Using the Registry Editors | Microsoft Windows 2000 Server Administrators Companion

On those occasions when you need to change values in the registry, you'll have to use some kind of registry editor. Many of the settings that you can change in control panels, Group Policy objects, or MMC snap-ins are actually stored in the registry, so you can think of these utilities as a kind of registry editor. Another kind is the custom-written script that you use to make a specific change, perhaps as part of a logon script or a file you distribute to your users. However, most of the time when you need to make a change directly to the registry, you'll use one of the two tools Microsoft includes with Windows 2000: Regedt32.exe or Regedit.exe.

What You Get

Why are there two registry editors in Windows 2000? Blame it on Windows NT 4. When Windows NT 3.1, 3.5, and 3.51 shipped, they included a registry editor called Regedt32. This tool was written to manipulate Windows NT registry keys and values, and it reflects Microsoft's standards for user interface design at the time it was written—1992 or thereabouts.

When Windows 95 was being developed, Microsoft realized that Regedt32 wasn't a good match for the Windows 95 interface or the underlying structural differences between the two systems' registries. Because Windows 95 also needed a registry editor, Microsoft developed a companion tool, Regedit, and shipped it with Windows 95.

To complicate matters, Microsoft includes both Regedt32 and Regedit with Windows NT 4. Although this might seem unnecessarily redundant, it is actually an advantage, as the two programs have different and complementary abilities. Microsoft continued to ship both programs as part of Windows 2000; except for a few minor cosmetic tweaks and plumbing-related bug fixes, the Windows 2000 versions are identical to their predecessors.

Windows XP does away with Regedt32, integrating most of its functionality into Regedit (The Load Registry Hive feature is gone, but the need for it is lessened, as very few situations now require the editing of the registry from a parallel installation). Thus users get the best of both worlds: the interface and search capabilities of Regedit along with the Windows NT underpinnings of Regedt32.

Regedit vs. Regedt32

With two editors to choose from, how do you know which one to use in a given circumstance? Both tools have the same fundamental capabilities. They allow you to do the following:

Browse a graphical structure that represents the registry hierarchy
See and modify keys, subkeys, values, and value contents, subject to the security privileges you have
Connect to a remote computer for which you have privileges and inspect, or even change, the contents of its registry

However, some significant differences exist, most of which revolve around features that are in one editor but not the other. Let's start with Regedt32. Because it was engineered specifically for Windows NT, it has some useful features that carry over into Windows 2000:

Allows you to see and change security ACLs on registry keys
Allows you to enable auditing on keys so that you can see who has attempted—or who has succeeded—in removing, adding, or editing keys or their contents
Supports all of the registry data types described earlier in the chapter; in addition, you can edit a value of one type using another type's editor (handy when editing REG_BINARY values)
Has a read-only mode that lets you inspect the registry without allowing changes
Can save and load hive files or individual keys
Uses the old-style multiple-document interface (MDI) paradigm, in which each root key has its own document window

In contrast, Regedit was designed to make full use of the Windows 95-style interface, so it looks quite a bit different from Regedt32. It also has the following different functionality:

Searches keys, value names, and value contents for a specified string. This feature is invaluable and is the primary reason to use Regedit.
Uses the familiar two-pane Windows Explorer interface, making it somewhat easier to compare the location of two keys or values. It also includes other Windows Explorer-like features, such as shortcut menus, in-place editing, and the familiar tree control.
Imports and exports selected keys (and their subordinate items) in a human-readable text file, instead of importing and exporting registry keys in binary form.
Includes a Favorites menu (in the Windows 2000 version), to which you can add whatever keys you feel the need to edit repeatedly.

How do you know which tool to use? Most of the time your personal preferences dictate which one you use. Some people like the way that Regedit works, whereas others prefer the old-school Regedt32 interface. If you're trying to find which key holds a particular value, you're better off using Regedit; on the other hand, if you need to set security permissions on a key, you'll have to use Regedt32.

A Whirlwind Tour of Regedit

As a user of Windows Explorer (or any version of Windows), you already know about 85 percent of what you need to use Regedit. This familiarity is entirely by design—Microsoft has tried to make it an easy-to-use tool by copying the user interface that you're already familiar with.

Regedit's main window is shown in Figure 37-2. The important parts of the interface are fairly simple to understand. Notice the following features:

The tree in the left pane of the Registry Editor window shows all of the root keys and subkeys; what you see here depends on which keys and subkeys you've expanded.
The right pane shows the values associated with the selected key in the left pane. Each value is shown with three items: the value name (the name (Default) is used for the unnamed default value that every key has), the value's type, and the value's contents or data.
The status bar at the bottom of the window shows the full path to the currently selected key. (Regedit can also copy this key's path to the clipboard for you, thanks to the Copy Key Name command on the Edit menu; this is handy when you're writing a book or otherwise documenting your work.)

