
Use the Recovery Drive Command Prompt to edit the registry or recover data

Access the Command Prompt from Windows 8's Recovery Drive and use it to recover data. Greg Shultz shows you how it works.

In a recent series of blog posts, I showed you how to use the various tools on the Windows 8 Recovery Drive to revive an ailing Windows 8 installation. To refresh your memory here is a brief rundown on what I have covered so far:

However, there is one more feature on the Recovery Drive that you can use to help you access and repair Windows 8: the Command Prompt. From the Command Prompt, you'll find that numerous command line tools are at your disposal. In addition, the Recovery Drive Command Prompt allows you to run two GUI-based applications: the Registry Editor, which you can use to edit the registry, and Notepad, which you can use to recover data.

This blog post is also available as a TechRepublic Screenshot Gallery.

In this edition of the Windows Desktop Report, I'll show you how to access the Command Prompt from Windows 8's Recovery Drive. I'll then show you how to use the Registry Editor and Notepad.

Accessing the Command Prompt

To boot up your system, just insert a USB Recovery Drive or an optical disc Recovery Drive and restart your system. After your system boots from the Recovery Drive and you are prompted to choose an option, select the Troubleshoot tile as shown in Figure A.

Figure A

When you are prompted to choose an option, select the Troubleshoot tile.

When you see the Troubleshoot screen, as shown in Figure B, select the Advanced options tile.

Figure B

From the Troubleshoot screen, select the Advanced options tile.

When you see the Advanced options screen, as shown in Figure C, select the Command Prompt tile.

Figure C

From the Advanced options screen, select the System Command Prompt tile.

Once you do, you will see a Command Prompt window like the one shown in Figure D.

Figure D

You can use a host of command line tools from the Recovery Drive's Command Prompt.

Available command line tools

Once you have the Command Prompt up and running, you can of course access and use a host of standard command line tools to navigate, manage files, and perform certain types of repair and recovery tasks. A list of the most common command line tools is shown in Table A.

Table A: Command line tools available from the Recovery Drive's Command Prompt.

Command         Description
Attrib          Changes the attributes of a file or directory
Bcdboot         Bcd boot file creation and repair tool
Bcdedit         Boot Configuration Data Store Editor
ChDir (Cd)      Displays the name of the current directory or changes the current directory
Chkdsk          Checks a disk and displays a status report
Cls             Clears the screen
Copy            Copies files or folders to another location
Delete (Del)    Deletes one or more files
Dir             Displays a list of files and subdirectories in a directory
Diskpart        Manages partitions on your hard drives
Exit            Exits the Command Prompt and returns you to the Recovery Drive menu
Expand          Extracts a file from a compressed file
Format          Formats a disk
Icacls          Display or modify access control lists (ACLs) or change file and folder permissions
Manage-bde      Configure BitLocker drive encryption on disk volumes
Mkdir (Md)      Creates a directory
More            Displays a text file
Recover         Recovers readable information from a bad or defective drive
Rename (Ren)    Renames a single file
Rmdir (Rd)      Deletes a directory
Robocopy        Copies files or folders to another location
Sfc             Scans and checks the integrity of your Windows files
Set             Displays and sets environment variables
Type            Displays a text file
Xcopy           Copies files or folders to another location

Editing the registry

If your Windows 8 system is failing to boot properly after a registry tweak or you need to extricate some nasty malware that has infiltrated the registry, you can launch the Registry Editor from the Recovery Drive's Command Prompt. However, because you have booted your system from the Recovery Drive, the Registry Editor will by default load the registry from the Recovery Environment, not the registry from your Windows installation. Fortunately, once you know how, you can manually load the registry from your Windows installation.

As you will notice, the default drive letter for the Recovery Environment is X. However, your Windows installation drive is still available and assigned to another drive letter. Most likely the Windows installation drive is D, but you can find out for sure by typing the following command:

bcdedit | find "osdevice"

When you run this command, it will display

osdevice    partition=?:

Where the "?" is your Windows installation drive letter.

Now that you know the drive letter of your Windows installation, type the following command to launch the Registry Editor:

regedit

When the Registry Editor launches, select HKEY_LOCAL_MACHINE. Now, pull down the File menu and select the Load Hive command, as shown in Figure E.

Figure E

When the Registry Editor launches, it will display the registry from the Recovery Environment.

When you see the Load Hive dialog box, use the Look in drop down to select the drive letter of your Windows installation that you found earlier. Then navigate to the Windows\System32\config folder, as shown in Figure F. Then, choose the hive that you want to load. Table B shows the available registry keys and the location of the hive files.

Figure F

The config folder contains all of the registry hive files.

For example, if you suspect that the Run key in the registry is being used to launch malware, you would select the SOFTWARE hive.

Table B: The available registry keys and the location of the hive files.

Registry Key                   Path to hive file
HKEY_LOCAL_MACHINE\SAM         %windir%\system32\config\SAM
HKEY_LOCAL_MACHINE\SYSTEM      %windir%\system32\config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE    %windir%\system32\config\SOFTWARE
HKEY_USERS\.Default            %windir%\system32\config\DEFAULT
HKEY_CURRENT_USER              %userprofile%\ntuser.dat

When you select a hive, you will be prompted to give that hive a name. For the purposes of this registry editing session this name is just a temporary placeholder, so you can use any name that you want. For my example, I am going to just use the word Test, as shown in Figure G. To continue, click OK.

Figure G

When you select a hive, you will be prompted to give that hive a name.

At this point, the entire hive is loaded into the Registry Editor so that you can make any changes that you hope will allow your Windows 8 system to boot up normally. In my example, the entire HKEY_LOCAL_MACHINE\SOFTWARE hive has been loaded into the Registry Editor under the name Test, as shown in Figure H.

Figure H

In my example, the entire HKEY_LOCAL_MACHINE\SOFTWARE hive has been loaded into the Registry Editor under the name Test.

Continuing with my example, I would open the Test hive, remembering that it is the equivalent of HKEY_LOCAL_MACHINE\SOFTWARE, and then navigate the rest of the way down to the Run key (Microsoft\Windows\CurrentVersion\Run), as shown in Figure I.

Figure I

In this example, the Test hive is the equivalent of the HKEY_LOCAL_MACHINE\SOFTWARE hive.

After you make changes, you will then need to navigate back up the tree and select the Test hive, just as shown in Figure H. Now, pull down the File menu and select the Unload Hive command, as shown in Figure J.

Figure J

Once you are finished, select your hive and then use the Unload Hive command.

At this point, any changes that you made are now incorporated in the registry from your Windows installation. To continue, close the Registry Editor and then close the Command Prompt window. When you do, you'll return to the main Recovery Disk menu where you can select the Continue tile, which will reboot the system and start Windows 8 with the changes that you made to the registry.
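
The same load, review, unload sequence can also be run without the GUI. The batch script below is an added example, not part of the original article; it assumes reg.exe is available at the Recovery Drive's Command Prompt, and the script name checkrun.cmd and the backup file name run-key-before.reg are made up for illustration.

```batch
@echo off
rem Added example, not from the original article.
rem Usage: checkrun.cmd D:   (the drive letter that bcdedit reports as osdevice)
setlocal
set "OSDRIVE=%~1"
if "%OSDRIVE%"=="" goto usage
set "HIVE=%OSDRIVE%\Windows\System32\config\SOFTWARE"
if not exist "%HIVE%" goto nohive

rem Load the offline SOFTWARE hive under the temporary name Test.
reg load HKLM\Test "%HIVE%"
if errorlevel 1 goto loadfail
set "RUNKEY=HKLM\Test\Microsoft\Windows\CurrentVersion\Run"

rem Save the Run key before changing anything. The .reg file records the
rem temporary HKLM\Test path, so re-import it only with the hive loaded as Test.
reg export "%RUNKEY%" "%OSDRIVE%\run-key-before.reg" /y

rem List every value in the Run key so each entry can be reviewed.
reg query "%RUNKEY%"

rem Optionally delete one value by name after reviewing the list.
set "VALNAME="
set /p "VALNAME=Value to delete (press Enter to skip): "
if defined VALNAME reg delete "%RUNKEY%" /v "%VALNAME%" /f

rem Unload the hive so the Windows installation's registry file is released.
reg unload HKLM\Test
exit /b 0

:usage
echo Usage: %~nx0 drive-letter-with-colon, for example D:
exit /b 1
:nohive
echo SOFTWARE hive not found at %HIVE%
exit /b 1
:loadfail
echo Could not load %HIVE%
exit /b 1
```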

Backing up data

If your Windows 8 system stopped booting up normally before you had a chance to make a current backup of your data, chances are that the first thing that you would want to do is back up your data files. Well, if you look back at the command line tools shown in Table A, you'll find several commands that you can use to back up your data: Copy, Robocopy, and Xcopy.

However, if you're like most users, you'd rather work from a GUI than a command prompt when it comes to copying hundreds of files. Fortunately, the Windows Recovery Environment allows you to run Notepad. How is Notepad going to help you copy files, you may be thinking? Well, in the majority of Windows applications, the Open and Save as dialog boxes are essentially pared-down versions of File Explorer. As such, you can use the Open dialog box just like File Explorer and easily copy all of your data files to a backup drive.

Once you have booted into the Recovery Environment, connect a flash drive or external USB drive to your system. Now, access the Command Prompt window and type notepad.exe on the command line. Once you have Notepad up and running, just press [Ctrl]+O to access the Open dialog box. Leave the File name box blank, select All Files (*.*) in the Files of type list, and just leave the Encoding setting as it is.

Now, use the Computer icon to locate your Windows installation drive. (Refer to the bcdedit | find "osdevice" command described above.) To continue, navigate to your user profile folder, as shown in Figure K. Then, right-click the folder or folders containing the files that you want to back up and select the Send to command. You can then select your flash drive or external USB drive, and your files will be safely copied.

Figure K

Use the Send To command from the Open dialog box to copy files to a flash drive or external USB drive.

Keep in mind that you should not close the Open dialog box or Notepad until all the files are copied.
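
For readers who prefer the command line tools named at the start of this section, the batch script below backs up a profile folder with Robocopy. It is an added example, not part of the original article; the script name backup.cmd, the log file name, and the folder paths in the usage line are placeholders.

```batch
@echo off
rem Added example, not from the original article.
rem Usage: backup.cmd D:\Users\YourName E:\Backup\YourName
rem   %1 = profile folder on the Windows installation drive
rem   %2 = destination folder on the flash drive or external USB drive
rem   Do not end either path with a backslash.
setlocal
if "%~2"=="" goto usage
if not exist "%~1\" goto nosource
if not exist "%~2\" mkdir "%~2"

rem /E         copy subfolders, including empty ones
rem /XJ        skip junction points; user profiles contain legacy junctions
rem            such as "Application Data" that can make the copy loop
rem /R:1 /W:1  retry an unreadable file once, wait one second, then move on
rem /NP        no per-file progress percentage, which keeps the log readable
rem /LOG       record what was copied and what failed
robocopy "%~1" "%~2" /E /XJ /R:1 /W:1 /NP /LOG:"%~2\backup.log"

rem Robocopy exit codes below 8 mean the run completed; 8 or higher means
rem at least one file or folder could not be copied.
if errorlevel 8 goto failed
echo Backup finished. Log: %~2\backup.log
exit /b 0

:usage
echo Usage: %~nx0 source-folder destination-folder
exit /b 1
:nosource
echo Source folder not found: %~1
exit /b 1
:failed
echo Some files were not copied. Check %~2\backup.log
exit /b 1
```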

What's your take?

Do you think that being able to edit the registry and back up files from the Windows 8 Recovery Drive Command Prompt are valuable tricks? As always, if you have comments or information to share about this topic, please take a moment to drop by the TechRepublic Community Forums and let us hear from you.


About

Greg Shultz is a freelance Technical Writer. Previously, he has worked as a Documentation Specialist in the software industry, a Technical Support Specialist in the educational industry, and a Technical Journalist in the computer publishing industry.

4 comments
JCitizen

TR seems to be having trouble recognizing me nowadays! X-( This causes irritating repeated posts.

JCitizen

Simply recover from backup image - seems like a lot of geeky trouble to do it this way - but then it might have its advantages too. I know my clients have set this up in preparation for disaster, but hopefully they will never have to actually do a recovery this way.

PurpleSkys

I have days when all I do is continuously log in....ran into that this morning while trying to delete 18-19 spam posts on the Q&A page; I would delete a couple and then have to log in to do a few more... a couple of times...sigh :(

JCitizen

I shouldn't feel this way, but I'm glad I'm not the only one - I was beginning to feel like malware may be the source of my problems. Thanks for posting! C=
