The Windows Server 2003 Registry is a well-organized database containing an assortment of hardware-, software-, and user-related information. Its basic structure is hierarchical with multiple configuration layers. These layers or levels are grouped from the top down by hives, keys, subkeys, value entries, and finally the actual value for a given configuration parameter. A value entry is a parameter within the key or subkey, and a value is the specific value for the parameter.

Hives, Keys, and Subkeys

At the topmost level of the Registry's organization is a root key commonly referred to as a hive. There are five hives within the Registry, as shown in Figure 20.1, and they are all permanent (that is, they are hard-coded within Windows Server 2003). Because these hives are hard-coded, you can't delete, modify, or add another hive.

Figure 20.1. Displaying the five Registry hives with the Registry Editor.

Table 20.1 lists and describes each of these hives.
Some of the hives are also subkeys of other hives and are linked to one another. These hives and their corresponding linked paths are listed in Table 20.2.
The next organizational level is a key. Each key contains value entries or values and can also have subkeys branching off it. Those subkeys can in turn be treated as keys for the configuration information branching off them.

Registry Location and Storage

The Windows Server 2003 Registry is stored in two separate places: in memory and on disk. At startup, the entire Registry is loaded into paged, pooled memory so that Windows Server 2003 can quickly retrieve information. It's also stored in various files located within the %SYSTEMROOT%\System32\Config directory. You'll also notice the .sav and .log files in this directory. They serve as backup files for the Registry.

HKEY_LOCAL_MACHINE

The HKEY_LOCAL_MACHINE hive contains a variety of information pertaining to hardware devices (for example, memory, bus types, device drivers, and more) and the software installed on the system. As you can see in Figure 20.2, the hive contains the following five subkeys:

Figure 20.2. HKEY_LOCAL_MACHINE subkeys.
These five subkeys are explained in the following sections.

The HARDWARE Subkey

As the name implies, the HARDWARE subkey contains all the hardware information for the system. When the system starts up, information is built about the hardware, and then at shutdown this information is wiped away. Therefore, the HARDWARE subkey is volatile. NTDETECT.COM is in charge of gathering all information on the hardware. After it obtains the information, it passes that information to the HARDWARE subkey. The following are some examples of the hardware components that it detects:
There are four subkeys within the HARDWARE subkey. These subkeys are also populated with information gathered from NTDETECT.COM. The four standard subkeys are the following:
Note: Plug and Play APIs are used to read and write power management and Plug and Play device information from and to the Registry dynamically.

The SAM Subkey

The SAM subkey, shown in Figure 20.3, is similar to the HKEY_LOCAL_MACHINE\SECURITY subkey in that it contains valuable information. By default, this subkey is locked down to the point that it's inaccessible to users via the Registry Editor. It stores local users and groups, along with access permissions for files and folders.

Figure 20.3. The HKEY_LOCAL_MACHINE\SAM subkey.

The SECURITY Subkey

Because of the security-sensitive information contained in the SECURITY subkey, it too is locked down tightly to protect the information. This subkey is, by default, inaccessible through the Registry Editor. The information within this key pertains to users, groups, and access permissions, and also includes application and device driver-related information. The actual content of this subkey depends on whether or not you're still in Mixed mode with Windows NT 4 as a domain controller.

The SOFTWARE Subkey

Application-specific information including, but not limited to, path statements, licensing, and executable paths is stored in the SOFTWARE subkey. Because this subkey resides under the HKEY_LOCAL_MACHINE key, the configuration information is applied globally (that is, systemwide). This is an important point because these configurations differ from those located in HKEY_CURRENT_USER\Software for individual users. Within this subkey, you'll also find various other subkeys relating to the applications that are installed on the system. For example, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\, you can find the configurations and version numbers of all the Microsoft-installed software.

The SYSTEM Subkey

Another sensitive subkey that is very important to Windows Server 2003 is the SYSTEM subkey. The majority of the information stored in this subkey is the following:
HKEY_CLASSES_ROOT

Although HKEY_CLASSES_ROOT is considered a hive, it's actually an alias for the key HKEY_LOCAL_MACHINE\SOFTWARE\Classes. This key stores all file associations, information regarding shortcuts, OLE, and much more. The file association basically points to the appropriate application that will execute when you use a file with that specific extension. Also, particular icons are associated with a particular file type. So, for example, when you view files in Windows Explorer, you can see a document (.doc) with a Microsoft Word icon. When you open that file, Microsoft Word is launched and opens the file. Some of the file associations are shown in Figure 20.4.

Figure 20.4. File associations located in HKEY_CLASSES_ROOT.

The HKEY_CURRENT_USER\Software\Classes alias was first introduced and implemented in Windows 2000 to enhance support for user-based settings. This feature is called per-user class registration. It provides more flexibility and customization by allowing applications to define associations per user as needed. In other words, a system with multiple users can have different application settings for each individual.

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG is yet another hive that aliases another subkey. This time it references HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current. If you check this reference, you'll notice that there really isn't any particularly useful data in this subkey because it's really just a pointer to a numbered subkey that holds the current hardware profile. As you would expect, the data contained within this hive is hardware profile-related information. Windows Server 2003 systems use hardware profiles by default, and you can add more depending on the hardware configuration changes you'll have. For the most part, mobile users will have more than one profile.

HKEY_CURRENT_USER

HKEY_CURRENT_USER is a unique and dynamic hive.
It's unique in that it contains information on the currently logged-on user; more specifically, it maps to HKEY_USERS\<SecurityID>, where the SID represents the user. It's dynamic because each time a user logs on, the key is refreshed and built from scratch. The information contained within this key varies depending on the particular user logging in. Generally speaking, it includes information such as user preferences (keyboard mappings, desktop settings, network drive connections, application-specific preferences, and much more). When a user logs on to the system for the first time, a default user profile is used. There are several subkeys underneath the HKEY_CURRENT_USER hive, including, but not limited to, the following subkeys:
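The aliases described above (HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, and HKEY_CURRENT_USER mapping to HKEY_USERS\<SecurityID>) mean one key can show up under several names, which matters when registry paths from audit logs or tools are compared against a watch list. The function below is an added example, not from the book, that rewrites a path to the hive and key it is linked to, using only the linked paths named in the text; the HKCR/HKCC/HKCU/HKLM/HKU short forms, the watch-list entry, the SID and the three observed paths are constructed sample data of mine.

```python
# Linked paths as named in the chapter; HKEY_CURRENT_USER is handled separately
# because its target depends on the SID of the logged-on user.
LINKED_PATHS = {
    "HKEY_CLASSES_ROOT": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes",
    "HKEY_CURRENT_CONFIG": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet"
                           "\\Hardware Profiles\\Current",
}
# Abbreviations accepted by common tools (assumption, not from the chapter).
SHORT_NAMES = {"HKCR": "HKEY_CLASSES_ROOT", "HKCC": "HKEY_CURRENT_CONFIG",
               "HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
               "HKU": "HKEY_USERS"}

def canonical_path(path: str, user_sid: str = None) -> str:
    """Return the path with any alias hive replaced by the key it links to."""
    path = path.replace("/", "\\").strip("\\")
    root, _, rest = path.partition("\\")
    root = SHORT_NAMES.get(root.upper(), root.upper())
    if root == "HKEY_CURRENT_USER":
        if not user_sid:
            raise ValueError("HKEY_CURRENT_USER needs the logged-on user's SID")
        root = "HKEY_USERS\\" + user_sid
    else:
        root = LINKED_PATHS.get(root, root)
    return root + ("\\" + rest if rest else "")

def same_key(a: str, b: str, user_sid: str = None) -> bool:
    """True when two differently spelled paths refer to the same key."""
    return canonical_path(a, user_sid).lower() == canonical_path(b, user_sid).lower()

# Constructed sample: one watched key and the spellings seen in three log lines.
WATCHED = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.doc\\shell\\open\\command"
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
OBSERVED = [
    "HKCR\\.doc\\shell\\open\\command",
    "HKEY_CLASSES_ROOT\\.doc\\shell\\open\\command",
    # Per-user class registration: lands under HKEY_USERS\<SID>, a different key.
    "HKCU\\Software\\Classes\\.doc\\shell\\open\\command",
]

def matches_watch_list(paths, user_sid):
    """Return the observed paths that resolve to the watched key."""
    return [p for p in paths if same_key(p, WATCHED, user_sid)]
```

The third observed path does not match because the per-user classes key lives under the user's SID, so a watch list that covers only the machine-wide key has to list that path separately.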
HKEY_USERS

The HKEY_USERS subkey represents the currently loaded user profiles. It contains a subkey for each user, but only two subkeys for the user currently logged on and the default user profile appear. The three loaded profiles are the following:
Each user profile is loaded from the disk subsystem, not from the Registry itself. By default, the profiles are located in %SystemDrive%\Documents and Settings\<user_name> or %SystemDrive%\Documents and Settings\Default User\.
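The hive files described under Registry Location and Storage, and the per-user profiles loaded from disk, all begin with a 512-byte base block in the regf format. The following Python is an added example, not from the book, that checks that header the way a forensic triage script would before trusting a copied hive: signature, version, embedded hive name, the XOR checksum over the first 508 bytes, and whether the two sequence numbers agree (they differ when the last write to the hive did not complete). The field offsets and checksum rule are the documented regf layout; the sample header is constructed inline and the helper names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 512          # every hive file (regf) starts with one
HEADER_FMT = "<4sIIQIIIIIII"   # fields at offsets 0..47, little-endian

def regf_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs in bytes 0..507, with Windows' two special cases."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if csum == 0 else csum

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_base_block(block: bytes) -> dict:
    """Decode the base block and report integrity indicators."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("base block must be at least 512 bytes")
    (sig, seq1, seq2, ft, major, minor, ftype, _fmt,
     root, hbins_size, _cluster) = struct.unpack_from(HEADER_FMT, block, 0)
    if sig != b"regf":
        raise ValueError("not a regf hive (signature %r)" % sig)
    # Bytes 48..111 hold the hive's original path as NUL-padded UTF-16LE.
    name = block[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, 508)[0]
    return {
        "sequence1": seq1, "sequence2": seq2,
        "last_written": filetime_to_datetime(ft),
        "version": "%d.%d" % (major, minor),
        "file_type": ftype,              # 0 = primary hive file
        "root_cell_offset": root, "hbins_data_size": hbins_size,
        "file_name": name,
        "checksum_ok": stored == regf_checksum(block),
        "clean": seq1 == seq2,           # unequal = last write did not finish
    }

def build_sample_base_block(seq1: int = 7, seq2: int = 7, name: str = "SYSTEM") -> bytes:
    """Constructed sample header (not captured from a real server) for testing."""
    header = struct.pack(HEADER_FMT, b"regf", seq1, seq2,
                         131000000000000000,  # FILETIME for 2016-02-15 08:53:20 UTC
                         1, 3, 0, 1, 0x20, 0x1000, 1)
    header += name.encode("utf-16-le").ljust(64, b"\x00")
    body = header.ljust(508, b"\x00")
    return body + struct.pack("<I", regf_checksum(body))
```

Running parse_base_block over a hive copied out of %SYSTEMROOT%\System32\Config reports a wrong checksum when the copy is truncated or altered, and a sequence mismatch when the hive was copied while a write was in progress.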