Registry cannot load the hive (file) \systemRoot\System32\Config\SAM..

Del Inspiron 5100 Series, Intel P4, 2.4GHz, 30GIG HD

This is my cousins lappy, she had started getting this message:

I had not known she was able to get to the safe mode selection options, but trying all listed provided the same error as described above.

She has install disks and I can get to Recovery console(after changing boot sequence to check CD bay), but as I've never really done a 'repair' on a system with data on it worth saving(she has some Masters degree stuff, most of it back up to external drive, but not all), just my test machines which had no data worth saving, I want to get some advice on how is best to proceed. From what I've read, the repair ought not kill any data, or at least not much chance of it, but I know that in practical scenarios, this is not always the case.

I had spoken to Blender about this a while back, and she suggested possible HD or mobo prob, but of course without 'seeing' the machine, hard to diagnose.

Now I have it for a while and would like to get more opinions.

 

Thanks Pete, I had come across that page, or something very similar last nite, but no way was I going to proceed until I got some more opinions and advice.

Lets see what others have to add and I'll need to call my cousin too, to see just how much data has not been copied to the back up drive.

Thanks again!

 

It important to get the data off there or make a drive image to separate media before doing anything else.

Then you can try running chkdsk /r from the Recovery Console.

System Restore back to a date prior to the problem from the RC command line. (Assumes it was enabled) I'll supply step by step for that if/when needed or else you can Google it likely.

Rename the SAM hive in Windows\System32\Config folder and replace it with the copy found in the Windows\Repair folder.

Replace all the hives with the copies found in the Windows\Repair folder.

Do a Repair Install.

Wipe the drive, run the manufacturers diagnostics, and reinstall XP clean.

I hope you can do those in the order given and stop well before the end item.

 

Just because it's the kind of crazy thing I'd try.........

Bootup to a BartPE disk, then access C:\System Volume Information\-restore{***-***-***}\RP???\snapshot and grab a 'REGISTRY MACHINE SAM' file, then put it in C:\Windows\system32\config (renaming to just SAM of course).

If that doesn't work, and given the disc is an Operating System disc rather than a Recovery disc, a repair or parallel installation.

 

Yep, that'll work too. In the absence of the BartPE CD you can do that in the RC, but it's not near as easy. Sure make a body appreciate drag/drop.

 

Right, mostly due to the _restore{***-***-***} folder(s) being hidden, and if you don't know the exact name, you can't unhide them. If you can't unhide them, you can't get the full name to use with the cd command ......... which is why I'd just go with BartPE

@sd ......... did you find those directories accessible with what we discussed?

 

Yes, but you'll appreciate this, through the wonder of default 8.3 file generation by XP (assuming you haven't disabled it), you can enter that directory without knowing the precise string. It just takes a cd _resto~1 command and voila, you're resident.

As to your @sd, yes, it worked very well, thank you.

 

But with there being multiple _restore folders, how to navigate from one to another using shortname?
Could you also, using the following, unhide all of them? attrib -h _restore*

 

No, I don't think that particular syntax will work for the attrib command.

Fortunately the subfolders in the _resto~1 folder do not have the "Hidden" attribute so perusing them is easy.

I just ran a test so here's how it's done:

C:\>cd system~1

C:\SYSTEM~1>cd _resto~1

C:\SYSTEM~1\_RESTO~1>cd rp1

C:\SYSTEM~1\_RESTO~1\RP1>cd snapshot

C:\SYSTEM~1\_RESTO~1\RP1\snapshot>dir
Volume in drive C is 10gig
Volume Serial Number is 4C27-81EC

Directory of C:\SYSTEM~1\_RESTO~1\RP1\snapshot

06/19/2007 09:14 PM <DIR> .
06/19/2007 09:14 PM <DIR> ..


