Tuesday, March 06, 2007

Manually triggering system restore after winXP crash

So my laptop crashed the other day. When I booted it up, there was an error:

"lsass.exe - invalid parameter was passed to the service."

I freaked out a bit, but was also not too upset because I had just backed up my system less than two weeks ago. And I am pretty good about backing up files that I work on a lot during the day, especially work files. So I didn't think I was going to lose much, even if I couldn't get my machine to boot up or otherwise access the hard drive.

So I googled this error message and came up with some threads in forums that didn't sound too positive at first, but then got better.

I first tried to start Windows in Safe Mode; it isn't obvious how you do that (or even that it exists). Here's how. When your computer first starts up, start pressing and keep pressing F8 until there's a screen with lots of options for booting Windows, including
  • Safe Mode
  • Safe Mode with networking
  • Safe Mode with command prompt
  • Last known good configuration

I tried all of these, but always the same error message.

Then I tried the Windows XP CD that came with my computer. You don't know where yours is? You should try to find it, because it's really helpful in these situations. I pressed "any" key when it asked if I wanted to boot via CD instead of hard drive. This entered Windows XP setup mode. There is a recovery option that you can access by pressing R.

Here, Windows asked me for the administrator password. Now, I have an account on the computer with admin rights, but it isn't the account they are interested in here. STUPID! You should be able to log in as any admin to access this. My computer never even prompted me to supply an admin password when I got it (or when I reinstalled the OS several times since). So it rebooted when I guessed wrong 3 times. Then I tried repairing the Windows installation, but that didn't work either, though it changed the screen a bit (I think I may have lost SP2).

Then I tried to enter the recovery console again and this time it worked with a blank password! Then I tried to do a manual system restore with instructions from the thread I read online. I figured worst case scenario is that I have to completely reinstall the OS with the disks I got with the computer.


Manually getting system restore to work


This worked for me, but I am no expert. Do at your own risk! I am sorry if it doesn't work, but I am just sharing what worked for me.


Note: You can also buy a case for the hard drive that enables it to connect to another computer via USB and transfer files over if you think your computer is really toast. Or you can do that first before trying this.

System restore is a very powerful tool for getting your computer to work if it gets wacky on you. Windows resets itself to how it was at a restore point (which, thankfully, it takes regularly). The problem is, if Windows can't boot, you can't use this tool. Or can you? It turns out you can, but you have to do all the work yourself. Here's how:

Enter the recovery console, or otherwise access the hard drive at a command prompt. A boot disk (floppy) may well not be good enough, as most Windows XP systems have hard drives in the NTFS format, not the FAT or FAT32 formats that those disks (which are MS-DOS) can read. So you need either the recovery console, another hard drive with Windows XP on it (not a great option on laptops, but it can work on desktops), or a shareware program called ntfsdos. I used the recovery console, which you can find out more about from Microsoft.

In the recovery console, you only have access to the Windows directory (c:\windows, usually), its subdirectories, and other system directories. This is great, because you want to access C:\system volume information. This is where the data from system restore points is. These files have been copied out of the Windows configuration directory at different points in time. You can manually restore the system by copying them back into the right place. Here's how:

In C:\system volume information, there is a directory called _restore{some-long-set-of-characters}, and within that are directories named RP## with the ## increasing as you have more restore points. To get here, type this at the command prompt (which now should say C:\windows).

cd ..
cd "system volume information"
cd _resto~1
dir

This lists all the RP directories. Pick the highest-numbered one that is dated before your system messed up. If the number was 160, then type this:

cd RP160
cd snapshot

Then you want to copy some files here into the windows directory, but first you copy these files to a new directory so nothing gets removed from system restore. I'm calling anything that I modify iRestore or file.iRestore as this isn't something used by windows already.

mkdir iRestore
copy _registry_user_.default iRestore
copy _registry_machine_security iRestore
copy _registry_machine_software iRestore
copy _registry_machine_system iRestore
copy _registry_machine_sam iRestore

Then go into that new directory called iRestore and rename the files to what they will be called in the Windows directory:

cd iRestore

ren _registry_user_.default default
ren _registry_machine_security security
ren _registry_machine_software software
ren _registry_machine_system system
ren _registry_machine_sam sam


Now you will need to rename the offending files in c:\windows\system32\config and replace them with the new files. I'd go there and rename them at the command prompt like this:

cd C:\windows\system32\config
ren default default.irestore
ren security security.irestore
ren software software.irestore
ren system system.irestore
ren sam sam.irestore

Then go back to the system restore section (replace [##] with the number of the restore point you picked) and copy the files into the Windows config:

cd C:\System~1\_resto~1\RP[##]\snapshot\iRestore

copy default c:\windows\system32\config
copy security c:\windows\system32\config
copy software c:\windows\system32\config
copy system c:\windows\system32\config
copy sam c:\windows\system32\config


Now you have restored the system and just need to reboot it. You should be able to do that by typing exit at the prompt. If all else fails, you can turn off your computer. Congrats! When it boots back up you should have the system restored to what it would have been at an earlier time.
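
For the case mentioned in the note above, where the drive is attached to another computer, the restore-point choice can be checked before any file is copied. This is an added example, not part of the original post: it picks the highest-numbered RP directory dated before the crash and skips any whose snapshot lacks one of the five hive files. The function names are hypothetical, the sample tree is constructed, and it assumes the directory's modification time is the date that dir shows.

```python
import os, re, tempfile
from datetime import datetime
from pathlib import Path

# Snapshot file -> name expected in system32\config (mapping taken from the steps above).
HIVES = {
    "_registry_user_.default": "default",
    "_registry_machine_security": "security",
    "_registry_machine_software": "software",
    "_registry_machine_system": "system",
    "_registry_machine_sam": "sam",
}

def missing_hives(snapshot_dir):
    """Snapshot names that are absent or zero bytes (compared case-insensitively)."""
    files = snapshot_dir.iterdir() if snapshot_dir.is_dir() else []
    sizes = {p.name.lower(): p.stat().st_size for p in files if p.is_file()}
    return [name for name in HIVES if sizes.get(name, 0) == 0]

def pick_restore_point(restore_root, crash_time):
    """Highest-numbered RP## dated before crash_time with all five hives, else None."""
    found = [(int(m.group(1)), p) for p in Path(restore_root).iterdir()
             if p.is_dir() and (m := re.fullmatch(r"RP(\d+)", p.name, re.IGNORECASE))]
    for _, rp in sorted(found, reverse=True):
        # Assumption: the directory's modification time is the date `dir` shows.
        if datetime.fromtimestamp(rp.stat().st_mtime) >= crash_time:
            continue  # taken at or after the crash, so it may hold the bad hives
        if not missing_hives(rp / "snapshot"):
            return rp
    return None

def build_sample(root):
    """Constructed sample tree: RP159 lacks the SAM hive, RP161 postdates the crash."""
    layout = {"RP158": (2007, 2, 20), "RP159": (2007, 2, 25),
              "RP160": (2007, 3, 1), "RP161": (2007, 3, 5)}
    for name, ymd in layout.items():
        snap = Path(root) / name / "snapshot"
        snap.mkdir(parents=True)
        for hive in HIVES:
            if not (name == "RP159" and hive.endswith("_sam")):
                (snap / hive.upper()).write_bytes(b"constructed placeholder")
        stamp = datetime(*ymd).timestamp()
        os.utime(snap.parent, (stamp, stamp))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(pick_restore_point(tmp, datetime(2007, 3, 4)).name)
```

A restore point that is missing a hive is skipped because copying only four of the five files would leave the config directory with hives from different points in time.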


2 Comments:

At Wed Mar 07, 10:15:00 PM PST , Blogger Michael said...

Of course, after compiling all that, I find this info in the MS website.

http://support.microsoft.com/default.aspx?scid=kb;en-us;307545&Product=winxp

 
At Wed Mar 07, 10:17:00 PM PST , Blogger Michael said...

Also, I couldn't get windows to boot, so I had to go into safe mode, and try to use the features there (no task bar, searching capabilities were only for documents, not all files), and I couldn't copy anything anywhere. Luckily, I could use my USB-Key and I could create a new .zip file on the Key and add files to it (but not via drag and drop).

I think it's time to completely reinstall windows now.

 
