On those occasions when you need to change values in the registry, you'll have to use some kind of registry editor. Many of the settings that you can change in control panels, Group Policy objects, or MMC snap-ins are actually stored in the registry, so you can think of these utilities as a kind of registry editor. Another kind is the custom-written script that you use to make a specific change, perhaps as part of a logon script or a file you distribute to your users. However, most of the time when you need to make a change directly to the registry, you'll use one of the two tools Microsoft includes with Windows 2000: Regedt32.exe or Regedit.exe.
Why are there two registry editors in Windows 2000? Blame it on Windows NT 4. When Windows NT 3.1, 3.5, and 3.51 shipped, they included a registry editor called Regedt32. This tool was written to manipulate Windows NT registry keys and values, and it reflects Microsoft's standards for user interface design at the time it was written—1992 or thereabouts.
When Windows 95 was being developed, Microsoft realized that Regedt32 wasn't a good match for the Windows 95 interface or the underlying structural differences between the two systems' registries. Because Windows 95 also needed a registry editor, Microsoft developed a companion tool, Regedit, and shipped it with Windows 95.
To complicate matters, Microsoft includes both Regedt32 and Regedit with Windows NT 4. Although this might seem unnecessarily redundant, it is actually an advantage, as the two programs have different and complementary abilities. Microsoft continued to ship both programs as part of Windows 2000; except for a few minor cosmetic tweaks and plumbing-related bug fixes, the Windows 2000 versions are identical to their predecessors.
Windows XP does away with Regedt32, integrating most of its functionality into Regedit (The Load Registry Hive feature is gone, but the need for it is lessened, as very few situations now require the editing of the registry from a parallel installation). Thus users get the best of both worlds: the interface and search capabilities of Regedit along with the Windows NT underpinnings of Regedt32.
With two editors to choose from, how do you know which one to use in a given circumstance? Both tools have the same fundamental capabilities. They allow you to do the following:
However, some significant differences exist, most of which revolve around features that are in one editor but not the other. Let's start with Regedt32. Because it was engineered specifically for Windows NT, it has some useful features that carry over into Windows 2000:
In contrast, Regedit was designed to make full use of the Windows 95-style interface, so it looks quite a bit different from Regedt32. It also has the following different functionality:
How do you know which tool to use? Most of the time your personal preferences dictate which one you use. Some people like the way that Regedit works, whereas others prefer the old-school Regedt32 interface. If you're trying to find which key holds a particular value, you're better off using Regedit; on the other hand, if you need to set security permissions on a key, you'll have to use Regedt32.
As a user of Windows Explorer (or any version of Windows), you already know about 85 percent of what you need to use Regedit. This familiarity is entirely by design—Microsoft has tried to make it an easy-to-use tool by copying the user interface that you're already familiar with.
Regedit's main window is shown in Figure 37-2. The important parts of the interface are fairly simple to understand. Notice the following features:
Because these interface features are written with the standard Windows controls, all the keyboard navigation and control shortcuts you're accustomed to using with Windows Explorer work here. For example, you can jump to a particular key by clicking anywhere in the left pane and typing the first few letters of the key's name. You can also use the arrow keys to move around in either half of the Regedit window.
Figure 37-2. The Regedit user interface.
The Find command on the Edit menu in Regedit is worth its weight in gold when you need to find which key, or value, has a specific name or contents. The interface to this function is uncomplicated—as Figure 37-3 shows. Even with this simple interface, the tool is extremely valuable because it searches the entire registry for a specific value. Here's how to use the Find dialog box to get what you're looking for:
Figure 37-3. Regedit's Find dialog box.
When you have made your selections in the Find dialog box, click Find Next, and Regedit begins searching. Eventually, one of two things happens: either Regedit hits the end of the registry (in which case it tells you that it didn't find any matches), or it finds a match. In the latter case, the match is highlighted; if the match isn't really what you were looking for, choosing the Find Next command on the Edit menu (or F3, its accelerator) continues the search.
Every time you do a search, Regedit starts at the beginning of HKCR and works its way toward the end of HKCC. You can't change this search order, so you might as well get used to it.
