syscache.hve was corrupted

discfryer

Member
{Registry Hive Recovered} Registry hive (file): '\??\C:\System Volume Information\Syscache.hve' was corrupted and it has been recovered. Some data might have been lost.
On every boot.
Tried SFC /SCANNOW and chkdsk, no difference.
Any ideas?
 

Ex_Brit

Moderator
Staff member
No idea, other than: have you been using registry cleaners or those "magic" system repair USB drives advertised quite widely? They ALL will destroy a system if used indiscriminately. Likewise, some viruses can do that too. If it were my system I would simply repair the system using a system disk as an in-place "upgrade".
 

discfryer

Member
Never use registry cleaners, learned that lesson 20 years ago.
There is so little info on the web about this problem.
I did a test where I shut down, waited 15-20 minutes, and then checked Event Viewer upon reboot.
The Event Viewer apparently writes/logs the error at shutdown according to the timestamp.
I will try shutting down each program separately before reboot.
The next step, like you said, is to do system repair.
 

mqudsi

Mostly Harmless
Staff member
I would open an elevated command prompt and run chkdsk C: /f to check for any filesystem corruption.

Good luck!
 

mqudsi

Mostly Harmless
Staff member
If you use a Linux live CD to access your Windows installation, you can open the C:\System Volume Information\ folder and see its contents. You might see a file with a GUID name (e.g. {4136e8c9-7553-4fd1-b220-8186bf3dcd47}) that represents a backup of the syscache.hve file, in which case you can restore it (making sure to rename the old syscache.hve, syscache.log1, and syscache.log2 files, both for posterity and because the log files are specific to the current syscache.hve, and if you leave them around the system will think they're for the just-restored one and end up corrupting it).
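A header sanity check that could be run from the live environment on a GUID-named candidate before copying it over syscache.hve, as an added example that is not part of the original post or the poster's tooling. It assumes the file uses the standard registry hive ("regf") base-block layout known from public reverse-engineering notes; the function names and the sample header are constructed for illustration.

```python
import struct
import sys

HEADER_LEN = 512  # checked part of the regf base block (assumed standard layout)

def xor32(first_508: bytes) -> int:
    """Checksum of the base block: XOR of 127 little-endian dwords."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", first_508):
        csum ^= dword
    # Two results are reserved by the format and remapped.
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)

def check_hive_header(data: bytes) -> dict:
    """Report signature, checksum and clean-shutdown state of a hive header."""
    if len(data) < HEADER_LEN:
        return {"signature": False, "checksum": False, "clean": False}
    sig, seq_primary, seq_secondary = struct.unpack_from("<4sII", data, 0)
    (stored,) = struct.unpack_from("<I", data, 508)
    return {
        "signature": sig == b"regf",
        "checksum": stored == xor32(data[:508]),
        # Unequal sequence numbers mean a write was interrupted and the
        # hive expects its own .LOG1/.LOG2 files to be replayed.
        "clean": seq_primary == seq_secondary,
    }

def restorable(data: bytes) -> bool:
    """True only if every header check passes."""
    return all(check_hive_header(data).values())

def make_sample_header(seq_primary: int, seq_secondary: int) -> bytes:
    """Constructed test input: a bare base block, not a real hive."""
    block = bytearray(4096)
    struct.pack_into("<4sII", block, 0, b"regf", seq_primary, seq_secondary)
    struct.pack_into("<I", block, 508, xor32(bytes(block[:508])))
    return bytes(block)

if __name__ == "__main__":
    # Usage: python3 check_hive.py <candidate file> [<candidate file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_hive_header(fh.read(HEADER_LEN)))
```

A candidate that fails the `clean` check still depends on its own log files, which is the mismatch the post warns about when old syscache.log1 and syscache.log2 are left next to a restored hive.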
 

discfryer

Member

mqudsi,

Thank you, it worked! 😀
All the previous searching led me nowhere.
Now this raises even more questions.
Checking properties of the old syscache.hve file shows 40Mb.
The new syscache.hve file shows 262Kb.
If OS is working fine then what were the other 39+Mb??
One more question: do I need all these other files?
Thank you again.


SystemVolumeInformation.jpg
 

mqudsi

Mostly Harmless
Staff member
@discfryer That's amazing - it was really a last-ditch suggestion! I presume you had to do it from a Linux environment as suggested?

Which one of the guid files did you end up copying as syscache.hve?

Everything to do with syscache.hve is undocumented; all I know about it is what I've been able to reverse engineer from my work on EasyRE. It contains some arcane bits of information to do with AppLocker and some software policies, but the most important thing about them is that they contain (primarily?) generated/derived data that gets updated and replaced over time.

40 MiB of data is pretty much nothing in the age of terabyte disks - I would recommend leaving everything there because you never know. Nothing in the \System Volume Information is meant to be modified (or even seen - hence the need for doing these changes from a Linux CD) and Microsoft is free to do whatever it likes (including trash your installation) if it's not happy with what it finds in there.

I would just consider myself lucky, forget I ever saw those files, and move on.
 

discfryer

Member
I'm not sure if the reply was ever posted as I don't see it.
I used a Linux distro to access the CVI files and renamed syscache.hve to syscache.old.
I rebooted and Windows had installed a new copy of syscache.hve.
I have not seen the corrupted message in the Event Viewer since doing this and presumed the problem is fixed.
 