Editing a Windows XP installation's registry without being able to log in



I've got a Windows XP installation that has a corrupt registry. A worm (which was removed) had hijacked the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon entry (which should have a value of Userinit=C:\windows\system32\userinit.exe).

When the worm was removed, the corrupt entry was deleted entirely, and now the system automatically logs off immediately after attempting to log in. Regardless of the user and boot mode, no accounts can be logged in to.

The only thing required to correct this behavior is to restore the registry key, but I cannot come up with any ways of editing the registry without logging in to an account. I tried remotely connecting to the registry but the required services aren't enabled on the machine.

I tried booting on the same machine using the BartPE boot CD but I could not find any way of editing the registry on the C:\Windows installation - running regedit only modifies the X:\I386\ registry in memory.

So, what can I use to modify the registry of an un-login-able Windows XP instance so that I can log in again?

Thanks guys.

EDIT: The fix worked. The solution to the auto-logoff problem was, as hoped, to simply add the value mentioned above to the appropriate registry entry.

This can be done using the BartPE Boot CD, as described in the accepted answer below, but I used the Offline NT Registry Editor software mentioned in another answer. The steps were:

  1. Boot from the NT Registry Editor CD
  2. Follow the directions until the appropriate boot sector is loaded.
  3. Instead of using one of the default options for modifying passwords or user accounts, type "software" to edit that hive.
  4. Type '9' to enter the command line based registry editor.
  5. Type "cd Microsoft" (enter) "cd Windows NT" (enter) "cd CurrentVersion" (enter) "cd Winlogon" (enter)
  6. Type "nv 1 Userinit" to create a new value under the Winlogon key
  7. Type "ev Userinit" to edit the new value, and when prompted, type "C:\windows\system32\userinit.exe" (enter)
  8. Type 'q' to quit the registry editor, and as you back out of the system, follow directions to write the hive back to disk.
  9. Restart your computer and log in - problem solved.

(generic 'warning: back up your registry' disclaimer)


Posted 2011-02-16T04:22:50.413

Reputation: 803



You should be able to load the registry hive from your BartPE boot CD. You can follow the instructions listed here:

To load a hive into the registry

  1. Open Registry Editor
  2. In the registry tree (on the left), click either the HKEY_USERS or HKEY_LOCAL_MACHINE keys
  3. On the File menu, click Load Hive.
  4. In Look in, click the drive, folder, or network computer and folder that contains the hive you want to load.
  5. Click Open.
  6. In Key Name, type the name that you want to assign to the hive, and then click OK.


  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

James T

Posted 2011-02-16T04:22:50.413

Reputation: 8 515

Thank you. I didn't end up using this solution, but if the registry can be edited in this way, it's even better. This answer is accepted because it allows the user to make a fix using a UI. – Alain – 2011-02-16T15:09:06.183
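The Load Hive procedure in the answer above can also be carried out from a command prompt in the boot environment. This is an added example, not part of the original answer: it assumes reg.exe is available on the boot CD and that the broken installation is on C:, and the mount name OFFLINE_SW is an arbitrary choice made here.

```batch
@echo off
rem Added example: restore Winlogon\Userinit in an offline XP SOFTWARE hive.
rem Assumptions: run from a PE boot environment, broken install on C:,
rem OFFLINE_SW is an arbitrary temporary mount name.
setlocal
set "HIVE=C:\Windows\System32\config\software"
set "MOUNT=HKLM\OFFLINE_SW"
set "KEY=%MOUNT%\Microsoft\Windows NT\CurrentVersion\Winlogon"

rem Keep a copy of the hive file before changing it (never overwrite an
rem earlier backup).
if not exist "%HIVE%.bak" copy /b "%HIVE%" "%HIVE%.bak" >nul
if not exist "%HIVE%.bak" (
    echo Could not back up "%HIVE%"
    exit /b 1
)

rem Mount the offline hive under HKLM so it is not confused with the
rem in-memory registry of the boot CD.
reg load "%MOUNT%" "%HIVE%"
if errorlevel 1 (
    echo Could not load "%HIVE%"
    exit /b 1
)

rem Show the current state; on the machine described, the value is missing.
reg query "%KEY%" /v Userinit

rem Recreate the value as REG_SZ with the path given in the question.
reg add "%KEY%" /v Userinit /t REG_SZ /d "C:\windows\system32\userinit.exe" /f
set "RC=%ERRORLEVEL%"

rem Confirm what was written.
reg query "%KEY%" /v Userinit

rem Always unload, otherwise the change may not be flushed to the hive file.
reg unload "%MOUNT%"
exit /b %RC%
```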


You can edit your Windows XP Registry with Offline NT Password & Registry Editor which can be found here.

Remember to back up your registry files.


Posted 2011-02-16T04:22:50.413

Reputation: 593

I'm familiar with that program, I've used it many times to reset the password / gain administrative privileges on locked out computers, but I wasn't aware it could navigate the entire registry. – Alain – 2011-02-16T04:51:56.440

The system stops responding to my keyboard as soon as I boot into it. I was getting the same problem with other boot software too. No idea what's causing that - the BIOS is having no problem recognizing it initially. – Alain – 2011-02-16T04:53:02.760

Alright, I got a more simple keyboard hooked up and used this software to solve my problem. – Alain – 2011-02-16T15:06:45.000


To remotely edit services on a machine where the services aren't started, these commands will work to start the services.

First change the mode of the service

SC \\machinename config servicename Start= auto

Then start or stop the service.

SC \\machinename Start servicename

That whole process of manually doing this is much more difficult than using BartPE as mentioned above. But this is just a way to complete the above remote registry edit.


Posted 2011-02-16T04:22:50.413

Reputation: 31

I got an "access denied" error when I attempted this command. (Even in elevated command prompt and even though the user accounts have no password on them.) I encountered the same problem when attempting to network-access the machine using a suite of Sysinternals tools (PSExec - http://technet.microsoft.com/en-us/sysinternals/bb897553). I assumed the computer either was explicitly configured to prevent remote access or the auto-logoff problem affected the ability to use such commands. – Alain – 2011-02-16T16:22:48.870

It's also possible that this didn't work because the computers had never been on the same network before I took this one in to repair it. The user account on my computer was not configured to have administrative access over the other. I wonder if before doing this I would have to find a way to remotely give my computer administrative privileges over B. – Alain – 2011-02-16T16:28:55.227

With the SC command, if you know the local admin account or another privileged account you can specify the username and password to use. – Bob – 2011-02-16T17:32:57.540


Do you have another Windows computer available? If they are networked, you should be able to use regedit on the working computer to edit the registry of the broken one.

Out of interest, have you tried booting from the Windows XP installation disk to perform a repair?


Posted 2011-02-16T04:22:50.413

Reputation: 1 563

From OP: I tried remotely connecting to the registry but the required services aren't enabled on the machine. – Alain – 2011-02-16T15:06:12.973