The Modify command on the Edit menu lets you change the contents of the selected value entry. (You can also edit a value by selecting it and pressing Enter.) What you see next depends on the type of value you're editing; separate editor dialog boxes exist for string values, DWORD values, and binary values. Regedit lets you edit data types it doesn't support, such as REG_FULL_RESOURCE_ DESCRIPTOR or REG_MULTI_SZ; for those types, it opens the binary editor dialog box. The editor dialog boxes themselves are straightforward—each presents the current value and lets you edit it. The keyboard shortcuts for the Cut, Copy, and Paste commands work in the editor dialog boxes, too.
Regedit also allows you to add and remove keys, subkeys, and individual values. Now is a good time to reiterate Microsoft's frequent warning: making unnecessary changes to the registry will likely damage your computer. Be careful when you add data, and be doubly careful when you remove it. (See the sidebar "Being on Your Best Behavior," earlier in this chapter, for more details on why this is a good idea.) To add a new key as a child of the selected key, open the Edit menu, point to New, and choose Key. Regedit creates a new key and selects its name so you can set it correctly. (It defaults to New Key #1.)
The new key automatically has an unnamed value attached to it. You can add more values using the three remaining commands on the New submenu: String Value, Binary Value, and DWORD Value. Note that Regedit can't create any other data types, and if you create a binary value, components interpret it as raw REG_BINARY data. Creating a new value adds it as a child of the selected key and gives it a default name (New Value #1, New Value #2, and so on), which you can immediately change. Once you're done adding and naming the new values, you can use the standard editor dialog boxes to change their contents to the appropriate values.
Removing values and keys is simple. Select the item you want to remove and choose Delete from the Edit menu, or just press the Delete key. Regedit asks you to confirm your command; once you confirm it, the value or key is immediately removed.
You can import and export registry data from Regedit. The resulting text files are easy to read, and you can safely move them from machine to machine. In fact, the default association for .REG files automatically launches Regedit and loads the contents of the file when you double-click it. The Export Registry File command on the Registry menu lets you save the selected key to a file, and the Import Registry File command does the reverse. Note that importing a registry file from within Regedit happens immediately—a confirmation dialog box appears that tells you whether the import succeeded or not, but you don't get a chance to stop it. (If you launch a .REG file by clicking it, however, you do get a confirmation dialog box.)
Real World
Creating Your Own .REG Files
If you need to distribute registry changes to your users, one way to do it is with the policy mechanisms discussed in Chapter 10. However, sometimes using a .REG file makes more sense. For example, sites that don't have direct access to Active Directory resources can't receive group policy updates. You can easily mail out .REG files and have your users double-click them. (Of course, that creates a potential security problem, because anyone can send your users the same kinds of files—make sure to educate them about proper e-mail etiquette.)
The first, and easiest, way to create your own .REG file for distribution is to use Regedit to export the keys and values you want to pass around. As an alternative, you can create your own files using NotePad or any other text editor. Here's an example:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="drwtsn32 -p %ld -e %ld -g"
"UserDebuggerHotKey"=dword:00000000
The first line tells Regedit that it's looking at a .REG file. (The blank line that follows is required, too.) After that, the format is easy to understand: define a key by putting its full path in square brackets, and then follow it with each value you want to import, one per line. Enclose value names in double quotes, as well as string value contents. REG_DWORD values are specified using the DWORD: prefix; they don't have to be enclosed in quotes. You can bundle multiple keys into the same file as long as you add a blank line before each key name; each key can contain any number of values.
One tip: while you're becoming proficient with .REG files, you should practice by using a harmless destination path. Create your own key (say, HKLM \SOFTWARE\Testing123) and import your .REG files under it until you're sure that they make only the changes you want made.
If you're logged on with the right permissions, you can use Regedit to connect to another computer's registry and inspect or edit it. To accomplish this voodoo, your account must have administrative privileges on both the machine on which you're running Regedit and the other machine whose registry you wish to inspect or edit. In addition, Group Policy settings might prevent you from gaining access.
Assuming that your credentials are in order, you actually connect to the remote machine by choosing Connect Network Registry from the Registry menu. This command lets you browse your network to find the machine you want to connect to; once you've successfully connected, the computer's name appears in the left pane on the same level as My Computer. You can expand its root keys, poke around in the subkeys, search, and modify data to your heart's content. When you're done, choose Disconnect Network Registry from the Registry menu and select the computer to disconnect.
