Registry Organization
Part IV, “Appendixes,” describes the contents of the registry in detail. Until you get there, the following overview makes it easier to get around in the registry.
Of the five root keys you learned about earlier, HKLM and HKU are more important than the others. These are the only root keys that Windows actually stores on disk. The other root keys are links to subkeys in HKLM or HKU. HKCU is a link to a subkey in HKU. HKCR and HKCC are links to subkeys in HKLM. Figure 1-6 illustrates this relationship between root keys and their links to subkeys.
Figure 1-6 Three of the registry's root keys are links to subkeys in HKU and HKLM.
Throughout this book, you'll see the terms per-user and per-computer, which indicate whether a setting applies to the user or the computer. Per-user settings are user specific—for example, whether or not a user prefers to display Windows Explorer's status bar. Per-computer settings apply to the computer and every user who logs on to the computer—for example, network configuration. Per-user settings are in HKCU, and per-computer settings are in HKLM. In Chapter 12, “Deploying User Profiles,” you learn how Windows keeps one user's settings separate from every other user's settings.
HKEY_USERS
HKU contains at least three subkeys:
.DEFAULT contains the per-user settings that Windows uses to display the desktop before any user logs on to the computer. This isn't the same thing as a default user profile, which Windows uses to create settings for users the first time they log on to the computer.
SID, where SID is the security identifier of the console user (the user sitting at the keyboard), contains per-user settings. HKCU is linked to this key. This key contains settings such as the user's desktop preferences and Control Panel settings.
SID_Classes, where SID is the security identifier of the console user, contains per-user class registrations and file associations. Windows merges the contents of keys HKLM\SOFTWARE\Classes and HKU\SID_Classes into HKCR.
NOTE
HKU\.DEFAULT is not the default user profile. For more information on default user profiles, see Chapter 12, “Deploying User Profiles.”
You'll usually see other SIDs in HKU, including the following. (See Table 1-1 for a refresher.)
S-1-5-18 is the well-known SID for the LocalSystem account. Windows loads this account's profile when a program or service runs in the LocalSystem account.
S-1-5-19 is the well-known SID for the LocalService account. Service Control Manager uses this account to run local services that don't need to run as the LocalSystem account.
S-1-5-20 is the well-known SID for the NetworkService account. Service Control Manager uses this account to run network services that don't need to run as the LocalSystem account.
You can ignore these SIDs when working in HKU.
Any other subkeys in HKU belong to secondary users. For example, if you use the Windows Runas command to run a program as a different user, the operating system loads that user account's settings into HKU. This feature, which runs under the Secondary Logon service, enables users to run programs with elevated privileges without requiring them to actually log on to a new session with a different account. For example, if I'm logged on to a computer using the account Jerry, which is in the Power Users group, but I need to perform a task requiring administrative privileges, I hold down the Shift key on my keyboard, right-click the program's shortcut, click Run As, and then type the Administrator account's name and password. The program then runs in the context of the Administrator account and, in this case, HKU contains settings for both the Jerry and Administrator accounts. This technique helps prevent human error as well as opportunistic viruses.
Figure 1-7 shows a typical HKU and describes each of its subkeys. You'll see on your computer the same default and service account settings that you see in the figure. The remaining subkeys and their SIDs will be different, depending on the SID of the console user account and whether other accounts have logged on to Windows.
Figure 1-7 Each subkey in HKU contains an account's settings.
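The following PowerShell listing is an added example, not code from the book. It labels each subkey of HKU with the categories described in this section. The function name Get-HkuSubkeyRole and the output property names are illustrative, and the script assumes that the account running it is the console user.

```powershell
# Added example (not from the book): label every subkey of HKEY_USERS.
# Get-HkuSubkeyRole and the output property names are illustrative.
$wellKnown = @{
    'S-1-5-18' = 'LocalSystem'
    'S-1-5-19' = 'LocalService'
    'S-1-5-20' = 'NetworkService'
}
# Assumption: the SID of the account running this script stands in for the console user.
$currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

function Get-HkuSubkeyRole {
    param([Parameter(Mandatory = $true)][string]$Name)

    if ($Name -eq '.DEFAULT') {
        return [pscustomobject]@{ Subkey = $Name; Account = ''; Role = 'Settings used before any user logs on' }
    }
    # SID_Classes holds the same account's class registrations and file associations.
    $sid  = $Name -replace '_Classes$', ''
    $kind = if ($Name -ne $sid) { 'per-user class registrations' } else { 'per-user settings' }

    if ($wellKnown.ContainsKey($sid)) {
        $account = $wellKnown[$sid]
        $owner   = 'service account'
    } else {
        try {
            $sidObject = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '(unresolved)'   # not a SID, or the account no longer exists
        }
        $owner = if ($sid -eq $currentSid) { 'current user, target of HKCU' } else { 'secondary user' }
    }
    [pscustomobject]@{ Subkey = $Name; Account = $account; Role = "$owner, $kind" }
}

Get-ChildItem -Path Registry::HKEY_USERS |
    ForEach-Object { Get-HkuSubkeyRole -Name $_.PSChildName } |
    Format-Table -AutoSize
```

Rows labeled as secondary user correspond to profiles that Windows loaded for accounts other than the one running the script, such as a program started with Run As.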
HKEY_CURRENT_USER
HKCU contains the console user's per-user settings. This root key is a link to HKU\SID, where SID is the console user's security identifier. This branch includes environment variables, desktop settings, network connections, printers, and application preferences. Here's a snapshot of some of this root key's subkeys:
Associates sounds with events. For example, it associates sounds with opening menus, minimizing windows, and logging off of Windows.
Stores data for the console subsystem, which hosts all character-mode applications, including the MS-DOS command prompt. In addition, the Console key can contain subkeys for custom command windows.
Contains accessibility, regional, and desktop appearance settings. You configure most of these settings in Control Panel. However, this key contains a handful of useful settings that have no user interface; you can configure them only through the registry.
Stores environment variables that users have set. Each value associates an environment variable with the string that Windows substitutes for the variable. The default values for these entries are in the user's profile.
Contains one subkey for each identity in Microsoft Outlook Express. Outlook Express uses identities to allow multiple users to share a single mail client. With the Windows support for user profiles, one user's settings are separate from other users' settings, so this key is seldom necessary to use.
Contains information about the installed keyboard layouts.
Stores information about mapped network drives. Each subkey in Network is a mapped drive to which Windows connects each time the user logs on to the computer. The subkeys' names are the drive letters to which the drives are mapped. Each drive's key contains settings used to reconnect the drive.
Stores user preferences for printers.
Contains per-user application settings. Windows stores much of its own configuration in this key, too. Microsoft has standardized its organization so that programs store settings in HKCU\Software\Vendor\Program\Version\. The variable Vendor is the name of the program's publisher, the variable Program is the name of the program, and the variable Version is the program's version number. Often, as is the case with Windows, Version is simply CurrentVersion.
Contains environment variables that were defined when the user logged on to Windows.
Other subkeys you see in HKCU are usually legacy leftovers or uninteresting. They include UNICODE Program Groups, SessionInformation, and Windows 3.1 Migration Status.
HKEY_LOCAL_MACHINE
HKLM contains per-computer settings, which means the settings in this branch apply to the computer's configuration and affect every user who logs on to it. Settings range from device driver configurations to Windows settings. HKLM contains the following subkeys. (Notice that these subkeys are capitalized; I'll explain why later in this chapter.)
Stores data describing the hardware that Windows detects as it starts. The operating system creates this key each time it starts, and it includes information about devices and the device drivers and resources associated with them. This key contains information that IT professionals find useful during a network inventory.
Contains the Windows local security database, the Security Accounts Manager (SAM). Windows stores local users and groups in SAM. This key's access control list (ACL) prevents even administrators from viewing it. SAM is a link to the key HKLM\SECURITY\SAM.
Contains the Windows local security database in the subkey SAM, as well as other security settings. This key's ACL prevents even administrators from viewing it, unless they take ownership of it.
Contains per-computer application settings. Windows stores settings in this key, too. Microsoft standardized this key's organization so that programs store settings in HKLM\SOFTWARE\Vendor\Program\Version\. Vendor is the name of the program's publisher, Program is the name of the program, and Version is the program's version number. Often, as is the case with Windows, Version is CurrentVersion. HKCR is a link to the key HKLM\SOFTWARE\Classes.
Contains control sets, one of which is current. The remaining sets are available for use by Windows. Each subkey is a control set named ControlSetnnn, where nnn is an incremental number beginning with 001. The operating system maintains at least two control sets to ensure that it can always start properly. These sets contain device driver and service configurations. HKLM\SYSTEM\CurrentControlSet is a link to ControlSetnnn, and the key HKLM\SYSTEM\Select indicates which ControlSetnnn is in use.
HKEY_CLASSES_ROOT
HKCR contains two types of settings. The first type is file associations that associate different file types with the programs that can open, print, and edit them. The second type is class registrations for Component Object Model (COM) objects. This root key is one of the most interesting in the registry to customize, because it enables you to change a lot of the operating system's behavior. This root key is also the largest in the registry, accounting for the vast majority of the space that the registry consumes.
Before Windows 2000, HKCR was a link to the key HKLM\SOFTWARE\Classes, but this root key is more complicated now. To derive HKCR, the operating system merges two keys: HKLM\SOFTWARE\Classes, which contains default file associations and class registrations, and HKCU\Software\Classes, which contains per-user file associations and class registrations. HKCU\Software\Classes is really a link to HKU\SID_Classes, which you learned about in the “HKEY_USERS” section in this chapter. If the same value appears in both branches, the value in HKCU\Software\Classes has higher precedence and wins over the value in HKLM\SOFTWARE\Classes. This new merge algorithm has several benefits:
Programs can register per-computer and per-user program file associations and program classes. (One user can have file associations that other users who share the computer don't have.) This is probably the biggest benefit of the merge.
Users who share a single computer can use two different programs to edit the same type of file without affecting each other.
Because per-user file associations and class registrations are in the users' profiles, they follow users from computer to computer when using roaming user profiles.
IT professionals can limit access to HKLM\SOFTWARE\Classes without preventing users from changing HKCU\Software\Classes, allowing for greater security in the registry without crippling users' ability to change associations.
Create a new key in the root of HKCR, and Windows actually creates it in HKLM\SOFTWARE\Classes. Windows doesn't provide a user interface other than Registry Editor to add class registrations to HKCU\Software\Classes, because the intention is to allow programs to register per-user program classes. When you edit an existing program class, the change is reflected in HKLM or HKCU, depending on where the program class already exists. If the program class exists in both places, Windows updates only the version in HKCU.
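The following PowerShell listing is an added example, not code from the book. It audits the merge described above by listing class registrations whose default value is set in both HKCU\Software\Classes and HKLM\SOFTWARE\Classes and differs between them, together with the value that HKCR presents. The function name Compare-ClassesBranch and the output property names are illustrative.

```powershell
# Added example (not from the book): find per-user class registrations that
# take precedence over a different per-computer value in the HKCR merge.
# Compare-ClassesBranch and its output property names are illustrative.
function Compare-ClassesBranch {
    param([string]$SubPath = '')   # '' = file types and program classes, 'CLSID' = COM classes

    $userRoot    = "HKCU:\Software\Classes\$SubPath".TrimEnd('\')
    $machineRoot = "HKLM:\SOFTWARE\Classes\$SubPath".TrimEnd('\')
    $mergedRoot  = "Registry::HKEY_CLASSES_ROOT\$SubPath".TrimEnd('\')
    if (-not (Test-Path -LiteralPath $userRoot)) { return }

    foreach ($userKey in Get-ChildItem -LiteralPath $userRoot -ErrorAction SilentlyContinue) {
        $name        = $userKey.PSChildName
        $machinePath = "$machineRoot\$name"
        # Keys that exist only per-user do not override anything.
        if (-not (Test-Path -LiteralPath $machinePath)) { continue }

        # GetValue('') reads the key's default (unnamed) value.
        $userValue    = $userKey.GetValue('')
        $machineValue = (Get-Item -LiteralPath $machinePath).GetValue('')
        if ($null -eq $userValue -or $null -eq $machineValue) { continue }
        if ($userValue -ceq $machineValue) { continue }

        [pscustomobject]@{
            Key         = if ($SubPath) { "$SubPath\$name" } else { $name }
            PerUser     = $userValue
            PerComputer = $machineValue
            SeenInHKCR  = (Get-Item -LiteralPath "$mergedRoot\$name").GetValue('')
        }
    }
}

# File associations and program classes, then COM class registrations.
Compare-ClassesBranch | Format-List
Compare-ClassesBranch -SubPath 'CLSID' | Format-List
```

For every row returned, SeenInHKCR should equal PerUser, which confirms the precedence rule. On a shared or locked-down computer, each row is a per-user change that is worth comparing against the associations you deployed in HKLM.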
NOTE
HKCR is significant enough that it has its own appendix. Appendix A, “File Associations,” describes this root key in detail. You learn how it associates file extensions with file types, how Windows registers COM objects, and which subkeys are the most interesting to customize.
HKEY_CURRENT_CONFIG
HKCC is a link to configuration data for the current hardware profile, the key HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. In turn, Current is a link to the key HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\nnnn, where nnnn is an incremental number beginning with 0000. For more information, see Appendix D, “Per-Computer Settings.”