Windows registry

From Wikipedia, the free encyclopedia

In computing, the Windows registry is a database which stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions and Windows Mobile. It contains information and settings for all the hardware, software, users, and preferences of the PC. Whenever a user makes changes to "Control Panel" settings, or file associations, system policies, or installed software, the changes are reflected and stored in the registry.

The Windows Registry was introduced to tidy up the profusion of per-program INI files that had previously been used to store configuration settings for Windows programs. These files tended to be scattered all over the system, which made them difficult to keep track of.

Contents 1 Registry structure 1.1 HKEY_CLASSES_ROOT 1.2 HKEY_CURRENT_USER 1.3 HKEY_LOCAL_MACHINE 1.4 HKEY_USERS 1.5 HKEY_CURRENT_CONFIG 2 Editing the Registry 2.1 Manual editing 2.2 Command line editing 2.3 Editing by programs or scripts 3 Registry locations 3.1 Windows NT, 2000, XP, and Server 2003 3.2 Windows 95, 98, and Me 3.3 Windows 3.11 4 Policy files 4.1 Policy file editor 5 Useful Registry keys 6 Advantages of the Registry concept 7 Criticisms of the Registry concept 8 Registry alternatives in other operating systems 9 Problems with Windows 9x OS 10 See also 11 References 12 External links

[edit] Registry structure

The Registry is split into a number of logical sections. These are generally known by the names of the definitions used to access them in the Windows API, which all begin "HKEY" (an abbreviation for "Handle to Key"); often, they are abbreviated to a three- or four-letter short name starting with "HK".

Each of these keys is divided into subkeys, which may contain further subkeys, and so on. Any key may contain values. These values can be:

• String Value
• Binary Value (0 or 1)
• DWORD Value, a 32 bit unsigned integer (numbers between 0 and 4,294,967,295 [2³² – 1])
• Multi-String value
• Expandable String Value

Registry keys are specified with a syntax similar to Windows' path names, using backslashes to indicate levels of hierarchy. E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE key. Values are not referenced via this syntax. Value names can contain backslashes (any character but the first) which would lead to ambiguities were they referred to this way. The win32 functions that query and manipulate registry values take value names separately from the key path and/or handle that identifies the parent key.

The HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER nodes have a similar structure to each other; applications typically look up their settings by first checking for them in "HKEY_CURRENT_USER\Software\Vendor's name\Application's name\Version\Setting name", and if the setting is not found looking instead in the same location under the HKEY_LOCAL_MACHINE key. When writing settings back, the reverse approach is used — HKEY_LOCAL_MACHINE is written first, but if that cannot be written to (which is usually the case if the logged in user is not an administrator), the setting is stored in HKEY_CURRENT_USER instead.

[edit] HKEY_CLASSES_ROOT

Abbreviated HKCR, HKEY_CLASSES_ROOT stores information about registered applications, including associations from file extensions and OLE object class ids to the applications used to handle these items. On Windows 2000 and above, HKCR is a compilation of HKCU\Software\Classes and HKLM\Software\Classes. If a given value exists in both of the subkeys above, the one in HKCU\Software\Classes is used.

[edit] HKEY_CURRENT_USER

Abbreviated HKCU, HKEY_CURRENT_USER stores settings that are specific to the currently logged in user. HKCU mirrors the current user's subkey of HKEY_USERS.

[edit] HKEY_LOCAL_MACHINE

Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are general to all users on the computer. This key is found within the file %SystemRoot%\System32\Config\system on NT-based versions of Windows. Information about system hardware is located under the SYSTEM key.

[edit] HKEY_USERS

Abbreviated HKU, HKEY_USERS contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user registered on the machine.

[edit] HKEY_CURRENT_CONFIG

Abbreviated HKCC, HKEY_CURRENT_CONFIG contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather regenerated at boot time.

[edit] Editing the Registry

[edit] Manual editing

The registry can be edited manually in Microsoft Windows by running regedit.exe or regedt32.exe in the Windows directory. However, careless registry editing can cause irreversible damage. Many optimization and "hacking" tools are available to modify this portion of the Windows operating system. It is preferable to use one of the many registry tools available, unless you have a knowledge of registry workings or wish to learn more about the registry, in which case it is recommended that you back up your hard drive before playing with it.

A simple implementation of the current registry tool appeared in Windows 3.x, called the "Registration Info Editor" or "Registration Editor". This was basically just a database of applications used to edit embedded OLE objects in documents.

