Most administrators go out of their way to avoid working with the registry, and I don't blame them. The registry is one of those aspects of Windows you are constantly being warned not to mess with. With the frequent threats of virtual nuclear destruction combined with the lack of documentation, the registry is a dark and scary place. In this chapter, you will learn the basics of the registry, how to modify it safely, and the hidden tricks and goodies the registry has to offer.
In the old days of 16-bit Windows, all settings were stored in initialization files. The two main files for storing settings were the SYSTEM.INI and WIN.INI files. As each application was installed, it stored its settings in these two files. Unfortunately, these applications could store only a limited set of entries because of the restrictive 64K size of INI files. To counteract this, application developers started using their own INI files. Although this might have seemed a good idea at first, as the number of applications grew, so did the number of INI files; and as each INI file grew, the system would often slow down.
The registry was born simultaneously with the birth of Windows NT in 1993 and is the answer to Windows INI files. The registry is a hierarchical, relational database that holds system information, OLE (Object Linking and Embedding) and Automation information, application settings, operating system configuration data, and more. The information stored includes everything from your display settings to your hardware configuration. To speed access time, the registry is stored in binary format and is composed of multiple files.
Under Windows 2000/XP/2003, user-related settings are stored in a file called ntuser.dat. This file is stored in the user's profile directory located in the %USERPROFILE% directory. System settings are stored in the SYSTEM32\CONFIG directory and consist of the following five files:
Default (HKEY_USERS\DEFAULT) - Stores default settings for new users
SAM (HKEY_LOCAL_MACHINE\SAM) - Stores system security information
Security (HKEY_LOCAL_MACHINE\Security) - Stores network security information
Software (HKEY_LOCAL_MACHINE\Software) - Stores specific application and operating system information
System (HKEY_LOCAL_MACHINE\System) - Stores device driver and system information
The registry consists of top-level keys called hives:
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
These hives store all the keys (subfolders) that make up the registry. These keys store all the values (entries), which specify all the individual system settings.
HKEY_LOCAL_MACHINE (HKLM) stores all software, hardware, network, security, and Windows system information. This hive is the largest registry hive, and two of the other hives (HKEY_CLASSES_ROOT and HKEY_CURRENT_CONFIG) are links into it.
HKEY_CLASSES_ROOT (HKCR) is actually a virtual link to HKLM\Software\Classes. This hive stores information about all file extensions, descriptions, icons, associations, shortcuts, automation, class IDs, and more.
HKEY_USERS (HKU) stores information about all users of the system and their individual settings. These individual settings include environment variables, color schemes, fonts, icons, desktop configuration, Start menu items, network, and more. Each time a new user logs on, a new key is created based on a default key.
HKEY_CURRENT_USER (HKCU) is actually a link to the currently logged-in user's key stored in HKEY_USERS. That key is named by the user's SID (Security Identifier) value and not by the user's name. This key is rebuilt each time the system reboots.
HKEY_CURRENT_CONFIG (HKCC) is actually a link to the currently selected hardware profile stored in HKEY_LOCAL_MACHINE. Hardware profiles allow you to specify which device drivers are to be loaded for a given Windows session. Hardware profiles are commonly used with laptops to distinguish RAS, network, and local Windows sessions.
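The relationships described above (hive files backing the loaded hives, and HKCU being an alias for the SID-named key under HKEY_USERS) can be checked on a live system. This is an added, read-only PowerShell example, not code from the book; it relies on the HKLM\SYSTEM\CurrentControlSet\Control\hivelist key, which records the backing file for every loaded hive, and on the Environment key that exists in every user profile.

```powershell
# Added example (not from the book): map loaded registry hives to their backing
# files, then confirm that HKEY_CURRENT_USER is the current user's SID key in
# HKEY_USERS. The script only reads the registry.

# hivelist holds one value per loaded hive: the value name is the kernel object
# path of the hive, the data is the device path of the file behind it.
# User hives show up here as \REGISTRY\USER\<SID> -> ...\ntuser.dat; volatile
# hives such as HARDWARE have no backing file and appear with empty data.
$hiveList = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
foreach ($name in $hiveList.GetValueNames()) {
    $file = $hiveList.GetValue($name)
    if ([string]::IsNullOrEmpty($file)) { $file = '(volatile, no backing file)' }
    '{0,-60} -> {1}' -f $name, $file
}

# HKCU is an alias: the real key lives under HKEY_USERS and is named by the SID.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    # PowerShell ships HKLM: and HKCU: drives only; HKEY_USERS needs a drive of its own.
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$viaHku  = (Get-ItemProperty -Path "HKU:\$sid\Environment").TEMP
$viaHkcu = (Get-ItemProperty -Path 'HKCU:\Environment').TEMP

"Current user SID              : $sid"
"HKU\<SID>\Environment TEMP    : $viaHku"
"HKCU\Environment TEMP         : $viaHkcu"
'Both paths reach the same key : {0}' -f ($viaHku -eq $viaHkcu)
```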
Like any other database, the registry contains various data types to store different types of values. Table 6.1, from Windows 2000 Registry Little Black Book (http://www.paraglyphpress.com) lists the various registry data types.
| Data Type | Raw Type | Function |
|---|---|---|
| REG_NONE | Unknown | Encrypted data |
| REG_SZ | String | Text characters |
| REG_EXPAND_SZ | String | Text with variables |
| REG_BINARY | Binary | Binary data |
| REG_DWORD | Number | Numerical data |
| REG_DWORD_BIG_ENDIAN | Number | Non-Intel numbers |
| REG_LINK | String | Path to a file |
| REG_MULTI_SZ | Multistring | String arrays |
| REG_RESOURCE_LIST | String | Hardware resource list |
| REG_FULL_RESOURCE_DESCRIPTOR | String | Hardware resource ID |
| REG_RESOURCE_REQUIREMENTS_LIST | String | Hardware resource ID |
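The data types in Table 6.1 determine how a value is stored and how it is handed back to a program; the difference between REG_SZ and REG_EXPAND_SZ in particular is invisible in REGEDIT but matters to code. The following added PowerShell example (not from the book) writes one value of each common type under a scratch key, reads each back with its RegistryValueKind, and shows the REG_EXPAND_SZ data both as stored and as expanded. The key name RegistryDataTypeDemo is made up for the example and is removed at the end.

```powershell
# Added example (not from the book): create one value of each common registry
# data type under a scratch key, then read each back and report its kind.
# RegistryDataTypeDemo is a made-up key name; the script deletes it when done.
$key = 'HKCU:\Software\RegistryDataTypeDemo'
New-Item -Path $key -Force | Out-Null

# PropertyType names map to Table 6.1: String=REG_SZ, ExpandString=REG_EXPAND_SZ,
# Binary=REG_BINARY, DWord=REG_DWORD, MultiString=REG_MULTI_SZ.
New-ItemProperty -Path $key -Name 'Sz'       -PropertyType String       -Value 'plain text'        | Out-Null
New-ItemProperty -Path $key -Name 'ExpandSz' -PropertyType ExpandString -Value '%SystemRoot%\Temp' | Out-Null
New-ItemProperty -Path $key -Name 'Binary'   -PropertyType Binary       -Value ([byte[]](0xDE,0xAD,0xBE,0xEF)) | Out-Null
New-ItemProperty -Path $key -Name 'Dword'    -PropertyType DWord        -Value 0x1234              | Out-Null
New-ItemProperty -Path $key -Name 'MultiSz'  -PropertyType MultiString  -Value @('alpha','beta')   | Out-Null

$regKey = Get-Item -Path $key
foreach ($name in $regKey.GetValueNames()) {
    # GetValueKind returns the stored type as a RegistryValueKind enum.
    $kind = $regKey.GetValueKind($name)
    # DoNotExpandEnvironmentNames returns REG_EXPAND_SZ data exactly as stored,
    # with the %VARIABLE% references intact; the default read expands them.
    $raw      = $regKey.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $expanded = $regKey.GetValue($name)
    $shown = switch ($kind) {
        'Binary'      { ($raw | ForEach-Object { $_.ToString('X2') }) -join ' ' }   # byte[]
        'MultiString' { '[' + ($raw -join ', ') + ']' }                             # string[]
        'DWord'       { '0x{0:X8} ({0})' -f $raw }                                  # int32
        default       { "$raw" }
    }
    '{0,-9} {1,-13} stored = {2}' -f $name, $kind, $shown
    if ($kind -eq 'ExpandString') { '{0,-23} expanded = {1}' -f '', $expanded }
}

Remove-Item -Path $key -Recurse   # remove the scratch key
```

Reading the same REG_EXPAND_SZ value with plain Get-ItemProperty always returns the expanded form, so a script that needs to preserve the %VARIABLE% reference (for example when copying a value) must use the DoNotExpandEnvironmentNames option shown here.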
Because the registry is stored in multiple binary files, it cannot be viewed with a regular text editor. Windows 2000/XP/2003 include two registry editing tools: REGEDIT and REGEDT32. Both of these tools contain various functions, and it's best to know when to use which one.
REGEDIT is the registry-editing tool that comes included in all of Microsoft's 32-bit operating systems. Using this tool, you can add, delete, modify, back up, and restore registry keys and values from a local or remote machine. REGEDIT displays all the registry hives, even the aliased ones (see Figure 6.1). It also has the capability to search for registry keys and values. The most important thing to remember about REGEDIT is that changes happen immediately. There is no Apply, Cancel, or OK button here. The moment you make a change, the change is implemented, so be careful.
Tip: REGEDIT includes additional features such as a registry Favorites menu and the capability to remember the last key viewed before closing REGEDIT.
Warning: REGEDIT does not recognize all the registry data types. If you edit an unrecognized data type, it will be converted to a type that REGEDIT can recognize.
REGEDT32 is a registry-editing tool that comes included in Windows 2000/XP/2003 (see Figure 6.2). REGEDT32 displays each hive in a separate window, and only displays the HKEY_LOCAL_MACHINE and HKEY_USERS hives when accessing a registry remotely. REGEDT32 includes all the editing features of REGEDIT, but has only a simple find key function. Unlike REGEDIT, REGEDT32 does not apply changes immediately. It applies changes only as you close the application. Some additional features include auto-refresh, read-only mode, and the ability to set registry permissions.
Note: Although remote registry access through REGEDT32 only displays two hives, from within these two hives you can still access all the aliased hives that REGEDIT normally displays.
You've heard it a thousand times, but here it is again: editing the registry is dangerous. An incorrect registry setting can leave your system in shambles (trust me, I know). Here are some helpful registry editing tips:
Back up the entire registry or key you intend to modify. If your system starts acting up, you'll be glad you did.
Update your emergency repair disk (ERD) before you make any registry changes. This proves to be a valuable asset if your machine refuses to boot up properly.
Do not blindly make changes to the registry. Know what your intended registry change does. Research it.
Make one change at a time. This makes it easier to narrow down the cause of any problems you may have after editing the registry.
Always use REGEDT32 when you can. REGEDT32 does not apply changes until you exit the application and can work in read-only mode.
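The first, third and fourth tips above (back up the key first, know the change, make one change at a time) can be turned into a routine when edits are scripted rather than made in an editor. The following added PowerShell example (not from the book) exports the target key with reg.exe before touching it, makes a single change, verifies it, and then demonstrates the restore path from the exported .reg file. The key and value names (SafeEditDemo, Setting) are made up for the example; substitute the key you actually intend to modify.

```powershell
# Added example (not from the book): the chapter's safe-editing tips as a script.
# Back up the key you are about to touch, make one change, verify it, and keep
# the .reg file so the change can be reverted. SafeEditDemo and Setting are
# made-up names; the script removes the scratch key at the end.
$key    = 'HKCU\Software\SafeEditDemo'      # reg.exe path syntax (no colon)
$psKey  = 'HKCU:\Software\SafeEditDemo'     # PowerShell registry provider syntax
$backup = Join-Path $env:TEMP ('SafeEditDemo-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# Seed the scratch key with a value that stands in for a real setting.
New-Item -Path $psKey -Force | Out-Null
Set-ItemProperty -Path $psKey -Name 'Setting' -Value 'original'

# 1. Back up the key before modifying it; /y overwrites an existing file silently.
#    Refuse to continue if the export did not succeed.
reg.exe export $key $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $key failed; no change made." }
"Backup written to $backup"

# 2. Make exactly one change, then read it back to confirm it took effect.
Set-ItemProperty -Path $psKey -Name 'Setting' -Value 'changed'
'Value after edit    : {0}' -f (Get-ItemProperty -Path $psKey).Setting

# 3. Reverting: importing the .reg re-creates the exported keys and values.
#    Note that an import does not delete values added after the export was taken.
reg.exe import $backup 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Restore from $backup failed." }
'Value after restore : {0}' -f (Get-ItemProperty -Path $psKey).Setting

Remove-Item -Path $psKey -Recurse   # remove the scratch key
```

Keep the exported .reg file with the change record; if the system misbehaves later, the file documents exactly which key was touched and what it held beforehand.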