Registry Hive Files

Previous page
Table of content
Next page

In Registry Editor, you see the registry's logical structure. This is how Windows XP presents the registry to you and the programs that use it, regardless of how the operating system actually organizes it on disk, which is much more complicated.

Physically, Windows XP organizes the registry in hives, each of which is in a binary file called a hive file. For each hive file, Windows XP creates additional supporting files that contain backup copies of each hive's data. These backups allow the operating system to repair the hive during the installation and boot processes if something goes terribly wrong. You find hives in only two root keys: HKLM and HKU. (All other root keys are links to keys within those two.) The hive and supporting files for all hives other than those in HKU are in %SYSTEMROOT%\System32\config. Hive files for HKU are in users' profile folders. Hive files don't have a file name extension but their supporting files do, as described in Table 1-5.

Table 1-5: Hive File Name Extensions

Extension

Description

None

Hive file

.alt

Not used in Windows XP. In Windows 2000, System.alt is a backup copy of the System hive file

.log

Transaction log of changes to a hive

.sav

Copy of a hive file made at the end of the text-mode phase of the Windows XP setup program
Note 

The Windows XP setup program has two phases: text-mode and graphics-mode. The setup program copies each hive file to a SAV file at the end of the text-mode phase so that it can recover if the graphics-mode phase fails. If graphics-mode phase does fail, the setup program repeats that phase after restoring the hive file from the SAV file.

Hives in HKLM

Table 1-6 shows the relationship between each registry hive and its hive file. Notice that the name of each hive is capitalized in the registry, which is sometimes a useful reminder while you're editing. What you should get out of this table is that each hive in the first column comes from the files in the second column. Thus, Windows XP loads the hive HKLM \SOFTWARE from the hive file Software, which is in %SYSTEMROOT%\System32\config. It loads the hive HKLM\SYSTEM from the hive file System, which is in the same location. To see the hive files that Windows XP has loaded, see HKLM\SYSTEM\CurrentControlSet \Control\hivelist\.

Table 1-6: Hive Files

Hive

Hive, Supporting Files

HKLM\SAM

SAM, SAM.LOG

HKLM\SECURITY

SECURITY, SECURITY.LOG

HKLM\SOFTWARE

Software, Software.log, Software.sav

HKLM\SYSTEM

System, System.log, System.sav

Did you notice that you don't find a hive file for HKLM\HARDWARE in Table 1-6? That's because this hive is dynamic. Windows XP builds it each time the operating system boots, and it doesn't save the hive as a hive file when it shuts down.

Note 

Other files in %SYSTEMROOT%\System32\config seem conspicuously out of place. AppEvent.Evt, SecEvent.Evt, and SysEvent.Evt are Windows XP's event logs—Application, Security, and System, respectively. You can see in the registry where Windows XP stores each event log by looking at the subkeys of HKLM\SYSTEM\ControlSet001\Services\Eventlog. Userdiff is a file that Windows XP uses to convert user profiles from earlier versions of Windows (notably versions of Microsoft Windows NT) so that Windows XP can use them. The last out-of-place file is Netlogon.ftl, which remains a mystery to me.

Hives in HKU

Each subkey in HKU is also a hive. For example, HKU\.DEFAULT is a hive, and its hive file is %SYSTEMROOT%\System32\config\default. The remaining subkeys come from two different sources, though. The hive HKU\SID is in the hive file %USERPROFILE%\Ntuser.dat, while the hive HKU\SID_Classes is in the hive file %USERPROFILE%\Local Settings \Application Data\Microsoft\Windows\UsrClass.dat.

Each time a new user logs on to Windows XP, the operating system creates a new profile for that user using the default user profile. The profile contains a new Ntuser.dat hive file, which is the user profile hive. You learn much more about user profiles and how to deploy them in Chapter 10, "Deploying User Profiles."

To see which profiles Windows XP has loaded, and the hive file that corresponds to each hive, see the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. This key contains one subkey for each profile that the operating system has ever loaded, past or present. The subkey's name is the name of the hive in HKU, and the value ProfileImagePath contains the path to the hive file, which is always Ntuser.dat. ProfileList does not mention the SID_Classes hives, however; it contains only user profile hives.

Note 

Windows 2000 limited the size of the registry, but Windows XP does not. This means that the operating system no longer limits the amount of space that the registry hives consume in memory or on the hard disk. Microsoft made an architectural change to the way Windows XP maps the registry into memory, eliminating the need for the size limit you might have struggled with in Windows 2000.


Previous page
Table of content
Next page
Microsoft Windows XP Registry Guide
Microsoft Windows XP Registry Guide (Bpg-Other)
ISBN: 0735617880
EAN: 2147483647
Year: 2005
Pages: 185
Authors: Jerry Honeycutt
BUY ON AMAZON
The CISSP and CAP Prep Guide: Platinum Edition
Network Security Architectures
The Complete Cisco VPN Configuration Guide
Mastering Delphi 7
Special Edition Using FileMaker 8
Digital Character Animation 3 (No. 3)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy