Examining the Regedit User Interface

This section can be used as a brief reference when working with Regedit. It provides a description of all the functions of the registry editor. The following sections contain instructions and tips on using Regedit, as well as directions for modifying the registry.

The Registry Editor window contains four main regions (Fig. 3.1):

  • The menu bar. The menu bar contains the following menu items: Registry, Edit, View, Favorites (this menu item was first introduced with Windows 2000), and Help.

  • Left pane. The left pane displays the registry hierarchy organized in keys and subkeys.

  • Right pane. The right pane displays value entries contained within a selected registry key. Each value entry is identified by its name, which is displayed in the Name column; data type, which is displayed in the Type column (a small icon to the left of the name helps to identify the data type); and the value, which is displayed in the Data column.

  • Status bar. The status bar indicates the path to the selected registry entry. It is helpful when you need to view the full path to the registry key containing the selected registry entry.

Figure 3.1: The Registry Editor window

When you start Regedit, the Registry Editor window displays only the top-level registry keys below the My Computer icon. These are the root keys described in Chapter 1.

If you click [+] to the left of the folder, this will expand the respective registry key displaying its subkey hierarchical structure. This operation expands the key tree to the next nesting level and resembles similar methods of opening folders in Windows Explorer.

If the subkeys contain other nested keys, they'll also have the [+] sign to the left of the folder. The subkeys, in turn, can also be expanded to view the next level of the registry hierarchy. This method of organizing the registry information is known as nesting. Any number of nesting levels is possible. This hierarchical organization is the main difference between the registry and the initialization files. It provides a significant advantage over the methods for storing the initialization information used in Windows 3.x.

When you reach the lowest level of nesting, the [-] sign will appear to the left of the folder icon. This means that the key can't be expanded further and you can only go back up the hierarchical tree.

If neither the [+] nor [-] icons are present, this means that the key doesn't contain any subkeys.

Table 3.1 provides a list of keyboard shortcuts used for viewing and navigating the registry using Regedit.exe.

Table 3.1: Keyboard Shortcuts Used in Regedit.exe

Key              Description
---------------  -----------
<+>              Expands the selected registry key by one level to show its subkeys
<->              Collapses the selected registry key by one level
<Up arrow>       Moves you up to the next key
<Down arrow>     Moves you down to the next key
<Right arrow>    Expands the selected key by one level to show subkeys; if there are no subkeys, moves you down to the next key
<Left arrow>     Collapses the selected key if it was open; otherwise, moves you up to the next key
<Tab>            Moves you to the next pane of the Registry Editor window

Registry value entries are displayed in the right pane of the Registry Editor window. Each value entry contains three parts: name, data type, and value data.

Like any parameter, each registry value entry has a name. Many value entries provided by Microsoft use a "Default" name (as you'll see later when you begin intense work with Regedit). All of the names of the value entries are displayed in the Name column in the right pane of the Registry Editor window. These names are assigned to the value entries by the software and hardware developers.

Data types that describe the registry value entries are displayed in the Type column.

Definitions of all of the registry data types defined and used in Windows NT/2000/XP as well as in Windows Server 2003 are provided in Chapter 1.

For the sake of convenience, the Regedit.exe utility uses special icons, which are displayed to the left of the value names. These icons allow the user to quickly distinguish between binary and text data. A brief description of the icons displayed in the Registry Editor window is provided in Table 3.2.

Table 3.2: Icons Used for Designating Registry Data Types in Regedit.exe

Data type   Description
---------   -----------
[icon]      Designates binary data (including REG_BINARY, REG_DWORD, REG_RESOURCE_LIST, REG_FULL_RESOURCE_DESCRIPTOR, and REG_RESOURCE_REQUIREMENTS_LIST)
[icon]      Designates text data and readable characters. For example: "On The Microsoft Network" (string data types, such as REG_EXPAND_SZ, REG_MULTI_SZ, and REG_SZ)

The Data column contains text or binary data that correspond to the value of the selected registry entry. You can edit, create, or delete this data to optimize software functionality or troubleshoot.

A brief description of the Registry Editor menu items is shown below.

The File Menu Commands

The File menu contains the following commands:

  • Import

  • Export

  • Load Hive

  • Unload Hive

  • Connect Network Registry

  • Disconnect Network Registry

  • Print

  • Exit

The Import command allows you to import previously exported registry files in ASCII or REG format.

The Export command exports either the whole registry, or only a part of it, as a REG file or an ASCII file.

To export the registry branch, proceed as follows:

  1. Select the registry branch you wish to export. Then select the Export command from the File menu.

  2. The Export Registry File window (Fig. 3.2) will open. Enter the file name in the File name field. By default, this file will be given the REG filename extension. If you need to save the exported file in another format, select the option you need from the Save as type list below the File name field. Despite all of the apparent similarities between the Regedit.exe versions supplied with Windows 9x, Windows NT 4.0/Windows 2000, Windows XP, and Windows Server 2003, these are different versions of the same application. The Regedit.exe version included in Windows XP and Windows Server 2003 allows you to save exported registry files in various formats, including both the newer format used in Windows 2000/XP and Windows Server 2003 (use the Registration files (*.reg) option for this purpose) and the registry file format used by Windows 9x and Windows NT 4.0 (use the Win9x/NT 4 Registration files (*.reg) option for this purpose). Furthermore, you can now save the exported registry file as a hive (select the Registry Hive Files option) or in text format (use the Text Files (*.txt) option).

    Figure 3.2: The Export Registry File window

  3. If you need to export only the branch that you have selected previously, set the Selected branch radio button in the Export range option group. However, if you frequently modify the system registry, exporting the whole registry would be better. Exported registry files will provide you with additional options if you need to troubleshoot a damaged system.

  4. Click the Save button.

You can view the saved file using any text editor to make sure that everything was saved correctly. Exported registry files contain unformatted ASCII text.

Be very careful when working with exported registry files, especially when you export registry files for experimental purposes. For example, experienced administrators can solve problems by editing the exported registry file, and then importing this file back into the system. However, before you start introducing changes, take all necessary precautions:

  1. Create a backup copy of the exported registry file that you need to edit. If you make an error during the editing session, you can correct the problem by importing the backup copy of the REG file.

  2. If you're going to experiment with the registries of various operating systems (including Windows 9x/ME, Windows NT/2000, Windows XP and Windows Server 2003), store the exported registry files for each operating system in folders dedicated specifically to this purpose. This will help you avoid problems caused by importing incompatible registry files.

  3. By default, REG files are associated with the Regedit.exe application (Fig. 3.3). The Regedit.exe application merges these files into the registry (Merge is the operation performed by default). In contrast to its predecessors, Regedit.exe versions supplied with Windows XP and Windows Server 2003 prompt you to confirm if you really want to add the contents of an exported file to the registry (Fig. 3.4). Be very careful at this stage, in order to avoid accidentally importing incompatible or incorrect registry settings.

    Figure 3.3: By default, REG files are associated with the Regedit.exe application

    Figure 3.4: Registry Editor prompts you to confirm that you really want to add the contents of the exported REG file to the registry
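
The precautions above can be backed by a check that runs before a REG file is merged. The following Python script is an added example, not code from the book: it reports which of the two REG formats a file uses and lists the keys and values that a merge would write or delete. The header strings, hex(N) type codes, and deletion syntax are the standard REG file conventions rather than details given on this page; the sample file and its key names are constructed.

```python
"""Pre-merge audit of an exported REG file (added example, not the book's code)."""
import re

# Header line -> format name; these are the standard REG file signatures.
FORMATS = {"REGEDIT4": "Win9x/NT 4",
           "Windows Registry Editor Version 5.00": "Windows 2000/XP/Server 2003"}
# hex(N): N is the registry type number in hex; a bare "hex:" means REG_BINARY.
HEX_TYPES = {"": "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ",
             "8": "REG_RESOURCE_LIST", "9": "REG_FULL_RESOURCE_DESCRIPTOR",
             "a": "REG_RESOURCE_REQUIREMENTS_LIST", "b": "REG_QWORD"}
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')
HEX_RE = re.compile(r"^hex(?:\(([0-9a-f]+)\))?:", re.I)


def decode_reg(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252", errors="replace")


def logical_lines(text: str):
    """Yield stripped lines, joining trailing-backslash continuations (hex data)."""
    pending = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending


def classify(data: str) -> str:
    """Map the text after '=' to a registry data type, or DELETE for '-'."""
    if data == "-":
        return "DELETE"
    if data.startswith('"'):
        return "REG_SZ"
    if data.lower().startswith("dword:"):
        return "REG_DWORD"
    m = HEX_RE.match(data)
    if m:
        code = (m.group(1) or "").lower()
        return HEX_TYPES.get(code, "type 0x" + code)
    return "UNKNOWN"


def audit_reg(raw: bytes) -> dict:
    """Summarize what merging this file would write and delete."""
    lines = [ln for ln in logical_lines(decode_reg(raw))
             if ln and not ln.startswith(";")]
    if not lines or lines[0] not in FORMATS:
        raise ValueError("unrecognized REG header")
    report = {"format": FORMATS[lines[0]], "keys_written": [],
              "keys_deleted": [], "values_deleted": [], "types": {}}
    key = None
    for line in lines[1:]:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):          # [-KEY] removes the key and its subtree
                report["keys_deleted"].append(key[1:])
                key = None
            else:
                report["keys_written"].append(key)
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        kind = classify(m.group(2))
        if kind == "DELETE":                 # "name"=- removes a single value
            report["values_deleted"].append(key + "\\" + name)
        else:
            report["types"][kind] = report["types"].get(kind, 0) + 1
    return report


# Constructed sample with hypothetical key names, encoded as a 5.00 export would be.
SAMPLE = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor\App]",
    '@="demo"',
    '"Timeout"=dword:0000001e',
    '"Path"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,\\',
    "  00,00",
    '"Obsolete"=-', "",
    r"[-HKEY_CURRENT_USER\Software\ExampleVendor\OldApp]", "",
])
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE.encode("utf-16-le")

if __name__ == "__main__":
    for field, value in audit_reg(SAMPLE_BYTES).items():
        print(field, "=", value)
```

A non-empty keys_deleted or values_deleted list, or a format that does not match the target operating system, is the signal to stop and review the file before confirming the merge prompt.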

The Load Hive and Unload Hive commands were first introduced to Regedit.exe with the release of Windows XP and are also present in the Regedit.exe version included with the products of the Windows Server 2003 family. We saw above that these represent the same functionality that was provided by the similarly named commands present in the older application, Regedt32.exe. These commands allow you to load registry files previously exported from the registry and saved in the registry hive format, or unload registry hives, respectively. Note that only those registry keys that actually represent physical hives can be saved in the registry hive format (a complete list of registry hives was provided in Chapter 1). Furthermore, the Load Hive and Unload Hive commands are only applicable to the HKEY_USERS and HKEY_LOCAL_MACHINE keys. Therefore, these commands will be available only if one of these registry keys is selected. In all other cases, the commands will be grayed and unavailable. The hive that you have loaded in the registry becomes one of the subkeys under the root keys mentioned above.

To load a registry hive, proceed as follows:

  1. Select the HKEY_USERS or HKEY_LOCAL_MACHINE registry key to activate the appropriate menu command.

  2. Select the Load Hive command from the File menu. The Load Hive window will open, allowing you to select the previously exported registry hive. Select the required hive file and click Open.

  3. Enter the name that will be used for the newly loaded hive (Fig. 3.5). This name will be used for the new subkey that will appear in the registry after you load the hive (Fig. 3.6). Now you are able to edit the loaded registry hive to carry out the required modifications.

    Figure 3.5: Loading a registry hive

    Figure 3.6: The newly loaded copy of the SYSTEM hive (SYS_COPY) now appears as a nested subkey under HKEY_LOCAL_MACHINE root key

    Note 

    In order to be allowed to carry out this procedure, you need to log on to the local system as the Administrator or a user belonging to the Administrators group. If your computer is part of a network, network security policy will also influence your ability to perform this operation.

  4. Having finished the editing of the loaded registry hive, you can unload it by selecting it, and then choosing the Unload Hive command from the File menu. You need to save any changes to the hive that you're going to unload, in order to restore them later.

Note 

The Load Hive and Unload Hive commands can be particularly useful for troubleshooting unbootable Windows installations. If you have a parallel OS installation that is bootable, you can boot into that system, load the hive from the damaged system, and edit it appropriately in order to eliminate the problem. More detailed information and step-by-step instructions for this process will be provided in Chapters 6, 12, and 13.

The Connect Network Registry command allows you to edit the registry of a remote computer. This command will be available only if the computer running Regedit is part of a network that contains servers running Windows NT/2000, Windows Server 2003, or Novell NetWare. To connect to a remote registry, you need to specify the name of the computer where the remote registry is located (Fig. 3.7). Note that the set of options available for browsing and searching the network is significantly extended in comparison to the functionality provided by the Registry Editor version supplied with Windows NT/2000, where, actually, only the Browse option was available.

Figure 3.7: The Select Computer window now provides extended browsing and searching functionality

Note 

To be able to carry out this procedure, you need to log on to the local system as the Administrator or a user belonging to the Administrators group. If your computer is part of a network, network security policy will also influence your ability to perform this operation.

To disconnect the remote registry, use the Disconnect Network Registry command. If you are not currently part of a network, this command will be unavailable.

You can use the Print command from the File menu to print the whole registry or only a part of it. The ability to print a selected branch of the registry is a convenient alternative.

Use the Exit command to close the Registry Editor window and terminate the registry-editing session.

The Edit Menu Commands

The Edit menu contains commands that allow you to find and modify registry entries:

  • Modify

  • Modify Binary Data

  • New

  • Permissions

  • Delete

  • Rename

  • Copy Key Name

  • Find

  • Find Next

The Modify command is used for editing data contained in the registry entries. This option will be available only if you select one of the entries displayed in the right pane of the Registry Editor window. Modify Binary Data allows you to edit any data (including other data types) in the binary-editor window. As with the previous command, this will also become available only after you select one of the registry values listed in the right pane of the registry-editor window.

The New command allows you to add new keys and value entries. Note that, in comparison to the Regedit.exe version supplied with Windows NT/2000, which allowed you to add only string data, binary data, and DWORD data, the newer version of Regedit.exe supplied with Windows XP and Windows Server 2003 provides an extended set of options. It also allows you to add multi-string and expandable-string data (Fig. 3.8). These options become available after selecting the New option. The same options will be available in the right-click menu.

Figure 3.8: The New command allows you to add new keys, string, binary, DWORD, multi-string, and expandable string values

Note 

As you certainly have noticed, even this extended functionality is rather limited, because the actual list of existing registry data types (which was provided in Chapter 1) is much longer. For example, built-in registry editors don't allow you to manually create data of types such as REG_QWORD, REG_RESOURCE_LIST, and so on. However, there are freeware utilities that provide such functions (for example, the REGLN tool available for download from http://www.ntinternals.net allows you to create registry values of the REG_LINK data type). Of course, if you decide to use any of the tools of this type, you must do so at your own risk, because they are even more dangerous than registry editors.

Other options of the Edit menu, such as Rename and Delete, allow you to rename and delete the value entry. You can also delete the value entry by selecting it and pressing the <Del> key. To rename the value entry, right-click it, select the Rename command, and enter the new name.

Note 

Deletion of registry keys and value entries using the Regedit.exe utility is irreversible. Regedit.exe has no Undo command. Because of this, you should be very careful when deleting keys and value entries. Windows will display a warning message prompting you to confirm your intention to delete the registry entry. After you confirm it, it will be impossible to cancel the operation.

The Copy Key Name command allows you to copy the selected key name to the clipboard. Later, you can paste the copied key name using the Paste command present in any text editor. Remember that the registry is a hierarchical database and the path to the registry entry you need may be very long and difficult to memorize. Because of this, many users appreciate this feature. The Copy Key Name command is easy to use in combination with other commands such as Find and Find Next; you may use it for various purposes, including registry editing and inserting key names into the text.

Commands such as Find/Find Next are used for searching registry keys and value entries. When you select the Find command from the Edit menu, the Find dialog opens, allowing you to describe the key, value entry, or its data (Fig. 3.9). You can search for keys, value entries or data in any combination. The values to search for can be both text and numeric.

Figure 3.9: The Find dialog

To find the registry entry you need, enter the value to be searched into the Find what field. You can also restrict the search range by selecting one of the following options listed in the Look at group:

  • Keys. The function will only search for registry keys. Both root and nested keys will be found.

  • Values. The function will only search for value names that are displayed in the right pane of the Registry Editor window (in the Name column).

  • Data. The function will only search for data.

The Find dialog contains the Match whole string only option. When this option is set, Registry Editor will only find whole strings, excluding partial hits from the search range.

For example, if you've installed a number of applications with names including the "Paint" string (for example, Microsoft Paint, PaintShop Pro, etc.), Regedit.exe will find them all. However, if you only need to find entries related to Microsoft Paint, then use the Match whole string only option. If you need to find all the entries that contain the "Paint" string, clear the checkbox if it's set. This feature is useful if you don't remember the exact spelling of the string you're searching for, and need to find all possible variations.

Using the Match whole string only option increases the time required to perform the search. The amount of time can be significant if the registry is large.

To start the search procedure, fill in all the required fields in the Find dialog and click the Find Next button.

When Regedit.exe finds the matching item, it highlights it, thus helping to determine the key or subkey where the matching item resides. If Regedit.exe finds the data or value names, it will open the associated registry keys in the left pane and highlight the value name. However, it still may be difficult to determine the registry path to the item just found. Because of this, you should use the status bar, since it displays the path to the highlighted registry entry, including all parent keys and the name of the computer (as you know, the computer name won't necessarily be the name of the local system).

Now you have finally found the registry entry. But is it the entry you really need? If it is, you may edit this item and finish the search procedure; otherwise, ignore the result and continue searching. To find the next match, press <F3> or select the Find Next command from the Edit menu.

Note 

When searching the registry, remember that the names of the keys and value entries may not be unique. The same name may be encountered many times. Because of this, the more information you provide for the search function, the more accurate your result will be. For example, the "inbox" string is encountered about 10 times. Also, if you want to automate registry searches, consider using the Dureg.exe Resource Kit utility, which, besides estimating the size of the whole registry or a specific registry key, also provides searching capabilities. Command-line Resource Kit tools are especially useful for administrative scripting.

Finally, the Permissions command, allowing you to manage registry key permissions and audit the actions related to the registry keys, deserves special mention. Once again, it is necessary to emphasize the fact that, in Windows NT/2000, this functionality was available only in Regedt32.exe, where there was the Security menu command. In Windows XP and Windows Server 2003, this functionality was integrated into a single version of the registry editor - the Regedit.exe utility. Registry-key permissions can be assigned independently from the file system type on the system partition.

Modifying Keys and Value Entries

Now, since we have provided a brief overview of the Edit menu commands, let us proceed with a more detailed discussion of their use for adding, modifying, or deleting registry keys and value entries, and for setting registry-key permissions.

Adding New Keys

To add a new key to any registry hive, select the New | Key commands from the Edit menu. The procedure is straightforward and very similar to that of creating new folders in Windows Explorer. The new key will be created without prompting the user to provide a name, but you will be able to rename the new key after it has been created.

Adding New Value Entries

To add new registry value entries, select the New command from the Edit menu, then select the appropriate command, depending on the data type of the value entry to be created. Using Windows XP or Windows Server 2003 version of Regedit.exe, you can create string-value types (REG_SZ, REG_MULTI_SZ, and REG_EXPAND_SZ) and binary values (REG_DWORD or REG_BINARY). The new value entry will be created without prompting the user to provide a name, but you'll be able to rename and edit the value after it has been created.

Using the Binary Editor

When you select the binary value (REG_BINARY data type) and then select the Modify command from the Edit menu, Regedit.exe opens the Edit Binary Value window (Fig. 3.10). Note that you can use the binary editor to edit a value of any type by selecting the Modify Binary Data command. Enter the data into the Value data field of the Edit Binary Value window.

Figure 3.10: The Edit Binary Value window

Editing String Values

Select the REG_SZ value in the right pane of the Registry Editor window. Then select the Modify command from the Edit menu to start the String Editor. The Edit String window (Fig. 3.11) allows you to edit string values.

Figure 3.11: The Edit String window

Editing DWORD Values

When you double-click a REG_DWORD registry value entry or highlight an entry of this type and select the Modify command from the Edit menu, the DWORD editor starts (Fig. 3.12). By default, all REG_DWORD data are displayed in hex format. However, you can also display data using decimal format by selecting the appropriate radio button from the Base group at the bottom of the window.

Figure 3.12: The Edit DWORD Value window

Editing Multi-String Values

The Edit Multi-String window (Fig. 3.13) opens when you double-click the multi-string value or select a multi-string value and then choose the Modify command from the Edit menu. This window allows you to edit multi-string values.

Figure 3.13: The Edit Multi-String window

Viewing Resource Lists

As was already mentioned in Chapter 1, the system registry stores all information on the hardware installed on the computer. The registry even has special data types for this purpose, namely, REG_RESOURCE_LIST, REG_FULL_RESOURCE_DESCRIPTOR, and REG_RESOURCE_REQUIREMENTS_LIST. These data types are only used in the HKEY_LOCAL_MACHINE\HARDWARE registry key. The value entries of these types are viewed in the Resource Lists (Fig. 3.14) and Resources windows (Fig. 3.15).

Figure 3.14: The Resource Lists window

Figure 3.15: The Resources window

Deleting Registry Keys and Value Entries

To delete a registry key or value entry, select the object that you wish to delete and then select the Delete command from the Edit menu. The system will prompt you to confirm your intention to delete the selected key or value entry (Fig. 3.16).

Figure 3.16: The system prompts you to confirm your intention to delete a registry key or value entry

Note 

Don't forget to back up the registry hives where you'll be deleting keys or value entries. Registry editors don't provide the capability to undo this operation. After having confirmed the deletion, you will have no means of restoring the information other than the use of backup copies. As shown in Fig. 3.16, the warning message displayed by the system doesn't specify the name of the key you are about to delete. Before proceeding further, check the name of the selected key and make sure that you know what you're doing.

If you delete something from the HKEY_LOCAL_MACHINE\System\CurrentControlSet, you can restore this key using the Last Known Good configuration (see Chapter 6).

The View Menu Commands

The View menu contains commands that allow you to select the method of displaying the registry. It contains the following commands:

  • Status Bar

  • Split

  • Display Binary Data

  • Refresh

The Status Bar command in the View menu allows the user to hide the status bar. The status bar is useful because it helps you to navigate the registry. For this reason, I recommend that users (at least beginners) don't hide it.

The Split option moves the mouse cursor to the divider separating the left and right panes of the Registry Editor window. All you have to do is to move the mouse right or left to find a new position for the divider. After that, the only thing you need to do is to click the left (or right) mouse button.

Tip 

Resizing the Registry Editor window is similar to resizing Explorer or My Computer windows. You just need to move the mouse cursor to the divider, wait until it changes to a double arrow, click the left mouse button and drag the divider left or right. When you are done, release the mouse button.

The Display Binary Data command from the View menu, which was introduced with Windows XP and is present in all products of the Windows Server 2003 family, becomes available only after you select one of the value entries listed in the right pane of the Registry Editor window. This command allows you to view the selected data item using one of three formats: Byte, Word, or Dword. Notice that it doesn't allow you to edit the data (if you need to, select the value entry and choose the Modify Binary Data command from the Edit menu).

Figure 3.17: The Binary Data window

Another option on the View menu is the Refresh command. Note that when you enter changes into the registry, not all of them will immediately be displayed in the Registry Editor window. To refresh the Registry Editor window, select the Refresh command or press <F5>.

Note 

Normally, in earlier versions of Windows NT, including Windows NT 4.0, all changes introduced into the system (including the changes to the system registry) come into force only after rebooting the system. Starting with Windows 2000, full-featured Plug and Play support was integrated into the system, resulting in fewer reboots. Windows 2000, Windows XP, and products of the Windows Server 2003 family require fewer reboots than previous versions of Windows NT. However, there are certain modifications that can come into force only after rebooting the system.

The Favorites Menu

As has already been mentioned, each newer version of Regedit.exe comes with new, enhanced functionality. One of the most useful functions, which was first introduced with Windows 2000 and is also present in Windows XP and Windows Server 2003, is the Favorites menu (Fig. 3.18).

Figure 3.18: The new version of Regedit utility contains a Favorites menu

Anyone who frequently searches and edits the registry will appreciate this convenient feature. Using the Favorites menu, you can create a list of the registry keys you edit most frequently and, thus, avoid time-consuming search procedures.

To add a registry key to the Favorites list, proceed as follows:

  1. Select the registry key that you want to add to the Favorites list.

  2. From the Favorites menu, select the Add to Favorites command.

  3. The Add to Favorites window will open (Fig. 3.19). You can accept the key name proposed by default, or enter a new name into the Favorite name field. Click OK to add the key to the Favorites list.

    Figure 3.19: The Add to Favorites dialog

Now you will be able to navigate to this key by selecting its name from the Favorites list. If you need to delete the key from the Favorites list, select the Remove Favorite command from the Favorites menu. Select the key you need to delete from this list and click OK.



Windows Server 2003 Registry
Unicode Explained
ISBN: 1931769214
EAN: 2147483647
Year: 2005
Pages: 129
