SOFTWARE
The key HKLM\SOFTWARE is second in interest only to HKCU\Software. It contains per-computer software settings, including many Windows settings. Because Windows and most applications store settings as per-user settings, this branch is a bit slimmer than HKCU\Software, but it still contains numerous settings that are useful for customization. The types of settings you find in HKLM\SOFTWARE are typically those that an administrator defines. Because HKLM\SOFTWARE contains per-computer settings, any changes you make here affect all users who log on to the computer. Also, restricted users don't have permission to change settings in HKLM.
The key HKLM\SOFTWARE is organized similarly to the way HKCU\Software is organized. Applications store settings in HKLM\SOFTWARE\Vendor\Program\Version\. Vendor is the name of the program's publisher, Program is the name of the program, and Version is the program's version number. Often, Version is CurrentVersion. This branch also contains a handful of subkeys that don't follow this organization. For example, HKLM\SOFTWARE\Policies contains per-computer policies. The sections following this one describe the most interesting and useful parts of HKLM\SOFTWARE.
Classes
The key HKLM\CLASSES contains per-computer file associations. This key contains the vast majority of file associations, as opposed to HKCU\Classes, which contains per-user file associations. Windows merges both subkeys to form HKCR. Appendix A, “File Associations,” describes HKCR in detail.
Clients
The key HKLM\SOFTWARE\Clients defines the client programs that Internet Explorer associates with different Internet services. You configure these clients on the Programs tab of the Internet Properties dialog box, shown in Figure D-2. For example, you can choose the mail client that Internet Explorer uses when you click a mailto link, or you can choose the news client to use when you click a news link. These choices also determine the programs that Internet Explorer launches when you choose one of the tools on the Tools menu.
Figure D-2. You associate client programs with Internet services by using the Programs tab.
The Clients key contains six subkeys by default: Contacts, Internet Call, Mail, Media, News, and StartMenuInternet. The default value of each subkey specifies the name of the application that is the default tool for that category. For example, if the default value of HKLM\SOFTWARE\Clients\Mail is Outlook Express, then Outlook Express is the default mail client that Internet Explorer starts when you click a mailto link.
Drill down a bit further and you find one subkey for each client program. For example, Clients\Mail contains the Hotmail, MSN Explorer, and Outlook Express subkeys. The organization of these subkeys is almost the same as the organization of the subkeys in HKCR. Typically, you find the subkeys Protocols and shell under each client program's subkey. The subkey Protocols defines the protocols associated with the application. For example, the key HKLM\SOFTWARE\Clients\Mail\Outlook Express\Protocols describes the command to run when users click a mailto link on a Web page. The subkey shell defines the command to run when users choose an option on Internet Explorer's Tools menu. The subkey HKLM\SOFTWARE\Clients\Mail\Outlook Express\shell describes the command to run when users click Tools, Mail And News, Read Mail in Internet Explorer.
Microsoft\Active Setup
A variety of Windows components, notably Internet Explorer components, still use Active Setup. The key HKLM\SOFTWARE\Microsoft\Active Setup contains these components' registrations. The subkey FeatureComponentID is sometimes useful for mapping a GUID to a component. Look for the GUID in this subkey; then look at the REG_SZ value to determine the component's name.
The key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components contains each component's registration. Each subkey is a component. For example, the subkey {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} is for NetShow. Within each subkey, you see several values, some more interesting than others. First, the REG_BINARY value IsInstalled indicates whether the component is installed. The value is 0x0001 if the component is installed; if not, the value is 0x0000. The REG_SZ value Version contains the component's version.
The most interesting value is the REG_EXPAND_SZ value StubPath. If this value exists, Windows executes the command it contains after the operating system creates a new user profile. If you don't see this value, nothing happens. To keep Windows from running the command, remove the value StubPath from that component's subkey in Installed Components.
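Because StubPath holds a command that runs for every newly created profile, it is worth reviewing what is registered there. The following PowerShell script is an added example, not code from the book: it reads only the values named above (IsInstalled, Version, StubPath) plus each subkey's default value, makes no changes, and the function and property names are chosen here for illustration.

```powershell
# Added example (read-only): list Active Setup registrations and the StubPath
# command each one would run when Windows creates a new user profile.
$ActiveSetupRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'

function Get-ActiveSetupComponent {
    param([string]$Root = $ActiveSetupRoot)

    if (-not (Test-Path -LiteralPath $Root)) { return }

    foreach ($key in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        # Keep %variables% unexpanded so the REG_EXPAND_SZ text is shown as stored.
        $stub = $key.GetValue('StubPath', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

        # IsInstalled can come back as a byte array (REG_BINARY) or as an
        # integer (REG_DWORD); normalise both, and keep $null when it is absent.
        $raw = $key.GetValue('IsInstalled', $null)
        $installed = $null
        if ($raw -is [byte[]]) {
            if ($raw.Length -gt 0) { $installed = [int]$raw[0] }
        } elseif ($null -ne $raw) {
            $installed = $raw -as [int]
        }

        [pscustomobject]@{
            ComponentId = $key.PSChildName          # usually a GUID
            Name        = $key.GetValue('')         # the subkey's default value
            IsInstalled = $installed
            Version     = $key.GetValue('Version', $null)
            StubPath    = $stub
            HasStubPath = -not [string]::IsNullOrWhiteSpace($stub)
        }
    }
}

# Show only the components that have a command registered, for review.
Get-ActiveSetupComponent |
    Where-Object { $_.HasStubPath } |
    Sort-Object ComponentId |
    Format-Table ComponentId, Name, IsInstalled, Version, StubPath -AutoSize -Wrap
```

Saving the output per computer and comparing it between runs shows when a StubPath command has been added or changed.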
Microsoft\Command Processor
The command-prompt window supports file and folder name completion, as well as a few other features. You can configure these features using Tweak UI, as described in Chapter 5, “Mapping Tweak UI,” or you can hack them directly in the registry. This key is similar to HKCU\Software\Microsoft\Command Processor. The difference is that this key applies to all users, whereas the key in HKCU applies only to the current console user. The following list describes the settings in the subkey Command Processor, which configure the command-prompt window:
- AutoRun. This REG_SZ value, which has no default, contains a list of commands that run automatically when you start a command-prompt window.
- CompletionChar. This is a REG_DWORD value. It specifies the ASCII character code of the key to use for file name completion. You can set this value to 0x00, 0x01 through 0x1F, 0x20, or 0x40. The Tab key is 0x09 and is the default.
- DefaultColor. This REG_DWORD value defaults to . Valid values range from 0x00 through 0xFE. It specifies the default background and foreground color of a command-prompt window. The first hexadecimal digit specifies the background color, and the second digit specifies the foreground color. The digits correspond to the colors shown in Table D-1.
- DelayedExpansion. This is a REG_DWORD value with a default of 0x00. It specifies whether the command prompt delays environment variable expansion. If the value is 0x01, the command prompt interprets the exclamation point (!) as an environment variable that expands only when used.
- EnableExtensions. This REG_DWORD value has a default value of 0x01. It determines whether command-processor extensions are enabled or not. Setting this value to 0x00 disables extensions. You need to disable extensions only when they interfere with a script language with which they aren't compatible.
- PathCompletionChar. This is a REG_DWORD value that specifies the ASCII character code of the key to use for path completion. Set this value to 0x00, 0x01 through 0x1F, 0x20, or 0x40. The Tab key is 0x09. You can use the same key that you use for file name completion, which expands both.
Table D-1. Values for DefaultColor
| Value | Color |
| | Black |
| 1 | Blue |
| 2 | Green |
| 3 | Aqua |
| 4 | Red |
| 5 | Purple |
| 6 | Yellow |
| 7 | White |
| 8 | Gray |
| 9 | Light Blue |
| A | Light Green |
| B | Light Aqua |
| C | Light Red |
| D | Light Purple |
| E | Light Yellow |
| F | Bright White |
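The per-computer and per-user Command Processor keys can be read side by side, which makes an unexpected AutoRun command easy to spot and turns DefaultColor back into the color names of Table D-1. This PowerShell script is an added example, not code from the book; the function names are illustrative, the color list assumes the digit 0 means Black, and a DefaultColor of 0 is left undecoded on the assumption that it means no color override.

```powershell
# Added example (read-only): report Command Processor settings for the
# per-computer (HKLM) and per-user (HKCU) keys and decode DefaultColor.
$ColorNames = @(
    'Black', 'Blue', 'Green', 'Aqua', 'Red', 'Purple', 'Yellow', 'White',
    'Gray', 'Light Blue', 'Light Green', 'Light Aqua', 'Light Red',
    'Light Purple', 'Light Yellow', 'Bright White'
)

function ConvertFrom-DefaultColor {
    # 254 is 0xFE, the upper bound the text gives for DefaultColor.
    param([Parameter(Mandatory)][ValidateRange(0, 254)][int]$Value)
    # First hexadecimal digit = background, second digit = foreground.
    [pscustomobject]@{
        Background = $ColorNames[($Value -shr 4) -band 0xF]
        Foreground = $ColorNames[$Value -band 0xF]
    }
}

function Get-CommandProcessorSetting {
    $names = 'AutoRun', 'CompletionChar', 'PathCompletionChar',
             'DefaultColor', 'DelayedExpansion', 'EnableExtensions'

    foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
        $path  = "$hive\Microsoft\Command Processor"
        $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue

        foreach ($name in $names) {
            $value = if ($props) { $props.$name } else { $null }
            $note  = ''
            if ($null -ne $value) {
                switch ($name) {
                    'AutoRun' {
                        $note = 'runs at every command-prompt start; confirm it is expected'
                    }
                    'DefaultColor' {
                        # Assumption: 0 means "no override", so it is not decoded.
                        if ($value -gt 0 -and $value -le 254) {
                            $c = ConvertFrom-DefaultColor -Value $value
                            $note = '{0} text on {1}' -f $c.Foreground, $c.Background
                        }
                    }
                    { $_ -in 'CompletionChar', 'PathCompletionChar' } {
                        if ($value -eq 0x09) { $note = 'Tab key' }
                    }
                }
            }
            [pscustomobject]@{
                Scope = $hive.Substring(0, 4)   # HKLM or HKCU
                Name  = $name
                Value = $value                  # $null when the value is absent
                Note  = $note
            }
        }
    }
}

Get-CommandProcessorSetting | Format-Table Scope, Name, Value, Note -AutoSize -Wrap
```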
Microsoft\Driver Signing
The key HKLM\SOFTWARE\Microsoft\Driver Signing contains values that configure the Windows driver-signing feature. Microsoft digitally signs driver files so that Windows can verify that Microsoft tested the driver file and that the file hasn't changed since Microsoft tested it. This key's only value, Policy, controls how Windows handles driver files that aren't signed. Here are the possible values:
- 0x00. Windows installs unsigned device drivers (Ignore).
- 0x01. Windows warns the user that the device driver is unsigned and enables the user to choose whether or not to install it (Warn).
- 0x02. Windows does not install unsigned device drivers (Block).
This setting comes from the Driver Signing Options dialog box, shown in Figure D-3. It applies to all users, unless you clear the Make This Action The System Default check box. The figure shows the values associated with each option.
Figure D-3. In an enterprise environment, blocking unsigned device drivers is the safest option.
Microsoft\DrWatson
The DrWatson subkey stores configuration settings for Dr. Watson for Windows (Drwtsn32.exe), the application error debugger. These entries specify how Dr. Watson for Windows notifies the user of an application error, and how its log file and crash dump file are configured. Dr. Watson adds these entries the first time it starts:
- AppendToLogFile. Specifies whether Dr. Watson for Windows overwrites the existing log file with new data or appends new data to the end of the existing log file. By default, the log file is named Drwtsn32.log and is stored in the system root directory. If this REG_DWORD value is 0x00, Dr. Watson overwrites the file; if it's 0x01, it appends the new error information to the file.
- CrashDumpFile. Specifies the location of the crash dump file for Dr. Watson for Windows. The crash dump file is a binary file that is created when a program stops abnormally. The crash dump file can be interpreted by the Windows Debugger. All users must have permission to read and write to the crash dump file. By default, the crash dump file is named user.dmp and resides in the root of the system directory. Set this REG_SZ value to the path and file name of the crash dump file.
- CreateCrashDump. Specifies whether Dr. Watson for Windows creates a binary crash dump file when a program stops abnormally. The crash dump file can be interpreted by the Windows Debugger. If this REG_DWORD value is 0x01, the location of the crash dump file must appear in the value of the CrashDumpFile entry. By default, the crash dump file is named user.dmp and is in the system root directory.
- DumpAllThreads. Specifies which application threads are included in the log file that Dr. Watson for Windows creates when an application error occurs. By default, the log file is named Drwtsn32.log and is in the system root directory. If this REG_DWORD value is 0x01, Dr. Watson includes all threads.
- DumpSymbols. Specifies whether Dr. Watson for Windows includes the symbol table for each application module in its log file. The symbol table consists of the name and memory address of each symbol. By default, because it can be very large, the symbol table is not included in the log file. If this REG_DWORD value is 0x01, Dr. Watson includes the debug symbols.
- Instructions. This REG_DWORD value specifies how many instructions preceding and following the faulty instruction are included in the instruction disassembly portion of Drwtsn32.log, the log file for Dr. Watson for Windows. The default value is 10.
- LogFilePath. This REG_SZ value specifies the location of Drwtsn32.log, the log file for Dr. Watson for Windows. The log file contains diagnostic data about application errors that occur. All users must have permission to read and write to the log file.
- MaximumCrashes. This REG_DWORD value specifies how many errors Dr. Watson for Windows maintains at any given time in its application error viewer and in the Event Viewer application log. When the number of recorded errors reaches the value of this entry, Dr. Watson operates normally and adds new errors to its log and crash dump file, but it does not add any new errors to its application log viewer or to the Event Viewer application log until it is reset. The user is not notified that the number of crashes has reached the maximum. To reset Dr. Watson for Windows, run Drwtsn32.exe. You can either click Clear or increase the value in the Number Of Errors To Save box. When you click Clear, you delete all errors from the application error viewer in Dr. Watson for Windows, and you delete all events from the Event Viewer application log, even those not generated by Dr. Watson for Windows. However, records of the application errors remain in the Drwtsn32.log and in the crash dump file, user.dmp, if one has been selected. The default value is 10.
- NumberOfCrashes. This REG_DWORD value counts the number of application errors Dr. Watson for Windows is maintaining in its application error viewer and in the Event Viewer application log. When this value reaches the value of MaximumCrashes, Dr. Watson for Windows operates normally and adds new errors to its log and crash dump file, but it does not add any new errors to its application log viewer or to the Event Viewer application log until it is reset. The user is not notified that the number of crashes has reached the maximum. To reset Dr. Watson for Windows, run Drwtsn32.exe. You can either click Clear or increase the value in the Number Of Errors To Save box. When you click Clear, you delete all errors from the application error viewer in Dr. Watson for Windows, and you delete all events from the Event Viewer application log, even those not generated by Dr. Watson for Windows. However, records of the application errors remain in the Drwtsn32.log and in the crash dump file, user.dmp, if one has been selected.
- SoundNotification. This REG_DWORD value specifies whether Dr. Watson for Windows generates a sound when it detects an application error. If the value of this entry is 0x01, you can enter the name of a wave file (.wav) in the value of the WaveFile entry. Otherwise, Dr. Watson generates two standard beeps.
- VisualNotification. This REG_DWORD value specifies whether Dr. Watson for Windows displays a message box when it detects an application error. While the message box is displayed, no new messages or windows can be displayed, but background processes are not affected. If the buttons on the message box are not clicked within five minutes, the message box is removed.
- WaveFile. This REG_SZ value specifies the file containing the sound that Dr. Watson for Windows plays when it detects an application error. This entry is used only when the computer has a sound card and the value of the SoundNotification entry is 0x01.
Microsoft\Internet Explorer
The key HKLM\SOFTWARE\Microsoft\Internet Explorer contains Internet Explorer settings that apply to every user who logs on to the computer. For example, the subkey AboutURLs contains the URLs of Web pages that Internet Explorer displays in special scenarios. The subkey AdvancedOptions defines templates for the options on the Internet Options dialog box's Advanced tab.
Microsoft\Sysprep
You won't see HKLM\SOFTWARE\Microsoft\Sysprep on your computer unless you installed Windows from a disk image that you prepared with Sysprep. Chapter 15, “Cloning Disks with Sysprep,” describes how to use this tool. The values in this subkey are useful for understanding what Sysprep has done:
Microsoft\Windows NT\CurrentVersion
The key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion contains subkeys that are useful for learning more about Windows, but not for customizing it. The values in this subkey describe the current version of Windows, the registered owner, and the path in which you installed the operating system. For IT professionals, the three most useful subkeys are in the following list:
- HotFix. This key contains one subkey for each hotfix installed on the computer. The value Installed is 0x01 if the hotfix is installed; it's 0x00 otherwise. The HotFix key fills up quickly when you use Windows Update or Automatic Updates to download and install hotfixes. IT professionals can inventory the hotfixes installed on different computers by writing scripts that extract the contents of this key and dump them to text files on the network.
- ProfileList. This key contains one subkey for each user profile you see in the User Profiles dialog box.
- Winlogon. This key contains values that define the logon process, as well as the last user who logged on to the computer. There are two interesting customizations in this key, both of which you learn in Chapter 18, “Fixing Common IT Problems.” The first is that you can display a legal notice when users log on to the operating system. The second is that you can use this key to automatically log on to the computer using a specific account. You can do that a specific number of times. For example, you can configure this key to automatically log on as Administrator, install an application, and then log off of the operating system. See Chapter 18 for more information about this useful IT trick.
Microsoft\Windows NT\CurrentVersion\Winlogon
The Winlogon subkey stores configuration data for the Winlogon service. Winlogon provides support for interactive logon to Windows. This subkey stores data that applies to all users of the computer. The Winlogon subkey in HKCU stores data that applies to a specific user. The following list describes settings in the Winlogon key:
- AutoRestartShell. Specifies whether the Windows user interface (typically, Explorer.exe) restarts automatically if it stops unexpectedly. Set this REG_DWORD value to 0x01 (the default value) to restart the user interface.
- DCacheMinInterval. This REG_SZ value specifies how often the list of domains in the Unlock Workstation dialog box is updated. The list of domains is updated before it is displayed to the user if its age exceeds the value of this entry. A memory cache on the local computer stores the domain list. When the value of this entry is set to the default of two minutes and a user unlocks a workstation or server, the system retrieves domain data and updates the list. The short update interval ensures that the domain list is current. However, refreshing the list can cause a noticeable delay. You can use this entry to increase the time between domain list updates, eliminating some of the delay. However, if the domain list changes between updates, users still will not see the most current list of domains. This value doesn't exist in the registry by default. Add it if required.
- DCacheUpdate. This REG_BINARY value stores domain names in binary form for internal Winlogon programming code to use.
- DefaultDomainName. This REG_SZ value stores the name of the domain to which the user most recently logged on successfully. The value of this entry appears in the Log On To Windows dialog box the next time the dialog box is displayed.
- DefaultUserName. This REG_SZ value stores the last user name entered in the Log On To Windows dialog box. The value of this entry appears in the Log On To Windows dialog box the next time the dialog box is displayed. It is also used in automated logons and unattended setup.
- DontDisplayLastUserName. This REG_DWORD value specifies whether a user name appears in the Log On To Windows dialog box. By default, Windows displays the user name of the last user who logged on successfully (as stored in the value of DefaultUserName) in the Log On To Windows dialog box. If the value of this entry is 0x01, the User Name box in the Log On To Windows dialog box is blank.
- KeepRasConnection. This REG_DWORD value specifies whether Windows closes all open dial-up (Routing and Remote Access) connections when a user logs off.
- LogonPrompt. This REG_SZ value specifies a message for the Log On To Windows dialog box. By default, there is no logon prompt message. This value doesn't exist by default. Add it if required.
- ProfileDlgTimeOut. This REG_DWORD value defines the starting time for the User Environment Countdown Timer. (The default is 30 seconds.) This timer determines how long the system waits for a user response before it uses a default value. The value of this entry is used when either of the following events occurs:
- RasForce. This REG_SZ value specifies whether the Log On Using Dial-Up Connection check box is selected by default when the system starts. This check box appears on the Log On To Windows dialog box that is displayed when the user logs on to Windows. The system uses the value of this entry only when you have created a dial-up connection by using Network and Dial-up Connections and the computer is a member of a domain.
- RemoteBootOk. This REG_SZ value specifies whether Winlogon declares startup to be successful. If you change the value of this entry to , you must use another program (such as Bootok.exe or Bootvrfy.exe) to declare the startup successful.
- RemoteControllerMissing. Stores the computer setting for the domain controller message. (The user setting is stored in the value of the ReportDC entry.) This entry determines, in part, whether the system displays the following message when it cannot contact the domain controller that stores a user's roaming user profile:
  “A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes made to your profile since you last logged on might not be available.”
  When the value of this entry is equal to TRUE, the system displays the message. When the value is any other string and when this value is absent from the registry, the system does not display the message. Two entries manage the display of the domain controller message: ReportDC and ReportControllerMissing. The system displays this message only when both entries are set to the display setting, that is, when ReportDC is either set to 1 or does not appear in the registry, and when ReportDomainController appears in the registry with a value of TRUE. By default, the message does not display.
- RunLogonScriptSync. This REG_DWORD value specifies whether the system waits for the logon script to finish running before it starts Windows Explorer and creates the desktop. If this value is 0x01, Windows Explorer does not start until the logon script is finished.
- ScreenSaverGracePeriod. This REG_DWORD value specifies when password protection of a screen saver becomes effective. This entry specifies the delay between the appearance of a password-protected screen saver and the enforcement of the password requirement. Password protection of a screen saver is not effective immediately. By default, a brief period elapses within which the user can use the mouse or the keyboard to stop the screen saver without entering the password. This delay is designed to minimize the disruption that results when the screen saver starts while the user is working. You can add this entry to the registry to adjust the length of the delay. To make password protection effective immediately, set the value of this entry to 0x0. The default value is 0x05.
- SFCDllCacheDir. This REG_EXPAND_SZ value specifies an alternate location for the Windows File Protection cache.
- SfcScan. Specifies when Windows File Protection scans protected files for changes. By default, it scans protected files only during setup. The possible settings are as follows:
  - . Windows File Protection scans files only during setup.
  - 1. Windows File Protection scans files at setup and each time you start Windows. This setting delays each startup.
  - 2. Windows File Protection scans files the next time you start the system.
- SfcShowProgress. This REG_DWORD value hides the file scan progress window. This window provides status information that might be helpful to advanced users, but it might confuse novices. If this value is 0x01, users see the file scan progress window.
- Shell. This REG_SZ value specifies the programs that provide the user interface to the operating system. By default, Winlogon starts the programs specified in the value of Userinit, including Userinit.exe. Userinit.exe starts the user interface program. However, if Winlogon cannot start the programs specified in the value of Userinit, Winlogon directly runs the programs specified in the value of this entry.
- ShowLogonOptions. This REG_DWORD value specifies whether logon options are displayed in the Log On To Windows dialog box when the dialog box opens. The Log On To Windows dialog box has an Options button that alternately hides and displays the Domain box and the Log On Using Dial-Up Connection options. If this value is 0x01, the options are displayed; otherwise, they are hidden.
- SlowLinkProfileDefault. This REG_DWORD value directs the system to wait for the remote copy of the roaming user profile to load, even if the profile is loading slowly. Also, the system waits for the remote copy when the user is notified about a slow connection but does not respond in the time allowed.
- SlowLinkTimeOut. Defines which connections Winlogon considers to be slow. If the server storing a user's profile does not respond before the time specified in the value of this entry, Winlogon considers the link to the server to be slow, and it offers the user the option of using a profile stored on the local computer instead of waiting for the server. This entry is used only when the value of SlowLinkDetectEnabled is 1. You can increase the value of SlowLinkTimeOut to favor the server-based profile. This is particularly useful for clients using addresses assigned by Dynamic Host Configuration Protocol (DHCP), or for computers accessing server-based profiles over slow wide area network (WAN) connections, such as dial-up connections.
- Welcome. This REG_SZ value specifies the text that appears in the caption bar beside the title of the Log On To Windows, Windows Security, Computer Locked, and Unlock Computer dialog boxes. This value doesn't exist by default. Add it to customize the caption of the previous dialog boxes.
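Several of the per-computer values described in the Driver Signing and Winlogon sections are ones an administrator will want to hold at a known setting. The following PowerShell script is an added example, not code from the book, that compares them with a baseline. The baseline itself is an assumption made for illustration (Block for driver signing, a blank User Name box, no screen-saver grace period, and the usual Windows defaults for Shell and Userinit), and the function names are hypothetical.

```powershell
# Added example (read-only): compare per-computer values from this appendix
# with a baseline. The expected values are illustrative assumptions; replace
# them with your own standard before relying on the result.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RegistryBaseline = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Driver Signing'; Name = 'Policy'
       Expected = 2; Why = 'Block unsigned device drivers' }
    @{ Key = $Winlogon; Name = 'DontDisplayLastUserName'
       Expected = 1; Why = 'Leave the User Name box blank' }
    @{ Key = $Winlogon; Name = 'ScreenSaverGracePeriod'
       Expected = 0; Why = 'Enforce the screen-saver password immediately' }
    @{ Key = $Winlogon; Name = 'Shell'
       Expected = 'explorer.exe'; Why = 'Only the standard user interface program' }
    @{ Key = $Winlogon; Name = 'Userinit'
       Expected = "$env:SystemRoot\system32\userinit.exe,"; Why = 'Only Userinit.exe' }
)

function ConvertTo-ComparableValue {
    # Registry data arrives as byte[], integer or string depending on its
    # type; reduce all three to a trimmed string so they compare uniformly.
    param($Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [byte[]]) {
        if ($Value.Length -gt 0) { return [string][int]$Value[0] }
        return $null
    }
    return ([string]$Value).Trim()
}

function Test-RegistryBaseline {
    param([hashtable[]]$Baseline = $RegistryBaseline)

    foreach ($item in $Baseline) {
        $actual = $null
        $key = Get-Item -LiteralPath $item.Key -ErrorAction SilentlyContinue
        if ($key) {
            $raw    = $key.GetValue($item.Name, $null)
            $actual = ConvertTo-ComparableValue -Value $raw
        }

        # String -eq is case-insensitive, so Explorer.exe matches explorer.exe.
        if ($null -eq $actual) {
            $status = 'MISSING'      # value absent: the Windows default applies
        } elseif ($actual -eq [string]$item.Expected) {
            $status = 'OK'
        } else {
            $status = 'MISMATCH'
        }

        [pscustomobject]@{
            Status   = $status
            Name     = $item.Name
            Expected = $item.Expected
            Actual   = $actual
            Why      = $item.Why
            Key      = $item.Key
        }
    }
}

Test-RegistryBaseline | Format-Table Status, Name, Expected, Actual, Why -AutoSize -Wrap
```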
Policies
Windows stores per-computer policies in the key HKLM\SOFTWARE\Policies, the preferred branch for registry-based policies. Restricted users don't have permission to change the Policies subkey, which prevents them from circumventing policies by editing the registry. Windows supports hundreds of policies that enable IT professionals to control the computer's configuration. Chapter 7, “Using Registry-Based Policy,” shows you how to customize policies by building custom administrative templates.
Very often, using policies is the best and most interesting way to customize Windows. For example, many of the customizations you learn about in Chapter 4, “Hacking the Registry,” rely on policy settings in the registry to change behaviors. Some policies enable you to change behavior that annoys you. In this regard, the per-user policies in HKCU\Software\Policies offer more customization possibilities than the policies that you find in HKLM\SOFTWARE\Policies.
Although editing the registry directly is certainly one way to customize policies, there are better ways. The first is to use Group Policy Editor to edit the local Group Policy Object (GPO). This provides a user interface for the policies, limiting your settings to valid choices. Chapter 7, “Using Registry-Based Policy,” describes how to edit the local GPO. In short, type gpedit.msc in the Run dialog box, and then edit the policies under Computer Configuration and User Configuration in Administrative Templates. The second way is to write scripts that change policies. I use scripts when I need to repeat the same setting many times, such as when I'm configuring multiple computers or when I reinstall Windows on computers often. Chapter 11, “Scripting Registry Changes,” shows you how to write scripts to edit the registry.