XP Backup Problem -- Using ERUNT program -- Cannot Backup "Default"

Anonymous User

Hi. Posted over a week ago but quickly got buried on this busy board.
Trying again ... thanks.

QUERY: Why would ERUNT (registry backup/restore freeware) have trouble
backing-up the "Default" file in the Registry?

Background: I have a Dell 4550 PIV 2.4 ghz Windows XP system with 512
MB RAM. About two months ago I had a STOP error and Windows could not
use one of the registry hive files ("System" if I'm not mistaken). I was
able to use the recovery console to restore to an earlier registry found
in the restore point folders. It was a harrowing experience and not at
all for the faint of heart ;-) Fortunately I had a laptop that allowed
me to find the MS Knowledge Base article #307545 "How to Recover from a
Corrupted Registry that Prevents Windows XP from Starting." Whew ...

Details: So ... after checking out this newsgroup, I've heard about
ERUNT (freeware registry backup and restore program which would automate
what I did through the Recover Console and make restore without Windows
starting much easier). FYI:

http://home.t-online.de/home/lars.hederer/erunt/index.htm

I note that Alex Nichol (MS MVP) recommended it in this newsgroup. As
far as I can tell, there are virtually no complaints or problems noted
in its use. I was game ... but I've found that when I attempt to use
it, it can backup EVERYTHING in the registry EXCEPT for the file called
"Default." It gives me an error saying it could not backup that file
and asks me if I want to continue. If I do, I get everything
(apparently) but that file which shows a "0 KB" size in the default
directory for the backup/restore files for ERUNT. It happens EVERY time
I run it. XP's own System Restore hasn't ever complained about anything.

Questions: I would guess that this has to do with XP using the file
(like I couldn't just go and back it up myself by copying the file), but
why ONLY that file? Could using SAFE MODE possibly work to avoid
conflicts? I'm not so familiar with how things work to know whether or
not running a program like this from within Safe Mode for a backup of
the registry would be a problem or not (i.e., give me a decent, usable
backup).

Thank you in advance. BTW, I e-mailed the creator of ERUNT weeks ago but
have not heard back ... understandably, he's got other worries but I did
go there first.

Werdhi
 
Guest

If you do not have Administrative rights, you cannot do that, ERUNT will not work.
It only works for the Administrator.
 
Anonymous User

Byte said:
If you do not have Administrative rights, you cannot do that, ERUNT will not work.
It only works for the Administrator.

Thanks for the reply. Good thought, however, my account is set up as
"computer administrator," so that's not it. ERUNT does work in that it
does everything it is supposed to do (as far as I can tell) *except*
copy that one file called "default."
 
Wesley Vogel

Werdhi;

Detailed information (English)
ERUNT - The Emergency Recovery Utility NT
http://home.t-online.de/home/lars.hederer/erunt/erunt.txt

(Technical information: ERUNT saves only registry files which are in
use by the system. It obtains information about these files from
registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
Hivelist. Registry hives not listed there, for example those
of other users of the computer, cannot be saved by ERUNT.)
 
Anonymous User

Wesley said:
Werdhi;

Detailed information (English)
ERUNT - The Emergency Recovery Utility NT
http://home.t-online.de/home/lars.hederer/erunt/erunt.txt

(Technical information: ERUNT saves only registry files which are in
use by the system. It obtains information about these files from
registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
Hivelist. Registry hives not listed there, for example those
of other users of the computer, cannot be saved by ERUNT.)

Hello Wesley. Thank you for your reply. Yes, I have seen the detailed
text file (which also installs with the program). It also says the
following:

"- System registry: The current system registry, usually consisting of
the files DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM."

So, the current SYSTEM registry would *usually* consist of those listed
files -- including "DEFAULT." I guess the question is partly then,
under what *UNusual* conditions would DEFAULT file not be considered
part of the current system registry (perhaps that is so in my case ...?)

Also I see that the information (as you quote above) says that ERUNT
only saves registry files which are in USE by the system (presumably
anything in use would indicate that they were necessary system registry
files ...?). So is this to suggest that perhaps DEFAULT is not in use?

Tracking down the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist as noted in
the ERUNT information, I see that my file DEFAULT is *listed* in the
hivelist BUT it appears as \REGISTRY\USER\.DEFAULT

That is to say, it has a "." before the name. I've got no idea why it
is the only one with that or if that is out of the ordinary. Everything
appears to be working fine with my system since I had a Stop Error a few
months ago. But that MIGHT be it if ERUNT is looking for the file
without that "." before the name.

Any thoughts?

TIA
 
Anonymous User

OOPS ... I should note that the actual file located at
<C:\WINDOWS\SYSTEM32\CONFIG\default> does NOT have a "." before the file
name; it appears just as I note here (just like the other hive files). I
just checked that. It is only the reference in the Registry itself
under "Name." The "Data Value" is the path showing the file without "."
before the file.

Hmm ...
 
Wesley Vogel

.DEFAULT is correct.
HKEY_USERS\.DEFAULT
Note the "." before DEFAULT
=============

I found these in my archives (fancy word, huh?)

HKEY_USERS - This branch contains individual preferences for each user of
the computer, a SID sub-key located under the main branch represents each
user.

HKEY_USERS. Information for all users. If you configured Windows XP for
multiple users, each has a subkey under this key. When the user logs on, the
user's subkey becomes HKEY_CURRENT_USER.

HKEY_USERS
Contains the root of all user profiles on the computer. HKEY_CURRENT_USER
is a subkey of HKEY_USERS.

HKEY_USERS
Holds all user specific settings for all users. If there's only one user,
there's mainly the ".default" key, mirrored at HKEY_CURRENT_USER. For
simplicity, ignore this hive key if not needed, and use HKCU.
==========

The HKEY_USERS\.DEFAULT branch of the Registry is used as a template for
newly added users.

HKEY_USERS\.DEFAULT
The settings in this key apply to all new users, their user profiles are
created from this profile. It includes all environment, screen, sound, and
other user-related functions.
===========

Also, I believe HKEY_USERS\.DEFAULT is used until someone logs on.
Then HKEY_CURRENT_USER takes over.
For me that would be:
HKEY_USERS\S-1-5-21-1708537768-1580436667-1202660629-1003
and
HKEY_USERS\S-1-5-21-1708537768-1580436667-1202660629-1003_Classes

I am the only user.
===========

HKEY_USERS\.DEFAULT would not be in use if you are logged on.
========

Here's what ERDNT copies for me:
I checked the Other open user registries
and [No registry files found to save for other users.]

C:\ERDNT 19 Mar 2004
Users
default
ERDNT.EXE
ERDNT.INF
ERDNTDOS.LOC
ERDNTDOS.OVL
ERDNTWIN.LOC
ERDNTWIN.OVL
SAM
SECURITY
software
system

C:\ERDNT 19 Mar 2004\Users
S-1-5-21-1708537768-1580436667-1202660629-1003
S-1-5-21-1708537768-1580436667-1202660629-1003_Classes

C:\ERDNT 19 Mar 2004\Users\S-1-5-21-1708537768-1580436667-1202660629-1003
NTUSER.DAT

C:\ERDNT 19 Mar
2004\Users\S-1-5-21-1708537768-1580436667-1202660629-1003_Classes
UsrClass.dat
 
Wesley Vogel

Werdhi;

I have XP Pro. It's the same for me.
Was the same when I had XP Home also.
So, fugetaboutit.
 
Alex Nichol

Anonymous said:
Details: So ... after checking out this newsgroup, I've heard about
ERUNT (freeware registry backup and restore program which would automate
what I did through the Recover Console and make restore without Windows
starting much easier). FYI:

http://home.t-online.de/home/lars.hederer/erunt/index.htm

I note that Alex Nichol (MS MVP) recommended it in this newsgroup. As
far as I can tell, there are virtually no complaints or problems noted
in its use. I was game ... but I've found that when I attempt to use
it, it can backup EVERYTHING in the registry EXCEPT for the file called
"Default."

I have not seen that happen. The only thought I have is that you were
not doing it from a logon with Administrator status.
 
Alex Nichol

Anonymous said:
OOPS ... I should note that the actual file located at
<C:\WINDOWS\SYSTEM32\CONFIG\default> does NOT have a "." before the file
name; it appears just as I note here (just like the other hive files). I
just checked that. It is only the reference in the Registry itself
under "Name." The "Data Value" is the path showing the file without "."
before the file.

It has not quite the same status as a regular User file for a user not
currently logged in - the equivalent there would be at C:\Docs and
Settings\Default User\ntuser.dat. That is the same size on my machine.
If it *were* not in use I would expect ERUNT not even to try to save it.
So I rather suspect some structural corruption of it. It has a backup
- I would try to get that into use. Go to a boot via the menu to
Safe Mode - Command Prompt only.

There
CD \Windows\system32\config
ATTRIB -H -R -S DEFAULT.*
COPY DEFAULT DEFAULT.qry
(that is so you could put it back)
COPY DEFAULT.bak DEFAULT
ATTRIB +S DEFAULT

and see how things go.
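
Added example, not part of the original thread or of ERUNT: a minimal Python check that a saved hive file (for example the `default` file in an ERDNT backup folder, or a .bak copy) is non-empty and has a consistent regf header before it is relied on for a restore. The field offsets are assumed from the publicly documented regf layout, and `build_sample_hive` produces a constructed sample so the block runs offline.

```python
import struct

BASE_BLOCK_SIZE = 4096   # the regf base block is the first 4 KiB of a hive file
CHECKSUM_OFFSET = 508    # XOR-32 of the preceding 127 dwords is stored here


def regf_checksum(header):
    """XOR the first 127 little-endian dwords of the base block."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", bytes(header[:CHECKSUM_OFFSET])):
        value ^= dword
    # Two results are reserved by the format and remapped.
    if value == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return value or 1


def check_hive(data):
    """Return a list of problems; an empty list means the header is consistent."""
    if len(data) == 0:
        return ["file is empty (0 bytes)"]
    if len(data) < BASE_BLOCK_SIZE:
        return ["file is shorter than the 4096-byte base block"]
    if data[:4] != b"regf":
        return ["missing 'regf' signature"]
    problems = []
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    if seq1 != seq2:
        problems.append("sequence numbers differ (%d vs %d): last write incomplete"
                        % (seq1, seq2))
    (stored,) = struct.unpack_from("<I", data, CHECKSUM_OFFSET)
    if stored != regf_checksum(data):
        problems.append("header checksum mismatch")
    (bins_size,) = struct.unpack_from("<I", data, 40)
    if BASE_BLOCK_SIZE + bins_size > len(data):
        problems.append("file truncated: header declares %d bytes of hive bins"
                        % bins_size)
    elif data[BASE_BLOCK_SIZE:BASE_BLOCK_SIZE + 4] != b"hbin":
        problems.append("first hive bin lacks 'hbin' signature")
    return problems


def build_sample_hive():
    """Constructed sample: a valid base block followed by one empty 4 KiB bin."""
    header = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into("<4sII", header, 0, b"regf", 7, 7)   # signature, sequence numbers
    struct.pack_into("<II", header, 20, 1, 3)             # format version 1.3
    struct.pack_into("<II", header, 36, 0x20, 4096)       # root cell offset, bins size
    struct.pack_into("<I", header, CHECKSUM_OFFSET, regf_checksum(header))
    hbin = bytearray(4096)
    struct.pack_into("<4sII", hbin, 0, b"hbin", 0, 4096)  # signature, offset, size
    return bytes(header + hbin)


if __name__ == "__main__":
    good = build_sample_hive()
    samples = {
        "default (good copy)": good,
        "default (0 KB, failed backup)": b"",
        "default (truncated copy)": good[:5000],
    }
    for name, blob in samples.items():
        print(name, "->", check_hive(blob) or "OK")
```

For a real file, pass its bytes (`check_hive(open(path, "rb").read())`); run it against backup or offline copies, since the hive files the running system has loaded cannot be opened for reading.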
 
Anonymous User

Alex said:
It has not quite the same status as a regular User file for a user not
currently logged in - the equivalent there would be at C:\Docs and
Settings\Default User\ntuser.dat. That is the same size on my machine.
If it *were* not in use I would expect ERUNT not even to try to save it.
So I rather suspect some structural corruption of it. It has a backup
- I would try to get that into use. Go to a boot via the menu to
Safe Mode - Command Prompt only.

There
CD \Windows\system32\config
ATTRIB -H -R -S DEFAULT.*
COPY DEFAULT DEFAULT.qry
(that is so you could put it back)
COPY DEFAULT.bak DEFAULT
ATTRIB +S DEFAULT

and see how things go.


Hi. Thank you for your reply Alex. I appreciate your time. To
clarify, I am logged into XP as administrator. That's not the problem.
I agree with your assessment in the above message that the problem lies
with the structural integrity of the file "default." Evidence for this:

1. ERUNT cannot back up the file
2. NTREGOPT (which I ran for the first time today) cannot
optimize/compress the file and gives essentially the same message as
ERUNT when it runs into this file. Otherwise it works.

Before running NTREGOPT, I ran system restore and created a restore
point. I also had a look around inside C:/windows/system32/config
folder. There are the files I would expect to find there: sam,
security, software, system, default ... all with the same date. I did
not see any *.bak files, however. I also saw a number of *.sav files,
specifically, default, software, and system. All were dated 11/15/2001
... a year before I purchased my system new.

I also checked out my c:/windows/repair folder (there's a copy of things
there from 03/09/04). I also looked in C:/System Volume Information and
confirmed a couple of months of restore points.

After I ran NTREGOPT, I checked the /config folder again and found *.bak
files for sam, security, software, and system but *NOT* default (it
couldn't optimize it) and the time stamps were all nearly the same
instant and the same as their counterparts (i.e., the non-bak versions
in use by the system).

QUESTIONS/POINTS:

1. Default does seem to be the odd file out. System seems to run
without issue but it is distressing to know that danger may lurk in this
file.
2. What exactly IS this file? Does it change over time? I note that
it has been 312 KB for as long as I have restore points (back nearly
three months).
3. I understand the procedure you outline above to undertake at the
command prompt under Safe Mode. I'm not sure I understand what I would
be DOING however.
Specifically, if I'm getting a backup into use, as you say, where
would this reside? What would have created it? In other words, what
would I be going back to? Why would this copy be any different than the
current one? I'm trying to understand why I could expect to find a copy
that would be uncorrupted and how the procedure you outline could
accomplish that.

4. Why is system restore able to backup the file ... and presumably
restore it? I've restored from the restore point at least once or twice
in the past few months. One most notably back on 01/08/04 when I
recovered from a Stop Error.

Thank you for your kind attention.

Best,

Werdhi
 
Anonymous User

Responding to Wesley Vogel's Post:

From: Wesley Vogel
Newsgroups: microsoft.public.windowsxp.general
Date: 2004-03-19 15:16:11 PST

For some reason Thunderbird isn't showing your post ... but I found it
by chance searching for relevant keywords in my ongoing research in
Google>Groups ... I'm quoting it from there. See my comments below:
.DEFAULT is correct.
HKEY_USERS\.DEFAULT
Note the "." before DEFAULT
=============

I found these in my archives (fancy word, huh?)

HKEY_USERS - This branch contains individual preferences for each user of
the computer, a SID sub-key located under the main branch represents each
user.

HKEY_USERS. Information for all users. If you configured Windows XP for
multiple users, each has a subkey under this key. When the user logs on, the
user's subkey becomes HKEY_CURRENT_USER.

HKEY_USERS
Contains the root of all user profiles on the computer. HKEY_CURRENT_USER
is a subkey of HKEY_USERS.

HKEY_USERS
Holds all user specific settings for all users. If there's only one user,
there's mainly the ".default" key, mirrored at HKEY_CURRENT_USER. For
simplicity, ignore this hive key if not needed, and use HKCU.
==========

The HKEY_USERS\.DEFAULT branch of the Registry is used as a template for
newly added users.

HKEY_USERS\.DEFAULT
The settings in this key apply to all new users, their user profiles are
created from this profile. It includes all environment, screen, sound, and
other user-related functions.

So, if that is the case ... it may be (as I wondered in my recent reply
to Alex Nichol) that the file "default" may be unchanging? Or at least
not changing frequently. If it is in fact, a "default" for XP, it would
make sense that it is what the system uses when it's not using a
specific user profile (ntuser.dat). So, although clearly required, it
might be something I could get an uncorrupted version of if the one I'm
attempting to backup is corrupted (as Alex Nichol believes it might).
===========

Also, I believe HKEY_USERS\.DEFAULT is used until someone logs on.
Then HKEY_CURRENT_USER takes over.
For me that would be:
HKEY_USERS\S-1-5-21-1708537768-1580436667-1202660629-1003
and
HKEY_USERS\S-1-5-21-1708537768-1580436667-1202660629-1003_Classes

I am the only user.
===========

HKEY_USERS\.DEFAULT would not be in use if you are logged on.

Makes sense ... but then as you note in your list files backed up by
ERUNT, ERUNT does back it up and the author claims that ERUNT *only*
backs up files that are *in use*

In my case, I have EXACTLY the same list as you, only my "default" file
will show 0 KB (presumably because it couldn't back it up).

Here's what ERDNT copies for me:
I checked the Other open user registries
and [No registry files found to save for other users.]

C:\ERDNT 19 Mar 2004
Users
default
ERDNT.EXE
ERDNT.INF
ERDNTDOS.LOC
ERDNTDOS.OVL
ERDNTWIN.LOC
ERDNTWIN.OVL
SAM
SECURITY
software
system

C:\ERDNT 19 Mar 2004\Users
S-1-5-21-1708537768-1580436667-1202660629-1003
S-1-5-21-1708537768-1580436667-1202660629-1003_Classes

C:\ERDNT 19 Mar 2004\Users\S-1-5-21-1708537768-1580436667-1202660629-1003
NTUSER.DAT

C:\ERDNT 19 Mar
2004\Users\S-1-5-21-1708537768-1580436667-1202660629-1003_Classes
UsrClass.dat


Thank you for your continuing assistance. I think it is clear that
ERUNT is not having a problem but that it is this file alone that is an
issue. If I better understood what Alex Nichol suggests I do in his
post regarding using a backup of the "default" file, I'd be further
along but I'm reluctant to proceed without having more knowledge of what
it is that I'd be doing.

Best,

Werdhi
 
Alex Nichol

Anonymous said:
1. Default does seem to be the odd file out. System seems to run
without issue but it is distressing to know that danger may lurk in this
file.
2. What exactly IS this file? Does it change over time? I note that
it has been 312 KB for as long as I have restore points (back nearly
three months).
3. I understand the procedure you outline above to undertake at the
command prompt under Safe Mode. I'm not sure I understand what I would
be DOING however.

would this reside? What would have created it? In other words, what
would I be going back to? Why would this copy be any different than the
current one? I'm trying to understand why I could expect to find a copy
that would be uncorrupted and how the procedure you outline could
accomplish that.

The DEFAULT appears to be a copy of the ntuser.dat file held in Docs
and settings for username 'Default User' - IOW the template used when
you create a new account. I presume it is also held in System\config as
an active component of registry, to be instantly available (on my system
it is only 1.47 MB)

In system\config there is also a DEFAULT.sav - this will be the one
created at initial setup in the same way as other registry files,
available as an 'ultimate' backup. (see the method at
http://support.microsoft.com/?scid=kb;en-us;307545 for example of where
those could be used). There is also a DEFAULT.bak - at least here -
which appears to have been made last time any update/change modified the
contents. The modification date on mine seems to correspond to last
October's consolidated security update. That is the one I suggest
bringing back - if it does not exist, bring back the .sav version
instead
 
Anonymous User

Hi Alex and all ... please see my message below.


Alex said:
The DEFAULT appears to be a copy of the ntuser.dat file held in Docs
and settings for username 'Default User' - IOW the template used when
you create a new account. I presume it is also held in System\config as
an active component of registry, to be instantly available (on my system
it is only 1.47 MB)

Yes. That does appear to be the case. If so, then I would suspect
that, in fact, the file isn't critical to daily operations and the
system could be restored without it. I have created all the user
accounts I ever plan to. Yet, I do want to make sure I've got a usable
copy.

I suppose my lingering QUESTION is then:

*IF* I revert to default.sav (curiously time/date stamped exactly one
year prior to when the OS was installed by DELL prior to shipping as the
other *.sav files in system32/config), what impact would that have on
me, if any? For example, if I reverted to software.sav, that would take
me back to a point where I would need to then restore to a MUCH more
recent snapshot in one of the restore point folders.
In system\config there is also a DEFAULT.sav - this will be the one
created at initial setup in the same way as other registry files,
available as an 'ultimate' backup. (see the method at
http://support.microsoft.com/?scid=kb;en-us;307545 for example of where
those could be used). There is also a DEFAULT.bak - at least here -
which appears to have been made last time any update/change modified the
contents. The modification date on mine seems to correspond to last
October's consolidated security update. That is the one I suggest
bringing back - if it does not exist, bring back the .sav version
instead

So, if I "bring it back" would I then follow your directions for restore
to default.bak in your message of 20 Mar 2004? I would only need to
change the reference to "Default.bak" in the second to last command line
to Default.sav, correct?


Thank you for your help. I think I'm on the road for sure now. Any
other advice from other folks appreciated. I realize, however, that
this may be going above and beyond for Alex. If you have more to offer,
I'm certainly very thankful.

********************************************

FYI: Additional data for consideration (by whomever) ...

Also, if it matters, I noticed that I was getting errors like the
following from eventviewer:

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 3/9/2004
Time: 8:49:06 PM
User: NT AUTHORITY\SYSTEM
Computer: B
Description:
Windows saved user B\Brian registry while an application or service was
still using the registry during log off. The memory used by the user's
registry has not been freed. The registry will be unloaded when it is no
longer in use.
This is often caused by services running as a user account, try
configuring the services to run in either the LocalService or
NetworkService account.

I installed UPHClean (User Profile Hive Cleanup Service) to help deal
with these recurrent messages in Event Viewer and haven't had an error
like that since ... wondering if this may be related to my problem???

Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1201
Date: 3/20/2004
Time: 4:17:10 PM
User: B\Brian
Computer: B
Description:
The following handles in user profile hive B\Brian
(S-1-5-21-4283021946-163748893-403816093-1006) have been closed because
they were preventing the profile from unloading successfully:

SPOOLSV.EXE (956)
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\26\Shell (0x3a8)
_______________________

UPHClean Information:

http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&displaylang=en
 
Alex Nichol

Anonymous said:
So, if I "bring it back" would I then follow your directions for restore
to default.bak in your message of 20 Mar 2004? I would only need to
change the reference to "Default.bak" in the second to last command line
to Default.sav, correct?

That would certainly work. My feeling is just that if there is a more
recent .bak version it is the one to use in preference to the .sav. But
it doesn't really matter much
 
