Helping people with computers... one answer at a time.
Viruses and other malware often work in part by making changes to your registry, so it's tempting to think that's all that needs to be restored. It's not.
I recently recovered from a nasty virus. ... I understand that a virus does its thing by making changes in the registry. I have a utility called erunt that makes a backup of the registry and has a utility to restore the same. If a virus is onboard would restoring the registry eliminate it? Could that registry backup be kept on a CD and restored to the hard drive and what would be the process?
Yes, you could burn your registry backup to a CD and then restore from that.
However, I'm a tad concerned. Viruses typically do much more than play with the registry, and many other programs keep information in the registry. Using this as your safety net may well simply replace one set of problems with another.
First, it's not true that viruses, spyware and other malware only modify the registry. While that's often an important part of how malware operates, malware is frequently much more insidious. Additional techniques include modifying, replacing or infecting system files or other commonly used executables, and placing copies in boot sectors, batch files, and other locations on your computer.
Even if a particular piece of malware only works by installing references to itself in the registry, fixing the registry does not remove the file containing the malware. As long as that file exists, you're still technically infected, and are at risk of re-enabling it.
The other concern I have is that other programs are making changes to the registry all the time. Legitimate changes. If you "roll back" the registry, and only the registry, to some prior point in time, then all those legitimate changes that were made since that backup was taken are lost.
In most cases that's fairly benign. But, for example, if you installed additional software since the registry backup was taken, then that software may not appear to be installed after a restore. Or only partially installed. Or it may simply not work at all, depending on how that particular software package works.
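As an added illustration of both concerns (this is not code from the article or from ERUNT), the PowerShell below snapshots the two Run autostart keys and later diffs the current state against that snapshot: it lists what a registry-only restore would discard, and for each entry added since the snapshot it reports whether the file the entry launches is still on disk. The snapshot file path and the short list of keys are assumptions.

```powershell
# Added example, not from the article. Snapshot the machine-wide and per-user
# Run keys, then compare a later state against that snapshot: it shows what a
# registry-only rollback would discard, and that an autorun entry's target file
# stays on disk whether or not the entry is restored. Snapshot path is assumed.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunSnapshot {
    # Returns a hashtable of "key|valueName" -> command line
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $snap["$key|$name"] = [string]$item.GetValue($name)
        }
    }
    return $snap
}

function Resolve-CommandPath {
    # Best effort: the quoted, or else the first, token of the command line
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split ' ')[0]
}

function Compare-RunSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            # Added since the snapshot: a rollback drops the entry, not the file
            $exe = Resolve-CommandPath $Current[$k]
            $state = if ($exe -and (Test-Path -LiteralPath $exe)) { 'present' } else { 'missing' }
            "ADDED    $k -> $($Current[$k]) [target file $state]"
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            "CHANGED  $k : '$($Baseline[$k])' -> '$($Current[$k])'"
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) { "REMOVED  $k -> $($Baseline[$k])" }
    }
}
# Usage: take the snapshot before editing, compare afterwards (path assumed)
# Get-RunSnapshot | Export-Clixml 'C:\backup\run-snapshot.xml'
# $base = Import-Clixml 'C:\backup\run-snapshot.xml'
# Compare-RunSnapshot -Baseline $base -Current (Get-RunSnapshot)
```

An entry reported as ADDED with its target file "present" is exactly the case the article warns about: rolling the registry back removes the reference but leaves the executable in place.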
All in all, relying on a registry restore to recover from a malware infestation is, in my opinion, a very bad idea.
The alternative I recommend is this:
Be religious about running anti-spyware and anti-virus packages, keeping their databases up to date, running a firewall and keeping Windows up to date. In other words, do everything you're supposed to do to avoid the problem in the first place.
Use a more complete backup solution: any of the standard backup programs that back up your entire system, not just the registry. Then, if a restore becomes necessary, you restore your system to a previously known good state, rather than hoping that the registry is enough.
So then just when are registry backups appropriate?
I recommend them in situations where the window between making a change and seeing a problem is likely to be short - meaning that other legitimate changes you might care about are less likely to have happened between the backup and any restore.
For example, I recommend a registry backup prior to doing any manual work in the registry yourself. If you've been given instructions to make a change inside the registry by firing up the registry editor or executing a ".reg" file, then taking a backup snapshot immediately prior is a great idea. Then, if you encounter a problem, you can immediately restore.
To answer your final question: how would you restore a registry backup from a CD? That's going to depend heavily on the particular registry backup tool you're using. In your case, I'm not familiar with erunt, but looking at the product's web site they do seem to have extensive information on various ways to restore your registry, depending on the condition of your machine. So the general advice is to check the documentation for the tool you're using - ideally before a problem arises, so you'll know whether the tool is appropriate for your situation.