3.2. The Structure of the Registry

There are five primary, or root, branches of the Registry, each containing a specific portion of the information stored therein. These root keys can't be deleted, renamed, or moved, because they are the basis for the organization of the Registry. They are:


HKEY_CLASSES_ROOT

This branch contains the information that comprises your Windows file types. See the discussion of file types in Chapter 4 for details on the structure of most of the entries in this branch. A few special keys here, such as CLSID (short for Class ID), contain "registered" components of Windows and your installed applications. The contents of HKEY_CLASSES_ROOT are generally easy to edit, but it's best not to mess with anything in the CLSID branch, because almost none of it is in plain English.

This entire branch is a symbolic link,[1] or "mirror," of HKEY_LOCAL_MACHINE\SOFTWARE\Classes but is displayed separately in this branch for clarity and easy access.

[1] A symbolic link is different from a Windows shortcut you'd find on your hard disk. Information in a linked branch appears twice and can be accessed at two different locations, even though it's stored only once. This means that Find may stop in both places if they contain something you're looking for and, as you might expect, changes in one place will be immediately reflected in the mirrored location.


HKEY_USERS

This branch contains a sub-branch for the currently logged-in user, the name of which is a long string of numbers, which will look something like this:

S-1-5-21-1727987266-1036259444-725315541-500

This number is the SID (security identifier), a unique ID for each user on your system. See Chapter 8 for more information on SIDs.

While it may sound like a good idea to edit the contents of this branch, you should instead use the HKEY_CURRENT_USER branch described later, which is a symbolic link, or "mirror," of this branch. No matter which user is logged in, HKEY_CURRENT_USER will point to the appropriate portion of HKEY_USERS.

Because Windows only loads the profile (this portion of the Registry) of the currently logged-in user, only one user branch will ever be shown here. However, there will be a few other branches here, such as .default (used as a template when creating new user accounts), and a few others that will be of little interest to most users.


HKEY_CURRENT_USER

This branch simply points to a portion of HKEY_USERS, signifying the currently logged-in user. This way, any application can read and write settings for the current user without having to know which user is currently logged on.

In each user's branch are the settings for that user, such as Control Panel settings and Explorer preferences. Most applications store user-specific information here as well, such as toolbars, high scores for games, and other personal settings.

The settings for the current user are divided into several categories; among them are AppEvents, Control Panel, Identities, RemoteAccess, Software, and System. The most useful of these branches, Software, contains a branch for almost every application installed on your computer, arranged by manufacturer. Here and in HKEY_LOCAL_MACHINE\SOFTWARE (discussed later) can be found all of your application settings. As though Windows were just another application on your system, you'll find most user-specific Windows settings in HKEY_CURRENT_USER\Software\Microsoft\Windows.


HKEY_LOCAL_MACHINE

This branch contains information about all of the hardware and software installed on your computer that isn't specific to the currently logged-in user. The settings in this branch are the same for all users on your system.

The sub-branch of most interest here is the SOFTWARE branch, which contains all of the information specific to the applications installed on your computer. Both this branch and the aforementioned HKEY_CURRENT_USER\Software branch are used to store application-specific information. Those settings that are specific to each user (even if your computer has only one user), such as toolbar configurations, are stored in the HKEY_CURRENT_USER branch; those settings that are not user-dependent, such as installation folders, are stored in the HKEY_LOCAL_MACHINE branch. You'll want to look in both places if you're trying to find a particular application setting, because most manufacturers (even Microsoft) aren't especially careful about which branch is used for any given setting.


HKEY_CURRENT_CONFIG

This branch typically contains a small amount of information, most of which is simply symbolic links, or "mirrors," of other keys in the Registry. There's little reason to mess with this branch.

3.2.1. The Meat of the Registry: Values

Values are where Registry data are actually stored (keys are simply used to organize values). The Registry contains several types of values, each appropriate to the type of data it is intended to hold. There are seven types of values that are displayed in the Registry Editor (see Table 3-1).[2] Each type is known by at least two different names, the common name and the symbolic name (shown in parentheses).

[2] Another type of value, known as REG_LINK, is invisible in the Registry Editor. It facilitates symbolic links; the HKEY_CURRENT_USER branch, discussed earlier in this chapter, is an example.

Table 3-1. Value types visible in the Registry Editor

| Value type | Can be created in RegEdit? |
|---|---|
| String (REG_SZ) | Yes |
| Multi-String[3] (REG_MULTI_SZ) | Yes |
| Expandable String (REG_EXPAND_SZ) | Yes |
| Binary (REG_BINARY) | Yes |
| DWORD (REG_DWORD) | Yes |
| DWORD (REG_DWORD_BIGENDIAN) | No |
| Resource List (REG_RESOURCE_LIST, REG_RESOURCE_REQUIREMENTS_LIST, or FULL_RESOURCE_DESCRIPTOR) | No |

[3] Multi-String values are also sometimes called String Array values.

Although the Registry Editor allows you to view and edit all seven types of values, it only allows you to create the five most common (and not surprisingly, most useful) types.[4] Although each of these value types is explained below, they'll make more sense when discussed in the context of the solutions throughout the rest of this book.

[4] In previous versions of Windows, the Registry Editor only allowed you to create String, Binary, and DWORD values. The ability to create Multi-String and Expandable String values is new in Windows XP. Note that you'll find little reason to ever create the other two available types shown in Table 3-1.


String values

String values contain strings of characters, more commonly known as plain text. Most values of interest to us will end up being string values; they're the easiest to edit and are usually in plain English.[5] To edit one, just double-click it and type a string of text into the text field (Figure 3-3).

[5] Although Windows is available in a wide variety of localized languages, most of the internal Registry data will still be in English, primarily because Microsoft is located in the United States, but also because the programming languages used to write Windows components and applications are all based on American English.

Figure 3-3. Edit a string value by typing text into this box


In addition to standard strings, there are two far less common string variants, used for special purposes:


String array value

Contains several strings, concatenated (glued) together and separated by null characters. Although the Registry Editor now lets you create these values, it's impossible to type null characters (character #0 in the ASCII character set) from the keyboard. The only way to place a null character into a Registry value is either programmatically or via cut-and-paste from another application.


Expanded string value

Contains special variables, into which Windows substitutes information before delivering it to the owning application. For example, an expanded string value intended to point to a sound file may contain %SystemRoot%\Media\doh.wav. When Windows reads this value from the Registry, it substitutes the full Windows path for the variable, %SystemRoot%; the resulting data then becomes (depending on where Windows is installed) c:\Windows\Media\doh.wav. This way, the value data is correct regardless of the location of the Windows folder.


Binary values

Similarly to string values, binary values hold strings of characters. The difference is the way the data is entered. Instead of a standard text box, binary data is entered with hexadecimal codes in an interface commonly known as a hex editor.[6] Each individual character is specified by a two-digit number in base-16 (e.g., the number 6E in base-16 is the number 110 in good-ol' base-10), which allows characters not found on the keyboard to be entered. See Figure 3-4 for an example. Note that you can type hex codes on the left or normal ASCII characters on the right, depending on where you click with the mouse.

[6] See Section 4.2.2 for an example of how a hex editor is used.

The contents of binary values often don't appear in plain English, making understanding their use, not to mention modifying them, that much more difficult. Figure 3-4 shows a binary value that just happens to have readable text.

Figure 3-4. Binary values are entered differently from the common string values, but the contents are sometimes nearly as readable


Note also the various Resource List value types (see Table 3-1), which are just special cases of binary values; you'll find very little reason to ever mess with these.


DWORD values

Essentially, a DWORD is a number. Often, the contents of a DWORD value are easily understood, such as 0 for no and 1 for yes, or 60 for the number of seconds in some timeout setting. A DWORD value is used where only numerical digits are allowed, whereas string and binary values allow anything.

In the DWORD value editor (Figure 3-5), you can change the base of the number displayed. For values of 9 or smaller, this option won't make any difference. For 10 and larger, however, the wrong selection will result in the wrong value being entered. In most cases, you'll want to select Decimal (even though it's not the default), since decimal notation is what we use for ordinary counting numbers. Note that if there's already a number in the Value data field, it will be instantly converted when you switch the Base, which is a good way to illustrate the difference between the two.

Figure 3-5. DWORD values are just numbers, but they can be represented in Decimal or Hexadecimal notation


In some circumstances, the particular number entered into a DWORD value is actually made up of several components, called bytes. This way, several values can be represented by a single number. While this notation is often convenient for programmers, it's decidedly inconvenient for lowly users fishing around in the Registry. The REG_DWORD_BIGENDIAN type is a variant of the DWORD type, wherein said bytes are simply represented in the opposite order.
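The value types described above differ mainly in how the same raw bytes are interpreted. The following is an added example, not code from the book: a small Python decoder that turns raw value data into strings, string lists, or numbers by type. The type codes are the Windows SDK's (which spells type 5 REG_DWORD_BIG_ENDIAN); the UTF-16LE string encoding is an assumption that holds for NT-family Windows, and the sample byte strings and the function names are constructed for illustration.

```python
import re
import struct

# Type codes from the Windows SDK (winnt.h); the SDK spells type 5
# REG_DWORD_BIG_ENDIAN.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ = 5, 7


def _text(raw):
    # Assumption: string data is UTF-16LE; ignore an odd trailing byte.
    return raw[: len(raw) & ~1].decode("utf-16-le", errors="replace")


def expand(value, env):
    """Replace %NAME% with env[NAME] (case-insensitive); unknown names are kept."""
    table = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: table.get(m.group(1).upper(), m.group(0)), value)


def decode_value(vtype, raw, env=None):
    """Turn raw value bytes into a Python object according to the value type."""
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        s = _text(raw).split("\x00", 1)[0]      # data ends at the first null
        return expand(s, env or {}) if vtype == REG_EXPAND_SZ else s
    if vtype == REG_MULTI_SZ:
        items = []
        for s in _text(raw).split("\x00"):      # nulls separate the strings
            if not s:                           # an empty string ends the list
                break
            items.append(s)
        return items
    if vtype in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        if len(raw) != 4:                       # malformed data: refuse to guess
            raise ValueError(f"DWORD data must be 4 bytes, got {len(raw)}")
        fmt = "<I" if vtype == REG_DWORD else ">I"
        return struct.unpack(fmt, raw)[0]
    return bytes(raw)                           # REG_BINARY and anything else


# Constructed sample data (not taken from a real hive).
SAMPLE_MULTI = "alpha\x00beta\x00\x00".encode("utf-16-le")
SAMPLE_EXPAND = "%SystemRoot%\\Media\\doh.wav\x00".encode("utf-16-le")
SAMPLE_DWORD = bytes.fromhex("3c000000")

if __name__ == "__main__":
    print(decode_value(REG_MULTI_SZ, SAMPLE_MULTI))
    print(decode_value(REG_EXPAND_SZ, SAMPLE_EXPAND, {"SystemRoot": r"c:\Windows"}))
    print(decode_value(REG_DWORD, SAMPLE_DWORD),
          decode_value(REG_DWORD_BIG_ENDIAN, SAMPLE_DWORD))
```

The same four bytes read as 60 when typed as a DWORD and as a very different number when typed as the big-endian variant, which is why the recorded type has to be read along with the data.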

You can create a value (or key) anywhere in the Registry and by any name and type that suits your whim. However, unless Windows or an application is specifically designed to look for the value, it will be ignored and your addition will have absolutely no effect.


Most Registry editing involves modifying existing values, as opposed to creating new ones. This often makes things easier, as the existing value and its contents can be used as an example.

The application that creates each value in the Registry solely determines the particular type and purpose of the value. In other words, no strict rules limit which types are used in which circumstances or how values are named. A programmer may choose to store, say, the high scores for some game in a binary value called High Scores or in a string value called Lard Lad Donuts.

An important thing to notice at this point is the string value named (default) that appears at the top of every key.[7] The default value cannot be removed or renamed, although its contents can be changed; an empty default value is signified by value not set. The (default) value doesn't necessarily have any special meaning that differentiates it from any other value, apart from what might have been assigned by the programmer of the particular application that created the key.

[7] In the more simplistic Registry found in Windows 3.1 and Windows NT 3.x, each key had only one value. Starting in Windows 95, a key could contain any number of values; the default value simply took the place of the lone value from previous versions, allowing compatibility with older applications that were written before the change took effect. In fact, many things you'll find in the Registry are designed with such "legacy" support in mind.



    Windows XP Annoyances For Geeks
    Fixing Windows XP Annoyances
    ISBN: 0596100531
    EAN: 2147483647
    Year: 2003
    Pages: 97
    Authors: David A. Karp
