Managing the System Registry Hive on Windows Server 2003 and Windows Server 2008 Integrity Systems
and selecting File → Unload Hive. When the Hive unloads, all changes are automatically
saved.
6. Reboot the system. Further deletion of any redundant ControlSet(s) may be necessary at
this time. If removal of unnecessary ControlSet(s) is difficult due to complex permissions,
then contact Microsoft Support Services, since they can assist in deleting them fully. Since
the system is now managing only one ControlSet (despite a second one existing), there will
be no additions to the unused ControlSet. This means the server can be rebooted without
risk of the 0x7b Stop Code, as long as system hive increases were minimal.
7. Perform the steps described in the section, “Creating a Pseudo LastKnownGood System
Registry Hive for Windows Server 2003 and Windows Server 2008” (page 16). Also carefully
review all of the section, “Proactive Avoidance” (page 20), to avoid the problem in the
future.
Recovery Specifics: Windows Server 2008
Recovery in Windows Server 2008 is subtly different, as there are two hotfixes that must be
installed. But since the server is not booting due to Stop Code 0x7B, some space must be created
first in the current System hive before the hotfixes can be installed. The approach taken here is
once again (as with Windows Server 2003) to create a System hive with a single ControlSet, thus
freeing up considerable space in the registry. Later, after the operating system boots, a pseudo
LastKnownGood registry is created should it ever be needed for system recovery (refer to
“Creating a Pseudo LastKnownGood System Registry Hive for Windows Server 2003 and
Windows Server 2008” (page 16) for instructions).
To implement this approach, complete the following steps:
1. Delete the duplicate ControlSet(s). This is done by viewing the server’s System hive Select
key (created as EditSYS in an earlier section). Figure 2 (page 8) shows an example of the
values in the Select key. The value of interest is the Current value. This value will be a single
digit, which denotes the ControlSet that the system boots from. For example, if the Current
value is set to “1” this indicates ControlSet001 is the ControlSet the system boots from.
The ControlSet that the system boots from must always be regarded as the “golden”
ControlSet, and should never be deleted. However, the other ControlSet(s) in the server’s
System hive can now be deleted. For example, if the Current ControlSet is “1”, and
ControlSet001 and ControlSet003 are listed in the System hive, then ControlSet003 can be
deleted.
Note that the Registry Editor under WinPE may not have sufficient rights to delete all keys
of the ControlSet (since it impersonates the System Account). If this is the case, the system
will still boot, but will not have all of the other ControlSets deleted. The remainder of a
partially-deleted ControlSet can be deleted once the system is back up after recovery is
completed. The primary goal here is to create some space in the System hive, so the system
will boot.
2. Once the unnecessary ControlSet(s) have been deleted (or partially deleted), then the EditSYS
hive must be unloaded from the Registry Editor. Do this by highlighting the EditSYS hive
and selecting File → Unload Hive. When the Hive unloads, all changes are automatically
saved.
3. Reboot the system.
4. When the system boots back to the operating system level, contact Microsoft to obtain the
following two hotfixes: KB973816 and KB973817. Details of these hotfixes are found here:
http://support.microsoft.com/kb/973816
http://support.microsoft.com/kb/973817
Hotfix KB973816 prevents the server from creating another ControlSet, as well as deletes all
of the other ControlSets from System hive. This hotfix requires a reboot, and directs you to
add a value to the registry to enable this functionality.
System Recovery 15