Restore Windows 10 Registry from Backup using Command Prompt

Windows Registry is a massive jungle of parameters and settings that the operating system uses to define its configuration and ensure everything works as it should. It is a very sensitive area that should not be messed with. However, if something goes wrong due to file corruption, accidental deletion, malware infestation, or something else, Windows lets you restore the registry from backups it creates automatically.

In this guide, we will show how to restore Windows 10 Registry from a backup or from a system restore point (VSS snapshot). This article applies to Windows 10, 11, and earlier versions, such as the now-unsupported Windows 8.

Note. You should schedule automatic creation of system restore points to ensure you always have a backup of your working system. Alternatively, you can always create a restore point manually. You cannot restore Windows 10 Registry from a system restore point if you have never made one.

How to Restore Registry from Backup in Windows 10 using Regback?

Where do Windows 11 and 10 store Registry backups? That is a question users frequently Google when trying to restore a copy of the Windows 10 Registry. Here is your answer: Windows stores Registry backups in %windir%\System32\config\RegBack.

Windows keeps each registry hive in a separate file, resulting in five files total in the RegBack folder. Here they are, with the corresponding registry hives in brackets:

  • DEFAULT (HKEY_USERS\.DEFAULT)
  • SAM (HKEY_LOCAL_MACHINE\SAM)
  • SOFTWARE (HKEY_LOCAL_MACHINE\Software)
  • SECURITY (HKEY_LOCAL_MACHINE\Security)
  • SYSTEM (HKEY_LOCAL_MACHINE\SYSTEM)

It is worth noting that Windows does not back up users’ registry hives automatically. These hives are stored inside each user’s profile folder on drive C, for example, C:\Users\Admin. They are hidden by default, so click View > Show > Hidden files. Then locate NTUSER.DAT and USRCLASS.DAT. Copy these files to a safe directory to create a backup of the HKEY_CURRENT_USER hive.

If you want to restore Windows 10 Registry from a backup, copy the files stored inside the RegBack folder to the %windir%\System32\Config directory.

Windows creates registry hive backups using a separate task, RegIdleBackup, from the Automatic Maintenance subsystem every 10 days or when installing system updates, drivers, or programs. To find the task that is responsible for backing up the registry, open Task Scheduler (press Win + R and type taskschd.msc), then go to the section Task Scheduler Library > Microsoft > Windows > Registry.

As you can see, the RegIdleBackup task is active (Ready), and the operation went smoothly the last time Windows made a Registry backup (Last Run Result: The operation completed successfully – 0x0).

You can run this task manually by right-clicking the task name and selecting Run.

Cannot Copy Windows 10 Registry Backup Files

Another thing worth noting is that restoring Windows 10 Registry Backup is not as easy as copying a file from one folder to another. If your computer with Windows 10 is turned on (online), you can’t replace the original registry files in the %windir%\System32\Config since they are locked by the operating system.

However, you can use the registry recovery procedure when your Windows is not booting. In this case, you can replace the damaged registry files from Command Prompt in WinPE by booting your computer into the Windows 10 recovery environment or from Windows 10 installation media.

Restoring Registry Backup Task in Windows 10 1803 and Higher

Microsoft changed how the default Registry backup procedure works in Windows 10 1803 (and in all subsequent Windows 10 and 11 versions). On these versions, the C:\Windows\System32\Config\RegBack directory is empty or contains hive files with a size of 0 bytes. What is interesting is that the task RegIdleBackup is still active and reports that it runs as it should.

According to Microsoft, the automatic backup task was disabled to save space. You can still extract old versions of registry hives from system restore points (if they are enabled).

You can enable automatic registry backups to the RegBack folder using Windows Registry. Here is how to do that:

  1. Press Win + R and type regedit.
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager. Copy the path and paste it into the address bar inside the editor.
  3. Create a new DWORD parameter and name it EnablePeriodicBackup. Open the parameter and change its value data to 1.
  4. Close the registry editor and restart the computer. Windows will create registry backups the next time you start automatic system maintenance (if you have not disabled it).

If you want to run Windows Registry backup manually, execute the following command:

schtasks /run /i /tn "Microsoft\Windows\Registry\RegIdleBackup"

Tip. You can also make changes to the registry using the command:

reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager" /v EnablePeriodicBackup /t REG_DWORD /d 1

You can also use your own scheduled task (created with schtasks) to back up Windows Registry to a separate location (you can also place the backup on a separate disk) using the commands:

md C:\PS\RegBack
schtasks /create /ru system /sc weekly /st 12:00:00 /tn "MyRegIdleBackup" /tr "cmd /c del /f /q C:\PS\RegBack & cd /d C:\PS\RegBack & reg save HKLM\SAM SAM & reg save HKLM\SECURITY SECURITY & reg save HKLM\SOFTWARE SOFTWARE & reg save HKLM\SYSTEM SYSTEM & reg save HKU\.DEFAULT DEFAULT"

You can also manually back up important registry hives or make a full registry backup in Registry Editor. Select the required registry hive (or select the registry root) and click Export from the context menu. Specify the name of the .reg file in which you want to save your registry.

Restore Windows 10 Registry from Command Prompt

As mentioned earlier, you cannot restore Windows 10 Registry on the go while the system is online. Begin with booting your computer into recovery and launching Command Prompt. To do so, you need to interrupt the boot procedure three times in a row using the Power button. Then select Troubleshoot > Advanced Options > Command prompt. Alternatively, if your computer operates as it should, hold the Shift button and click Restart from the power menu.

Alternatively, you can use Windows installation media. Boot from a Windows 10 or 11 install DVD or USB, then press Shift + F10 on the welcome screen. Note that some keyboards and laptops use the F1-F12 row as media keys by default, so you have to press Shift + Fn + F10 if the standard shortcut does not work.

The drive letter assigned to your system drive in the WinPE recovery environment may be different from C:\. To find out what drive letter is assigned to your system partition, enter the following commands one by one:

  • diskpart
  • list volume
  • exit

You can easily detect your system partition by the large disk size. In our case, it’s the drive with the letter D:\ (volume 2).

Now use Command prompt to restore the registry from backup:

Xcopy d:\Windows\System32\config\regback d:\Windows\System32\config

Confirm the replacement of files using key A.

After the command execution finishes, all the registry files will be replaced with their backups. You can close Command prompt and reboot the computer to check if restoring Windows 10 Registry from a backup fixed issues or bugs.

If the registry files in the backup are corrupt, try restoring the older version of the registry files from a System Restore point manually.

Boot into the WinPE environment as described earlier and go to the windows\system32 directory:

d:

cd d:\windows\system32

Display the list of all available restore points with the following command:

vssadmin.exe list shadows

In this example, Windows made the last shadow copy on 10/20/2016 4:02:40 AM. Its Shadow Copy Volume path is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6.

Mount the restore point (snapshot) in read-only mode to the folder d:\ShadowCopy using the mklink tool. Note the leading \\?\ and the trailing backslash on the shadow copy path:

mklink /D d:\ShadowCopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\

Now you can access files stored in the shadow volume. Simply copy and replace registry files using the following commands:

xcopy d:\ShadowCopy\Windows\System32\config\DEFAULT d:\Windows\System32\config

xcopy d:\ShadowCopy\Windows\System32\config\SAM d:\Windows\System32\config

xcopy d:\ShadowCopy\Windows\System32\config\SOFTWARE d:\Windows\System32\config

xcopy d:\ShadowCopy\Windows\System32\config\SECURITY d:\Windows\System32\config

xcopy d:\ShadowCopy\Windows\System32\config\SYSTEM d:\Windows\System32\config

Reboot your computer.
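
The RegBack restore and the shadow-copy restore described above, combined into one batch file for the WinPE Command Prompt. This is an added example, not part of the original article; the script name safe-restore.cmd and the PreRestore folder are assumptions. It refuses to copy missing or 0-byte hives (the default RegBack state on Windows 10 1803 and later) and saves the current hives before overwriting them.

```batch
@echo off
rem Added example, not from the original article. Run it from the WinPE/WinRE
rem Command Prompt against the OFFLINE Windows volume, never the running OS.
rem Script name and PreRestore folder are hypothetical. Usage:
rem   safe-restore.cmd d:\Windows\System32\config\RegBack d:\Windows\System32\config
rem   safe-restore.cmd d:\ShadowCopy\Windows\System32\config d:\Windows\System32\config
setlocal
set "SRC=%~1"
set "DST=%~2"
set "HIVES=DEFAULT SAM SECURITY SOFTWARE SYSTEM"
set "BAD="
if "%DST%"=="" (
    echo Usage: %~nx0 SOURCE_DIR OFFLINE_CONFIG_DIR
    exit /b 2
)

rem 1. Stop if any source hive is missing or 0 bytes. Nothing is modified yet.
for %%H in (%HIVES%) do call :check "%SRC%\%%H"
if defined BAD exit /b 1

rem 2. Save the current hives so the restore can be undone. An existing
rem    PreRestore folder is never overwritten by a second run.
if exist "%DST%\PreRestore\" (
    echo "%DST%\PreRestore" already exists. Rename it before running again.
    exit /b 1
)
md "%DST%\PreRestore" || exit /b 1
for %%H in (%HIVES%) do (
    if exist "%DST%\%%H" (copy /b /y "%DST%\%%H" "%DST%\PreRestore\%%H" >nul || set "BAD=1")
)
if defined BAD exit /b 1

rem 3. Overwrite the hives with the validated copies.
for %%H in (%HIVES%) do (
    copy /b /y "%SRC%\%%H" "%DST%\%%H" >nul || set "BAD=1"
)
if defined BAD (
    echo A copy failed. The previous hives are in "%DST%\PreRestore".
    exit /b 1
)
echo Restored: %HIVES%
exit /b 0

:check
if not exist "%~1" (echo MISSING %~1& set "BAD=1"& goto :eof)
if "%~z1"=="0" (echo EMPTY %~1& set "BAD=1"& goto :eof)
echo OK %~1 %~z1 bytes
goto :eof
```

The size test only catches missing or empty files; it does not prove that a hive is internally consistent.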

That is it. Now you know how to restore Windows 10 and 11 Registry backup using Command Prompt and system restore points. If nothing helped, you can try fixing your Windows installation by resetting it to the default state. You can do that by keeping your local files or purging everything, including apps. Alternatively, reinstall Windows, which is an easy process even inexperienced users can pull off.

I enjoy technology and developing websites. Since 2012 I have been running a few of my own websites and sharing useful content on gadgets, PC administration and website promotion.

14 comments

  1. Thank you, Thank you, Thank you, Thank you!!!

    Saved me hours of reinstalling after trying hours of other stuff!

  2. How about restoring registry from user made backup using regedit.
    Above example is only to restore default registry backup created by windows OS not user.

  3. You have mistake in mklink command. Two backslashes needed
    mklink /D d:\ShadowCopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\

  4. A million thanks to you, and another million more, heck, a trillion thanks. You saved me hours and hours of re-installation and customization and tuning work.

  5. Is the following a cause for concern?

    The mklink returns with no error, and all seems good, but most of the simple commands I try to browse the files there return a rather laconic and not-very precise error:

    d:\Windows\System32>cd d:\shadowcopy
    The parameter is incorrect.

    Further: after trying some 5-10 commands and receiving the same error message in response to all of them, I tried as a parting shot the first of your xcopy commands above… and it worked!! In fact **all** those xcopy commands worked, but everything else gave me “The Parameter is incorrect.”

    Also: when I am done with the image, is there a “correct” way to unmount the image? Or do I just delete d:\shadowcopy?

    Thanks again, so very much.

  6. Like one of the other commenters, I tried to browse the c:\shadowcopy folder and was blocked, but the copy commands worked anyway. Actually xcopy didn’t work but copy worked. Also also my system drive was mounted as C: so had to adjust the commands as appropriate. Aaaand also also also, the correct command to mount is missing a backslash, as noted by a previous commenter. mklink /D c:\ShadowCopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2 in my case. Thanks!

  7. Hello,

    The spaces in the final five xcopy commands result in “invalid parameters” error. Please remove spaces after d:\shadowcopy\. Other than that, thanks for the useful info!

    Example:

    xcopy d:\shadowCopy\ Windows\System32\config\DEFAULT d:\Windows\System32\config

    Should be:

    xcopy d:\shadowCopy\Windows\System32\config\DEFAULT d:\Windows\System32\config

  8. Hello, great resource here. After running the commands I get File not found – Default and 0 files copied. They seem to be missing. I have a backup image of my entire system from 4 months ago..perhaps I can use the Registry files from that image backup and copy them over to my current system?

    Can anyone help me with a way to do that? Thanks a million!

  9. you are a LIFE SAVER – this information is priceless and I can’t thank you enough!

    As pointed out above, I also had to include the leading back-slashes on the mklink command and also add a trailing back-slash.

    BTW, if anyone has this issue: I have a custom Win 7 system with add-in cards and an M.2 SATA drive – the Windows 7 boot CD needs the drivers installed to even see my C drive. Long story short: could NOT get the Windows 7 rescue environment to see anything, however, I used a Windows 10 bootable USB and I was able to see ALL my drives including the M.2.

    (to address the elephant in the room : I am stuck with Windows 7 on this particular PC due to the need to preserve legacy devices)

  10. Hi,
    My laptop did not boot correctly even in safe mode and stuck in BSOD loop with error code “driver verifier detected violation”, I had tried different kinds of ways, until I tested your recommendation above. It was perfect. I copied RegBack folder to c:\windows\system32\config and restarted windows 10 and all of things are in its position without losing data.
    Thanks a GIGA

  11. Well written and clearly explained for the most part, but I am confused about using the D drive with the restore point data and uncorrupted Registry. Is the D drive supposed to be empty (mine is) and its only purpose is to place the restore point data on it, copy the uncorrupted Registry entries to it, and then boot from it? If so, do you have to mess with the BIOS to point to D as where to boot from?
    If not, can someone please clarify the purpose of the D drive?

    Thanks!