Windows NT introduced permissions for Registry editing. Windows NT 4 and Windows 2000 were distributed with both the Windows 9x REGEDIT.EXE program and Windows NT 3.x's REGEDT32.EXE program. There are several differences between the two editors on these platforms:

• REGEDIT.EXE had a left-side tree view that began at "My Computer" and listed all loaded hives. REGEDT32.EXE had a left-side tree view, but each hive had its own window, so the tree displayed only keys.
• REGEDIT.EXE represented the three components of a value (its name, type, and data) as separate columns of a table. REGEDT32.EXE represented them as a list of strings.
• REGEDIT.EXE supported right-clicking of entries in a tree view to adjust properties and other settings. REGEDT32.EXE required all actions to be performed from the top menu bar.
• Because REGEDIT.EXE was directly ported from Windows 95, it did not support permission editing (permissions do not exist on Windows 9x). Therefore, the only way to access the full functionality of an NT registry was with REGEDT32.EXE.
• REGEDIT.EXE only supported string (REG_SZ), binary (REG_BINARY), and DWORD (REG_DWORD) values. REGEDT32.EXE supports those, plus expandable string (REG_EXPAND_SZ) and multi-string (REG_MULTI_SZ). Attempting to edit unsupported key types with REGEDIT.EXE on Windows 2000 or Windows NT 4 will result in conversion to a supported type that cannot be reversed.^[1]

Windows XP was the first system to integrate these two programs into one, adopting the old REGEDIT.EXE interface and adding the REGEDT32.EXE functionality. The differences listed above are not applicable on Windows XP and newer systems; REGEDIT.EXE is the improved editor, and REGEDT32.EXE simply invokes REGEDIT.EXE.

[edit] Command line editing

On NT-based systems the registry can be manipulated from the command line with the reg.exe utility. It is included in Windows XP and can be downloaded separately for previous versions.

reg.exe Operation [Parameter List]

Operation [QUERY|ADD|DELETE|COPY|SAVE|LOAD|UNLOAD|RESTORE|COMPARE|EXPORT|IMPORT]

Also, a .reg file (a text-based human-readable file format for storing portions of the registry) can be imported from the command line with the following command:

regedit.exe /s file

The /s means the file will be silent merged to the Registry. If the /s parameter is omitted the user will be asked to confirm the operation. In Windows 98 and Windows 95 the /s switch also caused regedit.exe to ignore the setting in the registry that allows administrators to disable it. When using the /s switch Regedit does not return an appropriate return code if the operation fails, unlike reg.exe which does. This makes it hard to script, however a possible workaround is to add the following lines into your batch file:

regedit /s file.reg
regedit /e test.reg "key"
if not exist test.reg goto REGERROR
del test.reg

The default association for .reg files in many versions of Microsoft Windows, starting with Windows 98 does require the user to confirm the merging to avoid user mistake.

[edit] Editing by programs or scripts

You can edit the registry through the APIs of the Advanced Windows 32 Base API Library (advapi32.dll) [1], [2].

This is a list of the Registry API Functions:

     RegCloseKey                   RegOpenKey
     RegConnectRegistry            RegOpenKeyEx
     RegCreateKey                  RegQueryInfoKey
     RegCreateKeyEx                RegQueryMultipleValues
     RegDeleteKey                  RegQueryValue
     RegDeleteValue                RegQueryValueEx
     RegEnumKey                    RegReplaceKey
     RegEnumKeyEx                  RegRestoreKey
     RegEnumValue                  RegSaveKey
     RegFlushKey                   RegSetKeySecurity
     RegGetKeySecurity             RegSetValue
     RegLoadKey                    RegSetValueEx
     RegNotifyChangeKeyValue       RegUnLoadKey

Another way is to use the Windows Support Tool Reg.exe by executing it from your code [3].

Many scripting languages such as Perl and Visual Basic also enable registry editing from scripts.

[edit] Registry locations

The Registry is stored in several files; depending upon the version of Windows, there will be different files and different locations for these files, but they are all on the local machine, except for the NTuser or user file which may be placed on another computer to allow for roaming profiles.