Because these interface features are written with the standard Windows controls, all the keyboard navigation and control shortcuts you're accustomed to using with Windows Explorer work here. For example, you can jump to a particular key by clicking anywhere in the left pane and typing the first few letters of the key's name. You can also use the arrow keys to move around in either half of the Regedit window.

Figure 37-2. The Regedit user interface.

Searching for Keys and Values

The Find command on the Edit menu in Regedit is worth its weight in gold when you need to find which key, or value, has a specific name or contents. The interface to this function is uncomplicated—as Figure 37-3 shows. Even with this simple interface, the tool is extremely valuable because it searches the entire registry for a specific value. Here's how to use the Find dialog box to get what you're looking for:

Type the pattern you're looking for into the Find What box. You can search only for plain ASCII text—no wildcards are allowed. If you're searching for values, Regedit searches only string values (REG_SZ, REG_EXPAND_SZ, and REG_MULTI_SZ) for the pattern you give.
Use the options in the Look At box to control where Regedit looks for the specified value. By default, it searches for key names (the Keys check box), value names (the Values check box), and value contents (the Data check box), but you can fine-tune it.
The Match Whole String Only check box tells Regedit to find the entire search string, not just a portion of it. For example, if you search for "Windows" with this check box selected, the search ignores HKLM \SOFTWARE\Microsoft\Windows NT.

Figure 37-3. Regedit's Find dialog box.

When you have made your selections in the Find dialog box, click Find Next, and Regedit begins searching. Eventually, one of two things happens: either Regedit hits the end of the registry (in which case it tells you that it didn't find any matches), or it finds a match. In the latter case, the match is highlighted; if the match isn't really what you were looking for, choosing the Find Next command on the Edit menu (or F3, its accelerator) continues the search.

Every time you do a search, Regedit starts at the beginning of HKCR and works its way toward the end of HKCC. You can't change this search order, so you might as well get used to it.

Editing Value Contents

The Modify command on the Edit menu lets you change the contents of the selected value entry. (You can also edit a value by selecting it and pressing Enter.) What you see next depends on the type of value you're editing; separate editor dialog boxes exist for string values, DWORD values, and binary values. Regedit lets you edit data types it doesn't support, such as REG_FULL_RESOURCE_ DESCRIPTOR or REG_MULTI_SZ; for those types, it opens the binary editor dialog box. The editor dialog boxes themselves are straightforward—each presents the current value and lets you edit it. The keyboard shortcuts for the Cut, Copy, and Paste commands work in the editor dialog boxes, too.

Adding and Removing Keys and Values

Regedit also allows you to add and remove keys, subkeys, and individual values. Now is a good time to reiterate Microsoft's frequent warning: making unnecessary changes to the registry will likely damage your computer. Be careful when you add data, and be doubly careful when you remove it. (See the sidebar "Being on Your Best Behavior," earlier in this chapter, for more details on why this is a good idea.) To add a new key as a child of the selected key, open the Edit menu, point to New, and choose Key. Regedit creates a new key and selects its name so you can set it correctly. (It defaults to New Key #1.)

The new key automatically has an unnamed value attached to it. You can add more values using the three remaining commands on the New submenu: String Value, Binary Value, and DWORD Value. Note that Regedit can't create any other data types, and if you create a binary value, components interpret it as raw REG_BINARY data. Creating a new value adds it as a child of the selected key and gives it a default name (New Value #1, New Value #2, and so on), which you can immediately change. Once you're done adding and naming the new values, you can use the standard editor dialog boxes to change their contents to the appropriate values.

Removing values and keys is simple. Select the item you want to remove and choose Delete from the Edit menu, or just press the Delete key. Regedit asks you to confirm your command; once you confirm it, the value or key is immediately removed.

Importing and Exporting Registry Data

You can import and export registry data from Regedit. The resulting text files are easy to read, and you can safely move them from machine to machine. In fact, the default association for .REG files automatically launches Regedit and loads the contents of the file when you double-click it. The Export Registry File command on the Registry menu lets you save the selected key to a file, and the Import Registry File command does the reverse. Note that importing a registry file from within Regedit happens immediately—a confirmation dialog box appears that tells you whether the import succeeded or not, but you don't get a chance to stop it. (If you launch a .REG file by clicking it, however, you do get a confirmation dialog box.)

