Registry Reanimator
Version 1.03
1. Introduction
Registry Reanimator is a structure analyzer for Windows NT/2000/XP registry hive files. With it you can restore operating system startup when one or more hive files are corrupted so badly that the operating system is no longer able to boot.
Command line syntax:
ReHive <hive>|@<list> [/a] [/c] [/l|/ln|/l:<log>] [/m] [/o:<out>] [/p:<path>] [/s|/s:<drv>] [/t]
where:
<hive> - hive filename, for example SYSTEM, SYSTEM.ALT, SOFTWARE, SAM, SECURITY, USERDIFF, or the user profile hive NTUSER.DAT; the wildcards «*» and «?» are also supported; the filename must include its complete path, for example «C:\WINDOWS\SYSTEM32\config\software»;
<list> - name of a list file enumerating the registry files to be processed by the analyzer;
/a - autorepair mode;
/c - «check only» mode;
/l - write a log file named «rehive.rrl»;
/ln - write a log file named after the input file, with the «.rrl» extension;
/l:<log> - write a log file with the specified name <log>;
/m - disable the mouse;
/o:<out> - write the output file under the specified name <out>;
/p:<path> - write the output file to the specified destination path <path>;
/s - search all fixed disks;
/s:<drv> - search only the drives given in the list, for example /s:c,d,e;
/t - TTY (text console) output mode.
When Registry Reanimator is started without parameters, search mode is used.
System requirements for running Registry Reanimator:
- OS: Windows NT/2000/XP, Windows 95/98/Me or DOS (it must be possible to boot the OS from an alternate disk partition or from another drive: CD-ROM, floppy, ZIP drive or LS-120, USB flash disk, etc.);
- 2.5 MB of RAM plus memory equal to the size of the hive file being checked;
- 80386-compatible CPU or higher;
- VGA-compatible video adapter;
- keyboard;
- removable media drive (if writing to the system hard disk is not possible);
- HIMEM.SYS extended memory manager or compatible (under DOS).
For effective and fast operation of Registry Reanimator, what is really required from the computer and its file system is write access to the system disk partition, and from the user, knowledge of where the damaged hive files are located on the system partition. When the file system grants only read access (the typical case: an NTFS partition accessed from DOS), Registry Reanimator can write the corrected hive file to removable storage, splitting the output file into parts according to the free space on each medium.
2. A brief review of the registry structure
The internal format of a hive file does indeed resemble a beehive. The hive is divided into frames (hive bins, in Microsoft's terminology) filled with cells. Every structural unit (cells, frames, and the hive as a whole) has its own header. Cells serve various purposes: registry keys, lists of keys, value blocks, value data blocks and security blocks. All cells are connected by a system of links; analyzing these links makes it possible to restore the integrity of a damaged file and, possibly, to rescue the information that remains in it.
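Checking the structure described above is mechanical work, and the messages listed in section 4 map directly onto individual consistency checks. The script below is an added example written for this edition, not code from Registry Reanimator or K&A Lab. It constructs a minimal hive in memory (a 4096-byte «regf» header and one «hbin» frame holding a root key, an «lf» subkey list, one child key, one value and its value list; no security cells) and runs a subset of the section 4 checks over it: file size alignment, header signature and checksum, frame signature, offset and length, cell sizes, the root parent offset, the subkey counter against the list contents, cross-linked key cells, and value list consistency. Field layouts follow the publicly documented «regf» format, which this page does not spell out, so they are the example's assumptions rather than the page's claims. Two details a practitioner should know: the header check that the messages call a «CRC» is, in the on-disk format, an XOR of the first 127 dwords of the header, and cell sizes are signed, negative for allocated cells and positive for free space. The «demo» function shows a clean hive passing and a corrupted copy (one header byte flipped, root subkey counter forged) being reported with the same message names the tool uses.

```python
import functools, operator, struct

HBIN_BASE, NONE = 0x1000, 0xFFFFFFFF   # frames start after the 4 KiB header; NONE = "no cell"

def cell(payload):
    """Allocated cell: negative int32 size (4-byte header + payload) rounded up to 8 bytes."""
    size = -(-(4 + len(payload)) // 8) * 8
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")

def nk(flags, parent, nsub, sublist, nval, vlist, name):
    """Key cell ('nk'). Security and class offsets are NONE: this sample carries no 'sk' cells."""
    return struct.pack("<2sH8xI9I20xHH", b"nk", flags, 0, parent, nsub, 0, sublist,
                       NONE, nval, vlist, NONE, NONE, len(name), 0) + name

def header_checksum(hdr):
    """XOR of the first 127 dwords of the header (the tool's message calls it the header CRC)."""
    x = functools.reduce(operator.xor, struct.unpack_from("<127I", hdr))
    return x if x not in (0, NONE) else x ^ 1   # 0 is stored as 1, FFFFFFFFh as FFFFFFFEh

def build_hive():
    """Constructed sample: header + one frame holding root nk, 'lf' list, child nk, vk, value list."""
    def layout(o):                               # o maps cell name -> offset relative to frame area
        return [("root", nk(0x2C, NONE, 1, o["lf"], 1, o["vl"], b"ROOT")),
                ("lf", struct.pack("<2sHI4s", b"lf", 1, o["child"], b"Chil")),
                ("child", nk(0x20, o["root"], 0, NONE, 0, NONE, b"Child")),
                ("vk", struct.pack("<2sHIIIHH", b"vk", 7, 0x80000004, 1, 4, 1, 0) + b"Enabled"),
                ("vl", struct.pack("<I", o["vk"]))]
    o = dict.fromkeys(("root", "lf", "child", "vk", "vl"), 0)
    for _ in range(2):                           # pass 1 learns cell sizes, pass 2 writes real offsets
        pos, body = 0x20, b""
        for name, payload in layout(o):
            o[name], c = pos, cell(payload)
            body, pos = body + c, pos + len(c)
    free = 0x1000 - pos                          # rest of the frame is one free (positive size) cell
    body += struct.pack("<i", free) + bytes(free - 4)
    hdr = struct.pack("<4sII8xIIIIII", b"regf", 1, 1, 1, 3, 0, 1, o["root"], 0x1000)
    hdr = bytearray(hdr.ljust(0x1000, b"\0"))
    struct.pack_into("<I", hdr, 0x1FC, header_checksum(hdr))
    return bytes(hdr) + struct.pack("<4sII", b"hbin", 0, 0x1000).ljust(0x20, b"\0") + body, o

def check_hive(buf):
    """Return the detected damage names (section 4 wording); an empty list means a clean hive."""
    errs, cells, seen, pos = [], {}, set(), HBIN_BASE   # cells: relative offset -> cell payload
    def bad(cond, msg):                          # record msg when cond holds; callers may bail out
        if cond:
            errs.append(msg)
        return cond
    bad(len(buf) % 0x1000, "Size of hive file not aligned")
    if bad(len(buf) < 0x1000 or buf[:4] != b"regf", "Invalid hive file signature"):
        return errs
    bad(header_checksum(buf) != struct.unpack_from("<I", buf, 0x1FC)[0], "Invalid hive header CRC")
    root, hsize = struct.unpack_from("<II", buf, 0x24)
    if bad(hsize % 0x1000 or HBIN_BASE + hsize > len(buf), "Invalid size info"):
        return errs
    while pos < HBIN_BASE + hsize:
        sig, off, size = struct.unpack_from("<4sII", buf, pos)
        if (bad(sig != b"hbin", "Invalid frame signature")
                or bad(size % 0x1000 or pos + size > HBIN_BASE + hsize, "Invalid frame length")):
            return errs
        bad(off != pos - HBIN_BASE, "Invalid frame offset")
        p = pos + 0x20
        while p < pos + size:
            n = struct.unpack_from("<i", buf, p)[0]   # negative = allocated, positive = free
            if bad(abs(n) < 8 or abs(n) % 8 or p + abs(n) > pos + size, "Invalid cell size"):
                return errs
            if n < 0:
                cells[p - HBIN_BASE] = buf[p + 4:p - n]
            p += abs(n)
        pos += size

    def key(off, parent):                        # recursive walk of the key tree from the root
        c = cells.get(off, b"")                  # seen.add() returns None: a new offset is recorded and passes
        if bad(off in seen or seen.add(off), "Cross linked data") or bad(
                c[:2] != b"nk" or len(c) < 0x4C, "Data block is not a key cell"):
            return
        parent_off, nsub, _, sublist, _, nval, vlist = struct.unpack_from("<7I", c, 0x10)
        bad(parent_off != (NONE if parent is None else parent), "Incorrect root parent offset"
            if parent is None else "Invalid descendent-key data: parent offset does not match")
        lst = cells.get(sublist, b"")            # 'lh', 'li' and 'ri' lists are not handled here
        if nsub and not bad(lst[:2] != b"lf", "Descendent-key list cell has impossible signature"):
            cnt = struct.unpack_from("<H", lst, 2)[0]
            bad(cnt != nsub, "Descendent-key counter not match real descendent keys")
            for i in range(min(cnt, (len(lst) - 4) // 8)):   # walk what the list holds, not nsub
                key(struct.unpack_from("<I", lst, 4 + 8 * i)[0], off)
        bad(nval and vlist not in cells, "Erased value list: null offset")
        for i in range(min(nval, len(cells.get(vlist, b"")) // 4)):
            v = cells.get(struct.unpack_from("<I", cells[vlist], 4 * i)[0], b"")
            if not bad(v[:2] != b"vk" or len(v) < 0x14, "Invalid value signature"):
                dsize, doff = struct.unpack_from("<II", v, 4)   # bit 31 of dsize: data kept inline
                bad(not dsize & 0x80000000 and doff not in cells,
                    "Invalid value structure: null data offset")
    key(root, None)
    return errs

def demo():   # the clean sample passes; a flipped header byte and a forged subkey counter are reported
    hive, o = build_hive()
    bad = bytearray(hive)
    bad[0x30] ^= 0xFF                            # inside the checksummed part of the header
    struct.pack_into("<I", bad, HBIN_BASE + o["root"] + 4 + 0x14, 5)   # root now claims 5 subkeys
    return check_hive(hive), check_hive(bytes(bad))
```

To try it on a real hive, call check_hive(open(path, 'rb').read()). «lh», «li» and «ri» subkey lists, which do occur in real hives, are not handled by this example and are reported with the list signature message, so from this script that message means «unsupported list type», not damage.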
3. Working with Registry Reanimator
The analyzer window shows the stages and progress of the hive file check, the current position inside the file, and the text name of the key currently being checked. The screen interface consists of buttons and messages. Move between buttons with the arrow keys and press the selected button with «Enter». Each screen button also has a hotkey, shown as the character highlighted in white; hotkeys give faster access to the functions behind the buttons. Messages report on the progress of the check or appear when an operation cannot proceed without user confirmation: choosing an action when an error is detected, choosing the storage for the results, or confirming that removable media has been inserted. Messages also contain screen buttons, used as described above.
At any moment the check can be paused with the «Pause» button and resumed with the «Resume» button. The «Exit» button stops the operation immediately.
An error message consists of the error name, a text description of the error and five screen buttons: «Fix», «Fix All», «Skip», «Skip All» and «Stop». If the description does not fit in its field of the message form, the user can scroll the text vertically with the «Up» and «Down» arrow keys. «Fix» corrects the error found in the registry structure, after which the file check continues. «Fix All» also corrects the error found, but from then on all errors of that type are corrected automatically without further prompting. «Skip» skips the error found, after which the check continues. «Skip All» also skips the error found, but from then on all errors of that type are skipped automatically without further prompting. «Stop» interrupts the check: the error found is not corrected, and the analyzer stops with a final message about the location and type of the last error found. The same happens when an unrecoverable error is detected, or in situations unrelated to the registry structure (file and memory operation failures). The final message is not shown when the analyzer has checked several files given by a list or by wildcards on the command line.
If the structure of the hive file has been changed, you will be asked to confirm saving the results when the check completes. The file can be saved in two ways, selected with the corresponding buttons in the «File Save» message: «Overwrite» and «Disk». The «Cancel» button discards the results. «Overwrite» first attempts to back up the original file (giving it the .BAK extension) and then writes the new file, with the changes made, under the original name. If the backup cannot be created or the new file cannot be written (in particular, for lack of write permission), a message is displayed and the process continues along the «Disk» branch. After pressing «Disk», a message lists the attached drives and lets you choose one to save the data to; here too «Cancel» discards the results. The «Select Drive» button activates a marker in the drive list, which is moved with the «Up» and «Down» arrow keys. Pressing «Enter» selects the drive, and the corrected file is written under its original name to the root directory of that drive. If the selected drive is inaccessible, has insufficient free space, or the file cannot be saved for any other reason, a message is displayed and you are asked to select a drive again. If you selected a removable drive and the current medium cannot hold the whole file, the data is divided into portions, each sized to the free space on its medium. The first file gets the extension «.000», the second «.001», and so on.
On the last removable medium a batch file REHIVEC.BAT is also generated, containing the command that assembles the target file from the saved portions. All the user has to do is copy all the data chunks from all the media into one directory and run the supplied batch file.
Besides the pseudo-window mode, the analyzer also has a text console (TTY) mode with no interface controls, in which a sequential stream of messages is printed on the screen. When necessary the stream pauses, waiting for a shortcut key to be pressed. All message texts and shortcut keys are the same as in the pseudo-window interface. Text mode is selected with the «/t» command line switch.
Autorepair mode is selected with the «/a» switch: all detected errors are corrected automatically, after which the source file is overwritten using the «Overwrite» mode described above. «Check only» mode is selected with the «/c» switch: automatic correction of all detected errors is simulated, after which the operation stops without proceeding to save the result. The «/o:<out>» switch redefines the name under which the corrected file is saved (specify the filename in place of <out>); this switch applies only to «Overwrite» mode. The «/p:<path>» switch defines the folder into which the corrected file is placed (specify the folder name in place of <path>). If the folder given by <path> differs from the source file's folder, the file save confirmation window is not displayed. The «/l» switch and its variants write a text protocol of the operation to disk: «/l» writes the protocol to the file «rehive.rrl» in the current directory; «/ln» writes to the current directory a log file named after the input file with the «.rrl» extension; «/l:<log>» writes the protocol to the file named by <log>.
Search mode operation: when the analyzer is started without command line parameters, the computer's hard disk is searched for folders containing Windows registry files. The list of folders found is displayed on the screen. A folder is selected with the «Select» screen button. The full name of a folder or of a registry file can be entered by hand with the «Manual» screen button. The «Help» screen button shows the command line parameters of Registry Reanimator.
When the analyzer is started with the «/s» switch, Windows registry files are searched for on all partitions of all hard disks. The search is performed by the file's start signature.
When the analyzer is started with the «/s:<drv>» parameter, the search is performed on all drives given in the list.
Batch mode operation: to support batch operation the program returns exit codes, which can be handled with the batch command «if errorlevel ...». The following codes are supported:
0: Processing is completed without error detection;
1: Processing is completed with error detection;
2: Command line syntax error;
3: Initialization error.
For testing in batch mode, use the «/c» switch and analyze the return code. For correcting registry files in batch mode, use the «/a» and «/t» switches. Note that «if errorlevel N» is true for any exit code greater than or equal to N, so test the codes in descending order (3, 2, 1) or the lower tests will swallow the higher codes.
Examples of command line switches:
rehive.exe c:\winnt\system32\config\software
(processing of the registry file «software» in interactive mode)
rehive.exe @e:\work\testlist /a /l /t
(processing of the files named in the list, in text automatic mode, writing the log «.\rehive.rrl»)
for %v in (c:\winnt\system32\config\*.) do rehive %v /o:e:\%~nv.new /l:e:\%~nv.log /t
(processing, in text mode, of the extensionless registry files in the Windows registry folder using the «for» batch command, writing the corrected files to drive E:\ under their original names with the «.new» extension and a separate log for each file under its original name with the «.log» extension; when this line is placed in a batch file rather than typed at the prompt, write %%v and %%~nv)
4. Messages about damage to the file structure
When an incorrect, damaged or missing unit of the hive file structure is detected, the analyzer shows an error message on the screen with a text description. If the user decides on «repair», the analyzer corrects the suspicious structural unit in the simplest way, without choosing between restoration variants. As a result some data inside the hive file may remain unused, but it is not destroyed. Algorithms for intelligent retrieval of data inside a damaged file may be implemented in later versions of the analyzer. The purpose of the current version is to produce a correct hive file in place of the damaged one, preserving as much of the data as it can. To make sure that the hive file has been corrected, check the corrected file once more: no structural damage should be detected during the repeated check.
The messages and their damage descriptions:
- <Size of hive file not aligned>: «The hive file is assembled from fixed-size frames, so its size must be divisible by 1000h (4096)».
- <Invalid hive file signature>: «A true hive file has a special signature in its first four bytes. Make sure that the file you are checking really is a hive file».
- <Invalid hive header CRC>: «The initial part of the hive file header is protected by a check code (called a CRC in this message), but here the header data, the check code, or both are damaged».
- <Invalid start offset>: «Damaged offset to the first data cell in the hive file header».
- <Invalid size info>: «Damaged hive size value in the hive file header».
- <Invalid file version>: «Damaged version value in the hive file header».
- <Broken hive header>: «Damaged data in the hive file header».
- <Invalid frame signature>: «Each frame inside the hive file has a special signature in its first four bytes, but here the frame header is damaged».
- <Invalid frame offset>: «Each frame header records the frame's offset from the beginning of the data, but here the frame header is damaged or the frame is shifted».
- <Invalid frame length>: «Each frame header records the length of the frame data, but here the frame header is damaged».
- <Invalid cell size>: «Each cell inside a frame has a small header with the length of the cell data, but here this value is damaged».
- <Cell size is too large>: «Each cell inside a frame has a small header with the length of the cell data, but here this value is suspicious».
- <Incorrect root parent offset>: «The root cell cannot have any parent offset except FFFFFFFFh».
- <Invalid descendent-key data: parent offset does not match>: «Each key has a pointer to its parent key, but here the two values are not equal».
- <Invalid descendent-key list structure: null offset>: «Normally each key has a list of pointers to its child keys, but here one of these pointers is undefined».
- <Descendent-key list cell has impossible signature>: «Normally each key has a list of pointers to its child keys, but here the list cell has an impossible signature».
- <Data block is not a key cell>: «Normally each key has a list of pointers to its child keys, but here one of the key cells has an impossible signature».
- <Descendent-key counter not match real descendent keys>: «Each key records the count of all its child keys, but here this counter and the real number of child keys are not equal».
- <Suspicious descendent-key pointer list: zero capacity>: «The list of pointers to child keys has a zero internal counter».
- <Erased value list: null offset>: «The key has a non-zero value counter but an undefined value-list pointer».
- <Orphan value list: zero counter>: «The key has a valid value-list offset but a zero value counter».
- <Invalid value list structure: null offset>: «Normally each key has a list of pointers to value cells, but here one of the pointers is undefined».
- <Invalid value signature>: «Normally each key has a list of pointers to value cells, but here one of these cells has an impossible signature».
- <Default value already exist>: «Each key has only one default value, the value without a symbolic name».
- <Invalid default value attribute: symbolic name present>: «Each value has a special tag, the name presence flag, but for the default value this flag is impossible».
- <Invalid value structure: zero data field length>: «Each value cell has a special record, the value data length, which cannot be zero».
- <Invalid value structure: data field length too large>: «Some value cells hold their (very short) data internally, but here the value data length record has an impossible entry».
- <Invalid value structure: null data offset>: «Each value cell has a pointer to its data cell, and this pointer cannot be undefined».
- <Orphan segmented-value list: zero counter>: «The segmented-value header has a valid segment-list offset but a zero segment counter».
- <Erased segmented-value list: null offset>: «The segmented-value header has a non-zero segment counter but an undefined segment-list pointer».
- <Invalid segmented-value list structure: null offset>: «The list of segmented-value segments has an undefined pointer».
- <Incorrect segmented-value size>: «The segmented-value length record does not match the real data size».
- <Null offset to security block>: «Each key has a pointer to a security cell, and this pointer cannot be undefined».
- <Invalid security block signature>: «Each key has a pointer to a security cell, but here this cell has an impossible signature».
- <Invalid security block structure: null offset to previous or next>: «Each security cell has two pointers linking it into the chain of security cells, but here one or both of these pointers are undefined».
- <Invalid offset>: «A pointer to another data cell cannot be considered correct for any of the following reasons: odd offset value; non-aligned offset value; offset value referring to a missing or unused cell».
- <Binary data overlapped>: «The size of the cell is less than the length of the data inside it».
- <Cross linked data>: «No cell except a security block can have multiple references to it».
5. Examples of Registry Reanimator usage
Initial symptoms: the OS loading process stops with a message on a «blue screen» or «black screen» about damage to or absence of a hive file or its log (other messages are possible as well).
Fault definition: damage to the information inside one or more hive files, possibly together with damage to or absence of the corresponding logs, or complete absence of one or more hive files.
Fault causes: hardware failure of the hard disk or its controller, an unstable driver, or power loss before the computer was shut down properly.
Possible remedies: restoring the system registry from a backup copy, reinstalling the operating system together with all software, or using Registry Reanimator.
The usage order:
a) Boot an alternate operating system from alternate storage.
b) Obtain access to the hard disk partition holding the damaged registry (for example, using the NTFSDOS driver to access an NTFS partition under DOS).
c) Start Registry Reanimator with the complete name of the damaged file as the command line parameter. The complete name of the damaged hive file can be found in the «blue screen» or «black screen» message; there, SystemRoot stands for the Windows root directory, for example C:\WINNT or C:\WINDOWS. Keep a copy of the original damaged file before letting the analyzer overwrite it: «Overwrite» mode attempts a .BAK backup, but that attempt fails when the partition is read-only.
d) Write the corrected file to its regular place. If Registry Reanimator is able to perform this step, the operation is finished.
e) Otherwise write the corrected file to other storage and move it to its regular place by whatever means of writing to the system partition are available.
Note: if the alternate operating system used does not support writing to the system partition containing the damaged registry, or does not support that partition's file system at all, Registry Reanimator cannot solve this problem by itself.
User profile restoring order:
a) Log on to the system with another account, or obtain access to the system partition over the local network.
b) Locate the NTUSER.DAT file in the directory structure of the user profile.
c) Start Registry Reanimator with the complete name of the damaged file as the command line parameter.
6. Difficulties with Registry Reanimator
Access to the damaged file can be one of the obstacles in working with the analyzer. Development and delivery of a loader and drivers for universal access to hard disks (with their various file systems) is not currently planned within the Registry Reanimator project. If using an alternate operating system is a problem for you, you will have to solve it yourself. Also, as mentioned in section 4, part of the data in a restored file may be excluded from use, though not irrevocably. Future versions of the program are planned to improve the information restoring algorithms as far as possible.
(c) K&A Lab.
2005