Microsoft Windows Registry Guide, Second Edition

Diagnosing Registry Corruption

If, after you try the other techniques that this chapter describes, your computer does not start, the registry hive files might be corrupt. The error messages might vary. They can include any of the following:

There are many reasons why a registry hive might be corrupt. Most likely, the corruption is introduced when the computer is shut down, and you cannot track the cause because the computer is unloading processes and drivers during shutdown. Sometimes, it is difficult to find the cause of registry corruption. The following sections describe three possible causes for the problem. To troubleshoot registry corruption, follow these steps:

  1. Back up the registry.

    One tool that you can use to back up registry hives is the Windows Recovery Console. For additional information about how to back up, edit, and restore the registry, see Chapter 3, “Backing Up the Registry.”

  2. Check the hardware, the disk, the firmware drivers, and the basic input/output system (BIOS). To do this, follow these steps. These steps might require downtime for the computer.

    1. Make sure that the CPU is not being over-clocked.

    2. Make sure that system event logs do not contain event ID 9, event ID 11, or event ID 15 (or any combination of these events). These events might indicate hardware problems that must be addressed.

    3. On the disk that contains the registry hive files, run the Chkdsk command-line command with the /r switch. This command helps to verify that the area of the disk that contains the registry hive files is not involved with the problem.

    4. Apply the latest firmware revisions to disk controllers, and use the matching driver versions. Make sure that the drivers are signed drivers and that you have the appropriate firmware revisions installed.

    5. Make sure that you apply the latest BIOS updates to the computer.

  3. After you complete step 2, you might not see any change in behavior. To stop the corruption from occurring, try to close all running processes before you shut down the computer. You might be able to narrow the scope to a single process that is involved. Even if you identify the process, you might not be able to prevent a component from being unloaded before the registry hive is written to. However, if you make sure that you stop the process before shutdown, you might be able to prevent registry hive corruption.

  4. After you complete step 3, if you do not see any change in behavior, compare the registry hives. Capture a non-corrupted registry hive and a corrupted registry hive, and then use comparison tools such as WinDiff to compare the two. For more information about using WinDiff, see Chapter 10, “Finding Registry Settings.”

  5. Determine which registry hive section is growing. If it appears that the problem is a registry hive that is growing too large, you might be able to determine which section is growing and to trace this back to a process that is writing to the hive.

Power Failure

A power failure or some other unexpected shutdown event might cause a corrupted registry hive. To determine whether this is the cause of the issue, look for event ID 6008 entries, which indicate that there was an unexpected shutdown. In this case, a process might have been modifying part of the registry hive when the computer lost power, before that change could be completed. This leaves the registry hive in an inconsistent state. On restart, when the operating system tries to load the registry hive, it might find data in that registry hive that it cannot interpret, and you might receive one of the error messages mentioned earlier.
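
The event log checks described in step 2 and in this section can be run together. The following script is an added example, not part of the original text; it assumes Windows PowerShell 3.0 or later with the Get-WinEvent cmdlet, and the parameter names and time windows are illustrative choices.

```powershell
# Added example (not from the book). Parameter names and defaults are assumptions.
param(
    [int]$DaysBack = 30,        # how far back to search the System log
    [int]$CorrelateHours = 24   # window examined before each event ID 6008 entry
)

$hardwareIds = 9, 11, 15        # IDs the chapter says might indicate hardware problems
$shutdownId  = 6008             # ID the chapter says marks an unexpected shutdown

$filter = @{
    LogName   = 'System'
    Id        = $hardwareIds + $shutdownId
    StartTime = (Get-Date).AddDays(-$DaysBack)
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated)

if ($events.Count -eq 0) {
    Write-Output "No event ID 9, 11, 15, or 6008 entries in the last $DaysBack days."
    return
}

# Summary: which driver or service logged each ID, and how often.
$events | Group-Object Id, ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Event ID 6008 is written at the next startup, so the window below is measured
# back from the time the entry was logged, not from the moment power was lost.
foreach ($shutdown in $events | Where-Object Id -eq $shutdownId) {
    $from  = $shutdown.TimeCreated.AddHours(-$CorrelateHours)
    $prior = @($events | Where-Object {
        $_.Id -in $hardwareIds -and
        $_.TimeCreated -ge $from -and
        $_.TimeCreated -lt $shutdown.TimeCreated
    })
    Write-Output ("6008 logged {0:yyyy-MM-dd HH:mm:ss}: {1} hardware event(s) in the prior {2} h" -f
        $shutdown.TimeCreated, $prior.Count, $CorrelateHours)
    $prior | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
}
```

Unexpected shutdowns that have hardware events logged shortly before them point toward the disk or controller rather than toward a power failure alone.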

File Corruption and Faulty Hardware

You must determine whether only the registry hives are corrupted or whether other files (system and data) are also corrupted. If corruption is not limited to registry hives, the corruption might result from faulty hardware. This hardware might include anything that is involved in writing to a disk, such as the following components:

If you suspect faulty hardware, the hardware vendor must thoroughly investigate the condition of all computer components.

The Registry Is Written To at Shutdown

If one or two registry hives consistently become corrupted for what seems like no reason, the problem probably occurs at shutdown and is not discovered until you try to load the registry hive at the next restart. In this scenario, the registry hive is written to disk when you shut down the computer, and this process might stop the computer or a component in the computer before the writing is completed.
