HowTo: Fix Corrupted Windows Registry from Ubuntu partition

[GlobalTrucker]

Here is a slightly strange but related question. My apologise that I start off talking about Windows but nobody is perfect!!

Background:

"OS: Windows 7 Home Premium OA

Start up and installation worked first round. I then made the following partitions:

C:Windows (original system partition)
D: Data (here I put all my working files)
F: Executables (here are all the binary executables that I use)

I moved some files from C:\Programs to F:\Programs.

Everything worked fine.

Then I got clever and decided to change F:Executables to E:Executables (E for Executables) to do this I had to move EVD (original system default) to a new letter. I chose OVD (O for 'Optical') and moved F: to E:.

Then I re-booted.

Now the system boots all the way to the login screen except that there are no user choices. Windows itself has obviously started because other functions such as the 'Shutdown' and 'Restart' buttons work. But no User icons or boxes appear to select a user and enter a password."

At this point I thought "DAMN and double BLAST!"

After a bit of cursing and thinking (these often work well together) I had the idea to see what my (up until this point unused UBUNTU boot disk could do. In it went to the optical drive and started up a dream. In fact I had access to all the WIndows partitions as well. However, I can't seem to get windows applications to run under UBUNTU yet (mostly because I haven't tried very hard).

I suspect that the problem with my Windows installation is that I need to fix some drive pointers in the windows registery file. Unfortunately the 'regedit' utility doesn't want to work directly under UBUNTO. When I double click on it in the file manager it complains that it must be some kind of corrupted *.zip file. Most unsatisfactory.

After this very long post the basic question is:

Can I open up and edit the windows registry file directly from UBUNTU?

or

Any other ideas?

[Mickser_52]

Many thanks for your post. My daughters laptop contracted a windows logon logoff virus after opening an email attachment (yes, despite all those warnings). Every time she tried to start up, as soon as she entered her password the system logged off.

I was able to boot up from an ubuntu disk and download and run an antivirus program (bitdefender) which cleared the original virus but the windows would still not stay logged on.

I found your post and followed your instructions to replace the files as suggested. The problem was solved

[suniyo]

Great!! Simply worked out of the box and now I've my partition recovered without needing to install either windows or ubuntu again. Very old and yet very useful information. I think there are lot many such problems that we need to address and properly document for other users also. Anyone interested working with me to document ?

[singh9211]

thanks for the gr8 tutorial, it really helped

[suniyo]

Instructions are very old but still today they work like charm. Solved my problem this way and now windows is working well too. I think we need a proper guide for this kind of problems @ ubuntuforums.

Many thanks for providing this superb solution, it saved my butt, literally..

[Detonate]

I wish I had seen this thread earlier. It would have saved me a lot of work. I have copied the entire thread to my computer for future reference.

Thank you very much.

[toast_kid]

Hi

I just wanted to say thanks for posting this... you saved me a rebuild!

Cheers

[the_flying_os]

i'm having trouble understanding sudo ntfsfix /dev/<device-name>

what do i put in for 'device name'? I put in the name of my hdd and i get:

ubuntu@ubuntu:~$ sudo ntfsfix /media/SQ003938
Mounting volume... Error opening partition device: Is a directory.
Failed to startup volume: Is a directory.
FAILED

[Cato2]

i'm having trouble understanding sudo ntfsfix /dev/<device-name>

what do i put in for 'device name'? I put in the name of my hdd and i get:

ubuntu@ubuntu:~$ sudo ntfsfix /media/SQ003938
Mounting volume... Error opening partition device: Is a directory.
Failed to startup volume: Is a directory.
FAILED

The /media/SQ003938 is not your device name, it's a "mount point" (like a drive letter in Windows, sort of) - you could mount the same disk partition in several places on the Linux filesystem hierarchy (e.g. /tmp/fred, /media/usb_drive, /media/mydrive, etc). See https://help.ubuntu.com/community/Mount for more explanation of the concepts. Device names in Linux always start with /dev, e.g. /dev/sda1.

Since your disk partition was already 'mounted' by Ubuntu, you can just type this into the command line shell:

Code:

df -h

(shows disk free space) or

Code:

mount

- find the line corresponding to your /media/SQ003938 and read out the device name.

For example, here the /backup line is the mount point for /dev/sda5:

Code:

Filesystem            Size  Used Avail Use% Mounted on
/dev/sda2             9.3G  3.2G  5.7G  37% /
varrun                247M  420K  246M   1% /var/run
varlock               247M     0  247M   0% /var/lock
udev                  247M   44K  247M   1% /dev
devshm                247M     0  247M   0% /dev/shm
/dev/sda1             228M  104M  113M  48% /boot
/dev/sda5             683G  518G  138G  80% /backup

Good luck with the recovery.

Incidentally the link by 'Emilyroggers' above is for commercial software that runs on Windows, and not much use if your PC is unbootable.

I had a bad block in the Windows registry on a laptop recently, which stopped me booting the PC. I would have used Ubuntu and GNU ddrescue to recover the whole disk if only my IT department didn't mandate the disk is encrypted - this technique of using an Ubuntu live CD only works with unencrypted disks (unless you use TrueCrypt perhaps). See https://help.ubuntu.com/community/DataRecovery for help with recovering hard disks on Ubuntu, including use of GNU ddrescue (package is 'gddrescue' on Ubuntu, not 'ddrescue' which is a different and less complete program).

[melnichuk]

Nice tutorial, thank you. But what should a user do on a Windows machine if System restore points creation is turned off? In such a case your System Volume Information/_restore{xxx} folder will be empty.
In connection with the Windows viruses and impossibility to start regedit or Windows in whole, sometimes Windows users need to edit the registry from outside. I've found, so far, the only utility in Linux chntpw, which was originally designed to reset passwords, and then acquired the registry editing ability.

Editing the registry:

1. Boot from a LiveCD or install a second system Ubuntu.

2. Install chntpw utility:

Code:

sudo aptitude install chntpw

3. Mount Windows partition:

Find the Windows partition:

Code:

$ sudo fdisk -l

Assume it is on /dev/sda2. Next step is mounting of the partiotion:

Code:

$ sudo mkdir /media/windows 
$ sudo mount /dev/sda2 /media/windows

4. Registry editing

Code:

$ chntpw -l /media/windows/Windows/system32/config/software

Move to registry branch you need, for example:

Code:

$ cd Microsoft\Windows NT\CurrentVersion\Winlogon

and edit a key, for example:

Code:

$ ed Shell

Password resetting:

1. See 1-3 of the previous section

4. Find the user whose password will be changed

$ chntpw -l /media/windows/Windows/system32/config/SAM

5. Password resetting

Code:

$ chntpw /media/windows/Windows/system32/config/SAM -u Administrator

Just cite the places in the registry where they can hide a record of running viruses:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\She llServiceObjectDelayLoad
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The default values in Regedit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe"
"Userinit" = "C:\WINDOWS\system32\userinit.exe"

Check the Explorer.exe file to the presence of double ... the right place for the file is Windows\ but not Windows\System32\ ...