Windows Server 2003 Registry Architecture


The Windows Server 2003 Registry is a well-organized database containing an assortment of hardware-, software-, and user-related information. Its basic structure is hierarchical with multiple configuration layers. These layers or levels are grouped from the top down by hives, keys, subkeys, value entries, and finally the actual value for a given configuration parameter. A value entry is a parameter within the key or subkey, and a value is the specific value for the parameter.

Hives, Keys, and Subkeys

At the topmost level of the Registry's organization is a root key commonly referred to as a hive. There are five hives within the Registry, as shown in Figure 20.1, and they are all permanent (that is, they are hard-coded within Windows Server 2003). Because these hives are hard-coded, you can't delete, modify, or add another hive.

Figure 20.1. Displaying the five Registry hives with the Registry Editor.


Table 20.1 lists and describes each of these hives.

Table 20.1. The Five Registry Hives and Their Content

| Registry Root Key (Hive) | Content Description |
| --- | --- |
| HKEY_CURRENT_CONFIG | Current hardware configuration information. |
| HKEY_CLASSES_ROOT | File associations and OLE information. |
| HKEY_CURRENT_USER | Information about the user currently logged on, such as desktop settings and network connections. |
| HKEY_USERS | Local user account information. Information on each user is stored in a separate subkey. |
| HKEY_LOCAL_MACHINE | System configuration information and parameters, such as hardware, software, and security settings. |


Coincidentally, some of the hives are also subkeys of other hives and are linked to one another. These hives and their corresponding linked paths are listed in Table 20.2.

Table 20.2. Registry Hive Links

| Hive (Root Key) | Linked Path |
| --- | --- |
| HKEY_CLASSES_ROOT | HKEY_LOCAL_MACHINE\SOFTWARE\Classes |
| HKEY_CURRENT_CONFIG | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current |
| HKEY_CURRENT_USER | HKEY_USERS (current user logged on) |


The next organizational level is a key. Each key contains value entries or values and can also have subkeys branching off it. Those subkeys can then be considered keys for the configuration information branching off them.

Registry Location and Storage

The Windows Server 2003 Registry is stored in two separate places: in memory and on disk. At startup, the entire Registry is loaded into paged, pooled memory so that Windows Server 2003 can quickly retrieve information.

It's also stored in various files located within the %SYSTEMROOT%\System32\Config directory. You'll also notice the .sav and .log files in this directory. They serve as backup files for the Registry.

HKEY_LOCAL_MACHINE

The HKEY_LOCAL_MACHINE hive contains a variety of information pertaining to hardware devices (for example, memory, bus types, device drivers, and more) and the software installed on the system. As you can see in Figure 20.2, the hive contains the following five subkeys:

Figure 20.2. HKEY_LOCAL_MACHINE subkeys.


  • HARDWARE

  • SAM

  • SECURITY

  • SOFTWARE

  • SYSTEM

These five subkeys are explained in the following sections.

The HARDWARE Subkey

As the name implies, the HARDWARE subkey contains all the hardware information for the system. When the system starts up, information is built about the hardware, and then at shutdown this information is wiped away. Therefore, the HARDWARE subkey is volatile.

NTDETECT.COM is in charge of gathering all information on the hardware. After it obtains the information, it passes that information to the HARDWARE subkey. The following are some examples of the hardware components that it detects:

  • Adapter type

  • Bus type

  • Communication ports

  • Floppy disks

  • Keyboard

  • Mouse

  • Video

There are four subkeys within the HARDWARE subkey. These subkeys are also populated with information gathered from NTDETECT.COM. The four standard subkeys are the following:

  • HARDWARE\ACPI: This subkey is for the ACPI hardware and software interface specification that supports Plug and Play as well as advanced power management (APM).

  • HARDWARE\DESCRIPTION: This subkey contains hardware descriptions.

  • HARDWARE\DEVICEMAP: This subkey includes devices to device driver mappings.

  • HARDWARE\RESOURCEMAP: This subkey contains resource mappings that the devices use (such as physical memory ranges).

Note

Plug and Play APIs are used to read and write power management and Plug and Play device information from and to the Registry dynamically.


The SAM Subkey

The SAM subkey, shown in Figure 20.3, is similar to the HKEY_LOCAL_MACHINE\SECURITY subkey in that it contains valuable information. By default, this subkey is locked down to the point that it's inaccessible to users via the Registry Editor. It stores local users and groups, along with access permissions for files and folders.

Figure 20.3. The HKEY_LOCAL_MACHINE\SAM subkey.


The SECURITY Subkey

Because of the security-sensitive information contained in the SECURITY subkey, it too is locked down tightly to protect the information. This subkey is, by default, inaccessible through the Registry Editor.

The information within this key pertains to users, groups, and access permissions, and also includes application and device driver-related information. The actual content of this subkey is determined by whether or not you're still in Mixed mode with Windows NT 4 as a domain controller.

The SOFTWARE Subkey

Application-specific information including, but not limited to, path statements, licensing, and executable paths is stored in the SOFTWARE subkey. Because this subkey resides under the HKEY_LOCAL_MACHINE key, the configuration information is applied globally (that is, systemwide). This is an important point because these configurations differ from those located in HKEY_CURRENT_USER\Software for individual users.

Within this subkey, you'll also find various other subkeys relating to the applications that are installed on the system. For example, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\, you can find the configurations and version numbers of all the Microsoft-installed software.

The SYSTEM Subkey

Another sensitive subkey that is very important to Windows Server 2003 is the SYSTEM subkey. The majority of the information stored in this subkey is the following:

  • Control set configurations: The control set configuration pertains to the data that is needed to control the system boot process. This information is associated with current and prior control sets. The current control set defines the system profile, while its subkeys provide more detail, such as the computer name, the services running on the system, and instructions for Windows Server 2003 in case of a system crash.

  • Windows Server 2003 setup information: This information contains various Windows Server 2003 setup parameters, such as OSLoaderPath and SystemPartition.

  • Disk subsystem configuration: The disk subsystem configuration information pertains to the devices, volumes, RAID settings, and more. The Disk Management snap-in uses this information to display the disk subsystem information.

HKEY_CLASSES_ROOT

Although HKEY_CLASSES_ROOT is considered a hive, it's actually an alias for the key HKEY_LOCAL_MACHINE\SOFTWARE\Classes. This key stores all file associations, information regarding shortcuts, OLE, and much more. The file association basically points to the appropriate application that will execute when you use a file with that specific extension. Also, particular icons are associated with a particular file type. So, for example, when you view files in Windows Explorer, you can see a document (.doc) with a Microsoft Word icon. When you open that file, Microsoft Word is launched and opens the file. Some of the file associations are shown in Figure 20.4.

Figure 20.4. File associations located in HKEY_CLASSES_ROOT.


The HKEY_CURRENT_USER\Software\Classes alias was first introduced and implemented in Windows 2000 to enhance support for user-based settings. This feature is called per-user class registration. It provides more flexibility and customization by allowing applications to define associations per user as needed. In other words, a system with multiple users can have different application settings for each individual.

HKEY_CURRENT_CONFIG

The HKEY_CURRENT_CONFIG is yet another hive that aliases another subkey. This time it references HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current. If you check this reference, you'll notice that there really isn't any particularly useful data in this subkey because it's really just a pointer to a numbered subkey that has the current hardware profile.

As you would expect, the data contained within this hive is hardware profile-related information. Windows Server 2003 systems use hardware profiles by default, and you can add more depending on the hardware configuration changes you'll have. For the most part, mobile users will have more than one profile.

HKEY_CURRENT_USER

The HKEY_CURRENT_USER is a unique and dynamic hive. It's unique in that it contains information on the currently logged-on user and more specifically maps to HKEY_USERS\<SecurityID>, where the SID represents the user. It's dynamic because each time a user logs on, the key is refreshed and built from scratch.

The information contained within this key varies depending on the particular user logging in. Generally speaking, it includes information such as user preferences (keyboard mappings, desktop settings, network drive connections, application-specific preferences, and much more). In the case where the user logs on to the system for the first time, a default user profile is used.

There are several subkeys underneath the HKEY_CURRENT_USER hive, including, but not limited to, the following subkeys:

  • AppEvents

  • Console

  • Control Panel

  • Environment

  • Identities

  • Keyboard Layout

  • Printers

  • Session Information

  • Software

  • Unicode Program Groups

  • Volatile Environment

HKEY_USERS

The HKEY_USERS subkey represents the currently loaded user profiles. It contains a subkey for each user, but only two subkeys for the user currently logged on and the default user profile appear. The three loaded profiles are the following:

  • .DEFAULT: During startup, this is the default profile used before a user is logged on to the system. In other words, if no one is logged on to the system, this is the only profile in use.

  • <SecurityID>: Also known as the SID, this profile identifies the user currently logged on.

  • <SecurityID_Classes>: This profile represents all the class information for the user currently logged on.

Each user profile is loaded from the disk subsystem, not from the Registry itself. The default location of the profiles is %SystemDrive%\Documents and Settings\<user_name> or %SystemDrive%\Documents and Settings\Default User\.
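
Because the alias hives in Table 20.2 and the per-user <SecurityID> and <SecurityID_Classes> subkeys name the same data by different paths, an audit or monitoring rule written against one spelling can miss the other. The following is an added example, not code from the book: it rewrites any path to its HKEY_LOCAL_MACHINE or HKEY_USERS form before comparing it with a watch list. The SID, the watch list, and the function names are constructed for illustration, and the short hive names (HKLM, HKCU, and so on) are the customary abbreviations rather than something this chapter defines.

```python
# Added example: canonicalise registry paths using the hive links in Table 20.2.
ABBREVIATIONS = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}
# Alias hive -> linked path, as listed in Table 20.2.
LINKS = {
    "HKEY_CLASSES_ROOT": r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes",
    "HKEY_CURRENT_CONFIG":
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current",
}

def canonicalize(path, sid):
    """Rewrite an alias-hive path to its HKEY_LOCAL_MACHINE / HKEY_USERS form."""
    parts = [p for p in path.strip().split("\\") if p]
    if not parts:
        raise ValueError("empty registry path")
    root = ABBREVIATIONS.get(parts[0].upper(), parts[0].upper())
    rest = parts[1:]
    if root == "HKEY_CURRENT_USER":
        # Per-user class registration is loaded as HKEY_USERS\<SID>_Classes.
        if [p.lower() for p in rest[:2]] == ["software", "classes"]:
            root, rest = "HKEY_USERS\\" + sid + "_Classes", rest[2:]
        else:
            root = "HKEY_USERS\\" + sid
    elif root in LINKS:
        root = LINKS[root]
    elif root not in ("HKEY_LOCAL_MACHINE", "HKEY_USERS"):
        raise ValueError("unknown hive: " + parts[0])
    return "\\".join([root] + rest)

def is_watched(path, sid, watched):
    """True if the canonical path equals, or sits below, a watched key."""
    canon = canonicalize(path, sid).lower()  # registry key names are case-insensitive
    return any(canon == w.lower() or canon.startswith(w.lower() + "\\")
               for w in watched)

# Constructed sample data: a placeholder SID and a hypothetical watch list.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
WATCHED = [r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.doc",
           "HKEY_USERS\\" + SAMPLE_SID + r"\Environment"]

if __name__ == "__main__":
    for p in (r"HKCR\.doc", r"hkcu\Environment", r"HKLM\SOFTWARE\Microsoft"):
        print(p, "->", canonicalize(p, SAMPLE_SID),
              is_watched(p, SAMPLE_SID, WATCHED))
```
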




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499