By default, the Windows 2000 registry isn't adequately protected from anonymous network users. See the section entitled Securing the Registry later in this chapter for information about protecting the registry from anonymous access.
You can change the name of a key or a value by choosing Rename from the Edit menu. In most cases, you won't want or need to do this. Because software looks for specific named values in the registry, changing the name of one of them is a bad idea. However, when you add keys or values based on advice from Microsoft Knowledge Base articles, it's possible to misspell the name (or, worse yet, to type it correctly but find out that the name in the Knowledge Base article is wrong!), and the Rename command is your only alternative to deleting and re-creating the key.
Regedt32 is a more sophisticated and powerful tool than Regedit, but it's a little harder to use. Figure 37-4 shows a representative session. Notice that the user interface doesn't look like Windows Explorer. That's because Regedt32 uses the old-style MDI interface, in which each root key has its own child window. This arrangement actually works as an advantage, because it's easy to make icons of the windows you're not using (especially when you connect to a remote machine).
Figure 37-4. The old-style MDI interface and appearance of Regedt32.
To edit a value, just double-click it and the appropriate editor dialog box opens. This is easy enough, and the editors themselves are easy to understand—except the editor for REG_FULL_RESOURCE_DESCRIPTOR. But that's OK because you shouldn't be editing items in HKLM\HARDWARE anyway, especially because changes won't be saved.
Regedt32 also allows you to edit an item as though it were of a different type. For example, you can edit a REG_SZ as binary data, or a REG_DWORD as a string. Most of the time this is fairly useless, but sometimes you'll need to take advantage of this facility to do something like editing a bit mask that's stored as a REG_DWORD. Use the bottom four commands on the Edit menu—there's one for each supported data type (Binary, String, DWORD, and Multi String) that you can edit.
When using these data type editors, be aware of these quirks:
As with Regedit, Regedt32 doesn't do any sanity checking on the values you enter, so it's your responsibility to make sure that they're correct.
To add a key, select the key under which you want the new key to appear. For example, to add a subkey to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ESENT, you would select that key and then choose Add Key from the Edit menu, which opens a dialog box in which you name the new key. Once it's named, the new key immediately appears.
Unlike Regedit, Regedt32 doesn't automatically add an unnamed value to the new key, so if you need that default value for some reason, you'll have to add it manually. To add a value, you use the Add Value command on the Edit menu. Adding a value requires the following steps:
Figure 37-5. The Regedt32 Add Value dialog box.
Regedt32 allows you to remove a key (and all its subordinate items) or a single value—just select the target item and press the Delete key (or choose Delete from the Edit menu). By default, Regedt32 makes you confirm what you're doing; if you feel daring, you can save yourself an extra step by clearing the Confirm On Delete command on the Options menu (although we strongly recommend that you leave it selected).
Regedt32 offers you two different ways to move data between your registry and an external disk file. The first way involves loading and saving individual sets of keys with the Registry menu's Save Key and Restore commands, whereas the second involves loading and unloading entire hive files with the Load Hive and Unload Hive commands (from the Registry menu).
What's the difference? Recall that hive files are self-contained entities that contain a particular set of keys. When you save a key with the Save Key command, you're really creating a new hive that coexists equally with the predefined hives you read about earlier in the chapter. You can then reattach that hive in two ways: by creating a new key inside an existing hive (which is what the Load Hive command does) or by overwriting a key with the contents of the saved hive, as Restore does.
Creating a new hive with a set of saved keys in it is easy: Select the key you want to save, and then choose the Save Key command from the Registry menu. When prompted, give the new hive file a name, and Regedt32 saves it. Notice that you can't save a hive unless you have adequate permission to all subkeys of the selected key; for example, even when you are logged on as administrator, you can't save HKLM\HARDWARE to a hive.
Once you have saved the hive file, you can load it into a new key or load it over the top of an existing key. To load the hive file into a new key, select the HKLM or HKU root keys and then choose Load Hive from the Registry menu. (It will be disabled the rest of the time.) When prompted, choose the hive file you want to load, and then name the new key you want the hive to be loaded under.
To load a hive file over the top of an existing key, select the key you want to overwrite and then choose Load Key from the Registry menu; after you choose the file and confirm that you're ready to eliminate the selected key, Regedt32 loads the hive and replaces all of the key's existing contents with the hive contents (provided, of course, that you have permission to do so).
