I recently recovered from a nasty virus. … I understand that a virus does
its thing by making changes in the registry. I have a utility called erunt that
makes a backup of the registry and has a utility to restore the same. If a
virus is onboard would restoring the registry eliminate it? Could that registry
backup be kept on a CD and restored to the hard drive and what would be the
However, I’m a tad concerned. Viruses typically do much more than
play with the registry, and many other programs keep information in the
registry. Using this as your safety net may well simply replace one set of
problems with another.
First, it’s not true that viruses, spyware and other malware only modify the
registry. While that’s often an important part of how malware operates, they’re
actually often much more insidious. Additional techniques often involve
modifying, replacing or infecting system or other common executable files,
placing themselves in boot sectors, batch files, and other locations on your
Even if a particular piece of malware only works by installing references to
itself in the registry, fixing the registry does not remove the file containing
the malware. As long as that file exists, you’re still technically infected,
and are at risk of re-enabling it.
The other concern I have is that other programs are making changes to the
registry all the time. Legitimate changes. If you “roll back” the registry, and
only the registry, to some prior point in time, then all those legitimate
changes that were made since that backup was taken are lost.
In most cases that’s fairly benign. But, for example, if you installed
additional software since the registry backup was taken, then that software may
not appear to be installed after a restore. Or only partially installed. Or it
may simply not work at all, depending on how that particular software package
All in all, relying on a registry restore to recover from a malware
infestation is, in my opinion, a very bad idea.
The alternative I recommend is this:
Be religious about running anti-spyware and anti-virus packages, keeping
their databases up to date, running a firewall and keeping Windows up to date.
In other words, do everything you’re supposed to do to avoid the problem in the
Use a more complete backup solution: any of the standard backup programs
that back up your entire system, not just the registry. Then, if a restore
becomes necessary, you restore your system to a previously known good
state, rather than hoping that the registry is enough.
So then just when are registry backups appropriate?
I recommend them in situations where the window between making a change and
seeing a problem is likely to be short – meaning that other legitimate changes
you might care about are less likely to have happened between the backup and
For example, I recommend a registry backup prior to doing any manual work in
the registry yourself. If you’ve been given instructions to make a change
inside the registry by firing up the registry editor or executing a “.reg”
file, then taking a backup snapshot immediately prior is a great idea. Then, if
you encounter a problem, you can immediately restore.
To answer your final question: how would you restore a registry backup from
a CD? That’s going to depend heavily on the particular registry backup tool
you’re using. In your case, I’m not familiar with erunt, but looking at the
product’s web site they do seem to have extensive information on various ways
to restore your registry, depending on the condition of your machine. So the
general advice is to check the documentation for the tool you’re using –
ideally before a problem arises, so you’ll know whether the tool is appropriate
for your situation.
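The "snapshot immediately before a manual registry change" workflow recommended above, as an added example that is not part of the original answer and has nothing to do with erunt. It uses only the built-in reg.exe: it exports the single key you are about to touch, applies a .reg file, and merges the snapshot back if the import fails. The key path, the change file and the backup folder are placeholders chosen for illustration.

```powershell
# Added example (not from the Ask Leo! answer): snapshot one registry key before
# applying a .reg file to it, and restore the snapshot if the change fails.
# $KeyPath, $ChangeReg and $BackupDir are hypothetical values for illustration.

param(
    [string]$KeyPath   = 'HKCU\Software\ExampleApp',   # hypothetical key
    [string]$ChangeReg = 'C:\Temp\change.reg',         # hypothetical .reg file
    [string]$BackupDir = 'C:\Temp\RegBackups'          # hypothetical folder
)

function Backup-RegistryKey {
    param([string]$Key, [string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $safeName = $Key -replace '[\\:]', '_'
    $file     = Join-Path $Dir "$safeName-$stamp.reg"
    # "reg export" writes the whole subtree under $Key; /y overwrites without prompting.
    & reg.exe export $Key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of $Key failed" }
    return $file
}

function Restore-RegistryKey {
    param([string]$BackupFile)
    # "reg import" merges the saved values back in. Values or subkeys added after
    # the snapshot are not deleted by this, which is the same limitation the
    # answer above describes for registry-only restores.
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed" }
}

# 1. Take the snapshot first, so there is always something to fall back to.
$backup = Backup-RegistryKey -Key $KeyPath -Dir $BackupDir
Write-Host "Snapshot saved to $backup"

# 2. Apply the change; on any failure, merge the snapshot straight back.
try {
    & reg.exe import $ChangeReg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Applying $ChangeReg failed" }
    Write-Host "Change applied. Keep $backup until you are sure the system behaves."
}
catch {
    Write-Warning $_
    Restore-RegistryKey -BackupFile $backup
    Write-Host "Snapshot restored from $backup"
}
```

Run it from an elevated prompt if the key lives under HKLM; HKCU keys can be exported and imported as the current user. Because the window between snapshot and restore is seconds, the "legitimate changes lost" problem discussed above does not arise, which is precisely why a narrow, key-scoped snapshot is the right tool here and a whole-registry rollback is not.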