Basics of the Windows Registry
What is the Registry?
The registry is the database where Windows stores its configuration information. The registry came into existence in Windows 95; before that, initialization files were used to store configuration data. The registry is a better concept than initialization files because it can store a multi-level hierarchy and uses various data types to store data accurately and efficiently, whereas data in an initialization file is in ASCII format and can easily be corrupted.
Basic structure of the registry
The structure of the registry is nested and hierarchical. At the top level there are various hives, which can be thought of as folders. A hive can be described as a collection of keys. Under the hives there are several keys, and those keys can have more keys under them, called subkeys. A subkey is a key that sits under some other key. Keys have values, which can be of various types. At the bottom of this hierarchy is the value's data.
The structure of the registry can be compared with the Windows file system for the sake of understanding. The registry has hives at the top, just as the file system has folders in the root directory. Folders in the file system can have folders under them; the same is the case with the registry, where keys can have keys under them. Folders contain files; similarly, keys contain values. At the very bottom of the file system is the actual data stored in a file, which is what really matters, and in the registry there is likewise the data that corresponds to a value.
From the image above we can visualize the registry. There are some keys in the registry, each under one of the hives. The key named AppManagement in the figure has a value called ShowUpdates. Values have different data types, explained in detail later in this article; in the figure it is REG_DWORD. The value's data is 0 in this example.
Different hives in the registry
In the file system analogy, hives are the folders in the root directory. In Windows 2000 and onwards there are five hives, each of a different nature.
HKEY_CURRENT_CONFIG
The HKEY_CURRENT_CONFIG subtree (HKCC) stores configuration data for the current hardware profile. The HKEY_CURRENT_CONFIG subtree does not contain any data. It just stores a pointer to the content of the Current subkey of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles. As such, the contents of the Current subkey appear in HKEY_CURRENT_CONFIG and can be viewed and changed in either location. This subtree provides easier access to this data.
HKEY_CLASSES_ROOT
Description
The HKEY_CLASSES_ROOT subtree contains two types of data:
- Data that associates file types with programs. The file type subkeys in HKEY_CLASSES_ROOT have the same name as the file name extension for the file type, such as .exe. File type associations are stored in the registry, but you should use Windows Explorer to change them. In Windows Explorer, from the Tools menu, click Folder Options, and then click the File Types tab.
- Configuration data for COM objects.
The content of HKEY_CLASSES_ROOT comes from two sources, HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes. If a subkey or entry appears in either location, it also appears in HKEY_CLASSES_ROOT. If the values of entries in the two Classes subkeys conflict, only the value in HKEY_CURRENT_USER\SOFTWARE\Classes appears in HKEY_CLASSES_ROOT.
In Windows NT 4.0 and earlier, HKEY_CLASSES_ROOT displayed the data in HKEY_LOCAL_MACHINE\SOFTWARE\Classes only. The current merged configuration lets the system register program classes independently for each user. This feature is known as per-user class registration.
Per-user registration has several benefits:
- Multiple users can customize a single computer. For example, User A can install an application which uses a particular file type, and User B can install a different application which uses the same file type without affecting User A.
- Roaming class registration. Because class registrations are stored in the user profile, the class registrations are loaded on each computer through the application management extension after the profile is loaded. When the user logs in to a different computer, the registration will travel with the user through the directory and be written to a local portion of the user profile during logon.
Note: Roaming class registration is only available when using Intellimirror Software Management. For more information about Intellimirror, see Windows 2000 Help.
- Increased registry security. Previously, users could change or delete registry keys under HKLM\SOFTWARE\Classes, thus breaking an application or changing its behavior. However, with class information now written to the user profile, a system administrator can limit access to HKLM\SOFTWARE\Classes.
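The merge rule described above can be modelled offline to see which per-user class entries take precedence over machine-wide ones, which is the comparison an administrator would run when reviewing per-user registrations. This is an added example, not code from the original page; the two dictionaries, the user name and the paths in them are constructed sample data, and the function names are hypothetical.

```python
# Added example: a model of how HKEY_CLASSES_ROOT is assembled.
# Each source maps (subkey path, entry name) -> data; "" is the default entry.
# All sample data is constructed for illustration.

HKLM_CLASSES = {
    (".txt", ""): "txtfile",
    (r"txtfile\shell\open\command", ""): r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    (".log", ""): "txtfile",
}
HKCU_CLASSES = {
    # Same key as the machine-wide one, different case and different data.
    (r"TxtFile\Shell\Open\Command", ""): r"C:\Documents and Settings\UserB\editor.exe %1",
    (".md", ""): "mdfile",      # exists only for this user
    (".log", ""): "txtfile",    # identical to the machine-wide entry: no conflict
}


def _norm(source):
    """Registry key and entry names are case-insensitive, so fold them."""
    return {(k.lower(), e.lower()): data for (k, e), data in source.items()}


def merged_view(machine, user):
    """HKCR view: union of both sources, per-user data wins on conflict."""
    view = _norm(machine)
    view.update(_norm(user))
    return view


def shadowed_entries(machine, user):
    """Entries whose per-user data hides different machine-wide data."""
    m, u = _norm(machine), _norm(user)
    return sorted(
        (key, entry, m[(key, entry)], u[(key, entry)])
        for (key, entry) in u
        if (key, entry) in m and m[(key, entry)] != u[(key, entry)]
    )


if __name__ == "__main__":
    for key, entry, machine_data, user_data in shadowed_entries(HKLM_CLASSES, HKCU_CLASSES):
        print(f"HKCR\\{key} [{entry or '(Default)'}]")
        print(f"  machine-wide: {machine_data}")
        print(f"  per-user    : {user_data}  <- shown in HKEY_CLASSES_ROOT")
```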
HKEY_CURRENT_USER
Description
The HKEY_CURRENT_USER subtree contains the user profile for the user who is currently logged on to the computer. The user profile includes environment variables, personal program groups, desktop settings, network connections, printers, and application preferences. The data in the user profile is similar to the data stored in the Win.ini file in Windows 3.x.
The HKEY_CURRENT_USER subtree does not contain any data. It just stores a pointer to the content of HKEY_USERS\. As such, the data stored in this subkey of HKEY_USERS appears in HKEY_CURRENT_USER. The data can be viewed and changed directly and programmatically in either location.
A new HKEY_CURRENT_USER subtree is created each time a user logs on. The data for HKEY_CURRENT_USER comes from the profile of the current user. If no profile is available, HKEY_CURRENT_USER is built from the user profile settings established for a default user, stored on the System drive\Documents and Settings\Default User (WINNT)\Ntuser.dat.
HKEY_LOCAL_MACHINE
Description
The HKEY_LOCAL_MACHINE subtree contains information about the local computer system, including hardware and operating system data such as bus type, system memory, device drivers, and startup control parameters.
HKEY_USERS
HKU
Description
The HKEY_USERS subtree contains all actively loaded user profiles. HKEY_USERS has at least three keys.
- .DEFAULT, which stores the profile used when no users are logged on to the computer (such as when the CTRL+ALT+DELETE logon prompt is displayed).
- A subkey named for the Security Identifier (SID) of the current local user. This subkey contains the current user's profile. If the user is logged on remotely, the data for their profile is stored in the registry of their local computer. The data in HKEY_USERS\ also appears in HKEY_CURRENT_USER.
- A subkey named for the Security Identifier (SID) of the current local user with the _Classes suffix. This subkey contains the current user's Classes. The data in HKEY_USERS\\_Classes is also contained in HKEY_CLASSES_ROOT.
In Windows 2000 the default user profile is not stored in the registry. It is stored on the system drive in \Documents and Settings\Default User [WINNT]\Ntuser.dat.
Data Types in the Windows Registry
Data types define what kind of data an entry can store. The following data types are used by entries in the Windows 2000 registry:
REG_BINARY
Raw binary data. Most hardware component information is stored as binary data. It can be displayed in an easy-to-read format by using Windows 2000 Diagnostics. REG_BINARY data can be displayed and entered in binary or hexadecimal format in a registry editor.
REG_DWORD
Data represented by a number that is 4 bytes (32 bits) long. Boolean (0 or 1) values and many entries for device drivers and services take this data type. REG_DWORD data can be displayed in binary, hexadecimal, or decimal format in a registry editor.
REG_DWORD_LITTLE_ENDIAN
Same as REG_DWORD. A 32-bit number in which the most significant byte is displayed as the leftmost or high-order byte. This is the most common format for storing numbers in computers running Windows 2000 and Windows 98.
REG_DWORD_BIG_ENDIAN
A 32-bit number in which the most significant byte is displayed as the rightmost or low-order byte. This is opposite of the order in which bytes are stored in the REG_DWORD and REG_DWORD_LITTLE_ENDIAN data types.
REG_EXPAND_SZ
A variable-length text string. REG_EXPAND_SZ data can include variables that are resolved when an application or service uses the data. For example, the value of File includes the variable Systemroot.
REG_LINK
Indicates a symbolic link between system or application data and a registry value. You can use Unicode characters in a REG_LINK entry.
REG_MULTI_SZ
Multiple text strings formatted as an array of null-terminated strings, and terminated by two null characters. Values that contain lists or multiple values in a form that people can read usually take this data type. The values in a REG_MULTI_SZ entry can be separated by spaces, commas or other marks.
REG_SZ
A fixed-length text string. Boolean ("True" or "False") values and other short text values usually have this data type.
REG_FULL_RESOURCE_DESCRIPTOR
A series of nested arrays designed to store a resource list for a hardware component or driver. For example, in Regedt32, double-click ConfigurationData (in HKEY_LOCAL_MACHINE\Hardware\Description\System\MultifunctionAdapter\0\ControllerName\0).
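When value data is read as raw bytes, for example from an offline hive during analysis, the type decides how those bytes are interpreted. The decoder below is an added example, not code from the original page; it assumes strings are stored as UTF-16LE (as on Windows NT-family systems) and that REG_DWORD is stored least significant byte first, and the sample byte strings and the C:\WINNT path are constructed.

```python
import re
import struct

# Numeric type codes as defined in the Windows SDK (winnt.h).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ = 5, 7

# Constructed sample data.
SAMPLE_DWORD = b"\x02\x01\x00\x00"
SAMPLE_EXPAND = "%SystemRoot%\\system32\\drivers".encode("utf-16-le") + b"\x00\x00"
SAMPLE_MULTI = "Tcpip\x00Afd\x00\x00".encode("utf-16-le")
SAMPLE_ENV = {"SystemRoot": r"C:\WINNT"}


def expand(text, env):
    """Resolve %Name% variables case-insensitively; unknown ones stay as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), text)


def decode_value(reg_type, raw, env=None):
    """Turn raw registry value bytes into a Python object according to type."""
    if reg_type in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        if len(raw) != 4:
            raise ValueError("DWORD data must be exactly 4 bytes")
        fmt = "<I" if reg_type == REG_DWORD else ">I"
        return struct.unpack(fmt, raw)[0]
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        # A single string ends at the first null character.
        text = raw.decode("utf-16-le").split("\x00", 1)[0]
        return expand(text, env or {}) if reg_type == REG_EXPAND_SZ else text
    if reg_type == REG_MULTI_SZ:
        # Null-separated strings; the list itself ends with an extra null.
        text = raw.decode("utf-16-le").rstrip("\x00")
        return text.split("\x00") if text else []
    return raw.hex()  # REG_BINARY and unhandled types: show as hexadecimal


if __name__ == "__main__":
    print(decode_value(REG_DWORD, SAMPLE_DWORD))
    print(decode_value(REG_DWORD_BIG_ENDIAN, SAMPLE_DWORD))
    print(decode_value(REG_EXPAND_SZ, SAMPLE_EXPAND, SAMPLE_ENV))
    print(decode_value(REG_MULTI_SZ, SAMPLE_MULTI))
```

The same four bytes yield different numbers under REG_DWORD and REG_DWORD_BIG_ENDIAN, so a tool that ignores the type field will misreport such values.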