Structure of the Registry

The structure of Windows XP's registry is so similar to the structure of its file system that I can't help but make the analogy. Figure 1-4 compares Registry Editor, the tool you use to edit the registry, and Windows Explorer. (You learn how to use Registry Editor in Chapter 2, "Using the Registry Editor.") In the editor's left pane, which is called the key pane, you see the registry's hierarchy, just as you see the file system's hierarchy in Windows Explorer's left pane. Each folder in the key pane is a registry key. In the editor's right pane, which is called the value pane, you see a key's values, just as you see a folder's contents in Windows Explorer's right pane.

Figure 1-4: If you're familiar with Windows Explorer, and I'll bet you are, you won't have any trouble understanding the registry's structure, which is similar to that of the file system.

Take another look at Figure 1-4. In Windows Explorer, you see each of the computer's disks under My Computer. Likewise, in Registry Editor, you see each of the registry's root keys under My Computer. Although you see the full name of each root key in Registry Editor, I tend to use the standard abbreviations you see in Table 1-3. The abbreviations are easier to type and read, and in a book like this one, they usually keep long names from splitting in unfriendly places when they wrap across two lines.

Keys

Keys are so similar to folders (Registry Editor even uses the same icon for keys as Windows Explorer uses for folders) that they have the same naming rules. You can nest one or more keys within another key as long as the names are unique within each key. A key's name is limited to 512 ANSI or 256 Unicode characters, and you can use any ASCII character in the name other than a backslash (\), asterisk (*), and question mark (?). In addition, Windows XP reserves all names that begin with a period for its own use.

The similarities between the registry and file system continue with paths. C:\Windows \System32\Sol.exe refers to a file called Sol.exe on drive C in a subfolder of \Windows called System32. HKCU\Control Panel\Desktop\Wallpaper refers to a value called Wallpaper in the root key HKCU in a subkey of Control Panel called Desktop. This notation is a fully qualified path. I often refer to a key and all its subkeys as a branch.

The last thing to tackle in this section is the concept of linked keys. Windows XP stores hardware profiles in HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\. Each hardware profile is a subkey nnnn, where nnnn is an incremental number beginning with 0000. The subkey Current is a link to whichever key is the current hardware profile, and root key HKCC is a link to Current. It all sounds terribly convoluted until you see the relationship in Figure 1-5. Think of links as aliases or shortcuts, if you care to continue the file system analogy.

Figure 1-5: When one key is linked to another, as in this example, the same subkeys and values appear in both places.

Values

Each key contains one or more values. In my analogy with Windows Explorer, values are similar to files. A value's name is similar to a file's name. A value's type is similar to a file's extension, which indicates its type. A value's data is similar to the file's actual contents. Click a key in Registry Editor's key pane, and the program shows the key's values in the value pane. In the value pane, you see three columns, which correspond to the three parts of a value:

• Name. Every value has a name. The same rules for naming keys apply to values: up to 512 ANSI or 256 Unicode characters except for the backslash (\), asterisk (*), and question mark (?), with Windows XP reserving all names that begin with a period. Within each key, value names must be unique, but different keys can have values with the same name.

• Type. Each value's type determines the type of data that it contains. For example, a REG_DWORD value contains a double-word number, and a REG_SZ value contains a string. The section "

• Data. Each value can be empty, or null, or can contain data. A value's data can be a maximum of 32,767 bytes, but the practical limit is 2 KB. The data usually corresponds to the type, except that binary values can contain strings, double-words, or anything else for that matter.

Every key contains at least one value, and that's the default value. When you look at the registry through Registry Editor, you see the default value as (Default). The default value is almost always a string, but ill-behaved programs can change it to other types. In most cases, the default value is null, and Registry Editor displays its data as (value not set). When instructions require that you change a key's default value, they usually say so explicitly: "Set the key's default value."

Types

Windows XP supports the following types of data in the registry. As you look through this list, realize that REG_BINARY, REG_DWORD, and REG_SZ account for the vast majority of all the settings in the registry:

• REG_BINARY. Binary data. Registry Editor displays binary data in hexadecimal notation, and you enter binary data using hexadecimal notation. An example of a REG_BINARY value is 0x02 0xFE 0xA9 0x38 0x92 0x38 0xAB 0xD9.

• REG_DWORD. Double-word values (32-bits). Many values are REG_DWORD values used as Boolean flags (0 or 1, true or false, yes or no). You also see time stored in REG_DWORD values in milliseconds (1000 is 1 second). 32-bit unsigned numbers range from 0 to 4,294,967,295 and 32-bit signed numbers range from -2,147,483,648 to 2,147,483,647. You can view and edit these values in decimal or hexadecimal notation. Examples of REG_DWORD values are 0xFE020001 and 0x10010001.

