Chapter 6: Inside the Registry


In Brief

Most administrators go out of their way to avoid working with the registry, and I don't blame them. The registry is one of those aspects of Windows you are constantly being warned not to mess with. With the frequent threats of virtual nuclear destruction combined with the lack of documentation, the registry is a dark and scary place. In this chapter, you will learn the basics of the registry, how to modify it safely, and the hidden tricks and goodies the registry has to offer.

Holy INI Files, Batman!

In the old days of 16-bit Windows, all settings were stored in initialization files. The two main files for storing settings were the SYSTEM.INI and WIN.INI files. As each application was installed, it stored its settings in these two files. Unfortunately, these applications could store only a limited set of entries because of the restrictive 64K size of INI files. To counteract this, application developers started using their own INI files. Although this might have seemed a good idea at first, as the number of applications grew, so did the number of INI files; and as each INI file grew, the system would often slow down.

And Then Came the Registry

The registry was born simultaneously with the birth of Windows NT in 1993 and is the answer to Windows INI files. The registry is a hierarchical, relational database that holds system information, OLE (Object Linking and Embedding) and Automation information, application settings, operating system configuration data, and more. The information stored includes everything from your display settings to your hardware configuration. To speed access time, the registry is stored in binary format and is composed of multiple files.

Windows 2000/XP/2003 Registry Files

Under Windows 2000/XP/2003, user-related settings are stored in a file called ntuser.dat. This file is stored in the user's profile directory located in the %USERPROFILE% directory. System settings are stored in the SYSTEM32\CONFIG directory and consist of the following five files:

  • Default (HKEY_USERS\DEFAULT): Stores default settings for new users

  • SAM (HKEY_LOCAL_MACHINE\SAM): Stores system security information

  • Security (HKEY_LOCAL_MACHINE\Security): Stores network security information

  • Software (HKEY_LOCAL_MACHINE\Software): Stores specific application and operating system information

  • System (HKEY_LOCAL_MACHINE\System): Stores device driver and system information

The Registry Hierarchy

The registry consists of top-level keys called hives:

  • HKEY_CLASSES_ROOT

  • HKEY_CURRENT_USER

  • HKEY_LOCAL_MACHINE

  • HKEY_USERS

  • HKEY_CURRENT_CONFIG

These hives store all the keys (subfolders) that make up the registry. These keys store all the values (entries), which specify all the individual system settings.

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE (HKLM) stores all software, hardware, network, security, and Windows system information. This hive is the largest registry hive and stores two of the main registry hives.

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT (HKCR) is actually a virtual link to HKLM\Software\Classes. This hive stores information about all file extensions, descriptions, icons, associations, shortcuts, automation, class IDs, and more.

HKEY_USERS

HKEY_USERS (HKU) stores information about all users of the system and their individual settings. These individual settings include environment variables, color schemes, fonts, icons, desktop configuration, Start menu items, network, and more. Each time a new user logs on, a new key is created based on a default key.

HKEY_CURRENT_USER

HKEY_CURRENT_USER (HKCU) is actually a link to the currently logged-in user's key stored in HKEY_USERS. This hive is named by the user's SID (Security Identifier) value and not by the user's name. This key is rebuilt each time the system reboots.

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG (HKCC) is actually a link to the currently selected hardware profile stored in HKEY_LOCAL_MACHINE. Hardware profiles allow you to specify which device drivers are to be loaded for a given Windows session. Hardware profiles are commonly used with laptops to distinguish RAS, network, and local Windows sessions.

Registry Data Types

Like any other database, the registry contains various data types to store different types of values. Table 6.1, from Windows 2000 Registry Little Black Book (http://www.paraglyphpress.com), lists the various registry data types.

Table 6.1: Registry data types.

Data Type                        Raw Type      Function
REG_NONE                         Unknown       Encrypted data
REG_SZ                           String        Text characters
REG_EXPAND_SZ                    String        Text with variables
REG_BINARY                       Binary        Binary data
REG_DWORD                        Number        Numerical data
REG_DWORD_BIG_ENDIAN             Number        Non-Intel numbers
REG_LINK                         String        Path to a file
REG_MULTI_SZ                     Multistring   String arrays
REG_RESOURCE_LIST                String        Hardware resource list
REG_FULL_RESOURCE_DESCRIPTOR     String        Hardware resource ID
REG_RESOURCE_REQUIREMENTS_LIST   String        Hardware resource ID
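
The following is an added example, not code from the book: it shows how the raw bytes behind several of the data types in Table 6.1 are interpreted when a value is read outside a registry editor, for instance while reviewing an exported or offline hive. The function names and sample data are constructed for illustration; the numeric type codes are the standard Windows constants, and strings are assumed to be stored as UTF-16LE, as on NT-based Windows.

```python
import re
import struct
from itertools import takewhile

# Numeric type codes Windows stores alongside each value (winnt.h constants).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ = 5, 7


def _utf16(raw):
    """Decode UTF-16LE text and drop the trailing NUL terminator(s)."""
    return raw.decode("utf-16-le").rstrip("\x00")


def expand(text, env):
    """Expand %NAME% references (case-insensitive); unknown names stay as-is."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: upper.get(m.group(1).upper(), m.group(0)), text)


def decode_value(reg_type, raw, env=None):
    """Turn the raw bytes of a registry value into a Python object."""
    if reg_type == REG_SZ:
        return _utf16(raw)
    if reg_type == REG_EXPAND_SZ:
        return expand(_utf16(raw), env or {})
    if reg_type == REG_MULTI_SZ:
        # NUL-separated strings; the first empty string ends the list.
        return list(takewhile(bool, raw.decode("utf-16-le").split("\x00")))
    if reg_type in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        if len(raw) != 4:
            raise ValueError("DWORD data must be exactly 4 bytes")
        fmt = "<I" if reg_type == REG_DWORD else ">I"
        return struct.unpack(fmt, raw)[0]
    return raw  # REG_BINARY and types not handled here stay as bytes


# Constructed sample data (not taken from a real hive).
SAMPLE_ENV = {"SystemRoot": r"C:\WINDOWS"}
SAMPLE_PATH = "%SystemRoot%\\system32\\config\x00".encode("utf-16-le")
SAMPLE_MULTI = "alpha\x00beta\x00\x00".encode("utf-16-le")
SAMPLE_DWORD = bytes([0x01, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    print(decode_value(REG_EXPAND_SZ, SAMPLE_PATH, SAMPLE_ENV))
    print(decode_value(REG_MULTI_SZ, SAMPLE_MULTI))
    print(decode_value(REG_DWORD, SAMPLE_DWORD))
    print(decode_value(REG_DWORD_BIG_ENDIAN, SAMPLE_DWORD))
```

The same four bytes decode to different numbers under REG_DWORD and REG_DWORD_BIG_ENDIAN, which is why a tool that silently converts a value's type can change what the setting means.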

REGEDIT vs. REGEDT32

Because the registry is stored in multiple binary files, it cannot be viewed with a regular text editor. Windows 2000/XP/2003 include two registry editing tools: REGEDIT and REGEDT32. Both of these tools contain various functions, and it's best to know when to use which one.

Using REGEDIT

REGEDIT is the registry-editing tool that comes included in all of Microsoft's 32-bit operating systems. Using this tool, you can add, delete, modify, back up, and restore registry keys and values from a local or remote machine. REGEDIT displays all the registry hives, even the aliased ones (see Figure 6.1). It also has the capability to search for registry keys and values. The most important thing to remember about REGEDIT is that changes happen immediately. There is no Apply, Cancel, or OK button here. The moment you make a change, the change is implemented, so be careful.

Figure 6.1: The Windows REGEDIT screen.
Tip  

REGEDIT includes additional features such as a registry Favorites menu and the capability to remember the last key viewed before closing REGEDIT.

Warning  

REGEDIT does not recognize all the registry data types. If you edit an unrecognized data type, it will be converted to a type that REGEDIT can recognize.

Using REGEDT32

REGEDT32 is a registry-editing tool that comes included in Windows 2000/XP/2003 (see Figure 6.2). REGEDT32 displays each hive in a separate window, and only displays the HKEY_LOCAL_MACHINE and HKEY_USERS hives when accessing a registry remotely. REGEDT32 includes all the editing features of REGEDIT, but has only a simple find key function. Unlike REGEDIT, REGEDT32 does not apply changes immediately. It applies changes only as you close the application. Some additional features include auto-refresh, read-only mode, and the ability to set registry permissions.

Figure 6.2: The Windows REGEDT32 screen.
Note  

Although remote registry access through REGEDT32 only displays two hives, from within these two hives you can still access all the aliased hives that REGEDIT normally displays.

Registry Editing Safety Tips

You've heard it a thousand times, but here it is again: editing the registry is dangerous. An incorrect registry setting can leave your system in shambles (trust me, I know). Here are some helpful registry editing tips:

  • Back up the entire registry or key you intend to modify. If your system starts acting up, you'll be glad you did.

  • Update your emergency repair disk (ERD) before you make any registry changes. This proves to be a valuable asset if your machine refuses to boot up properly.

  • Do not blindly make changes to the registry. Know what your intended registry change does. Research it.

  • Make one change at a time. This makes it easier to narrow down the cause of any problems you may have after editing the registry.

  • Always use REGEDT32 when you can. REGEDT32 does not apply changes until you exit the application and can work in read-only mode.




Windows Admin Scripting Little Black Book (Little Black Books (Paraglyph Press))
ISBN: 1933097108
EAN: 2147483647
Year: 2004
Pages: 89