[edit] Windows NT, 2000, XP, and Server 2003

The following Registry files are stored in %SystemRoot%\System32\Config\:

• Sam - HKEY_LOCAL_MACHINE\SAM
• Security - HKEY_LOCAL_MACHINE\SECURITY
• Software - HKEY_LOCAL_MACHINE\SOFTWARE
• System - HKEY_LOCAL_MACHINE\SYSTEM
• Default - HKEY_USERS\.DEFAULT
• Userdiff

The following file is stored in each user's profile folder:

• NTUSER.DAT

[edit] Windows 95, 98, and Me

The registry files are named User.dat and System.dat and are stored in the C:\WINDOWS\ directory. In Windows ME Classes.dat was added.

[edit] Windows 3.11

The registry file is called Reg.dat and is stored in the C:\WINDOWS\ directory.

[edit] Policy files

Since Windows 95, administrators can use a special file to be merged into the registry, a policy file. The policy file allows administrators to prevent non-administrator users from changing registry settings like, for instance, the security level of IE and the desktop background wallpaper. The policy file is primarily used in a business with a large number of computers where the business needs to be protected from the users and the users need to be protected from themselves.

The default extension for the policy file is .pol. The policy file filters the settings it enforces by user and by group (a "group" is a defined set of users). To do that the policy file merges into the registry, preventing users from circumventing it by simply changing back the settings. The policy file is usually distributed through a LAN, but can be placed on the local computer.

[edit] Policy file editor

The policy file is created by a free tool by Microsoft that goes by the filename poledit.exe for Windows 95/Windows 98 and with a computer management module for NT-based systems. The module will not work in Windows XP Home Edition, but it does work in the Professional edition. The editor requires administrative permissions to be run on systems that uses permissions. The editor can also directly change the current registry settings of the local computer and if the remote registry service is installed and started on another computer it can also change the registry on that computer. The policy editor loads the settings it can change from .adm files, of which one is included, that contains the settings the Windows shell provides. The .adm file is plain text and supports easy localisation by allowing all the strings to be stored in one place. The policy editor has been replaced by Group Policies in newer versions of Windows.

[edit] Useful Registry keys

The following registry keys may be of interest to users attempting to customize their Windows systems.

• HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate Creating this (as a DWORD) and setting it to 1 will prevent Windows (NT, 2000 or XP) from tracking the last access time of files, which speeds up a lot of operations (especially opening folders of items with previews).
• HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\SizReqBuf Specifies the size of buffers used for storing requests to the file/print server. Increasing this from the default of 4356 bytes can improve network performance: a figure of 14596 is frequently recommended.
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and the HKCU equivalent) specifies applications to run whenever a user logs in. These can include desirable programs, such as printer monitoring programs or frequently-used tools, but a lot of malware uses this registry key to ensure it is automatically run. This key is a common place to start looking for evidence of malware if a computer has been infected.

[edit] Advantages of the Registry concept

Changing from having one or more INI files per program to one centralised registry has its good points:

• The registry keeps machine configuration separate from user configuration. When a user logs into a Windows NT/2000/XP/Server 2003 computer, his or her user-based registry settings are loaded from a different path than the system wide settings. This allows programs to more easily keep per-user configuration, as they can just work with the "current user" key, whereas in the past they tended to just keep system-wide per-program settings.

• Group Policy allows administrators on a Windows-based computer network to centrally manage program and policy settings. Part of this involves being able to set what an entry in the registry will be for all the computers on the network, and affect nearly any installed program — something almost impossible with per-program configuration files each with custom layouts, stored in dispersed locations.

• Because the registry is accessed through a special API it is available to scripts and remote management using WMI. Each script does not have to be customised for every application's unique configuration file layouts and restrictions.

• The registry can be accessed as one item over a network connection for remote management/support, including from scripts, using the standard API.

• It can be backed up more easily, in that it is just a small number of files in specific locations.

• Portions of settings like any subset of an application configuration can be saved in a text-based .REG file, which can be edited with any text editor later. .REG files can easily be merged back into the registry both by unattended batch file or by the user using just a double-click on the file without harming any setting that is not explicitely stated in the .REG file. This is very useful for administrators and support personel which want to preset or preconfigure only a few options like approving the EULA of Acrobat Reader.

• Since accessing the registry does not require parsing it can be read from and written to more quickly than a text file can be.

• Registry changes and readings can be tracked via a tool like SysInternals RegMon on value level. This is a big advantage for generating scripts in networks as well as debugging problems.

• Registry keys are independent of the Windows language, the Windows installation drive and path and even the Windows versions as such. So support personel can easily give out one set of instructions, without having to handle these things, unlike for example files in the user profile which can be on different paths on each installation.

