Managing the System Registry Hive on Windows Server 2003 and Windows Server 2008 Integrity Systems

Once the target System hive registry is loaded, the method for recovery is different, depending
on the operating system:
For Windows Server 2003, see the section: “Recovery Specifics: Windows Server 2003” (page 14).
For Windows Server 2008, see the section: “Recovery Specifics: Windows Server 2008” (page 15).
Recovery Specifics: Windows Server 2003
Recovery in Windows Server 2003 is slightly different from Windows Server 2008, given there
is no hotfix to assist. Some of the required registry deletions that are automated by the Windows
Server 2008 hotfix must be handled manually in Windows Server 2003.
For recovery, the approach taken here is to configure the system so that it only manages a single
ControlSet. This method frees up considerable space in the registry. Later, after the operating
system has booted, a pseudo “LastKnownGood” registry is created should it ever be needed for
system recovery (refer to “Creating a Pseudo LastKnownGood System Registry Hive for Windows
Server 2003 and Windows Server 2008” (page 16) for instructions).
To prevent the operating system from managing multiple ControlSets, a registry subkey
(ReportBootOK) must be edited to disable the feature. More details about this registry subkey
are found here:
http://technet.microsoft.com/en-us/library/cc739989(WS.10).aspx
To implement this approach, complete the following steps:
1. The ReportBootOK subkey resides in the Software hive, which means another hive must be
loaded using RegEdit. Load the Software hive in the same manner that you loaded the
System hive in the previous section. As before, a name for the Software hive must be given
while loaded. As an example, EditSOFTWARE can be used.
2. Once the EditSOFTWARE hive is loaded, expand the tree to the following key:
HKLM\EditSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the Winlogon key is the value named ReportBootOK. By default this value is set to “1”.
You must change this value to “0”. This prevents the creation of more ControlSets.
3. Unload the EditSOFTWARE hive by highlighting it, then selecting File > Unload Hive,
which automatically writes the changes to the system's Software hive file.
4. Delete the duplicate ControlSet(s). This is done by viewing the server's System hive Select
key (loaded as EditSYS in the previous section). Figure 2 (page 8) shows an example of
the values in the Select key. The value of interest is the Current value. This value will be a
single digit, which denotes the ControlSet that the system boots from. For example, if the
Current value is set to “1” this indicates ControlSet001 is the ControlSet the system boots
from.
The ControlSet that the system boots from must always be regarded as the “golden”
ControlSet, and should never be deleted. However, the other ControlSet(s) in the server's
System hive can now be deleted. For example, if the Current value is “1”, and both
ControlSet001 and ControlSet003 are listed in the System hive, then ControlSet003 can be
deleted.
Note that the Registry Editor under WinPE may not have sufficient rights to delete all keys
of the ControlSet (since it impersonates the System Account). If this is the case, the system
will still boot, but will not have all of the other ControlSets deleted. The remainder of a
partially-deleted ControlSet can be deleted once the system is back up after recovery is
completed. The primary goal here is to create some space in the System hive, so the system
will boot.
5. Once the unnecessary ControlSet(s) have been deleted (or partially deleted), then the EditSYS
hive must be unloaded from the Registry Editor. Do this by highlighting the EditSYS hive
14
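The five steps above, as an added PowerShell example that is not part of this document or of any vendor tool: it assumes WinPE with the PowerShell optional component, the offline installation at D:\Windows (a placeholder path), and the temporary hive names EditSOFTWARE and EditSYS used in the text. It sets ReportBootOK to 0, then deletes every ControlSetNNN other than the one named by Select\Current, tolerating the partial deletions the step 4 note describes.

```powershell
# Added example: automates steps 1-5 with reg.exe and the registry provider from WinPE.
# Assumption: the offline Windows installation lives on D:\ (placeholder path).
$ErrorActionPreference = 'Stop'
$Config = 'D:\Windows\System32\config'

# Step 1: load the offline Software hive under the temporary name EditSOFTWARE.
reg load HKLM\EditSOFTWARE "$Config\SOFTWARE" | Out-Null

# Step 2: ReportBootOK is a REG_SZ; "1" (default) lets Winlogon create new ControlSets.
$winlogon = 'HKLM:\EditSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$old = (Get-ItemProperty -Path $winlogon -Name ReportBootOK).ReportBootOK
Set-ItemProperty -Path $winlogon -Name ReportBootOK -Value '0' -Type String
Write-Host "ReportBootOK: $old -> 0"

# Step 3: unloading writes the change back to the hive file on disk.
[gc]::Collect()                      # release provider handles so the unload succeeds
reg unload HKLM\EditSOFTWARE | Out-Null

# Step 4: load the System hive and identify the "golden" ControlSet from Select\Current.
reg load HKLM\EditSYS "$Config\SYSTEM" | Out-Null
$current = (Get-ItemProperty -Path 'HKLM:\EditSYS\Select' -Name Current).Current
$golden = 'ControlSet{0:D3}' -f $current          # e.g. 1 -> ControlSet001
Write-Host "Boot ControlSet is $golden (never deleted)"

# Enumerate ControlSetNNN keys first, then delete every one except the golden set.
$sets = @(Get-ChildItem -Path 'HKLM:\EditSYS' |
          Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' })
foreach ($cs in $sets) {
    if ($cs.PSChildName -eq $golden) { continue }
    try {
        Remove-Item -Path $cs.PSPath -Recurse -Force
        Write-Host "Deleted $($cs.PSChildName)"
    } catch {
        # WinPE may lack rights on some subkeys; a partial deletion still frees space
        # and the remainder can be removed after the system is booted (step 4 note).
        Write-Warning "Partially deleted $($cs.PSChildName): $_"
    }
}

# Step 5: unload the System hive so the freed space is committed to the hive file.
[gc]::Collect()
reg unload HKLM\EditSYS | Out-Null
```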