What causes XP Registry Hive to get corrupted every few months

By nnenos
I have a Windows XP SP2 Professional system that has been running just fine for a few years. I have anti-virus software and a software firewall. I back up my system regularly, so recovering from a crash is not a total loss but instead a nuisance.

I try to keep my system as clean as possible by conducting regular maintenance routines (defrags, disk cleanups and check disks).

About a year ago, my system started to fail at boot. Usually the cause is a corrupted registry hive. The issue is that the registry appears to get corrupted every few months and I have to perform a complete backup recovery.

I wonder what's causing the hive to get corrupted. I have not added any new programs or hardware recently. How can I troubleshoot the system to find out what is causing this issue? How do you troubleshoot hardware devices when everything appears to be working fine and the failure manifests as a registry issue every few months?

Any suggestions would be most appreciated. Thanks,

Sandro.

All Answers

This sort of explains a couple of reasons

by Jacky Howe In reply to What causes XP Registry H ...

And if you are inclined to use it you could check out windiff.exe. Registry troubleshooting steps for advanced users:
http://support.microsoft.com/kb/822705

Keep us informed as to your progress if you require further assistance.

Great starting point

by nnenos In reply to This sort of explains a c ...

Thanks for bringing this to my attention. It definitely gives some good troubleshooting test ideas.

I had a hard drive failure almost a year ago and did most all the hardware tests then and everything checked OK. (Oh yes, the hard drive was also replaced with a new one).

I will perform the tests outlined again and also try windiff to check for differences in the registry. Perhaps this will help find where the registry is changing or growing.

Thanks for your input.
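An added example, not part of this thread and not Microsoft's windiff: a small Python script that parses two registry exports and reports the keys and values that differ between them, which is the comparison windiff is being suggested for above and the "where the registry is changing or growing" check in the reply. It assumes the exports were made with reg.exe or regedit (for example `reg export HKLM\SOFTWARE before.reg`, and the same command again months later as after.reg). The embedded BEFORE and AFTER texts are constructed samples; the `updater` Run entry and the `HKEY_LOCAL_MACHINE\SOFTWARE\Example` keys in them are hypothetical and exist only to exercise the diff.

```python
"""Diff two .reg exports and list added, removed and changed keys and values.

Added example, not code from the thread. Assumes exports made with
    reg export HKLM\\SOFTWARE before.reg      (and later: after.reg)
Run with no arguments to diff the constructed samples below.
"""
import sys


def _join_continuations(text):
    """Yield logical lines; regedit wraps long hex values with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _parse_value(line):
    """Split '"name"=data' or '@=data' into (name, data); None if not a value line."""
    if line.startswith("@="):
        return "", line[2:]
    if not line.startswith('"'):
        return None
    name, i = [], 1
    while i < len(line) and line[i] != '"':
        if line[i] == "\\" and i + 1 < len(line):   # escaped \" or \\ inside the name
            i += 1
        name.append(line[i])
        i += 1
    if line[i + 1:i + 2] != "=":
        return None
    return "".join(name), line[i + 2:]


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for one .reg export.

    Key names are case-insensitive in the registry, but two exports made by the
    same tool use the same case, so paths are compared as written.
    """
    keys, current = {}, None
    for line in _join_continuations(text):
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = None if path.startswith("-") else keys.setdefault(path, {})  # [-key] deletes
            continue
        parsed = _parse_value(line) if current is not None else None
        if parsed:
            name, data = parsed
            if data == "-":                  # "name"=- removes a value
                current.pop(name, None)
            else:
                current[name] = data         # raw text: "string", dword:..., hex:...
    return keys


def diff_reg_exports(before_text, after_text):
    """Compare two exports; values are reported as (key, name, ...) tuples."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    out = {"added_keys": [], "removed_keys": [], "added_values": [],
           "removed_values": [], "changed_values": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            out["added_keys"].append(key)
        elif key not in after:
            out["removed_keys"].append(key)
        else:
            b, a = before[key], after[key]
            for name in sorted(set(b) | set(a)):
                if name not in b:
                    out["added_values"].append((key, name, a[name]))
                elif name not in a:
                    out["removed_values"].append((key, name, b[name]))
                elif a[name] != b[name]:
                    out["changed_values"].append((key, name, b[name], a[name]))
    return out


def load_reg(path):
    """reg.exe writes UTF-16LE with a BOM; REGEDIT4 files are 8-bit ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252", "replace")


# Constructed samples (not real exports); the Example keys and updater entry are hypothetical.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Old]
@="only in the earlier export"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Count"=dword:00000005
"Blob"=hex:01,02,\
  03,04
'''
AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\Documents and Settings\\All Users\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Count"=dword:00000006
"Blob"=hex:01,02,\
  03,04
'''

if __name__ == "__main__":
    if len(sys.argv) == 3:
        report = diff_reg_exports(load_reg(sys.argv[1]), load_reg(sys.argv[2]))
    else:
        report = diff_reg_exports(BEFORE, AFTER)
    for kind, items in report.items():
        for item in items:
            print(kind + ":", item if isinstance(item, str) else " | ".join(item))
```

Run it as `python regdiff.py before.reg after.reg`; with no arguments it diffs the built-in samples and reports the removed `Example\Old` key, the new `updater` Run value and the changed `Count`. New entries under autostart locations such as the Run key are the first thing to look at in such a diff, since a program that is not supposed to be there is also a program writing to the hive.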

A couple of tools that can be used

by Jacky Howe In reply to Great starting point

PageFile Fragmentation
http://technet.microsoft.com/en-au/sysinternals/bb897426.aspx

There is a Pagefile Defragmenter at the link above. Run pagedfrg.exe and see how fragmented it is. Let it run on next boot to defragment the Pagefile.

Process Monitor v1.26
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Process Monitor runs on Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista as well as x64 versions of Windows XP, Windows Server 2003 SP1 and Windows Vista.

NTREGOPT
http://www.snapfiles.com/get/ntregopt.html

The program works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys.

Note that the program does NOT change the contents of the registry in any way, nor does it physically defrag the registry files on the drive (as the PageDefrag program from SysInternals does). The optimization done by NTREGOPT is simply compacting the registry hives to the minimum size possible.
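An added example, not part of the thread and not a Sysinternals tool: once Process Monitor has been left capturing (with logging to a backing file so the trace survives a long session), save the trace as CSV from its File menu and feed it to this Python script, which counts registry write operations per process and per on-disk hive file and lists writes that did not succeed. That turns "Process Monitor shows Registry activity" into the question the thread is actually asking: which process keeps writing to which hive. The embedded trace is a constructed sample, not a real capture; the process names, key paths and the hypothetical backupagent.exe are illustrative, and the column names are the ones Process Monitor writes in its default CSV export.

```python
"""Summarise registry writes in a Process Monitor CSV export.

Added example, not Sysinternals code. Assumes the default CSV columns
(Time of Day, Process Name, PID, Operation, Path, Result, Detail).
Usage: python procmon_reg_writes.py Logfile.CSV   (no argument: built-in sample)
"""
import collections
import csv
import io
import sys

# Operations that modify the registry; reads such as RegQueryValue are ignored.
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteKey",
             "RegDeleteValue", "RegRenameKey", "RegSetInfoKey"}

# Where each root lives on disk on Windows XP. HKU\<SID> is that user's NTUSER.DAT.
HIVE_FILES = {
    "HKLM\\SOFTWARE": r"%SystemRoot%\system32\config\software",
    "HKLM\\SYSTEM":   r"%SystemRoot%\system32\config\system",
    "HKLM\\SAM":      r"%SystemRoot%\system32\config\sam",
    "HKLM\\SECURITY": r"%SystemRoot%\system32\config\security",
    "HKCU":           r"%USERPROFILE%\NTUSER.DAT",
}


def hive_of(path):
    """Map a ProcMon registry path (e.g. HKLM\\System\\...) to its hive file."""
    parts = path.split("\\")
    if parts[0] == "HKLM" and len(parts) > 1:
        root = "HKLM\\" + parts[1].upper()
    elif parts[0] == "HKU" and len(parts) > 1:
        return "HKU\\" + parts[1] + " (NTUSER.DAT of that profile)"
    else:
        root = parts[0]
    return HIVE_FILES.get(root, root)


def summarize_registry_writes(csv_text):
    """Count write operations per (process, hive file) and per path; collect failures."""
    by_proc_hive = collections.Counter()
    by_path = collections.Counter()
    failed = collections.Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in WRITE_OPS:
            continue
        by_proc_hive[(row["Process Name"], hive_of(row["Path"]))] += 1
        by_path[row["Path"]] += 1
        if row["Result"] != "SUCCESS":
            failed[(row["Process Name"], row["Operation"], row["Result"])] += 1
    return {"by_proc_hive": by_proc_hive, "by_path": by_path, "failed": failed}


def report(summary, top=10):
    """Render the summary as text, heaviest writers first."""
    lines = ["writes by process and hive file:"]
    for (proc, hive), n in summary["by_proc_hive"].most_common():
        lines.append("  %5d  %-20s %s" % (n, proc, hive))
    lines.append("most-written paths:")
    for path, n in summary["by_path"].most_common(top):
        lines.append("  %5d  %s" % (n, path))
    lines.append("failed writes:")
    for (proc, op, result), n in summary["failed"].most_common():
        lines.append("  %5d  %s %s -> %s" % (n, proc, op, result))
    return "\n".join(lines)


# Constructed sample trace (not a real capture); processes and keys are illustrative.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:02:11.1234567 PM","explorer.exe","1488","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop","SUCCESS","Type: REG_SZ, Length: 70, Data: C:\Documents and Settings\Sandro\Desktop"
"5:02:11.2234567 PM","explorer.exe","1488","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"5:02:12.0001234 PM","services.exe","672","RegSetValue","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\adapter1\LeaseObtainedTime","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1241193732"
"5:02:12.1001234 PM","backupagent.exe","2201","RegSetValue","HKLM\SOFTWARE\Example\Agent\State","SUCCESS","Type: REG_BINARY, Length: 65536, Data: 00 01 02 03 04 05 06 07"
"5:02:12.1101234 PM","backupagent.exe","2201","RegSetValue","HKLM\SOFTWARE\Example\Agent\State","SUCCESS","Type: REG_BINARY, Length: 65536, Data: 00 01 02 03 04 05 06 07"
"5:02:13.0000000 PM","backupagent.exe","2201","RegCreateKey","HKLM\SOFTWARE\Example\Agent\Log\2009-05-01","SUCCESS","Desired Access: All Access"
"5:02:13.5000000 PM","backupagent.exe","2201","RegDeleteValue","HKLM\SOFTWARE\Example\Agent\Stale","NAME NOT FOUND",""
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:   # tolerates a BOM if present
            text = fh.read()
    else:
        text = SAMPLE_CSV
    print(report(summarize_registry_writes(text)))
```

In the sample the hypothetical backupagent.exe rewrites a 64 KB REG_BINARY value repeatedly into the SOFTWARE hive and creates a new dated key on each run; that is the kind of pattern (a large value or an ever-growing key tree in one hive) worth chasing when a hive is both growing and getting corrupted, because the hive file it maps to is the one that will be reported as missing or corrupt at boot.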

Tested with Tools and results

by nnenos In reply to A couple of tools that ca ...

Hello Jacky,

Thanks for the links to the tools. While performing a root-cause analysis of this issue, I started by first restoring my system to just hours before it crashed. This restore was done using a disk image backup.

As with any troubleshooting method, I am making sure that only one variable is changed at a time.

First I conducted a preliminary inspection using some of the tools you suggested.

PageDefrag: I used PageDefrag to check if my registry was fragmented, and to my surprise it was not. It is all in one piece. I thought that since the system has been in use for many years it would be fragmented. Another point to note is that the registry just hours before the crash was not fragmented.

NTREGOPT: I also ran NTREGOPT to optimize its size, and the tool was able to reduce it by 3%. I don't know if a 3% reduction in size will yield significant results or not. Since my understanding is that NTREGOPT does not change the registry, it simply compacts its size, I would suspect that it would not have any effect on performance.

On the other hand, the registry itself is approximately 48 MB (a large file in my opinion).

RegEdit: I also did a quick inspection using regedit to see if there are any keys that should not be there. I was not changing anything, just checking to see if something jumped out at me. I did not find anything suspicious or out of the ordinary (a very superficial inspection). All the software keys are for software that I currently use on my system.

The challenge is how to reproduce the problem and how to capture the cause. Since the issue does not manifest itself for 3 to 4 months of normal operation, it would be hard to track what caused it.

My problems usually manifest at startup after many weeks of normal operation. I have never seen a system crash during normal operation; that is, it never freezes or crashes mid-operation. This leads me to believe that the issue is being caused during shutdown, while Windows is writing (saving) the settings to the registry.

Now, since I ran a couple of programs, PageDefrag and NTREGOPT, and introduced two new variables to investigate the condition of the registry, I went back and restored the system to the last known good state from my disk image. So far we know that the registry is not fragmented and it can only be reduced in size by 3%. I don't want to introduce too many variables into the mix at this time.

Here is another observation: my system's "Virtual Memory" configuration has the paging file size set to "Custom Size", 2046 to 4092. I wonder what the implications/benefits of changing these settings are, and whether these settings are in any way related to how Windows handles the registry. Or, how does it affect the system if the "Custom Size" is increased, or if it is set to "System managed size" or "No paging file"?

I would appreciate very much any comments.

Thanks and best regards,

Sandro.

A couple of things to try

by Jacky Howe In reply to Tested with Tools and res ...

How to configure paging files for optimization and recovery in Windows XP

The paging file (Pagefile.sys) is a hidden file on your computer's hard disk that Windows XP uses as if it were random access memory (RAM). The paging file and physical memory make up virtual memory. By default, Windows stores the paging file on the boot partition (the partition that contains the operating system and its support files). The default paging file size is equal to 1.5 times the total RAM. However, this default configuration may not be optimal in all cases. This article discusses how to configure the paging file for system optimization and recovery.

To enhance performance, it is good practice to put the paging file on a different partition and on a different physical hard disk drive. That way, Windows can handle multiple I/O requests more quickly. When the paging file is on the boot partition, Windows must perform disk reading and writing requests on both the system folder and the paging file. When the paging file is moved to a different partition, there is less competition between reading and writing requests.

However, if you remove the paging file from the boot partition, Windows cannot create a dump file (Memory.dmp) in which to write debugging information in the event that a kernel mode Stop Error message occurs. This could lead to extended downtime if you must debug to troubleshoot the Stop error message.

The optimal solution is to create one paging file that is stored on the boot partition, and then create one paging file on another partition that is less frequently accessed on a different physical hard disk if a different physical hard disk is available. Additionally, it is optimal to create the second paging file so that it exists on its own partition, with no data or operating-system-specific files. By design, Windows uses the paging file on the less frequently accessed partition over the paging file on the more heavily accessed boot partition. An internal algorithm is used to determine which paging file to use for virtual memory management.

When you put a paging file on its own partition, the paging file does not become fragmented, and this counts as another definite advantage. If a paging file resides on a partition that contains other data, it may experience fragmentation as it expands to satisfy the extra virtual memory that is required. An unfragmented paging file leads to faster virtual memory access and to a greater chance of a dump-file capture that is free of significant errors.

If you follow these recommendations, you meet the following paging file configuration goals for optimization and recovery:

- The system is correctly configured to capture a Memory.dmp file if the computer experiences a kernel mode Stop Error.

http://support.microsoft.com/kb/314482/en-us

Advanced troubleshooting for shutdown problems in Windows XP
http://support.microsoft.com/kb/308029

When I am imaging a PC I normally turn off the PageFile on shutdown. This will produce a smaller image to work with and it won't affect the PC. It can easily be turned back on when the PC has been reimaged. If it is left off it will take the PC a bit longer to shut down.

Right click the My Computer icon on the desktop and select Properties, then select the Advanced tab. Under Startup and Recovery, click the Settings button. Under System failure, remove the checkmark next to Automatically restart. Click OK and then click OK again.

Doing this will allow the PC to create a Minidump file (Memory.dmp) that can be analyzed with WinDebug. Have you checked for Minidump files? Minidump files can be found here: C:\WINDOWS\Minidump

How to read the small memory dump files that Windows creates for debugging: http://support.microsoft.com/kb/315263

To download and install the Windows debugging tools, visit the following Microsoft Web site: http://www.microsoft.com/whdc/devtools/debugging/default.mspx

Instructions on using Windbg.

Open Windbg and select File, Symbol File Path and browse to the Symbol folder that you have downloaded and installed Symbols to, then select OK. Close the workspace and save the Workspace information. This should lock in the Symbol path. Open Windbg, select File and select Open Crash Dump, then navigate to the minidump, highlight it and select Open. There are two ways to use !analyze -v; the easiest is to click on !analyze -v under Bugcheck Analysis. When you have run the initial dump, if you look at the bottom of the screen you will see kd>; to the right of that type in !analyze -v and press the Enter key. Ctrl + A will let you copy the information and paste it into Notepad. Look to the bottom of the page for information on the fault.

Check the Event Logs for any Error Messages.

Then there is your PC's annual maintenance, and here are a few things that you can do.

Faulty fans, and dust and grime build-up on the heatsink restricting air flow. I would give the inside of the case a blowout with compressed air. When blowing air through the fans make sure that you physically stop them from spinning, as they may generate power and **** something up. Remember to ground yourself by placing the back of your hand on the Power Supply Unit and not moving your feet. By not taking this precaution it is possible that you could inadvertently cause damage to the PC from an electrostatic discharge. Then remove the heatsink, give it a thorough clean and reseat the CPU, applying new CPU grease. If the fans spin freely when you give them a spin they are probably OK. If there is resistance, replace them.

Clean the golden edge of each memory stick with a soft rubber/eraser, remembering not to touch the golden edge of the memory stick. Check with one stick at a time, remembering to disconnect the power from the PC.

Test the memory.

You can test the memory by running Windows Memory Diagnostic, which can be downloaded from http://oca.microsoft.com/en/windiag.asp. If problems are found, check the steps below.

Also check the capacitors around the CPU for swelling or bulging.

Test the Power Supply Unit and the CPU.

Download Prime95.
http://www.mersenne.org/freesoft.htm

Prime95 is used to put your system at full load. When run for the first time, it is necessary to click on Advanced, then click on Round off checking so that errors caused by instabilities will be flagged as they occur. Also go to Options and run the Torture Test. Run the In-place FFTs (max power, heat and some RAM). Prime95 will automatically thread all cores, and will expose insufficient CPU cooling and computer case cooling, or excessive Vcore and overclock. At no other time will a CPU be as heavily loaded, or display higher temperatures, even when OC'd during worst-case loads such as gaming or video editing. Prime95 can be used with SpeedFan to observe CPU temps while stress testing for system stability. During single-threaded gaming and applications, Core 0 typically carries heavier loads and higher temps than other cores.

You want your system at full load when checking your voltages to ensure your PSU is up to spec.

If your PC restarts during this test you have a faulty Power Supply (PSU) and it will need replacing.

Download SpeedFan and check the voltages and temps while Prime95 is running.
http://www.almico.com/sfdownload.php

You will want your 12-volt rail to be within 11.52 to 12.48 V during load. This means when you are running your CPU at 100% you do not want to drop below 11.52 V, or you may experience stability problems including but not limited to system restarts and Windows crashes. For the 5-volt rail, you want it to be within 4.8 to 5.2 V to be within the 4% range. As for the 3.3-volt rail, you want it to be within 3.17 to 3.43 V.

Video Memory Stress Test 1.4
http://www.majorgeeks.com/Video_Memory_Stress_Test__d5896.html

Note: A damaged or insufficiently charged internal battery can corrupt CMOS or BIOS settings.

Keep us informed as to your progress if you require further assistance.
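An added example, not from the thread and not a Microsoft tool: before opening each file in WinDbg, a Python script can triage everything in C:\WINDOWS\Minidump by reading the kernel dump header. On 32-bit Windows that header starts with the ASCII signature PAGEDUMP and carries the Stop code, its four parameters, the build number and the crash time, which is enough to see at a glance whether the dumps over several months share one Stop code and when they happened. The script parses only the 32-bit layout (the poster's XP SP2 system); 64-bit PAGEDU64 files are recognised and listed as skipped. The sample header it builds is constructed, with Stop 0x51 (REGISTRY_ERROR) chosen to match the symptom being discussed; no real dump data is included.

```python
"""Triage Windows kernel minidumps (C:\\WINDOWS\\Minidump\\*.dmp) without WinDbg.

Added example, not Microsoft code. Parses the 32-bit DUMP_HEADER ("PAGEDUMP");
field offsets follow the public _DMP_HEADER layout (first 0x1000 bytes of the file).
Usage: python dump_triage.py C:\\WINDOWS\\Minidump   (no argument: built-in sample)
"""
import datetime
import glob
import os
import struct
import sys

HEADER_SIZE = 0x1000
FILETIME_EPOCH = datetime.datetime(1601, 1, 1)

# Common Stop codes, named as WinDbg's !analyze prints them.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x24: "NTFS_FILE_SYSTEM", 0x4E: "PFN_LIST_CORRUPT",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA", 0x51: "REGISTRY_ERROR",
    0x77: "KERNEL_STACK_INPAGE_ERROR", 0x7A: "KERNEL_DATA_INPAGE_ERROR",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED", 0x7F: "UNEXPECTED_KERNEL_MODE_TRAP",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED", 0x9C: "MACHINE_CHECK_EXCEPTION",
    0xC2: "BAD_POOL_CALLER", 0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0xF4: "CRITICAL_OBJECT_TERMINATION",
}
DUMP_TYPES = {1: "full", 2: "kernel", 4: "small (minidump)"}


def filetime_to_datetime(ft):
    """FILETIME is 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=ft // 10)


def parse_dump_header(data):
    """Return a dict of header fields, or None if this is not a 32-bit PAGEDUMP."""
    if len(data) < HEADER_SIZE or data[:8] != b"PAGEDUMP":
        return None
    major, minor = struct.unpack_from("<II", data, 0x08)            # 0xF = free build; minor = build no.
    image_type, cpus, code, p1, p2, p3, p4 = struct.unpack_from("<7I", data, 0x20)
    dump_type = struct.unpack_from("<I", data, 0xF88)[0]
    system_time = struct.unpack_from("<Q", data, 0xFC0)[0]           # FILETIME of the crash
    return {
        "major_version": major,
        "build": minor,                                              # 2600 on Windows XP
        "machine": {0x14C: "x86"}.get(image_type, hex(image_type)),
        "processors": cpus,
        "bugcheck_code": code,
        "bugcheck_name": BUGCHECK_NAMES.get(code, "unknown"),
        "parameters": (p1, p2, p3, p4),
        "dump_type": DUMP_TYPES.get(dump_type, str(dump_type)),
        "crash_time_utc": filetime_to_datetime(system_time) if system_time else None,
    }


def triage_directory(path):
    """Parse every *.dmp in a folder; returns (records, skipped_files)."""
    records, skipped = [], []
    for name in sorted(glob.glob(os.path.join(path, "*.dmp"))):
        with open(name, "rb") as fh:
            info = parse_dump_header(fh.read(HEADER_SIZE))
        if info is None:
            skipped.append(name)          # PAGEDU64 (64-bit) or not a kernel dump at all
        else:
            info["file"] = name
            records.append(info)
    return records, skipped


def build_sample_header(code, params, crash_time, build=2600):
    """Construct a 32-bit header for demonstration (not a real dump)."""
    hdr = bytearray(b"PAGE" * (HEADER_SIZE // 4))   # unused words are 'PAGE', as in real dumps
    hdr[4:8] = b"DUMP"
    struct.pack_into("<II", hdr, 0x08, 0xF, build)
    struct.pack_into("<7I", hdr, 0x20, 0x14C, 1, code, *params)
    struct.pack_into("<I", hdr, 0xF88, 4)
    delta = crash_time - FILETIME_EPOCH              # integer maths: float seconds lose precision here
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    struct.pack_into("<Q", hdr, 0xFC0, ft)
    return bytes(hdr)


# Constructed sample: a Stop 0x51 on an XP build 2600 machine; the date is made up.
SAMPLE_CRASH_TIME = datetime.datetime(2009, 3, 1, 6, 30)
SAMPLE_HEADER = build_sample_header(0x51, (1, 0, 0, 0), SAMPLE_CRASH_TIME)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        records, skipped = triage_directory(sys.argv[1])
    else:
        records, skipped = [dict(parse_dump_header(SAMPLE_HEADER), file="<sample>")], []
    for r in records:
        print("%s  %s  Stop 0x%08X %s  params %s  build %d  %s" % (
            r["crash_time_utc"], r["file"], r["bugcheck_code"], r["bugcheck_name"],
            " ".join("0x%08X" % p for p in r["parameters"]), r["build"], r["dump_type"]))
    for name in skipped:
        print("skipped (not a 32-bit PAGEDUMP):", name)
```

One caveat that matters for this thread: a hive that is already corrupt at boot produces no dump, because the system never gets far enough to crash. So an empty Minidump folder is itself a data point, and a folder with dumps whose Stop codes are 0x7A, 0x77 or 0x24 (paging and file-system I/O errors) rather than 0x51 would point at the disk or controller rather than at the registry itself.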

Fragmented page file

by Tearat In reply to Tested with Tools and res ...

Some imaging software will defrag as it backs up and restores, so your files may not go back to the same place on the partition. This will happen if your image file is smaller than your partition size.

Hope that puts some light on why your paging file is not fragmented after an image restore.

In addition to the above

by OH Smeg Moderator In reply to What causes XP Registry H ...

You can also get a build-up of dust and other junk inside the case, which causes electrical degradation to occur. This can come in several forms, including random BSODs, failure to boot properly and corrupt files like the Registry.

You need to clean out the insides of the unit and, in the case of a desktop, remove any plug-in cards, clean the connectors with a soft rubber/eraser and reassemble after the insides are cleaned out. As this is a static-sensitive area you never use any static dust attractors like some of the dusters that are currently available. You also need to prevent any fans from spinning, as these generate power and can damage the electronic components inside the case.

Canned air is the best to use to blow out the insides of the case, or very low pressure compressed air can be used. Do not use vacuum cleaners on either suck or blow, as the plastic ends can generate large static charges and the motor can send a static charge to the air it is pumping.

You should check the reliability of the hardware occasionally and run some diagnostics like a CPU and RAM check, as well as test the HDDs present in the system. You can use the Ultimate Boot CD for this, and it is available for download here:

http://www.ultimatebootcd.com/download.html

Col

Good point about dust.

by nnenos In reply to In addition to the above

Last time I opened my system I cleaned out the dust with compressed air, but I did not clean the card contacts.

Thanks for the warning about ESD. Luckily, I used to be an electrical engineer and I am well versed in ESD handling precautions.

Are there any tools you can use to test the various cards installed in the system, such as modems, network cards, FireWire cards, display cards, etc.?

I am not sure the Ultimate Boot CD has these tools. Nonetheless, I will download it, burn it to a CD and keep it in my toolbox for future use.

Thanks for the tip.

Sandro