• REG_DWORD_BIG_ENDIAN. Double-word values with the most significant bytes stored first in memory. The order of the bytes is the opposite of the order in which REG_DWORD stores them. For example, the number 0x01020304 is stored in memory as 0x01 0x02 0x03 0x04. You don't see this data type much on Intel-based architectures.

• REG_DWORD_LITTLE_ENDIAN. Double-word values with the least significant bytes stored first in memory (reverse-byte order). This type is the same as REG_DWORD, and because Intel-based architectures store numbers in memory in this format, it is the most common number format in Windows XP. For example, the number 0x01020304 is stored in memory as 0x04 0x03 0x02 0x01. Registry Editor doesn't offer the ability to create REG_DWORD_LITTLE_ENDIAN values, because this value type is identical to REG_DWORD in the registry.

• REG_EXPAND_SZ. Variable-length text. A value of this type can include environment variables, and the program using the value expands those variables before using it. For example, a REG_EXPAND_SZ value that contains %USERPROFILE%\Favorites might be expanded to C:\Documents and Settings\Jerry\Favorites before the program uses it. The registry API (Application Programming Interface) relies on the calling program to expand the environment variables in REG_EXPAND_SZ strings, so it's useless if the program doesn't expand them. See Chapter 10, "Deploying User Profiles" to learn how to use this type of value to fix some interesting problems.

• REG_FULL_RESOURCE_DESCRIPTOR. Resource lists for a device or device driver. This data type is important to Plug and Play, but it doesn't figure much in your work with the registry. Registry Editor doesn't provide a way to create this type of value, but it does allow you to display it. See HKLM\HARDWARE\DESCRIPTION\Description for examples of this data type.

• REG_LINK. A link. You can't create REG_LINK values.

• REG_MULTI_SZ. Binary values that contain lists of strings. Registry Editor displays one string on each line and allows you to edit these lists. In the registry, a null character (0x00) separates each string, and two null characters end the list.

• REG_NONE. Values with no defined type.

• REG_QWORD. Quadruple-word values (64-bits). This type is similar to REG_DWORD but contains 64 bits instead of 32 bits. The only version of Windows XP that supports this type of value is Windows XP 64-Bit Edition. You can view and edit these values in decimal or hexadecimal notation. An example of a REG_QWORD value is 0xFE02000110010001.

• REG_QWORD_BIG_ENDIAN. Quadruple-word values with the most significant bytes stored first in memory. The order of the bytes is the opposite of the order in which REG_QWORD stores them. See REG_DWORD_BIG_ENDIAN for more information about this value type.

• REG_QWORD_LITTLE_ENDIAN. Quadruple-word values with the least significant bytes stored first in memory (reverse-byte order). This type is the same as REG_QWORD. See REG_DWORD_LITTLE_ENDIAN for more information. Registry Editor doesn't offer the ability to create REG_QWORD_LITTLE_ENDIAN values, because this value type is identical to REG_QWORD in the registry.

• REG_RESOURCE_LIST. List of REG_FULL_RESOURCE_DESCRIPTION values. Registry Editor allows you to view but not edit this type of value.

• REG_RESOURCE_REQUIREMENTS_LIST. List of resources that a device requires. Registry Editor allows you to view but not edit this type of value.

• REG_SZ. Fixed-length text. Other than REG_DWORD values, REG_SZ values are the most common types of data in the registry. An example of a REG_SZ value is Microsoft Windows XP or Jerry Honeycutt. Each string ends with a null character. Programs don't expand environment variables in REG_SZ values.

Of all the values in the registry, binary values are the least straightforward. When an application reads a binary value from the registry, deciphering its meaning is up to the program. This means that applications can store data in binary values using their own data structures, and those data structures mean nothing to you or any other program. Also, applications often store REG_DWORD and REG_SZ data in REG_BINARY values, which makes finding and deciphering them difficult, as you learn in Chapter 8, "Finding Registry Settings." In fact, some programs use REG_DWORD and four-byte REG_BINARY values interchangeably; thus, keeping in mind that Intel-based computers use little-endian architecture, the binary value 0x01 0x02 0x03 0x04 and the REG_DWORD value 0x04030201 are exactly the same thing.

Now I'm going to make things more difficult. The registry actually stores all values as binary values. The registry API identifies each type of value by a number, which programmers refer to as a constant, and which I tend to think of as the type number. You'll notice this type number mostly when you export keys to REG files—something you learn how to do in Chapter 2. For example, when you export a REG_MULTI_SZ value to a REG file, Registry Editor writes a binary value with the type number 7. Normally, the type number associated with each value type doesn't matter because you refer to them by their names, but there are times when the information in the Table 1-4 will come in handy: