TL;DR:
I've noticed that if I make a registry change and then hard-shutdown my Windows 10 system, the registry change does not appear after reboot.
I've also noticed that the deletion of a hibernation file can impact the ability for a Linux recovery tool to make changes to the Windows registry in an offline state. The tool seems unable to make persistent changes after the deletion of a hibernation file. I will list specific examples below.
Example 1:
- I add a key called "1111" into "HKLM\SOFTWARE". I then hard power down my box by holding the power button for 5 seconds.
- When I pull the registry back up, that key and its values are gone:
- (These images were edited for formatting purposes)
Example 2:
- Make a change in the registry (using regedit)
- Hibernate the system
- Boot into a Linux recovery tool
- Delete the hibernation file in order to mount the disk.
- Read the windows registry (from the recovery tool)
- The registry change is gone.
This seems equivalent to a hard shutdown on the box.
Example 3:
I see stranger behavior when I:
- Hibernate the box
- Boot to a Linux recovery tool and delete the hibernation file
- Make changes to the registry (from the recovery tool)
- Reboot the box
Those changes are not reflected in the registry either.
So what's going on here?
- When does Windows 10 write the registry changes to the disk?
- Why does the deletion of a hibernation file (in Example 3) prevent registry changes made from the recovery tool from being reflected on the next boot?
Hoping to get some clarification!
Best Answer
As documented on the MSDN page for
RegFlushKey
:This suggests that apart from flushing a specific key to disk immediately (which locks everyone else out of the registry until the flush is complete), the registry is automatically flushed periodically: a time is not given, but presumably it is at least more than the time you waited between writing the key and hard shutdown. In addition, it is flushed at shutdown, as you had already figured out.
You can use the
RegFlushKey
function in the software that manipulates said key, or create an additional tool with it to force writing a registry key to disk immediately, if this is crucial to your usage case.The now defunct "Saving application registry changes on Windows 8 or Windows Server 2012" Microsoft support article (archive.org linked here) states the following:
Also, an excerpt from Mokubai's response:
The linked How To Geek article in that response was very informative:
Between Fast Startup / Hybrid Shutdown and the delay in flushing the keys, most of the pieces come together. If the system managed to store the modification in memory but hadn't flushed to disk then it would get saved in the hibernation file on hybrid shutdown or just discarded on a hard shutdown. If the hibernation file is discarded by the recovery tool then the change will no longer exist either.