Restore lost Registry files without reinstalling NT

When you install Windows NT on a server or workstation, you can create an Emergency Repair Disk. It contains a backup of Registry files so that you can restore damaged NT system files and reboot a failed system. Knowing how to create an up-to-date Emergency Repair Disk and use it to recover from a system failure is an important part of NT disaster recovery.

An Emergency Repair Disk has several uses. It lets you recover from a system crash caused by corrupted files or boot a system with an NT startup program problem, without having to reinstall NT. And you can access a system when you don't know the password--for example, when the systems administrator forgets the password or leaves the company. The Emergency Repair Disk lets you restore the original user accounts database (which contains the system's original password).

What's on the Emergency Repair Disk?
The Emergency Repair Disk contains copies of the files in an NT 3.51 or 4.0 system's winnt\repair directory. Some of these files are compressed versions of files in the winnt\system32\config directory, where NT stores the Registry files. Table 1 shows a sample listing of the winnt\repair files under versions 3.51 and 4.0. Note that in NT 4.0, some of the information comes from the profiles subdirectory. User Profiles include information about software the user installs, desktop settings, and personal preferences; NT stores these settings in the ntuser.dat file.

When you install NT, the system builds the setup.log file, which contains information about the files installed on the system. When you use the Emergency Repair Disk to restore corrupted files, NT Setup (which performs the repair process) uses the information in setup.log to compare the files on the system's hard disk with the files on the NT installation CD-ROM and replace damaged files with the corresponding files from the CD-ROM. NT automatically updates the system's setup.log file when you add drivers such as those for a SCSI adapter or a tape drive. The other files on the Emergency Repair Disk include the software configuration, the systems settings (primarily for the hardware), the Security Accounts Manager (SAM) and security files, and the default user profile settings. NT uses the autoexec.nt and config.nt as default files to start a virtual DOS session.

Creating an Emergency Repair Disk
According to Microsoft's NT documentation, "for best results," you want to use a repair disk for only the computer you created it on. However, creating one Emergency Repair Disk per system is not practical if you have thousands of workstations (and you can often reinstall a workstation as fast as you can recover its files with the repair disk). Create and store one Emergency Repair Disk for each server and Primary Domain Controller (PDC) in your network.

Even if you create and store Emergency Repair Disks in a safe place, they can quickly become outdated as system information changes--for example, as you add users, build volume and stripe sets, and add hardware to an NT system. Some programs, such as Disk Administrator, prompt you to update your Emergency Repair Disk. To do so, you must use the rdisk.exe utility. Creating the disk takes fewer than five minutes.

You can run rdisk from the Run command in NT 3.51's Program Manager; from the Start, Run option in NT 4.0; or by clicking the executable file in File Manager or Explorer. Of course, if you like command lines, you can simply enter RDISK at the command prompt. By default, NT installation does not have a program icon to rebuild the Emergency Repair Disk, but you can create one. The command line for the icon is rdisk.exe. You can include the full path to rdisk.exe when creating the icon; however, rdisk.exe is in the default path because it's in the winnt\system32 subdirectory.

When you start rdisk, the Repair Disk Utility window in Screen 1 displays with four options. The first, Update Repair Info, updates the repair information--but on the hard disk in the winnt\repair directory, not on the Emergency Repair Disk (the backup disk to which you'll copy the updated winnt\repair files). After rdisk finishes updating the hard disk, it asks whether you want to create a floppy with this new information, as Screen 2 shows. If you answer yes, rdisk creates the disk.

The second option in Screen 1, Create Repair Disk, formats the backup disk that will be your Emergency Repair Disk and copies the winnt\repair files to it. Note that this option doesn't check whether the winnt\repair information is current--it simply copies the contents of the repair subdirectory to the backup disk. So to ensure your Emergency Repair Disk is up-to-date, use Update Repair Info, not Create Repair Disk. Before you create an Emergency Repair Disk with either option, make sure you have a backup of the old repair disk that you can use if something goes wrong when you create the new repair disk. The other two options in the Repair Disk Utility window are Exit and Help. (Help displays a short description of the utility.)

rdisk automatically updates all winnt\repair files except the user accounts files, Security and SAM. The procedure doesn't update those files for two reasons. First, backing up a large domain's accounts database to floppies is an impractical and risky way to store critical system information: on a PDC or Backup Domain Controller (BDC), this database can include information on thousands of users and occupy several megabytes. Second, an Emergency Repair Disk's main purpose is to let you boot an NT system using the original user account information (i.e., the original SAM and Security files). After you reboot the system, you can restore the current accounts database from a backup tape.

However, if you have a small domain with only a few user accounts, storing that information on the Emergency Repair Disk makes sense. NT provides a little-known way to update the user accounts information via rdisk. You enter

rdisk /s or rdisk -s

to copy the Security and SAM files to the winnt\repair directory. After you enter rdisk /s, instead of the Repair Disk Utility window, you see a screen with a status bar showing the percentage of information updated, as in Screen 3. (This screen will look familiar: It's the same one you see at the end of the NT installation, when you save the configuration to disk the first time.) At the end of the process, the utility asks whether to create a new Emergency Repair Disk. Choose yes and create the Emergency Repair Disk as explained earlier. (For more information about using rdisk to back up user accounts information, see Christa Anderson, "Care and Feeding of the Registry," December 1996.)
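An added example (not from the original article or from Microsoft): a Python check over a copy of winnt\repair, or the contents of an Emergency Repair Disk, that reports missing files, stale repair information, and account files that rdisk left untouched because /s was not used. It uses the NT 4.0 file names from Table 1; the function names, the 30-day and one-day thresholds, and the sample directory are assumptions constructed for illustration.

```python
import os
import tempfile
import time

# File names taken from Table 1 of the article (NT 4.0 column).
NT40_REPAIR_FILES = ["SETUP.LOG", "DEFAULT._", "SECURITY._", "SAM._",
                     "AUTOEXEC.NT", "CONFIG.NT", "SYSTEM._", "SOFTWARE._",
                     "NTUSER.DA_"]
ACCOUNT_FILES = ("SECURITY._", "SAM._")   # only refreshed by rdisk /s


def audit_repair_dir(path, max_age_days=30, now=None):
    """Return a list of findings for a copy of winnt\\repair (or an ERD)."""
    now = time.time() if now is None else now
    present = {n.upper(): os.path.join(path, n) for n in os.listdir(path)}
    findings = []
    for name in NT40_REPAIR_FILES:
        if name not in present:
            findings.append(f"MISSING {name}")
    mtime = {n: os.path.getmtime(p) for n, p in present.items()
             if n in NT40_REPAIR_FILES}
    # Per the article, rdisk refreshes SYSTEM._ on every Update Repair Info.
    ref = mtime.get("SYSTEM._")
    if ref is not None and now - ref > max_age_days * 86400:
        findings.append("STALE repair info older than %d days" % max_age_days)
    for name in ACCOUNT_FILES:
        # Account files older than SYSTEM._ mean rdisk ran without /s, so a
        # restore would bring back the older accounts and passwords.
        if ref is not None and name in mtime and ref - mtime[name] > 86400:
            findings.append(f"ACCOUNTS_NOT_UPDATED {name}")
    return findings


def build_sample(root, now):
    """Constructed sample: account files 400 days old, the rest 2 days old."""
    for name in NT40_REPAIR_FILES:
        if name == "NTUSER.DA_":
            continue                      # simulate a missing file
        p = os.path.join(root, name)
        open(p, "wb").close()
        age = 400 if name in ACCOUNT_FILES else 2
        os.utime(p, (now - age * 86400, now - age * 86400))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        t = time.time()
        build_sample(d, t)
        for line in audit_repair_dir(d, now=t):
            print(line)
```

An ACCOUNTS_NOT_UPDATED finding on a server tells you that a Restore user accounts repair from this disk would roll the system back to an older accounts database, which is the situation the article's tape-restore step is meant to correct.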

Using the Emergency Repair Disk
The Emergency Repair Disk is not a bootable disk; you have to use it with the three floppies included with NT 3.51 or 4.0 and the CD-ROM containing the NT source files. You start the repair process by booting the system from the NT boot disk, which is the first of the three floppy disks. After booting the system, insert the second NT disk as prompted, and the blue NT screen appears. At this point, the Setup process is running. The Setup program lets you specify whether to use the Emergency Repair Disk or continue with a full installation. After you specify Emergency Repair Disk, you can choose any combination of the following repair options.

Inspect Registry files. Choosing this option displays a screen that lists the Registry hives, areas in the system32\config subdirectory that contain Registry files (for more information about hives, see "Care and Feeding of the Registry"). You choose the hives you want to load from the list shown in Figure 1. (Later in the repair process, the repair software will try to load each selected hive.) Under Inspect Registry Files, you have the option to restore user accounts.

Restore user accounts. The Setup program transfers the default Security and SAM files (or updated versions, if you used rdisk /s) from the Emergency Repair Disk to the Registry. At this point, the files become Registry hives (you must confirm this step before it's performed).

Inspect startup environment. This option checks the NT system's boot files, such as ntldr and ntdetect.com. If it finds a problem with a boot file, it replaces the file with one from the NT Setup disk.

Verify Windows NT system files. This option uses a checksum algorithm to verify each file in the installation. If a file is damaged or missing, NT replaces it with a file from the installation disks or CD-ROM.

Inspect boot sector. This option reinstalls the Boot Loader and other startup files, such as ntldr and boot.ini.

Once you choose the repair options you want NT to perform, the Setup process continues, loading drivers for the NT system's SCSI adapters, CD-ROMs, and other devices. Next, the Setup program asks whether you have the Emergency Repair Disk. If so, remove the second NT install disk and insert the repair disk. If you don't have a repair disk, Setup looks for the NT installation on the hard disk and uses the repair files stored there. Once the necessary files are available, Setup either loads the hives you specified earlier, or if necessary, replaces hives from the repair disk with your approval. Once Setup loads the hives, you can reboot the system and start NT.

If you replaced the user accounts database with an earlier version, you can now restore the current version from tape. Just remember to reset the administrator password before you log out.

Practice
Creating an Emergency Repair Disk and navigating the repair process aren't difficult tasks, but you must set aside time to do them. If you don't have an Emergency Repair Disk for each critical computer, put down this magazine and make one! This relatively small time investment can pay off by letting you restore critical systems quickly.

You'll be wise to practice using an Emergency Repair Disk on a noncritical computer so you can perform a repair smoothly when a real disaster strikes. And don't forget that an Emergency Repair Disk is only part of a complete disaster recovery plan. Back up all critical files on your NT systems regularly.

TABLE 1: winnt\repair Files

Windows NT 3.51
SETUP.LOG
SYSTEM._
SOFTWARE._
SECURITY
SAM._
DEFAULT._
AUTOEXEC.NT
CONFIG.NT

Windows NT 4.0
SETUP.LOG
DEFAULT._
SECURITY._
SAM._
AUTOEXEC.NT
CONFIG.NT
SYSTEM._
SOFTWARE._
NTUSER.DA_

FIGURE 1: Registry Hives

Windows NT 3.51
[ ] SYSTEM (System Configuration)
[ ] SOFTWARE (Software Information)
[ ] DEFAULT (Default User Profile)
[ ] SECURITY (Security Policy) and SAM (User Accounts Database)

Windows NT 4.0
[ ] SYSTEM (System Configuration)
[ ] SOFTWARE (Software Information)
[ ] DEFAULT (Default User Profile)
[ ] NTUSER.DAT (New User Profile)
[ ] SECURITY (Security Policy) and SAM (User Accounts Database)

From this list, you choose the hives that NT's repair software will load from the Emergency Repair Disk.