I've recently discovered that not all Registry Backup apps might be equal. Apparently some use Microsoft's Shadow Copy for the process while some don't, meaning that such backups don't include the sections of the Registry that are in use when the backup is created.
Can anyone confirm this? And perhaps suggest which apps are the Shadow Copy type?
Shadow copy seems the wrong tool here. Registry access doesn't have the same lock mechanism that files have, so the registry cannot be "in use" and prevented access like files can.
If a registry backup program claims that it uses shadow copy or that it cannot work because it's in use it means that what it really copies are the hive files that back the registry and aren't accessing the registry itself like the build-in "regedit" tool does. As such, the mere use of such a backup program may mean that the "backup" it does is in itself broken. I would just drop all such programs.
That could result in inconsistent copies of the files, as Windows is modifying them and can result in copying a broken file. Any tool that picks the registry files directly from the file system is, inherently, flawed in this way. Shadow copy could help, but up to some point as we don't know how the registry write process works exactly and Windows don't place any guarrantes on it.
The only way to get a consisten backup is to go though the registry API directly and read the whole thing from there. The result could even be a normal .reg file that you import back in case of problems, either in full or partially. Taking a backup this way also eliminates the problem of locks, since the registry API don't provide them, and in this case Windows itself ensures consistency of the data returned, which may or may not be flushed to disk.
Yes we know. It doesnt matter. For the purpose of backup and restore it works. It is what all well known programs use for imaging os. Millions of people do it every day.
We are not concerned here about the minute details of forensics..
Thanks for the tip SIW2.
Perhaps Alejandro would explain exactly how he would go about backing up, and restoring, the W7 Registry.
Last edited by teckneeculler; 06 Apr 2024 at 18:48.
The question is whether you want to automate it and whether you want to merge or replace when restoring.
If you just want to make a one-time backup with the intent to restore by merging (i.e. not backing up removal of registry keys that were present by default), the official Microsoft instructions work all the way back to Windows 9x. (Open Regedit, go File > Export Registry File > and make sure the "All" radio button is selected.)
I seem to remember the regedit command-line options not supporting dumping the root, which would be why, for scriping my Windows XP Pro retro-machine's on-shutdown backup, I used this .cmd script:
Code:@echo off setlocal for %%k in (hklm hkcu hkcr hku hkcc) do call :ExpReg %%k goto :eof :ExpReg reg.exe export %1 %1.reg > nul gzip -f1 %1.reg if "%errorlevel%"=="1" ( echo ^>^> Export --%1-- Failed. ) else ( echo ^>^> Export --%1-- Fine. ) goto :eof endlocal
For dumping the raw hive files, the problem is basically the same as trying to dump the raw contents of a filesystem (which makes sense, given what the registry is) while it's mounted (Linux/UNIX/POSIX term basically meaning "assigned a drive letter and available for programs to interact with")... there's nothing ensuring that something won't change mid-backup, resulting in a corrupted backup.
(To use a visual metaphor, dumping the registry hives while they're in use is like trying to take a screenshot using a capture card without using VSync. You're gonna get tearing. Taking a backup using regedit is like taking a screenshot from inside the system, where it knows what belongs to which frame.)
Quote