[edit] Criticisms of the Registry concept

However, the centralized Registry introduces some problems as well:

• The HKEY_LOCAL_MACHINE part is a single point of failure — damage to the Registry can render a Windows system unbootable, in extreme cases to a point that can not be fixed, and requires a full reinstall of Windows. There is an automated backup mechanism however, these secondary files which will be loaded, if the primary files fail to load.

• Any program which wants to manipulate the registry must use special Windows API functions, rather than a simple text configuration file. This is an issue when writing applications designed for use on several platforms.

• The registry does not document itself in the same way a configuration file can.

• Restoring parts of the registry is hard because you cannot easily extract data from backed up registry files. Offline reading and manipulation of the registry (for example from a parallel installed Windows or a boot cd) is not trivial (but not impossible).

• Any application that doesn't uninstall properly, or doesn't have an uninstaller, can leave entries in the registry. In most cases this leads to performance or even stability problems, but only if the application registers itself as a class in HKEY_CLASSES_ROOT. (Note that user settings usually remain in the registry, which is done by design for two reasons: first, the user might be on a Windows domain with server-based profiles, where the settings move with the user to other computers. Uninstalling the application on one computer does not mean the user does not want to use the program on some other computer on the domain. Second, the uninstall process would only be able to modify the current user's settings anyway. In any case, unused keys in HKCU have negligible impact on system performance.)

• Since at least 1998 [4], pages on Microsoft's support website relating to editing the registry include the disclaimer "Use Registry Editor at your own risk." (see, for example, [5]).

[edit] Registry alternatives in other operating systems

Other systems preserve the concept of separate configuration files for separate application subsystems, but group them together in a single filesystem directory for ease of management, such as /etc/ and hidden directories (directories that start with a period) within the home directory in Unix-like systems.

Applications running on Apple Computer's Mac OS X operating system typically store settings in property list files which are usually stored in each user's Library folder. An advantage of this is that is that corruption to one of these files will normally only affect a single application, whereas corruption of one of the Registry hives can have wide-reaching effects. However, Mac OS X also has a system database called NetInfo that stores system-wide settings such as user account details and network configuration.

RISC OS also allows applications to be copied into directories easily without the need to install the application as one would in Windows, if one wishes to remove the application, simply delete the folder belonging to the application [6]. This is possible, since RISC OS does not support multi-user environments with different settings for each user.

[edit] Problems with Windows 9x OS

On Windows 9x computers, an older installation can have a very large registry that slows down the computer's startup and can make the computer unstable. This has led to frequent criticisms that the registry leads to instability. However, these problems occur far less often on the Windows NT family of systems, including Windows XP.

[edit] See also

• Elektra Initiative: A Windows Registry-like back-end for configuration of the GNU/Linux operating system.
• GConf: The GNOME settings database.

[edit] References

1. ^ Microsoft's Windows 2000 Security Hardening Guide version 1.3, published May 15, 2003, says "It is highly recommended to use regedt32.exe (a.k.a. the Windows NT registry editor) and not regedit.exe (a.k.a. the Windows 95 registry editor) to modify registry settings. Both editors ship with Windows 2000 and regedit.exe is generally perceived as easier to use. However, regedit.exe does not support all the registry data types and will convert certain types it does not understand. Certain values will not be read properly if they are converted and this can cause serious problems with the system, including failure to boot."

• Russinovich, Mark E., Solomon, David A. (2005). Microsoft Windows Internals, Fourth Edition, Washington, USA: Microsoft Press, 183-236. ISBN 0-7356-1917-4.

[edit] External links

• Microsoft Knowledge Base article : "Description of the Microsoft Windows registry"
• MSDN Win32 Registry Reference
• Win32 Registry Activity Monitor (Utility and Source code)
• Registry Cleaner/Drive Cleaner, need one NOW Forum discussion on registry cleaners.
• Information on the Windows registry

• Low-level Registry and SAM Information.
• Basic Clean-Up Guide - Guide to clean-up and tweak the Windows registry.
• Reading and Writing Registry Values with Visual Basic.
• System Rescue CD free Linux recovery CD including open-source registry tools as well as many other recovery tools (see SystemRescueCd)
• Offline NT Password and Registry Editor free Linux boot CD with open-source registry tools (change passwords, modify values, etc).
• Hivetools Offline GPL registry manipulation tools and API.
• REGLN - Create symbolic links in Windows Registry.