Real World

Creating Your Own .REG Files

If you need to distribute registry changes to your users, one way to do it is with the policy mechanisms discussed in Chapter 10. However, sometimes using a .REG file makes more sense. For example, sites that don't have direct access to Active Directory resources can't receive group policy updates. You can easily mail out .REG files and have your users double-click them. (Of course, that creates a potential security problem, because anyone can send your users the same kinds of files—make sure to educate them about proper e-mail etiquette.)

The first, and easiest, way to create your own .REG file for distribution is to use Regedit to export the keys and values you want to pass around. As an alternative, you can create your own files using NotePad or any other text editor. Here's an example:

 Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="drwtsn32 -p %ld -e %ld -g"
"UserDebuggerHotKey"=dword:00000000

The first line tells Regedit that it's looking at a .REG file. (The blank line that follows is required, too.) After that, the format is easy to understand: define a key by putting its full path in square brackets, and then follow it with each value you want to import, one per line. Enclose value names in double quotes, as well as string value contents. REG_DWORD values are specified using the DWORD: prefix; they don't have to be enclosed in quotes. You can bundle multiple keys into the same file as long as you add a blank line before each key name; each key can contain any number of values.

One tip: while you're becoming proficient with .REG files, you should practice by using a harmless destination path. Create your own key (say, HKLM \SOFTWARE\Testing123) and import your .REG files under it until you're sure that they make only the changes you want made.

Connecting to a Remote Machine's Registry

If you're logged on with the right permissions, you can use Regedit to connect to another computer's registry and inspect or edit it. To accomplish this voodoo, your account must have administrative privileges on both the machine on which you're running Regedit and the other machine whose registry you wish to inspect or edit. In addition, Group Policy settings might prevent you from gaining access.

Assuming that your credentials are in order, you actually connect to the remote machine by choosing Connect Network Registry from the Registry menu. This command lets you browse your network to find the machine you want to connect to; once you've successfully connected, the computer's name appears in the left pane on the same level as My Computer. You can expand its root keys, poke around in the subkeys, search, and modify data to your heart's content. When you're done, choose Disconnect Network Registry from the Registry menu and select the computer to disconnect.

By default, the Windows 2000 registry isn't adequately protected from anonymous network users. See the section entitled Securing the Registry later in this chapter for information about protecting the registry from anonymous access.

Renaming Keys and Values

You can change the name of a key or a value by choosing Rename from the Edit menu. In most cases, you won't want or need to do this. Because software looks for specific named values in the registry, changing the name of one of them is a bad idea. However, when you add keys or values based on advice from Microsoft Knowledge Base articles, it's possible to misspell the name (or, worse yet, to type it correctly but find out that the name in the Knowledge Base article is wrong!), and the Rename command is your only alternative to deleting and re-creating the key.

A Whirlwind Tour of Regedt32

Regedt32 is a more sophisticated and powerful tool than Regedit, but it's a little harder to use. Figure 37-4 shows a representative session. Notice that the user interface doesn't look like Windows Explorer. That's because Regedt32 uses the old-style MDI interface, in which each root key has its own child window. This arrangement actually works as an advantage, because it's easy to make icons of the windows you're not using (especially when you connect to a remote machine).

Figure 37-4. The old-style MDI interface and appearance of Regedt32.

Editing Value Contents

To edit a value, just double-click it and the appropriate editor dialog box opens. This is easy enough, and the editors themselves are easy to understand—except the editor for REG_FULL_RESOURCE_DESCRIPTOR. But that's OK because you shouldn't be editing items in HKLM\HARDWARE anyway, especially because changes won't be saved.

Regedt32 also allows you to edit an item as though it were of a different type. For example, you can edit a REG_SZ as binary data, or a REG_DWORD as a string. Most of the time this is fairly useless, but sometimes you'll need to take advantage of this facility to do something like editing a bit mask that's stored as a REG_DWORD. Use the bottom four commands on the Edit menu—there's one for each supported data type (Binary, String, DWORD, and Multi String) that you can edit.

When using these data type editors, be aware of these quirks:

In the Binary Editor, you can see items in either binary or hex. The editor marks offsets in the data by showing you a 32-byte offset count on the left and a 0-31 scale across the top. This makes it easy to locate bytes at specific offsets if you need them.
The Multi-String Editor expects you to enter one string per line, using the Return or Enter keys to skip to the next line.
The DWORD Editor lets you enter values in binary, hex, or decimal. The editor dialog box is smart enough to ignore any illegal keystrokes (like 2 when editing a binary value).