For example, let's say you save the contents of HKLM\SOFTWARE\AOL to a hive file. If you select HKLM and use the Load Hive command, you can create a new key (called, perhaps, AOL) and load the original contents into it. If you select the existing copy of HKLM\SOFTWARE\AOL and use the Restore command, then whatever is stored in the key before restoring the hive is lost.
To connect to a remote machine using Regedt32, choose Select Computer from the Registry menu. The familiar Select Computer dialog box opens, in which you can browse your domain or workgroup and pick the machine whose registry you want to administer. You will be connected if you have administrative access to the remote machine; you might also see a dialog box alerting you that the registry keys from the remote machine won't be updated automatically. As soon as you dismiss that confirmation message, two more MDI windows open: one for HKLM and one for HKU. Each window's title includes the name of the remote machine (for example, HKEY_LOCAL_MACHINE on FALCON) so you can identify which windows contain what information.
Once these windows are open, you can browse and edit just as you would on the local machine (subject, of course, to permissions on the keys you're editing). When you establish a connection to a remote machine, you're actually making a remote procedure call (RPC) connection, which remains open until you use the Close command to close the last window displaying data from that server.
By default, the Windows 2000 registry isn't adequately protected from anonymous network users. See the section entitled Securing the Registry, later in this chapter for information about protecting the registry from anonymous access.
Regedt32 allows you to set security on registry keys by selecting a key and choosing the Permissions command from the Security menu. Everything you learned about setting permissions on files (see Chapter 9) is still true here, and the basic operations work exactly the same way: you select an object and then grant or deny specific privileges to specific users and groups. Figure 37-6 shows an example. Note that five security principles are shown in the Permissions dialog box: Administrators, Authenticated Users, CREATOR OWNER, Server Operators, and SYSTEM. The exact contents you see on your computer vary according to the security template you have applied; more restrictive templates might change these permissions significantly.
Figure 37-6. The standard Permissions dialog box for a registry key.
In the Permissions dialog box, you can grant and deny the Read and Full Control permissions on keys. However, in general, you shouldn't do so on keys owned by the system; that's why Microsoft includes the security templates. You can easily set permissions accidentally that are so restrictive that software that needs registry access can't get it, or you can easily err in the opposite direction and set permissions that are unnecessarily loose.
When you set permissions using the Permissions dialog box, be sure to note whether you select the Allow Inheritable Permissions From Parent To Propagate To This Object check box. By default, this check box is selected, so when you apply new permissions, they are automatically propagated to all subkeys of the selected key. Depending on the level at which you apply these permissions, inheritance might have unintended consequences—if you loosen permissions on a key, you might accidentally loosen permissions on a subkey that should remain secure. Before you change permissions on any keys, be sure to make a good backup of your registry and make a note of the changes you've made so you can reverse them later.
Settings that belong to applications, of course, are another matter altogether. In Windows NT 4, the only way to determine appropriate permissions for most applications' keys is to tighten them down as much as possible, then gradually relax controls until the application starts working properly. Unfortunately, this approach is still required in Windows 2000.
When you click Advanced in the Permissions dialog box, you open the three-tabbed Access Control Settings dialog box. Each tab has a special meaning for registry keys:
Table 37-1. What the registry permissions mean
Permission | What Happens When Granted |
---|---|
Query Value | Allows user to query the registry for a specific value by providing the full path to that value |
Set Value | Allows user to create new values beneath a key or to overwrite an existing value |
Create Subkey | Allows user to create a new subkey beneath the specified key |
Enumerate Subkeys | Allows user to get a list of all subkeys of a particular key; similar to directory traversal of an NTFS volume |
Notify | Allows user to register a callback function that is triggered when the selected value changes |
Create Link | Allows user to create a link to a specified key (just as HKCR links to HKLM\Classes) |
Delete | Allows user to delete an individual value or key |
Write DAC | Allows user to rewrite access controls on the specified key |
Write Owner | Allows user to take ownership of the selected key |
Read Control | Allows user to read the discretionary access control list (DACL) for the specified key |
Figure 37-7. Assigning auditing permissions.
Four useful Regedt32 commands don't really fit elsewhere in this exposition: