Have you ever experienced an “oops” moment while editing the registry, like, changing the wrong value? And when you restart your computer, Windows fails to start? Lucky for you, you can still edit or repair the registry by using an offline registry editor.
Also, in situations like removing stubborn or locked registry entries due to possible malware infection, editing the registry offline may be your last resort. Continue reading this tutorial and learn how to edit the Windows registry offline.
Come on, and let’s see what else you can break! 😉
Prerequisites
To follow along with this tutorial, be sure you have the following.
- A computer running Windows 10, Windows Server 2016, or later. This article uses Windows 10 version 1909.
- A copy of the Windows installation media. Either a DVD or USB installation media should work.
Offline Registries: Understanding and Editing
One popular way to edit the Windows registry is to use the Regedit utility. This utility is a graphical registry editor that typically allows you to edit the Windows registry while it’s in use. But, you can also use Regedit to edit an offline registry.
An offline registry is a Windows registry that’s stored in files (one for each registry hive) that Windows is not currently using. Each file is stored in a specific location, as shown in the table below.
| Registry Hive | File Path |
| --- | --- |
| HKEY_LOCAL_MACHINE\SAM | %WINDIR%\system32\config\SAM |
| HKEY_LOCAL_MACHINE\SYSTEM | %WINDIR%\system32\config\SYSTEM |
| HKEY_LOCAL_MACHINE\SOFTWARE | %WINDIR%\system32\config\SOFTWARE |
| HKEY_USERS\.DEFAULT | %WINDIR%\system32\config\DEFAULT |
| HKEY_CURRENT_USER | %USERPROFILE%\NTUSER.DAT |
To edit an offline registry, you can use Regedit inside of a special Windows operating environment called the Windows Recovery Environment (WinRE).
While third-party offline registry editors exist, WinRE and Regedit are Microsoft’s officially supported tools. Additionally, WinRE has built-in support for UEFI firmware and BitLocker, which is not available in most third-party tools.
Opening the Command Prompt in WinRE
To edit a Windows registry offline, you must first boot into WinRE and open the command prompt from there. There are a couple of ways to do that, depending on whether you can still get into Windows and whether you have Windows installation media.
From the Windows Power Menu
The easiest and typical method of booting into WinRE is from the Windows power menu. This method applies only if Windows is still bootable or if you can still at least reach the login screen where you’ll have access to the power menu.
Follow the steps below to boot to WinRE using the power menu.
Note: This WinRE boot method will only work if your Windows system drive (e.g., drive C:) is not encrypted with BitLocker. If the system drive is encrypted, skip to booting into WinRE with installation media.
1. If you’re logged in to Windows, press WIN+L on your keyboard to lock the screen.
2. On the lower-right corner of the login screen, click the power button. Next, hold down the SHIFT key on your keyboard and click Restart.
3. At the warning prompt saying that you could lose unsaved work, click Restart anyway. The computer will restart and automatically boot into the WinRE.
Note: If the computer fails to boot into Windows 10 two to three consecutive times, the next boot will enter WinRE automatically.
4. After the computer restarts, you’ll see the WinRE menu similar to the screenshot below. On this page, click Troubleshoot.
5. On the Troubleshoot page, click Advanced options.
6. On the Advanced options page, click Command Prompt.
7. In the Command Prompt window, click your account name to log in.
8. Now, enter your account’s password and click Continue.
Using Windows Installation Media
In cases where Windows is not bootable, another option to access WinRE is booting with the Windows installation media. WinRE comes preloaded on the installation media, whether it is a CD/DVD or a USB drive.
The step-by-step process below demonstrates booting into WinRE using the Windows 10 installation media. Depending on your Windows installation version, the screenshots or steps may differ from what you will see in this example.
1. Insert your Windows installation media (CD, DVD, or USB) and then turn off the computer.
2. Power on your computer and make sure that the computer boots into the installation media.
3. Once the computer boots into the Windows setup, click Next.
4. On the next screen, click Repair your computer.
5. Next, on the Choose an option menu, click Troubleshoot.
6. On the Advanced options menu, click Command prompt.
7. If one or more drives in your computer are BitLocker-encrypted, you will see a prompt to enter the recovery key, similar to the screenshot below. If the drive containing your offline registry files is encrypted, enter the recovery key and click Continue to unlock the drive.
Without unlocking the encrypted drive, you will not have access to the offline registry files.
Finding the Windows Operating System Drive Letter
Now that you’ve booted your computer to the WinRE and have the command prompt open, you can start using Regedit as an offline registry editor.
On a typical Windows installation, you can find the operating system on drive C. But inside WinRE, drive C is assigned to the System Reserved Partition (SRP). The SRP is a hidden partition that you can find immediately before the partition that houses Windows.
First, you have to determine in which drive the Windows installation resides. You can do so by listing the computer’s Boot Configuration Database (BCD). The BCD contains system and operating system startup configuration, including the partition that houses the operating system itself.
To list the boot configuration data, run the bcdedit command in the command prompt.
Under the Windows Boot Loader section, look for the osdevice property value. This value indicates which drive letter has the Windows OS installation. In the example below, the Windows OS is on drive D.
Loading, Editing, and Unloading the Offline Registry
In the previous section, you determined that Windows resides on drive D in WinRE. Now you can fire up the offline registry editor and load the offline registry hives for editing. To load the offline registry hives, follow the steps below.
1. Open the built-in Windows registry editor by running the command below in the command prompt.
regedit
Now you should see the familiar Registry Editor window like the screenshot below. Since you’re in WinRE, the registry hives you’re seeing are the WinRE registry and not your Windows registry. You have to manually load the hives you want to edit, which you will do in the next step.
2. Next, load the registry hive you want to edit. Loading a hive means opening the offline registry file from the Windows OS drive, which will then become visible in the offline registry editor.
To do so, first, click to select the key where you will load the registry hive. You can only load hives under the HKEY_LOCAL_MACHINE and HKEY_USERS keys. The example below selects the HKEY_LOCAL_MACHINE key.
3. After selecting the key, click File —> Load hive on the menu bar.
4. On the Load Hive window, navigate to D:\Windows\System32\config.
Remember that the Windows installation is on drive D in this example, as the bcdedit command showed previously.
Next, select the registry hive file that you want to load. Once you’ve selected the file, click Open. The example below will open the SOFTWARE file, which loads the HKEY_LOCAL_MACHINE\SOFTWARE registry hive.
5. At the next prompt, enter the Key Name you want to assign to the offline registry file and click OK. For clarity, you are not creating a new key. Instead, you’re only setting a label or name to the offline registry hive.
Feel free to use any name that you think would make sense. The example below uses the name OFFLINE_SOFTWARE.
Back on the Registry Editor window, you can now see the offline registry that you’ve loaded into your offline registry editor.
At this point, you can repeat the same steps to load other offline registry files if needed.
After you’ve loaded the offline registry hive, you can now edit the registry in the same manner that you would edit the registry while logged in to Windows.
6. Next, create a new key with the name ATA_WinRE_Regedit. To do so, right-click on the offline registry you want to edit —> click New —> Key. Lastly, type in the name of the new key and press Enter.
7. Once you’ve completed editing the registry, unload the offline registry hive. To do so, (1) click to select the offline registry key, click (2) File —> (3) Unload hive. Lastly, on the confirmation prompt, click (4) Yes.
8. Now, close the offline registry editor and command prompt windows.
9. Now, turn off your computer or boot to Windows.
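The same load, edit, and unload sequence can be done without the GUI using reg.exe from the WinRE command prompt. The script below is an added example, not part of the original tutorial: it reuses the tutorial's OFFLINE_SOFTWARE and ATA_WinRE_Regedit names, and the ".pre-edit" backup file name is an assumption of this example.

```batch
@echo off
rem Added example: reg.exe equivalent of the Regedit load/edit/unload steps.
rem Run from the WinRE command prompt. Key and mount names follow the tutorial;
rem the ".pre-edit" backup file name is an assumption of this example.
setlocal

rem Read the Windows drive from the first "osdevice  partition=D:" line of bcdedit.
set "OSDRIVE="
for /f "tokens=2 delims==" %%A in ('bcdedit ^| find /i "osdevice"') do (
    if not defined OSDRIVE set "OSDRIVE=%%A"
)

rem Stop if no drive was found; otherwise the path below would resolve
rem to WinRE's own hive on the current drive instead of the offline one.
if not defined OSDRIVE (
    echo Could not read osdevice from bcdedit.
    exit /b 1
)
set "HIVE=%OSDRIVE%\Windows\System32\config\SOFTWARE"
if not exist "%HIVE%" (
    echo "%HIVE%" not found. Unlock the drive or check the drive letter.
    exit /b 1
)

rem Keep an untouched copy of the hive so a bad edit can be rolled back.
if not exist "%HIVE%.pre-edit" (
    copy "%HIVE%" "%HIVE%.pre-edit" >nul || exit /b 1
)

rem Mount the offline hive under HKLM, make the edit, show it, then always unload.
reg load HKLM\OFFLINE_SOFTWARE "%HIVE%" || exit /b 1
reg add HKLM\OFFLINE_SOFTWARE\ATA_WinRE_Regedit /f
set "RC=%ERRORLEVEL%"
reg query HKLM\OFFLINE_SOFTWARE\ATA_WinRE_Regedit
reg unload HKLM\OFFLINE_SOFTWARE || set "RC=1"
exit /b %RC%
```

To roll back, copy the .pre-edit file over SOFTWARE while the hive is unloaded.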
Verifying your Offline Registry Changes
Once you’ve restarted your computer and successfully logged in to Windows, the next step is confirming that the changes you made in the offline registry persist. Follow the steps below.
First, open the registry editor. To do so, press WIN+R on your keyboard to open the Run dialog. Next, type in regedit in the Open box and press Enter or click OK.
Once you’re in the Registry Editor window, navigate to the hive you edited previously and confirm that your change is there. In this example, the item to verify is the ATA_Offline_Regedit key under the HKEY_LOCAL_MACHINE\SOFTWARE hive.
Remember that when you loaded the offline registry hive into a new key while in WinRE, you assigned a label named OFFLINE_SOFTWARE. That key was only temporary while in WinRE and does not carry into the active registry in Windows.
Conclusion
Knowing how to edit the registry offline can save your bacon, especially if you’ve made a mistake and corrupted the registry. Whether the computer still boots up or not, or if the drive is encrypted, you can still use Regedit to edit the Windows registry offline.
Apart from editing the registry offline using Regedit, do you think you can back up and import the registry offline too? What other actions do you think are possible with the offline registry?