As with Regedit, Regedt32 doesn't do any sanity checking on the values you enter, so it's your responsibility to make sure that they're correct.

Adding Keys and Values

To add a key, select the key under which you want the new key to appear. For example, to add a subkey to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ESENT, you would select that key and then choose Add Key from the Edit menu, which opens a dialog box in which you name the new key. Once it's named, the new key immediately appears.

Unlike Regedit, Regedt32 doesn't automatically add an unnamed value to the new key, so if you need that default value for some reason, you'll have to add it manually. To add a value, you use the Add Value command on the Edit menu. Adding a value requires the following steps:

Select the key to which you want to add a value, and then use the Add Value command. The Add Value dialog box shown in Figure 37-5 appears.
Type the name of the new value into the Value Name field. (Leave it blank if you want to add the <No Name> default value.)
Use the Data Type list box to select the type for the new value. Click OK. A type-specific editor dialog box appears; which one you get depends on the type you specified in the Value Name field.

Figure 37-5. The Regedt32 Add Value dialog box.
Fill in the data you want stored in the value, and then click OK to save the new value or click Cancel to leave the registry untouched.

Removing Keys and Values

Regedt32 allows you to remove a key (and all its subordinate items) or a single value—just select the target item and press the Delete key (or choose Delete from the Edit menu). By default, Regedt32 makes you confirm what you're doing; if you feel daring, you can save yourself an extra step by clearing the Confirm On Delete command on the Options menu (although we strongly recommend that you leave it selected).

Loading, Unloading, and Importing Registry Data

Regedt32 offers you two different ways to move data between your registry and an external disk file. The first way involves loading and saving individual sets of keys with the Registry menu's Save Key and Restore commands, whereas the second involves loading and unloading entire hive files with the Load Hive and Unload Hive commands (from the Registry menu).

What's the difference? Recall that hive files are self-contained entities that contain a particular set of keys. When you save a key with the Save Key command, you're really creating a new hive that coexists equally with the predefined hives you read about earlier in the chapter. You can then reattach that hive in two ways: by creating a new key inside an existing hive (which is what the Load Hive command does) or by overwriting a key with the contents of the saved hive, as Restore does.

Creating a new hive with a set of saved keys in it is easy: Select the key you want to save, and then choose the Save Key command from the Registry menu. When prompted, give the new hive file a name, and Regedt32 saves it. Notice that you can't save a hive unless you have adequate permission to all subkeys of the selected key; for example, even when you are logged on as administrator, you can't save HKLM\HARDWARE to a hive.

Once you have saved the hive file, you can load it into a new key or load it over the top of an existing key. To load the hive file into a new key, select the HKLM or HKU root keys and then choose Load Hive from the Registry menu. (It will be disabled the rest of the time.) When prompted, choose the hive file you want to load, and then name the new key you want the hive to be loaded under.

To load a hive file over the top of an existing key, select the key you want to overwrite and then choose Load Key from the Registry menu; after you choose the file and confirm that you're ready to eliminate the selected key, Regedt32 loads the hive and replaces all of the key's existing contents with the hive contents (provided, of course, that you have permission to do so).

For example, let's say you save the contents of HKLM\SOFTWARE\AOL to a hive file. If you select HKLM and use the Load Hive command, you can create a new key (called, perhaps, AOL) and load the original contents into it. If you select the existing copy of HKLM\SOFTWARE\AOL and use the Restore command, then whatever is stored in the key before restoring the hive is lost.

Connecting to a Remote Machine's Registry

To connect to a remote machine using Regedt32, choose Select Computer from the Registry menu. The familiar Select Computer dialog box opens, in which you can browse your domain or workgroup and pick the machine whose registry you want to administer. You will be connected if you have administrative access to the remote machine; you might also see a dialog box alerting you that the registry keys from the remote machine won't be updated automatically. As soon as you dismiss that confirmation message, two more MDI windows open: one for HKLM and one for HKU. Each window's title includes the name of the remote machine (for example, HKEY_LOCAL_MACHINE on FALCON) so you can identify which windows contain what information.

Once these windows are open, you can browse and edit just as you would on the local machine (subject, of course, to permissions on the keys you're editing). When you establish a connection to a remote machine, you're actually making a remote procedure call (RPC) connection, which remains open until you use the Close command to close the last window displaying data from that server.

By default, the Windows 2000 registry isn't adequately protected from anonymous network users. See the section entitled Securing the Registry, later in this chapter for information about protecting the registry from anonymous access.

