Hello World,
Today, I’ll post another quick and dirty trick on how to access the registry in offline mode. You might be wondering why would you do that. It’s not something that you will be doing on a regular basis. This tip might help you rolling back to a running system after you’ve made a registry change on the system and fails to boot correctly. In my case, I had to use this approach in order to remove some software on systems.
As long as the system was running, I was not able to remove some registry key from the system. The software was using these registry keys and there was no way to delete them. We tried to remove them by booting the system in Safe Mode but the result was exactly the same. The final option we had was to access the registry while the system was offline. This last approach did the trick.
How To Access in Offline Mode the registry of a system ?
Step 1 – Boot your system using WINPE
To access you system offline, you will need to boot from a bootable media containing WINPE files.
As you probably know, WINPE is a shrinked down version of Windows Operating system that run in memory of the system. Using WinPE, you will be able to access the file system and edit the registry settings. WINPE is freely available and is part of the WAIK (Windows Automation INstallation Kit). The WAIK is quite a big downloa (2 GB).
If you do not want to download this huge file, you can always use your Windows Vista/7 DVD. You boot from the media of your choice and you select the option “Repair Windows…”
Click to enlarge picture
Note : for this post, I’ll be using a custom WINPE media but the process should be quite similar.
To boot your system in WINPE mode, perform the following actions:
- insert the winpe media on the system you want to edit the registry
- WinPE File is loading into memory
Click to enlarge picture
- When you see the command prompt , you can type “regedit”
Click to enlarge picture
- The registry Editor is open
Click to enlarge picture
Step 2 – Load and Unload Registry Hives
At this stage, you can see the registry of the WINPE. This is not the registry that we want to modify ( !! this is the WINPE registry !!). To access the offline registry, we first need to load the hives containing the registry of the system.
We will first load the System Hive into the registry Editor tool. To do that, you perform the following actions :
- Select the HKey_Local_Machine node
- From the File Menu, select the option “Load Hive….”
Click to enlarge picture
- The Windows Explorer opens. You have to identify the partition holding the system that you need to work on. In my case, the partition where the registry hives are located on the D drive.
Click to enlarge picture
- The registry hives are stored in the following location : %systemroot%\system32\config
- You will see multiple files. Because we want to load the HKLM\SYSTEM node, we will select the SYSTEM File. However, before doing this, we will make a copy of the file we want to modify. This is for rollback scenario. When you click on the open button, you will be prompted to enter a name in for the hive you are loading…
Click to enlarge picture
- If you select and expand the Hive you’ve just loaded, you will notice that there is no CurrentControlSet Node. You will only see CurrentControlSet001 and . To know which one is active, you need to click on the “Select” key (under the loaded hive) and check the value stored in the Current DWORD entry.
- If the value is 1, you need to update CurrentControlSet001
- If the value is 2, you need to update CurrentControlSet002
Click to enlarge picture
- If you need to update the HKLM\Software node, you need to load another hive (located in %systemroot%\system32\config\Software)
- Simply perform the changes you need, close your registry editor when done and reboot. If everything went fine, you will get the modified values presented in your online system.
Final Words
As you can see, offline registry access is possible and not too complex. You will probably rarely (even never) use this tip. However, in case you need to perform such operation, you should now be able to perform the requested operation and debug or recover a system by using this approach
Till next time
See ya
Hi,
Can you please advice me on a problem I am facing while trying to edit a registry offline?
I am trying to change the IP address of an offline VM. But, once I have made changes in the registry – System\ControlSet001\Services\Tcpip\Parameters\Interfaces\GUID , I try to boot the system and I see that dual IP has been assigned to the VM in the Network settings advanced option, even when I have over-written the IPAddress. The newly assigned IP has has been showing as a secondary IP and the old IP is the primary IP. Is there a way to delete the traces of the old IP?
Please advice.
Hello Manish,
I do not understand what you are trying to do…Why do you need to edit registry offline to change the ip address ?
What’s the offline vm used for ? is this a vm template and you use this to deploy new virtual machine ?
would it be easier to create a script that would change the ip
hope this help and waiting for more info/feedback
till next time
See ya
Hi Griffon,
Thanks a lot for your reply. I am trying to do a fail-over to a replicated machine. In doing so I need to configure the network and the ip-address of the replicated machine. So I am mounting the vmdk locally using vddk api and then I am trying to change the ip-address of that machine. Once I change the IP-address and power on the VM, dual IP is assigned to the machine where in the old IP is set as the primary one and the new IP is set as the secondary one. So I need to delete the traces of old IP and set the newly assigned IP as the primary IP.
Hoping for a reply.
Hi Griffon
Just another update. All this time I was trying to do it programmatically and it was assigning dual ip address in the Network settings advanced option. So I tried it manually by attaching the vmdk file to another VM. I made the registry changes manually to the offline VM and when I power on the machine, I observe that the same thing has happened. So this occurs when I try to change the IP address of a offline VM.
Hope for a positive reply.
Hello There,
I think the registry approach is probably not the way to go.. I would personnally right a script that would change ip address when you boot or startup the replicated machine. In this way, you can either clear all ip addresses and set the specified one or assign 2 ip addresses are required
If you machine is Windows and you have powershell, this can be achieved quite easily. If you have a legacy windows (and thus no powershell cmdlet related to ip addresses operations) you can always use the netsh approach
Hope this help
Till next time
See ya
thank you for the information given, my insight has increased because of this. this information is very useful, if this method fails what other methods will be given?
thank you, because it greatly adds insight to me and has also overcome the problems that I have experienced so far
@Ridwan,
Thank for the vist and the positive comments. always happy to see that some posts are useful around the world
till next time
See ya
2997/5000
thank you writer. keep the passion in writing I like this article well to add knowledge that I did not know before. How else do you complete this process especially for beginners?