I've noticed that if I make a registry change and then hard-shutdown my Windows 10 system, the registry change does not appear after reboot.
I've also noticed that the deletion of a hibernation file can impact the ability for a Linux recovery tool to make changes to the Windows registry in an offline state. The tool seems unable to make persistent changes after the deletion of a hibernation file. I will list specific examples below.
This seems equivalent to a hard shutdown on the box.
I see stranger behavior when I:
Those changes are not reflected in the registry either.
So what's going on here?
Hoping to get some clarification!
TL;DR: Shut your system down properly.
Hibernation is nothing to do with shutting down, it is closely related to suspend-to-RAM (sleep) except with the contents of RAM pushed to disk in order for it to be read back in and operation resumed from exactly where the system left off.
If you want the changes to persist then you need to disable hibernation and Windows Fastboot (which is a subset of hibernation). Or you can actually reboot rather than hibernate and restart.
The reason changes are not persisted is because they are not written to disk yet except in the hibernation file. Which you are deleting, meaning that the filesystem may well have to repair itself and go back to a "last known good" state.
While the system is hibernated there are going to be several key filesystem structures that may not have been written out to disk and are instead in RAM. The system will, upon resuming from hibernation, expect the disk to be in a very particular state and it is possible that disk caches and important system files get saved to the hibernation file rather than to the actual disk.
If you do a proper shutdown then Windows will properly flush working memory to disk, and then unmount the disk cleanly before powering down.
To force a proper shutdown open a command prompt and type
shutdown /s /f /t 0
/s is "shutdown",
/f to force, and
/t 0 to mean "now" (time = 0 seconds)
Or you can just disable fastboot and hibernation.
Related to you doing a hard shutdown the problem there is that Windows is not guaranteed to write any changes out to disk the same millisecond (or even minute) that you make the change. It will almost certainly be written within a few minutes but the probablility of it having actually been written will increase over time. It's unlikely to be written immediately, then near to the time you make the change the probability increases sharply, and will almost certainly have been written within an hour.
The thing is though, that by forcing a hard shutdown you are not giving the system a chance to safely write changes to disk.
Most modern filesystems are written to make changes in the safest way possible. In the past they have been referred to as "atomic", as in the change has either happened or it has not.
Today we know them as Journalled file systems because they keep a log of operations that will happen that can be either reverted or rolled forwards in the event of system failure and reboot. Upon startup from a power failure the system checks the journal and for each transaction it checks if the actual file data is written to disk and is "good". If it is then the transation rolls forwards and is completed, if not then it rolls back to the old data.
By using this order the disk is almost always in an easy to repair state.
But by forcing your system to power down unexpectedly you cannot guarantee whether the transaction has progressed far enough to roll forwards upon repair, and chances are that an operating system such as Linux will not care as much as Windows about the transaction history and is more likely than not to just make changes that roll everything backwards rather than forwards.
If you rebooted into Windows it might try or be able to repair the disk properly as it has a more intimate knowledge of the filesystem.
As documented on the MSDN page for
Calling RegFlushKey is an expensive operation that significantly affects system-wide performance as it consumes disk bandwidth and blocks modifications to all keys by all processes in the registry hive that is being flushed until the flush operation completes. RegFlushKey should only be called explicitly when an application must guarantee that registry changes are persisted to disk immediately after modification. All modifications made to keys are visible to other processes without the need to flush them to disk.
Alternatively, the registry has a 'lazy flush' mechanism that flushes registry modifications to disk at regular intervals of time. In addition to this regular flush operation, registry changes are also flushed to disk at system shutdown. Allowing the 'lazy flush' to flush registry changes is the most efficient way to manage registry writes to the registry store on disk.
This suggests that apart from flushing a specific key to disk immediately (which locks everyone else out of the registry until the flush is complete), the registry is automatically flushed periodically: a time is not given, but presumably it is at least more than the time you waited between writing the key and hard shutdown. In addition, it is flushed at shutdown, as you had already figured out.
You can use the
RegFlushKey function in the software that manipulates said key, or create an additional tool with it to force writing a registry key to disk immediately, if this is crucial to your usage case.
The documentation on
FSCTL_MARK_AS_SYSTEM_HIVE has this to say:
FSCTL_MARK_AS_SYSTEM_HIVEcontrol code informs the file system that the specified file contains the registry's system hive. The file system must flush system hive data to disk at just the right moment to avoid deadlocks and to ensure data integrity.
I don't believe there is any more detail available publicly than this.
Bear in mind that flushing the file system does not imply flushing the registry, because the registry can perform caching on top of the file system. To flush the registry first, you need to somehow cause
ZwFlushKey to be called on your key of interest.