How to: Modify a computer's offline registry from WinPE

    Issue

    Sometimes it becomes necessary to make changes to the Windows registry on a machine that cannot be booted.

     

    This can be especially important when troubleshooting a machine that reboots after an image deployment, because this is often caused by blue screens occurring while the registry is set to reboot rather than freeze.

     

    Resolution

    This example will explain how to mount the offline Windows registry from Windows PE.    There are many uses for adding information to the Windows registry while still in the Windows PE pre-boot environment.

     

    The following example modifies the Windows registry in offline mode in order to:

     

    • Change the parameters for saving blue screen information to save a Kernel Memory dump instead of a less informative memory dump, or no memory dump at all.
    • Set the default memory dump mode to not automatically reboot the computer when a blue screen occurs.  This will provide the opportunity to review the blue screen information further.

     

      1. Boot the device into WinPE.
      2. Open a new command prompt and run regedit.exe to open the Windows registry.
      3. In the registry editor, highlight the HKEY_LOCAL_MACHINE hive and go to File -> Load Hive.
      4. Browse to the location of the registry files.  These will be located on the OS volume (whatever the drive letter is).  The path from the root of the volume to the files should be Windows\System32\config.

        The following registry hives can be loaded.

        SOFTWARE - HKLM\Software
        SECURITY - HKLM\Security
        SYSTEM - HKLM\System
        Note that the files do not have an extension.  Also note that these are the only hives that can be loaded, because in Windows PE with no user logged in, the user-specific hives are not available.

      5. Select the hive to load and assign it a name.  For example, select SYSTEM and name it OfflineSystem.
      6. Expand the OfflineSystem hive (that should now appear in the list).  This hive represents the HKLM\System hive of the Windows install that is on the hard disk, not the registry of the running Windows PE environment.
        (Modifications to the Windows PE registry are unrelated to the final Windows registry after booting into the full operating system.)  If changes are desired for the Windows PE registry, these changes will need to be made and saved into the corresponding boot.wim, boot_x64.wim, and/or bootmedia.wim file.
      7. Browse to the desired key or value.  For example, browse to OfflineSystem\currentcontrolset\control\crashcontrol and change the data in AutoReboot from 1 to 0.

               The above change will make the device not automatically reboot when a bluescreen occurs.  This is very useful for debugging HII problems when it is suspected that an incorrect driver is being used, or if the driver is not being correctly installed.

      8. Collapse the registry tree to the point where the newly added hive is highlighted (i.e., OfflineSystem).
      9. Go to File -> Unload Hive.  This will unload the hive and all changes made will be saved.
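
    The same procedure from the WinPE command prompt using reg.exe instead of regedit, as an added example that is not part of the original article. It assumes the offline Windows volume is C: and reuses the name OfflineSystem from step 5. Because CurrentControlSet is a link that Windows creates at boot, the script reads Select\Current in the loaded hive to find the numbered control set to edit, and it uses CrashDumpEnabled = 2 for a kernel memory dump.

```bat
@echo off
setlocal
rem Added example. OSVOL is an assumption: confirm the OS volume letter in WinPE first.
set "OSVOL=C:"
set "HIVE=HKLM\OfflineSystem"
set RC=0

rem Steps 3-5: load the offline SYSTEM hive under a temporary name.
reg load "%HIVE%" "%OSVOL%\Windows\System32\config\SYSTEM" || exit /b 1

rem The offline hive holds numbered control sets; Select\Current names the active one.
set "CSNUM="
for /f "tokens=3" %%A in ('reg query "%HIVE%\Select" /v Current ^| find "REG_DWORD"') do set /a CSNUM=%%A
if not defined CSNUM (
    echo Could not read Select\Current from the loaded hive.
    set RC=1
    goto unload
)
rem Zero-pad to three digits, e.g. 1 becomes ControlSet001.
set "CS=00%CSNUM%"
set "CS=ControlSet%CS:~-3%"
set "KEY=%HIVE%\%CS%\Control\CrashControl"

rem Record the current values before changing them.
reg query "%KEY%" /v AutoReboot
reg query "%KEY%" /v CrashDumpEnabled

rem Step 7: AutoReboot 0 = stay on the blue screen instead of rebooting.
reg add "%KEY%" /v AutoReboot /t REG_DWORD /d 0 /f || set RC=1
rem CrashDumpEnabled 2 = kernel memory dump.
reg add "%KEY%" /v CrashDumpEnabled /t REG_DWORD /d 2 /f || set RC=1

:unload
rem Steps 8-9: unload the hive so the changes are saved to the hive file.
reg unload "%HIVE%" || set RC=1
exit /b %RC%
```

    The script always reaches the unload step once the hive is loaded, so a failed edit does not leave the offline hive mounted under HKLM.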


    The following articles give detailed information about modifying memory dump parameters through the registry or through WMIC commands from the command prompt:

     

    CrashDumpEnabled

    AutoReboot

     

    Conclusion

     

    Modifying the offline registry of a computer can help recover from many problems, or at least change settings to allow for better information to be gathered.