How to Fix Broken Registry Items: Visual Guide and Solutions

Broken Registry Items have been the thorn in many an IT admin’s side almost since the day Microsoft introduced the Registry concept in Windows 3.1. Modern flavors of Windows tend to do a good job of maintaining the registry on their own, but there may still be some limited circumstances where broken registry items can cause issues. If you’re wondering ‘how to repair broken registry items’, read through the rest of this guide to learn what a broken registry item is, what symptoms it may cause, and how to fix it.

How to Identify Broken Registry Items + Their Cause

The Windows Registry is a hierarchical database of settings used by Windows components, drivers, and applications. It was introduced in 1992 to replace the messy practice of using separate configuration files for each user and application on the machine. The registry consists of hives, keys, and values. Hives are a collection of keys and are generally built around a unifying concept like a particular user or computer. Keys are roughly analogous to folders, while values are somewhat similar to individual files. All of these elements are organized into a hierarchical tree-like structure.

While the implementation has changed over time, every version of Windows since 3.1 has included a registry. Third-party developers also frequently make use of the registry, although there is no requirement to do so. The Varonis agent, for example, stores certain low-level configuration settings as registry values. As with other internal components in Windows, Microsoft has added a number of features over the years to make the registry both more reliable and more secure. The modern registry does not require regular cleaning or maintenance.

Quick Review: What Are Broken Registry Items?

A “broken” registry item is simply one or more entries in the Windows Registry that differ from the desired state for a given user, system, or application. This could mean the lack of a particular key, a key-value pair that is different from what is expected, duplicate registry entries, or leftover registry entries from a program that has been uninstalled. As much of the registry is specific to a particular user, configuration, and machine, there is no “correct” registry; the registry is said to be corrupt or broken when one or more entries start causing abnormal or undesired behavior.

What Causes Them? 

A broken registry item can be caused by a variety of different scenarios, ranging from failed hardware to ransomware. The registry is usually stored on a computer’s local disk, so any damage or changes to the disk can also cause broken registry items. For example, a power failure in the middle of a Windows Update could result in an incomplete change to the registry, leading to unexpected results. On occasion, uninstalling a program or driver might not remove the associated registry keys, leading to “orphaned” entries. 

In some cases, malware and malevolent hackers might even abuse the registry. Many types of malware add a startup entry in the registry to load their malicious payloads every time a computer starts. Some will even use the registry for exactly its intended purpose – storing configuration parameters that control the operation of the malware. Modifying the registry is an attack technique that’s been used by a number of Advanced Persistent Threat (APT) groups to evade defenses, perform reconnaissance on a target machine, or maintain persistence after an initial compromise. The REvil ransomware group, for example, has been known to store encryption keys used to lock a victim computer within the Windows registry.

Even misidentified or damaged hardware can cause broken registry items. The most recent versions of Windows can dynamically create registry items at or even after boot time to support features like Plug and Play. If the system fails to accurately identify the hardware, it may result in inaccurate registry entries. 

How to Fix Broken Registry Items

Prior to making any attempt at repairing broken registry items, you should be sure there is a highly compelling reason to do so. Changes to the registry have the potential to render a computer completely inoperable, requiring a complete reinstallation of Windows. Other possibilities include unstable operation, nonfunctional applications, data loss, and more. 

Microsoft developed the registry as an internal component of Windows and never intended for end-users to access or edit its contents. Registry changes for the sake of optimization or performance gains are not recommended and are likely to do more harm than good. Processor speeds, memory capacity, and storage space have all increased at a much faster rate than the size or complexity of the registry. Even with the millions of keys found in newer versions of Windows, the complete size of the registry will only be a small fraction of the size of a single HD movie. Removing broken registry items to free up more storage space is, therefore, akin to dealing with a flooded basement one airline-sized water bottle at a time.

If you are completely certain that broken registry items need to be addressed, there are several methods for doing so:

Method 1: System Restore Point

At the time of writing, Microsoft’s recommended approach to dealing with any type of registry error, including broken registry items, is to use the System Restore Point functionality that’s built into Windows. This works by restoring an earlier snapshot of the entire system, which includes the registry. This is often effective at resolving issues but is only an option when previous restore points already exist. Some versions of Windows will create restore points automatically before major events like system upgrades, but you can also create manual restore points at any time. In either case, System Protection must be enabled for the drive in question. This can be done by clicking on “Configure” from the “System Protection” tab of System Properties:

This method will not have an impact on personal files and has the potential to correct broken registry items for third-party applications. Entries added by malware or hackers can also be removed, provided the restore point dates to a time before the infection.
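Creating the restore point from the command line, as an added example that is not part of the original article: it enables System Protection on C:, takes a manual checkpoint, and lists the newest points so the sequence number is known before any registry change. It assumes an elevated Windows PowerShell 5.1 session (these cmdlets are not present in PowerShell 7).

```powershell
# Added example, not from the original article. Requires an elevated Windows
# PowerShell 5.1 session; Checkpoint-Computer is not available in PowerShell 7.
$drive = 'C:\'

# System Protection must be on for the drive, otherwise Checkpoint-Computer fails.
Enable-ComputerRestore -Drive $drive

# Take a manual restore point. Windows 8 and later allow one checkpoint per
# 24 hours by default; a second call inside that window only emits a warning.
Checkpoint-Computer -Description 'Before registry repair' -RestorePointType MODIFY_SETTINGS

# Show the newest points. SequenceNumber is what Restore-Computer takes to roll back.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber -Descending |
    Select-Object -First 3 SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# Roll back later with (the machine reboots):  Restore-Computer -RestorePoint <SequenceNumber>
```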

Method 2: Edit Registry via GPO

In a corporate environment where you might face the prospect of broken registry items on multiple machines throughout the network, using Group Policy Objects (GPOs) could be a viable option. GPOs allow an administrator to specify a common group of settings and apply them to a group of computers. The Group Policy Management Editor found in server editions of Windows can be used to centrally add, edit, or delete registry keys. There’s even a built-in Registry Editor to simplify these tasks.

Registry settings can be found under the Preferences -> Windows Settings section of both the Computer Configuration and User Configuration items for a given GPO:

To add a new key or launch the registry wizard, right-click on “Registry”:

The registry wizard can be used for all sorts of purposes, including applying entire registry hives from one computer to the rest of the network:

As applying incorrect registry settings via this method has the potential to render an entire group of computers inoperable, you should exercise extreme care when using GPOs to deal with broken registry items.

Method 3: DISM.exe

Short for Deployment Imaging and Servicing Management (DISM), the DISM tool is typically used by administrators to service Windows image files that are deployed to entire fleets of computers. However, some features of DISM can be used to diagnose and correct issues with the Windows registry. The tool will compare the current state of the system it’s run on with a known good Windows image (typically from Windows Update), and can then be used to correct any discrepancies. 

DISM is built into Windows, so all you’ll need is an Administrator account and comfort using a command-line tool. To get started, click the Start menu and enter “cmd” in the search box. Right-click the Command Prompt result, choose “Run as administrator”, and enter your password:

DISM has a large number of different switches, but from a registry perspective, there are three that are most useful. “Dism.exe /Online /Cleanup-Image /ScanHealth” will scan for corruption in critical Windows components such as the registry. If any corruption is found, you can use “Dism.exe /Online /Cleanup-Image /CheckHealth” to determine whether the corruption can be repaired. If it can be repaired, the “Dism.exe /Online /Cleanup-Image /RestoreHealth” command will restore any damaged files from known good copies via Windows Update. Note that you will need a working Internet connection for this to work.

Method 4: Manually Edit the Registry

In some unusual cases, you may be aware of a specific registry key that does not match a known desired parameter. Incident responders may also have to manually remove entries created by malware or threat actors. This method has a high potential to produce adverse effects, as even a small typo in a registry value could dramatically change the behavior of the machine. It is advisable to create a system restore point or even export the current registry before making any changes.

To access the Registry Editor, click the start menu and type regedit.exe in the search box. You may be prompted for an administrator password. The Registry Editor UI allows you to browse through the various hives and keys and add or edit specific values. In this example we’re editing the value that controls the default keyboard layout for a particular machine:

There are additional methods to manually edit the registry, including through the use of PowerShell or the Windows Management Instrumentation (WMI) interface, but if you haven’t used either of these features before it’s not a good idea to start with registry modifications.
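The following added example (not the article’s own code) ties together two earlier points: the startup entries that malware commonly adds to the registry, and exporting a key before manually removing an entry. It inventories the Run/RunOnce autostart keys and defines a helper that backs up a key with reg.exe before deleting a single value; the key, value name and backup directory are parameters, and the value name ‘SuspiciousUpdater’ is a hypothetical placeholder.

```powershell
# Added example, not from the original article. Run in an elevated Windows PowerShell session.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Step 1: inventory. Every value under these keys is launched at boot or logon,
# which is why the article names startup entries as a common malware persistence spot.
function Get-AutorunEntry {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # metadata properties added by Get-ItemProperty
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Step 2: export the key with reg.exe, then delete one value you have positively identified.
function Remove-AutorunEntry {
    param(
        [Parameter(Mandatory)] [string] $Key,        # PowerShell path, e.g. HKCU:\...
        [Parameter(Mandatory)] [string] $EntryName,  # value name to delete
        [string] $BackupDir = "$env:ProgramData\RegistryBackups"
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # reg.exe expects the full hive name rather than the PowerShell drive prefix.
    $regPath = $Key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
    $backup  = Join-Path $BackupDir ("autorun-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of $regPath failed; nothing was changed." }
    Remove-ItemProperty -Path $Key -Name $EntryName -ErrorAction Stop
    "Removed '$EntryName' from $Key. Undo with: reg.exe import `"$backup`""
}

Get-AutorunEntry | Format-Table -AutoSize
# Hypothetical value name; replace it with one you have confirmed is unwanted:
# Remove-AutorunEntry -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -EntryName 'SuspiciousUpdater'
```

The exported .reg file is the rollback for this one key; a System Restore point, as described under Method 1, remains the broader safety net.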

Method 5: Third-Party Registry Cleaners (Not Recommended)

A wide range of companies sell products touted as “registry cleaners”. Microsoft’s official stance on these types of utilities is that they are unnecessary, may lead to irreparable issues or data loss, and could even contain spyware or viruses. Unlike the engine in your car, the registry does not need routine maintenance to keep functioning. As a collection of user and device-specific settings, there is often no such thing as a “correct” value for any given registry key. Using our example of HKEY_LOCAL_MACHINE\SYSTEM\Keyboard Layout\Preload again, a registry cleaner has no way of knowing if the value for US English is correct for me, or if it should be changed to German. 

One issue that registry cleaners can potentially address is the “orphaned” entries left behind by uninstalled programs. These aren’t really “broken” registry items, however, as such leftover entries rarely have any impact at all on system behavior. And, as already stated, the registry takes up so little space that removing old keys and values will have no meaningful impact on available storage space. If for some reason you do choose to install a registry cleaner, make sure it is from a reputable vendor with an established track record. 

Method 6: Reset Your PC or Reinstall Windows 

While it’s not the most convenient option, using the Reset this PC option in Windows 8.1 and later will erase the existing registry and install a new copy. This is virtually guaranteed to fix any broken registry items since any erroneous, malicious, or duplicate entries will be deleted. This does mean that you’ll need to reinstall any applications that came with your PC, but in Windows 10 and later you have the option of preserving personal files. Reset this PC can be found in the Recovery section of the Settings app in Windows 10 and above. It can also be easily accessed by typing “reset” in the search bar of the Start menu.

If you’re facing such a severe registry error that your machine won’t even boot, it’s likely that the only option is to completely reinstall the Windows operating system. To do this, you can download an ISO image from Microsoft and write the image to a USB or optical disk.

Conclusion

Although rare, broken registry items can have a serious impact on the stability of a PC. Fortunately, a corrupted registry isn’t an automatic indicator of system compromise or malware activity. If you’re concerned about the possibility of an attacker manipulating the registry, you might want to check out a UEBA solution like Varonis DatAlert. These types of solutions watch for signs of suspicious activity, such as modifications to the registry, and alert security teams in real-time so that immediate action can be taken. 

Robert Grimmick

Robert is an IT and cyber security consultant based in Southern California. He enjoys learning about the latest threats to computer security.
