Can I recover from a virus by just restoring my registry?

Question:

I recently recovered from a nasty virus. … I understand that a virus does
its thing by making changes in the registry. I have a utility called erunt that
makes a backup of the registry and has a utility to restore the same. If a
virus is onboard would restoring the registry eliminate it? Could that registry
backup be kept on a CD and restored to the hard drive and what would be the
process?

Yes, you could burn your registry backup to a CD and then restore from
that.

However, I’m a tad concerned. Viruses typically do much more than
play with the registry, and many other programs keep information in the
registry. Using this as your safety net may well simply replace one set of
problems with another.

First, it’s not true that viruses, spyware and other malware only modify the
registry. Registry changes are often an important part of how malware gets
itself started and stays resident, but the techniques are frequently more
insidious than that: modifying, replacing or infecting system or other common
executable files, placing themselves in boot sectors, batch files, and other
locations on your computer.

Even if a particular piece of malware works only by installing references to
itself in the registry, fixing the registry does not remove the file containing
the malware. The registry entry is just a pointer; the program it points at is a
separate file on disk. As long as that file exists, you’re still technically
infected, and anything that runs it again re-enables it.
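To make that distinction concrete, here is an added PowerShell example (my own, not code from the article or from ERUNT). It walks the usual Run/RunOnce autostart keys, resolves the executable each value points at, and reports whether that file is still on disk together with its SHA-256 hash. The four keys and the path-resolution heuristic are my assumptions; Windows has many more autostart locations than these.

```powershell
# Added example (not from the Ask Leo! article). Lists the values under the usual
# Run/RunOnce autostart keys and shows the file each one points at. The point: the
# registry value is only a pointer; deleting it leaves the executable on disk.
# Assumptions: the four keys below (there are many other autostart locations), and a
# best-effort heuristic for turning a command line into a file path.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-AutorunPath {
    # Turn a Run-value command line into the executable it launches.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $null }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }        # "C:\Program Files\x\y.exe" /arg
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {                   # unquoted path that may contain spaces
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]   # e.g. "rundll32.exe ...": a bare name found via PATH, not a full path
}

function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $path   = Resolve-AutorunPath ([string]$item.GetValue($name))
            $exists = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)
            $hash   = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { '-' }
            [pscustomobject]@{ Key = $key; Value = $name; File = $path; Exists = $exists; SHA256 = $hash }
        }
    }
}

Get-AutorunEntries | Format-Table -AutoSize

# Removing a suspicious value only removes the pointer. After
#   Remove-ItemProperty -LiteralPath $key -Name $name
# the file shown in the File column is still on disk (Test-Path still returns $true)
# until it is quarantined or deleted, and anything that runs it re-infects the machine.
```

Run it from an elevated prompt so the HKLM keys are readable. The useful follow-up is the hash: a file that exists but whose hash is unknown to you (or that has no publisher signature) is the thing to submit to your scanner, and it is the thing a registry-only rollback would leave behind.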

The other concern I have is that other programs are making changes to the
registry all the time. Legitimate changes. If you “roll back” the registry, and
only the registry, to some prior point in time, then all those legitimate
changes that were made since that backup was taken are lost.

In most cases that’s fairly benign. But, for example, if you installed
additional software since the registry backup was taken, then that software may
not appear to be installed after a restore. Or only partially installed. Or it
may simply not work at all, depending on how that particular software package
works.

All in all, relying on a registry restore to recover from a malware
infestation is, in my opinion, a very bad idea.

The alternative I recommend is this:

  • Be religious about running anti-spyware and anti-virus packages, keeping
    their databases up to date, running a firewall and keeping Windows up to date.
    In other words, do everything you’re supposed to do to avoid the problem in the
    first place.

  • Use a more complete backup solution: any of the standard backup programs
    that back up your entire system, not just the registry. Then, if a restore
    becomes necessary, you restore the system to a previously known good
    state, rather than hoping that the registry is enough.

So then just when are registry backups appropriate?

I recommend them in situations where the window between making a change and
seeing a problem is likely to be short – meaning that other legitimate changes
you might care about are less likely to have happened between the backup and
any restore.

For example, I recommend a registry backup prior to doing any manual work in
the registry yourself. If you’ve been given instructions to make a change
inside the registry by firing up the registry editor or executing a “.reg”
file, then taking a backup snapshot immediately prior is a great idea. Then, if
you encounter a problem, you can immediately restore.
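As an added illustration of that workflow (my own PowerShell, not code from the article or from ERUNT): snapshot only the subtree you are about to touch with the built-in reg.exe, make the change, and roll it back exactly. The key and value names are hypothetical. The caveat worth knowing is in step 3: reg import merges a .reg file into the registry and never deletes anything, so a value you added after the snapshot survives a plain import; delete the subtree first if you want an exact rollback.

```powershell
# Added example (not from the Ask Leo! article). Targeted registry snapshot around a
# manual edit, using the reg.exe that ships with Windows. The key and values are
# hypothetical; the snapshot file is written to %TEMP% (copy it to a CD/USB stick if
# you want it to survive the machine).

$key    = 'HKCU\Software\ExampleApp'                 # subtree you are about to edit (hypothetical)
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP "ExampleApp-$stamp.reg"

# Create the hypothetical key so the example runs stand-alone.
reg.exe add $key /v Mode /t REG_SZ /d "safe" /f | Out-Null

# 1. Snapshot only the subtree you intend to touch, immediately before the edit.
reg.exe export $key $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Export failed; do not make the edit without a backup." }

# 2. The manual change the instructions asked for (here: flip a value and add a new one).
reg.exe add $key /v Mode    /t REG_SZ    /d "experimental" /f | Out-Null
reg.exe add $key /v NewFlag /t REG_DWORD /d 1              /f | Out-Null

# 3. Something went wrong: roll the subtree back. 'reg import' only merges, so NewFlag
#    would survive a plain import. Delete the subtree first for an exact restore.
reg.exe delete $key /f | Out-Null
reg.exe import $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Import failed; inspect $backup before retrying." }

# 4. Verify: re-export and diff against the snapshot. No output means the subtree
#    matches the snapshot; any difference is shown with <= (snapshot) / => (now).
$after = Join-Path $env:TEMP "ExampleApp-after.reg"
reg.exe export $key $after /y | Out-Null
Compare-Object (Get-Content $backup) (Get-Content $after)
```

Two practical notes. Export the narrowest subtree you can: the shorter the window and the smaller the scope, the less legitimate data a restore can clobber, which is exactly the argument above. And for HKLM keys run the prompt elevated; reg.exe exports what it can read and exits nonzero otherwise, which is why the script checks $LASTEXITCODE before proceeding.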

To answer your final question: how would you restore a registry backup from
a CD? That’s going to depend heavily on the particular registry backup tool
you’re using. In your case, I’m not familiar with erunt, but looking at the
product’s web site they do seem to have extensive information on various ways
to restore your registry, depending on the condition of your machine. So the
general advice is to check the documentation for the tool you’re using –
ideally before a problem arises, so you’ll know whether the tool is appropriate
for your situation.

6 comments on “Can I recover from a virus by just restoring my registry?”

  1. How can you edit the registry to repair it after fixing an internal hard drive from viruses when the internal hard drive was attached via a USB adapter?

    Reply
  2. Do you know any virus protection with registry protection from viruses too? And don’t give me any registry cleaner; I am talking about registry protection from viruses and spyware. Thanks.

    Reply
  3. And also, I was thinking that a virus detector can’t detect any virus from the registry. If that is right, do I need to protect my registry?

    Reply
  4. Anti-virus scanners certainly can scan the registry, as can
    anti-spyware scanners.

    Leo

    Reply
  5. What’s the difference between registry files and system files? I really enjoy your column and have learnt a great deal from it. Recently I have been hit by a virus and have not fully recovered from it, but have been able to fix it to some extent using your suggestions from various articles. I must say that I always look forward to your articles every week.

    The registry is a database of information. Files are … files. :-) More info here: Why does Windows have a registry?

    -Leo

    Reply
  6. Hi all, I was thinking for a long time about this idea; please give your comments on it. When we get a virus attack, the body itself produces immunity. Likewise we build immunity in computers to prevent viruses and update it. My idea is this: can’t we write programs to kill specific viruses and let them spread automatically over the net? These programs should be harmless to computers and must activate whenever they meet a virus onboard.

    Reply
