves the hive file to system32\config.

 

The downside is that the Backup is lost on apply of Restore.

This can be overcome easily by:

- Let the program create folder RegReplace on the OS drive e.g. C:\RegReplace

- Before apply of Restore then the program can Copy the Backup hives from the Source folder to the RegReplace folder and use that internally as Source folder for Restore

The advantage is that your original Backup is not lost.

Also the Backup hives used for Restore are in that case always located on the same drive as the OS,

which is a requirement for RegReplaceKey (this is a hive exchange file move operation applied at Reboot).

 

Also it will be nice if several Backups can live next to each other so that you can keep them for future use.

This can be accomplished when the program makes a Backup folder structure as C:\RegDump\CompName\Date_Time and use that path for Backup of hives.

In the program you can propose then as Backup folder C:\RegDump so that the user does NOT need to make folder RegDump as now being necessary.

 

:cheers:



#49 Wonko the Sane


Posted 28 November 2015 - 08:51 AM

> Also it will be nice if several Backups can live next to each other so that you can keep them for future use.
> This can be accomplished when the program makes a Backup folder structure as C:\RegDump\CompName\Date_Time and use that path for Backup of hives.

 

 

 

Yep :) this is the approach good ol' ERUNT uses (the folder named after the date), and it seems to me like the most sensible/easy, since that tool is intended to make a "local" backup of the Registry it does not use the "Computer Name", adding it seems a smart way to know which is which in the case of (say) a USB stick holding the backup of several machines. :thumbup:

 

:duff:

Wonko



#50 erwan.l


Posted 28 November 2015 - 11:21 AM

version 0.8 uploaded (GUI changes only)

 

-c:\regdump is default folder and will be created if needed

-username-computername folder will be created

-date-time folder will be created within username-computername folder

-the source hive will be preserved when using regreplacekey api so that the backup folder stays intact






