Helping people with computers... one answer at a time.

Viruses and other malware often work in part by making changes to your registry, so it's tempting to think that's all that needs to be restored. It's not.

I recently recovered from a nasty virus. ... I understand that a virus does its thing by making changes in the registry. I have a utility called erunt that makes a backup of the registry and has a utility to restore the same. If a virus is onboard would restoring the registry eliminate it? Could that registry backup be kept on a CD and restored to the hard drive and what would be the process?

Yes, you could burn your registry backup to a CD and then restore from that.

However, I'm a tad concerned. Viruses typically do much more than play with the registry, and many other programs keep information in the registry. Using this as your safety net may well simply replace one set of problems with another.

First, it's not true that viruses, spyware and other malware only modify the registry. While that's often an important part of how malware operates, they're actually often much more insidious. Additional techniques often involve modifying, replacing or infecting system or other common executable files, placing themselves in boot sectors, batch files, and other locations on your computer.

Even if a particular piece of malware only works by installing references to itself in the registry, fixing the registry does not remove the file containing the malware. As long as that file exists, you're still technically infected, and are at risk of re-enabling it.

The other concern I have is that other programs are making changes to the registry all the time. Legitimate changes. If you "roll back" the registry, and only the registry, to some prior point in time, then all those legitimate changes that were made since that backup was taken are lost.

".. relying on a registry restore to recover from a malware infestation is, in my opinion, a very bad idea."

In most cases that's fairly benign. But, for example, if you installed additional software since the registry backup was taken, then that software may not appear to be installed after a restore. Or only partially installed. Or it may simply not work at all, depending on how that particular software package works.

All in all, relying on a registry restore to recover from a malware infestation is, in my opinion, a very bad idea.

The alternative I recommend is this:

  • Be religious about running anti-spyware and anti-virus packages, keeping their databases up to date, running a firewall and keeping windows up to date. In other words, do everything you're supposed to do to avoid the problem in the first place.

  • Use a more complete backup solution. Any of the standard backup programs that backup all of your system, not just the registry. Then, if a restore becomes necessary, you restore your system to a previously known good state, rather than hoping that the registry is enough.

So then just when are registry backups appropriate?

I recommend them in situations where the window between making a change and seeing a problem is likely to be short - meaning that other legitimate changes you might care about are less likely to have happened between the backup and any restore.

For example, I recommend a registry backup prior to doing any manual work in the registry yourself. If you've been given instructions to make a change inside the registry by firing up the registry editor or executing a ".reg" file, then taking a backup snapshot immediately prior is a great idea. Then, if you encounter a problem, you can immediately restore.

To answer your final question: how would you restore a registry backup from a CD? That's going to depend heavily on the particular registry backup tool you're using. In your case, I'm not familiar with erunt, but looking at the product's web site they do seem to have extensive information on various ways to restore your registry, depending on the condition of your machine. So the general advice is to check the documentation for the tool you're using - ideally before a problem arises, so you'll know whether the tool is appropriate for your situation.

Article C2902 - January 18, 2007 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

Michael Gallant
September 12, 2007 6:24 AM

how can you edit the registry to repair it after fixing an internal hard drive from virus's when the internal hard drive was attached VIA USB adapter.

December 26, 2007 6:55 PM

do u know any virus protection with a registry protection form virus to and dont give me no registry cleaner i am talking about registry protection form virus and spyware thanks

December 26, 2007 7:04 PM

and aslo i was thinking that virus detecter cant detect any virus form registry if that is right do i need to protect my registry

Leo A. Notenboom
December 28, 2007 9:32 AM

Hash: SHA1

Anti-virus scanners certainly can scan the registry, as can
anti-spyware scanners.


Version: GnuPG v1.4.7 (MingW32)


August 4, 2008 9:27 PM

whats the difference between registry files and system files? I really enjoy your column and have learnt a great deal from it. Recently I have been hit by a virus and have not fully recovered from it. But have been able to fix it to some extent using your suggestions from various articles. I must say that i always look forward to your articles every week.

The registry is a database of information. Files are ... files. :-) More info here: Why does Windows have a registry?


March 18, 2009 8:04 PM

hi all, I was thinking for a long time with this idea, pls give your comments on this, when we get a virus attack, the body itself produce immunity. likewise we build immunity in computer to prevent virus and update it. my idea is that can't we write programes for kill specific viruses and let spred automaticaly over the net, these programs should halmless to computers and must active whenever its meet a virus onboard.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.