Managing Security on Registry Keys

Regedt32 allows you to set security on registry keys by selecting a key and choosing the Permissions command from the Security menu. Everything you learned about setting permissions on files (see Chapter 9) is still true here, and the basic operations work exactly the same way: you select an object and then grant or deny specific privileges to specific users and groups. Figure 37-6 shows an example. Note that five security principles are shown in the Permissions dialog box: Administrators, Authenticated Users, CREATOR OWNER, Server Operators, and SYSTEM. The exact contents you see on your computer vary according to the security template you have applied; more restrictive templates might change these permissions significantly.

Figure 37-6. The standard Permissions dialog box for a registry key.

In the Permissions dialog box, you can grant and deny the Read and Full Control permissions on keys. However, in general, you shouldn't do so on keys owned by the system; that's why Microsoft includes the security templates. You can easily set permissions accidentally that are so restrictive that software that needs registry access can't get it, or you can easily err in the opposite direction and set permissions that are unnecessarily loose.

When you set permissions using the Permissions dialog box, be sure to note whether you select the Allow Inheritable Permissions From Parent To Propagate To This Object check box. By default, this check box is selected, so when you apply new permissions, they are automatically propagated to all subkeys of the selected key. Depending on the level at which you apply these permissions, inheritance might have unintended consequences—if you loosen permissions on a key, you might accidentally loosen permissions on a subkey that should remain secure. Before you change permissions on any keys, be sure to make a good backup of your registry and make a note of the changes you've made so you can reverse them later.

Settings that belong to applications, of course, are another matter altogether. In Windows NT 4, the only way to determine appropriate permissions for most applications' keys is to tighten them down as much as possible, then gradually relax controls until the application starts working properly. Unfortunately, this approach is still required in Windows 2000.

When you click Advanced in the Permissions dialog box, you open the three-tabbed Access Control Settings dialog box. Each tab has a special meaning for registry keys:

The Permissions tab's View/Edit button allows you to assign more granular permissions to individual users. For example, you can fine-tune who can create new values in a key by adjusting the setting for the Set Value permission. Table 37-1 shows the permissions you can grant or deny. Because most registry keys gain their permissions from inheritance, be aware that you might not be able to make changes here without turning inheritance off.
The Auditing tab lets you set auditing permissions for the selected key. First, you specify the users or groups whose actions you want to audit; next, you specify which particular actions you want recorded (Figure 377). Note that the actions you can audit are the same as the permissions shown in Table 37-1. You can audit successful or failed attempts to exercise these permissions.
The Owner tab lets you reassign ownership of the selected key, either with or without propagating that change to all subitems beneath it. Note that depending on your security settings, a change in ownership might result in an audit trail being generated.

Table 37-1. What the registry permissions mean

Permission	What Happens When Granted
Query Value	Allows user to query the registry for a specific value by providing the full path to that value
Set Value	Allows user to create new values beneath a key or to overwrite an existing value
Create Subkey	Allows user to create a new subkey beneath the specified key
Enumerate Subkeys	Allows user to get a list of all subkeys of a particular key; similar to directory traversal of an NTFS volume
Notify	Allows user to register a callback function that is triggered when the selected value changes
Create Link	Allows user to create a link to a specified key (just as HKCR links to HKLM\Classes)
Delete	Allows user to delete an individual value or key
Write DAC	Allows user to rewrite access controls on the specified key
Write Owner	Allows user to take ownership of the selected key
Read Control	Allows user to read the discretionary access control list (DACL) for the specified key

Figure 37-7. Assigning auditing permissions.

Miscellaneous Useful Tricks

Four useful Regedt32 commands don't really fit elsewhere in this exposition:

Regedt32 can't search values, but it can look for a key with a specified name. The Find Key command on the View menu lets you search the registry (beginning with the selected key and proceeding either up or down) for a particular key name. Searches can be case sensitive or not, and you can choose to search for the supplied text on its own or when it appears as part of another name.
You've already briefly worked with the Confirm On Delete command on the Options menu. When selected (as it is by default), Regedt32 asks you to confirm your intentions when you attempt to remove a key.
The Read Only Mode command on the Options menu toggles Regedt32 between read-only and normal modes. Read-only mode is a great boon because you can't mess anything up when it's on. It's a great way to learn by exploring with no risk of accidental damage.
The Auto Refresh command on the Options menu controls whether Regedt32 automatically updates your root key windows periodically. By default, it is enabled, so Regedt32 updates local windows by itself. On machines where lots of registry changes exist, you might want to disable automatic updates and use the View menu's Refresh All and Refresh Active commands to trigger updates only when you need them.