04/16/2002 08:24 AM 23,604 ComDb.Dat
06/19/2007 09:14 PM 26 domain.txt
06/19/2007 09:14 PM <DIR> Repository
06/19/2007 09:14 PM 20,480 _REGISTRY_MACHINE_SAM
06/19/2007 09:14 PM 57,344 _REGISTRY_MACHINE_SECURITY
06/19/2007 09:14 PM 17,883,136 _REGISTRY_MACHINE_SOFTWARE
06/19/2007 09:14 PM 11,710,464 _REGISTRY_MACHINE_SYSTEM
06/19/2007 09:14 PM 716,800 _REGISTRY_USER_.DEFAULT
06/19/2007 09:14 PM 716,800 _REGISTRY_USER_NTUSER_S-1-5-18
06/19/2007 09:14 PM 253,952 _REGISTRY_USER_NTUSER_S-1-5-19
06/19/2007 09:14 PM 258,048 _REGISTRY_USER_NTUSER_S-1-5-20
06/19/2007 09:14 PM 7,462,912 _REGISTRY_USER_NTUSER_S-1-5-21-2857422465-927890586-840360825
-1003
06/19/2007 09:14 PM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
06/19/2007 09:14 PM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
06/19/2007 09:14 PM 32,768 _REGISTRY_USER_USRCLASS_S-1-5-21-2857422465-927890586-8403608
25-1003
14 File(s) 39,152,718 bytes
3 Dir(s) 2,644,611,072 bytes free

That's for the oldest restore point on the system. Later restore points will be named RP2, RP3... as they occur. Of course the date will be the tip off for utilizing the proper one.

Although it appears that the five hives have strange names, it is only necessary to rename them to put them to use. They are not compressed or otherwise altered.

 

But still, as you say, it's much easier with a live Linux or BartPE CD than using the MS kluge. I have a second copy of XP on another drive so you could also use that method - or a parallel install as suggested.

Then of course, if you have the FAT32 file storage system, other choices abound from a boot CD or floppy.

 

sd,

Have a look at the perms on system~1 ..... not sure it's accessible even from RC, as it uses Admin

BTW, my rp??? folders are rp236 - rp246

 

I don't think the permissions will be a factor from the RC command line, they never were in any tests that I have run.

Your RP#'s would tend to indicate that you have had the System Restore utility enabled for quite a long time. Mine was enabled on 6/19/2007 for some reason and I hadn't booted that system on a new day until tonight. So I have RP1 and RP2 only. I suspect they would disappear and the number sequence start anew if I choose to disable SR. Just guessing about that however since I don't use the tool and wonder why I even had it enabled. Must have been some thread on 6/19/2007 about it.

 

Tom,

Bottom line is that the SAM hive consists of account credentials. Not prone to change much unless user accounts are added/removed, so if you can get one from a recent snapshot folder, you should be good to go.

Using the syntax sd2 posted, from RC;

C:\>cd system~1

C:\SYSTEM~1>cd _resto~1

C:\SYSTEM~1>dir

pick an RP??? folder with a high number, then

C:\SYSTEM~1\_RESTO~1>cd rp?

C:\SYSTEM~1\_RESTO~1\RP?>cd snapshot

C:\SYSTEM~1\_RESTO~1\RP1\snapshot>copy _REGISTRY_MACHINE_SAM c:\windows\system32\config

now cd to the config folder and

c:\windows\system32\config>dir

if there is a SAM

c:\windows\system32\config>ren sam sam.old
c:\windows\system32\config>ren _REGISTRY_MACHINE_SAM SAM

 

And if you run up against a permissions issue accessing the system~1 folder, which is still possible since my system may not be a fair standard for comparison with all others, then go for the SAM file in the Windows\Repair folder instead.

Now we have all the bases covered Dave.

I have a feeling replacing the SAM hive won't be the end of this. I'm worried about the HD integrity so run chkdsk /r asap (after backing up the data).

 

You guys are too much - just plain awesome. Thanks.

 

OK, just going in little steps here.

When I access RC, I get presented to select the Windows install I want to enter, when selected, I get:
C:\WINDOWS>

Can I run chkdsk from there?

All the syntax thus far has started with C:\

Or is the 'windows' part a given?

This is a great learning experience for me, seeing as none of my current machines has ever encountered any problems. The two Dell boxes I bought myself along with the Dell OptiPlex I bought from a daycare dads law firm have even hiccuped.

 

chkdsk.exe resides in the system32 folder, so to run it, I think you would need to change to that directory.

C:\Windows>cd system32

then

C:\Windows\system32>chkdsk /r


Edit
Just tried from the command prompt ........ you should be able to run chkdsk /r from the C:\Windows> prompt.

 

Ran chkdsk, said it fixed one or more items, but still same prob, blue screen.

Guess I'll work on the next option later tonite, when no ones around to nag me.