The Windows Registry



The Windows XP Registry is the central repository in which Windows and most Windows applications store configuration information, such as hardware settings, software configuration, licensing and registration data, associations between filename extensions and applications, and user preferences.

For most of your daily tasks with Windows XP, you will never need to touch the Registry. Almost everything you'll ever need to configure that shows up in the Registry can be handled through a Control Panel applet, application option dialogs, or, as discussed in the last section, TweakUI. But, there are some adjustments that can only be made through direct Registry settings, so you should know the basics of safe Registry editing.

There are hundreds of websites offering advice about performance improvements you can gain by altering Registry settings. My advice is to ignore these entirely. My experience is that much such advice is either out of date, specific to particular situations (but not yours), or flat-out wrong. (As a perfect example, while writing the previous section, I tried a Registry hack that purported to make the TweakUI XP Power Toy appear in the Control Panel, and it did do that, but it also made Explorer crash every time I clicked on a Control Panel icon.) There are, however, times when Registry editing is necessary, usually on the advice of a Microsoft Knowledge Base article, tech support person, or a helpful book like this one.

Structure of the Registry

The Registry is a specialized database of values, which can be compared to files, that are stored in a hierarchical structure of keys, which can be compared to folders. There are five top-level keys, under which all of the Registry's keys reside. Logically, then, each top-level key contains a plethora of hierarchically related keys, subkeys, values, and data. The top-level keys (in order of appearance) are as follows:

  • HKEY_CLASSES_ROOT (HKCR) This contains file association data. For example, when you click on a file ending in .TXT, the .TXT subkey contains the information that tells Windows to display the file using NOTEPAD.EXE. HKEY_CLASSES_ROOT builds itself by combining the values from HKEY_LOCAL_MACHINE\Software\Classes, which contains systemwide default application associations, and from HKEY_CURRENT_USER\Software\Classes, which contains user-specified preferences for application associations. If any keys appearing in both locations are in conflict, the settings specified under HKEY_CURRENT_USER will win. HKCR also contains the configuration information for COM and ActiveX objects and document type/MIME type associations.

  • HKEY_CURRENT_USER (HKCU) This is a "virtual" top-level key that actually references the subsection of HKEY_USERS pertaining to the currently logged-on user.

  • HKEY_LOCAL_MACHINE (HKLM) This stores all hardware and machine-specific setup information for your computer. For example, this key lists every device driver to load, all of your hardware's settings, all services and service configurations, and any software setup and configuration data that is common to all users.

  • HKEY_USERS (HKU) This contains a subkey for each user of the computer. Under each user's key, Windows stores user-specific information such as file locations, display preferences, software preferences, and recently accessed file lists. These keys are only loaded when the associated user is logged on.

  • HKEY_CURRENT_CONFIG (HKCC) This is another "virtual" top-level key whose contents are actually the contents of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current. This key is the selected hardware configuration specific to your current hardware profile.

Note

When referencing the Registry via a script or command-line utility, as well as in much of the documentation available for the Registry, the parent Registry hives are often referred to only by their three- or four-letter standard abbreviations. The accepted abbreviations are listed in parentheses behind their associated full names in the preceding list.


Physically, the Registry's data are stored in a small collection of files called hives. For each hive file there is a corresponding file called a change log, which protects against corruption from system crashes. Most hive files can be found in the folder %systemroot%\System32\Config. The Registry hive used to store per-user preference settings is named ntuser.dat (with corresponding change log file NTUSER.DAT.LOG), and is stored in each user's profile folder, which is by default %systemdrive%\Documents and Settings\username. This hive's data is loaded as a subkey under top-level key HKEY_USERS when a user logs on, and the same data appears under top-level key HKEY_CURRENT_USER when the user is the current primary user.

Another file, UsrClass.dat (and UsrClass.dat.LOG), can be found a bit deeper under each user profile in %systemdrive%\Documents and Settings\username\Local Settings\Application Data\Microsoft\Windows. This second hive holds the list of keys that add to and override systemwide settings that are specified in the HKEY_CLASSES_ROOT key. This feature makes it possible for users to have individualized document type/application associations (which used to be applied throughout the system) and for individual users to have customized application and ActiveX/COM object installations.

Note

You can see a complete listing of the full paths to all currently loaded Registry hives under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist.


Backing Up and Restoring the Registry

Before diving into Registry modifications, I'll talk about backing them up. Every computer book I've seen (including those I've written) stresses these facts:

1. There is no Undo key in the Registry Editor.

2. Improper changes to the Registry can keep Windows from booting, or can make subsystems fail to work.

3. You should always perform a system backup, or at least back up the entire Registry before you make any changes to the Registry.

In the spirit of full disclosure, I have to tell you that items 1 and 2 are completely true, and I've never followed the advice of item 3 myself. Maybe I'm an idiot, maybe the warnings are a bit too strident, or maybe it's something in between. But, especially with Windows XP's System Restore feature to do all of the work for you, there's really no harm in taking a few extra moments to protect yourself against a preventable bad outcome.

You can back up the Registry in Windows XP in five ways: You can back it up as part of a regular disk backup; you can selectively back up portions of the Registry by exporting the keys with the Registry Editor; you can create a System Restore Point; you can use the command-line application REG.EXE; or you can use a special-purpose Registry backup program.

Registry Backup and Recovery with Windows Backup

As discussed in Chapter 4, Windows XP includes a simple, straightforward backup and restore utility called NTBackup that you can use to back up your entire system, including data files, system files, and Registry files. (NTBackup is not installed by default on XP Home Edition; see Chapter 5 for instructions on installing it from your Setup CD.)

To back up only the Registry, follow these steps:

1. Click Start, Run, and type ntbackup in the open box. Click OK.

2. If the backup utility starts in the wizard interface, click the Advanced Mode option in the body of the main paragraph to take you out of the wizard and display the tabbed Backup Utility interface.

3. Select the Backup tab and select the System State option in the tree in the left pane. The System State is composed of the Registry, the boot files, the Active Directory files, and the certificates.

4. Enter a backup filename in the designated box. You should see something similar to what is displayed in Figure 6.15. It's best if you save this backup in another computer's shared network folder, or on a removable disk.

Figure 6.15. The tabbed interface of the Windows XP Backup Utility application.

5. Click the Start Backup button. You are then prompted for a backup description. Select the option to Replace the Data on the Media with This Backup.

6. Click the Advanced button and uncheck the option to Automatically Backup System Protected Files with the System State. This ensures that you're grabbing only a backup of the Registry and cuts your backup file down from 1GB to somewhere between 10 and 50MB, depending on your Registry size. Click OK, and then click Start Backup.

7. The Backup Progress dialog displays. When the job completes, click Close.

To restore the Registry from a backup made with NTBackup, follow these steps:

Caution

Do not test this procedure out on a properly functioning system. This is a drastic procedure meant only for recovering from Registry-related disasters and should not be attempted unless absolutely necessary, or if you are working on a lab machine specifically set up to test this process.


1. Click Start, Run, and type ntbackup in the open box. Click OK.

2. If the backup utility starts in the wizard interface, click the Advanced Mode option in the body of the main paragraph to take you out of the wizard and to display the tabbed Backup Utility interface.

3. Select the Restore and Manage Media tab.

4. Select Tools, Options, Always Replace the File on My Computer because your Registry files already exist. Click OK.

5. In the right pane, expand the list of catalogued backups until you find the one you want to restore. If you do not see your backup job in the list, click Tools, Catalog a Backup File, and enter the location for the backup file in the resulting box. Select the applicable backup set and select System State in the left pane.

6. Click Start Restore. A dialog warns you that System State is always restored to the current location. Because that's what you want to happen, click OK.

7. Click OK on the Advanced Options dialog.

8. Confirm the proper name and location of the backup set, and then click OK.

9. When the restore completes, you must restart the system to successfully load the restored Registry files.

Exporting and Importing Registry Files with the Registry Editor

The Registry Editor that is included with Windows XP allows you to selectively export anything from a single subkey to an entire Registry key. If you're performing significant modifications, this is a good way to ensure that you can figure out what the original values were if you need to roll back your changes.

To back up a key including all subkeys and values, follow these steps:

1. Click Start, Run, type regedit, and click OK.

2. Select the key you want to back up from the list in the left pane.

3. Select File, Export.

4. In the Common File dialog, select a directory and enter the filename where you would like to save the exported Registry entries.

Caution

The default extension for an exported Registry file is .REG. Double-clicking on a .REG file automatically imports the file into the Registry after providing a single confirmation box. To prevent too-easy accidental Registry imports, I suggest you save exported Registry files as text files, with the .TXT extension.

5. Select Selected Branch in the Export Range option box, and click Save.

Because this is a plain-text file, you can open it in Notepad to see the contents. I often use this method to deploy changes to several computers: I make limited Registry changes on a single system, export the change as a .REG file, edit the file down to just the modified entries, move the file to a network folder, and import the file on other machines.

Importing a Registry file exported through the Registry Editor is just as straightforward as exporting:

1. Click Start, Run, type regedit, and click OK.

2. Select File, Import.

3. In the Common File dialog, enter the filename containing the data you want to import.

4. Select Open.

Importing a Registry setting through the Registry Editor overwrites existing keys or values and adds missing keys or values, but it does not delete extra keys or values that are not contained in the Registry file. However, you can use a Registry file to explicitly specify subkeys or values to delete. I'll show you how in the section "Deploying Registry Settings with .REG Files," later in this chapter.

Note

Remember when I suggested changing the extension of the previous Registry file from .REG to .TXT so you wouldn't accidentally import the settings? You can use the inverse to enable a two-step, REGEDIT-free Registry file import. Simply rename the Registry file you want to import with a .REG extension. Then double-click the Registry file to quickly import the contents of the file into your Registry. You can't back out of the import after you've confirmed it exists, so ensure you know what you're importing before you run the REG file.


Backing Up with System Restore

A System Restore Point allows you to restore your computer to a previous state, rolling back changes to device drivers, system files, and the Registry. By manually requesting that Windows create a Restore Point before you forage into the Registry, you can make changes and easily roll them back if something doesn't work.

For instructions on creating and restoring a Restore Point, see "System Restore," p. 220.



Command-Line Backup and Restore Using reg.exe

A command-line Registry manipulation tool called reg.exe is included with Windows XP. This tool is useful for selectively backing up or restoring specific Registry subkeys. Numerous functions are available in reg.exe, including Registry exporting and importing.

Note

You can do quite a few things with reg. Use the command reg /? for a complete usage syntax of the command.


To back up a Registry key using reg.exe, use the following syntax:

 reg export rootkey\subkey filename

For rootkey, you can use the abbreviations HKLM, HKCU, HKCR, HKU, or HKCC. Subkey must be the full name of a Registry key under the selected root. Filename is the name of the file to which you want to save the exported data.

To restore a Registry key using reg, use the following syntax:

 reg import filename

When importing, filename can be any file created by reg export, from the regedit Registry Editor's Export command, or created manually with a text editor.

Editing the Registry

The primary interface to the Registry, the Registry Editor, displays a representation of the Registry using an interface that is similar to the familiar layout of folders and files as viewed through Windows Explorer. To run it, click Start, Run and enter regedit.

Figure 6.16 shows a Registry Editor window. The left pane contains the five top-level keys. The status bar along the bottom displays the full path of the currently selected key. I've expanded the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE keys to show the first round of subkeys beneath each. The right pane shows values assigned to the key selected in the left-hand pane.

Figure 6.16. The Registry Editor: unfiltered access to your system's configuration database.

Just as a disk's folders can contain subfolders, and in each there may be files as well, Registry keys can contain subkeys, and each key can contain values as well. Most Registry editing tasks consist of locating one or two existing values and changing them. Occasionally, you will need to add new values or subkeys; it is impossible for you to add a new top-level Registry key.

The five main value data types in the Registry are as follows:

  • REG_DWORD This is a single hexadecimal or decimal number. You can select decimal or hexadecimal display when you're editing a particular value.

  • REG_BINARY This is a block of binary data displayed in the REGEDIT interface in hexadecimal format.

  • REG_SZ This is a plain-text string of alphanumeric characters.

  • REG_MULTI_SZ This is similar to REG_SZ, but it can contain multiple lines of text.

  • REG_EXPAND_SZ This is similar to REG_SZ, but the string can contain environment variables such as %SYSTEMROOT% or %USERNAME%. When a program requests such a value from Windows, the environment values are automatically substituted in before the program sees the data.

There are other data types, but they are rarely encountered, and never need to be edited by hand.

To open the Registry Editor, click Start, Run, type regedit in the Open field, and click OK. You can dig through the top-level keys into subkeys in the left pane. Values associated with each key are displayed in the right pane.

To change the data associated with a value, double-click the value and change the value data in the resulting dialog. For numeric (DWORD) values, you can select a decimal or hexadecimal display; use whichever mode is more convenient for you.

Keep in mind that all changes are final. There is no Undo. If you delete a key or value, the only way to put it back is to manually re-add it or restore it from backup.

Caution

Here's that strident warning again: Editing the Registry can change the configuration of your system. Therefore, by nature, it is a potentially dangerous task. Do not directly manipulate the Registry when using a GUI setting can do the same job, and never blindly fiddle with the Registry unless you are aware of what the potential consequences are.


Some Registry-based settings take effect immediately; others require a restart of an associated application or a reboot of the system.

Editing the Registry Remotely

If you need to edit the Registry of a system other than your own, you can connect to a Registry over the network. To perform this function on a Workgroup network, three conditions must be met:

  • The remote computer must have an account with the same logon name and password as the account you're currently using.

  • The account on the remote computer must be a Computer Administrator account.

  • Simple File Sharing must be disabled on the remote computer. This means that the remote computer cannot be running Windows XP Home Edition, but it can be running Windows XP Professional with Simple File Sharing disabled. Windows 2000 Professional or a Server version are editable as well.

If your network meets these conditions, in the Registry Editor, simply click File, Connect Network Registry, and enter the computer name for the remote system in the resulting dialog. The remote computer's HKEY_CURRENT_USER section will not be displayed.

Editing a Hive File

At some point you may find that you need to edit the Registry of a Windows system that cannot boot. To edit a dead system's Registry, you can install its boot drive in another computer and use that computer's Registry Editor to mount and edit the Registry files on the added disk. Once the hard drive from the dead computer is running in a new computer, follow these steps:

1. Log on as a Computer Administrator and start regedit.

2. Select HKEY_USERS in the left pane, and from the menu select File, Load Hive.

3. In the Load Hive (open file) dialog, click My Computer, open the drive that came from the dead computer, and browse to the file corresponding to the Registry section that you need to edit (see Table 6.3). Click Open.

Table 6.3. Hive Files for Various Registry Sections

Registry Section               Hive File
HKEY_CLASSES_ROOT              \windows\system32\config\software (look at subkey Classes)
HKEY_CURRENT_USER              \Documents and Settings\username\ntuser.dat
HKEY_LOCAL_MACHINE\Hardware    (none, this is created dynamically when Windows boots)
HKEY_LOCAL_MACHINE\SAM         \windows\system32\config\sam
HKEY_LOCAL_MACHINE\Security    \windows\system32\config\security
HKEY_LOCAL_MACHINE\Software    \windows\system32\config\software
HKEY_LOCAL_MACHINE\System      \windows\system32\config\system


4. For a key name, enter xxx or something clearly not normal.

5. Browse into key xxx and make the necessary changes, as shown in Figure 6.17.

Figure 6.17. Editing a Registry hive mounted from another computer's disk.

6. Highlight xxx under HKEY_USERS in the left pane and from the menu select File, Unload Hive. Confirm by checking Yes.

Now you can shut down Windows and return the hard disk to the original computer.

(Alternatively, if the disk in the dead system has more than one partition, you can leave the disk in the original computer, and install a fresh copy of Windows into an alternative partition. Boot that copy of Windows and locate and edit the hive files from the original partition.)

Deploying Registry Settings

When a Registry change has to be made in several computers, it can be impractical to visit each one and manually make the changes. On a corporate domain network, Registry settings can easily be deployed through Active Directory. If you don't have a domain network, there are still some ways to quickly install Registry changes in multiple computers.

Deploying Registry Settings with .REG Files

The easiest method for distributing Registry settings is through the use of a .REG file. You saw how to export and import .REG files earlier in this chapter, in the section "Exporting and Importing Registry Files with the Registry Editor" (page 262), but in that section you were exporting an entire Registry key. Let's take a look at using .REG files to deploy a limited group of settings.

In the earlier example, you selected the top-level Registry key and exported the entire thing to a .REG file. If you viewed the resulting file in the Registry Editor, you probably noticed fairly significant and unruly content. That is because the .REG file contained all keys, subkeys, values, and data in the branch of the Registry that you exported. Let's manually create a .REG file that adds a key and some values to HKEY_CURRENT_USER. Create the following file in a plain-text editor, such as Notepad:

 Windows Registry Editor Version 5.00

 [HKEY_CURRENT_USER\My Settings]
 @="this is the default value"
 "ValueName1"="String Value"
 "ValueName2"="String Value"
 "ValueName3"=dword:0000002a

Save this file as mysettings.reg. To import the settings, follow these steps:

1. Double-click the mysettings.reg file.

2. You see a pop-up confirmation message that asks Are you sure you want to add the information in c:\mysettings.reg to the registry? Click Yes to import the file.

3. You then receive a confirmation box stating Information in C:\mysettings.reg has been successfully entered into the registry. Click OK.

After you import the .REG file, open the Registry Editor (Start, Run, regedit). Expand HKEY_CURRENT_USER, and you should see a subkey named My Settings that contains values as displayed in Figure 6.18.

Figure 6.18. The Registry key and values created by mysettings.reg.

Note

Importing a .REG file by double-clicking it is pretty straightforward, but what about those two confirmation boxes? What if you don't want your users to know that you are importing Registry settings? And what's more, you don't want them having an opportunity to reject the setting by clicking No on the confirmation dialog. Fortunately, you can silently install a Registry file from the command line using the following command:

 regedit /s mysettings.reg 

Add a line like the preceding to a logon or startup script, and you can quickly, easily, and silently deploy Registry settings to users and computers throughout your environment.


Deploying Registry settings using .REG files overwrites existing keys, values, or data and adds missing keys, values, or data. .REG files do not delete extra keys, values, or data that are in the Registry but not in the Registry file. To delete information in the Registry, you must use regedit, remove the key using a script (as demonstrated in the next section), or explicitly define the keys or values you want to delete within the .REG file. To demonstrate, I show you how to manually create two .REG files to manipulate values created under the HKEY_CURRENT_USER\My Settings key created earlier in this section.

First, create the following file in a plain-text editor, such as Notepad, and save the file as WhackOneValue.reg:

 Windows Registry Editor Version 5.00

 [HKEY_CURRENT_USER\My Settings]
 "ValueName2"=-

Notice the minus (-) sign where the data normally goes for the value. This directs the Registry Editor to delete the associated name and data pair when you run or import the .REG file. After you run WhackOneValue.reg, open the Registry Editor. You no longer find ValueName2 under HKEY_CURRENT_USER\My Settings. Note that if you had the Registry Editor open when you ran the script, you might need to press F5 to refresh the display before seeing the effect of the script.

Next, create the following file in Notepad and save the file as WhackMySettings.reg:

 Windows Registry Editor Version 5.00

 [-HKEY_CURRENT_USER\My Settings]

Notice the minus (-) sign in front of HKEY_CURRENT_USER. This directs the Registry Editor to delete the following key when you run or import the .REG file. After you run WhackMySettings.reg, open the Registry Editor. You no longer find the My Settings key under HKEY_CURRENT_USER. Again, if you had Registry Editor open when you ran the script, you might need to press F5 to refresh the display before seeing the effect of the script.
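Because a .REG file can overwrite and delete without any Undo, it is worth listing what a file requests before it is double-clicked or passed to regedit /s. The following Python parser for the syntax shown in this section is an added example, not code from the book; the function names, the Op record, and the ExpandDemo value in the sample are assumptions made for illustration, and it also decodes hex: data, which goes beyond the string and dword values shown above.

```python
import re
from collections import namedtuple

HEADER = "Windows Registry Editor Version 5.00"
Op = namedtuple("Op", "action key name type data")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')
HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')

def _unquote(s):  # drop the surrounding quotes, undo the \\ and \" escapes
    return re.sub(r'\\(.)', r'\1', s[1:-1])

def _decode(raw):  # text right of '=' -> (registry type name, Python value)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "REG_SZ", _unquote(raw)
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if not m:
        raise ValueError("unrecognized value data: %r" % raw)
    data = bytes(int(b, 16) for b in m.group(2).replace(" ", "").split(",") if b)
    kind = int(m.group(1), 16) if m.group(1) else 3  # bare "hex:" is REG_BINARY
    if kind == 2:  # version 5.00 files store string types as UTF-16LE bytes
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\0")
    if kind == 7:
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\0") if s]
    return ("REG_BINARY" if kind == 3 else "type 0x%x" % kind), data

def parse_reg(text):
    """List, in file order, every change that importing this .REG text requests."""
    joined, buf = [], ""
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if line.endswith("\\"):  # long hex data continues on the next line
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    body = [l for l in joined if l and not l.startswith(";")]
    if not body or body[0] != HEADER:
        raise ValueError("not a version 5.00 .REG file")
    ops, key = [], None
    for line in body[1:]:
        if line.startswith("[") and line.endswith("]"):
            delete = line.startswith("[-")  # [-KEY] removes the key and its contents
            key = None if delete else line[1:-1]
            action = "delete_key" if delete else "ensure_key"
            ops.append(Op(action, line[2:-1] if delete else key, None, None, None))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unparseable line: %r" % line)
        name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
        raw = m.group(2).strip()
        if raw == "-":  # "Name"=- removes a single value
            ops.append(Op("delete_value", key, name, None, None))
        else:
            ops.append(Op("set_value", key, name, *_decode(raw)))
    return ops

def deletions(ops):
    """Only the explicit key and value deletes, the part with no Undo."""
    return [op for op in ops if op.action.startswith("delete")]

# Constructed sample: the page's three .REG files run together, plus one
# constructed REG_EXPAND_SZ value ("ExpandDemo") to exercise hex(2) decoding.
SAMPLE = r"""Windows Registry Editor Version 5.00

; mysettings.reg
[HKEY_CURRENT_USER\My Settings]
@="this is the default value"
"ValueName1"="String Value"
"ValueName2"="String Value"
"ValueName3"=dword:0000002a
"ExpandDemo"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,\
  52,00,4f,00,4f,00,54,00,25,00,00,00
; WhackOneValue.reg
[HKEY_CURRENT_USER\My Settings]
"ValueName2"=-
; WhackMySettings.reg
[-HKEY_CURRENT_USER\My Settings]
"""

if __name__ == "__main__":
    print(*parse_reg(SAMPLE), sep="\n")
```

Files exported by the Registry Editor in this format are Unicode text, so read them with encoding="utf-16" before handing the text to parse_reg.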

Deploying Registry Settings with VBScript

Managing the Registry with VBScript is amazingly straightforward using the RegRead, RegWrite, and RegDelete methods against the WScript.Shell object.

Note

For full downloadable Windows Scripting Host documentation in the Windows Help File format, see the Microsoft Developers Network Scripting resources at http://msdn.microsoft.com/scripting.


The following code listing creates a Registry subkey named My Settings under the HKEY_CURRENT_USER key. The script uses the RegWrite method to populate the default value, plus three additional values under the new subkey. Each new value is populated with data. After populating the key, values, and data, the script displays the data values by reading the Registry with the RegRead method. Enter the following lines of code into a plain-text editor, such as Notepad, and save the file as mysettings.vbs.

 Set myReg = CreateObject("WScript.Shell")
 key = "HKEY_CURRENT_USER\My Settings"

 'Write the keys
 myReg.RegWrite key & "\",              "this is the default value"
 myReg.RegWrite key & "\Boolean Value", "True"
 myReg.RegWrite key & "\String Value",  "Upgrading and Repairing", "REG_SZ"
 myReg.RegWrite key & "\DWORD Value",   42, "REG_DWORD"

 'Read the keys
 WScript.Echo "Default Value: " & myReg.RegRead(key & "\")
 WScript.Echo "Boolean Value: " & myReg.RegRead(key & "\Boolean Value")
 WScript.Echo "String Value:  " & myReg.RegRead(key & "\String Value")
 WScript.Echo "DWORD Value:   " & myReg.RegRead(key & "\DWORD Value")

 Set myReg = Nothing

After you type the command cscript mysettings.vbs, open the Registry Editor (Start, Run, regedit). Expand HKEY_CURRENT_USER, and you should see a subkey named My Settings, containing values created by the script.

To demonstrate the use of the RegDelete method, and to clean up the useless Registry key created previously, create a script file named delkey.vbs containing the following five lines.

 'Delete the keys
 Set myReg = CreateObject("WScript.Shell")
 key = "HKEY_CURRENT_USER\My Settings"
 myReg.RegDelete key & "\"
 Set myReg = Nothing

After you run the command cscript delkey.vbs, open the Registry Editor. You should no longer see the My Settings key under HKEY_CURRENT_USER. If you had Registry Editor opened when you ran the script, you might need to press F5 to refresh the display before seeing the effect of the script.

Because startup, shutdown, logon, and logoff scripts can all be written using VBScript, the previous samples give you an easy way to deploy scripted changes to the Registry of any systems on which you control the related script policies.

Caution

Often, deploying settings through the startup, shutdown, logon, or logoff scripts is your only way to distribute Registry edits now that .REG and .VBS files effectively function as a sort of poor man's virus for virus authors who can't afford compilers. You definitely don't want to get your users in the habit of opening .VBS or .REG attachments from their email. In fact, many corporate email scanners automatically delete attachments of these types, and Outlook XP automatically blocks both types of attachments. Therefore, a user might not even be able to open or run .VBS or .REG files if you don't deploy them through the system scripts.





Upgrading and Repairing Microsoft Windows (2nd Edition)
ISBN: 0789736950
EAN: 2147483647
Year: 2005
Pages: 128
