The above message is a common warning Microsoft gives its customers before providing instructions for editing the registry. The Windows registry is a hierarchical database of configuration data for the Windows operating system, its components and installed applications. It is the central store of settings that has largely replaced the INI files used by earlier versions of Windows. For more detailed information about the Windows registry, see this Microsoft Knowledge Base article.
The registry consists of records called "keys," which work like folders. A key can hold values (named pieces of data, like files) and further keys called "subkeys," and usually holds both.
To view the registry, run Regedit.exe or Regedt32.exe. The two utilities are similar: both let you browse the registry, change values, and add and delete keys and values. Windows XP combined them into a single Regedit; in earlier NT versions only Regedt32 could set user and group permissions on keys (permissions apply to keys, not to individual values).
On disk the registry is stored in a small set of files called hives. Windows 95/98 use two, USER.DAT and SYSTEM.DAT; Windows NT, 2000 and XP split the machine portion across several hive files in %SystemRoot%\System32\config (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT) and keep one NTUSER.DAT per user profile. Windows loads these files at boot, writes changes back to them while it is running, and flushes any remaining changes at shutdown.
When the registry is opened in the editor there are five root keys (six on Windows 95/98, which adds HKEY_DYN_DATA), often loosely called "hives"; however, three of them are simply links to subkeys of the two main ones. The two main root keys are HKEY_USERS and HKEY_LOCAL_MACHINE:
- HKEY_USERS loads each user's settings from that user's USER.DAT (or NTUSER.DAT) file. The file is stored in different locations, and under slightly different names, on different versions of Windows: Windows 95/98: C:\Windows\User.DAT, or C:\Windows\Profiles\%username%\User.DAT when user profiles are enabled; Windows NT4: C:\WINNT\Profiles\%username%\Ntuser.dat; Windows 2000/XP: C:\Documents and Settings\%username%\NTUSER.DAT.
- This part of the registry holds per-user preferences and settings. When a user logs on, that user's USER.DAT (or NTUSER.DAT) is loaded into HKEY_USERS. Because every user account on the workstation has its own file, each user gets separate preferences and settings.
- An important key under HKEY_USERS is .DEFAULT (dot default). It holds the settings in effect when no user is logged on, for example at the logon screen. Note that on Windows NT, 2000 and XP a new user's profile is built from the Default User profile (the NTUSER.DAT in the Default User profile directory), not from .DEFAULT; the two are often confused.
- HKEY_LOCAL_MACHINE applies to the computer regardless of who is logged on. It holds hardware, operating system and application settings that affect every user of the machine.
The remaining root keys are links to subkeys of HKEY_LOCAL_MACHINE and HKEY_USERS:
- HKEY_CURRENT_USER holds the settings of the user who is currently logged on. It is a link to that user's subkey of HKEY_USERS. On Windows NT, 2000 and XP the user subkeys under HKEY_USERS are named by security identifier (SID), a key name beginning S-1-5-21-, rather than by user name, which makes it hard to tell at a glance which user a key belongs to; the ProfileList key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion maps each SID back to its profile directory. When a user logs on, that user's hive is loaded under HKEY_USERS and HKEY_CURRENT_USER is pointed at it.
- HKEY_CURRENT_CONFIG is a link to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current. It exists for application compatibility between Windows 95/98 and Windows NT.
- HKEY_CLASSES_ROOT is a link to HKEY_LOCAL_MACHINE\Software\Classes (on Windows 2000 and XP it is a merged view of that key and HKEY_CURRENT_USER\Software\Classes, with the per-user entries taking precedence). It holds file extension associations and OLE/COM class registrations.
The Software Key
There are many keys in the registry, and discussing all of them is beyond the scope of this article; an entire class could be devoted to it. One of the most commonly referenced keys, however, is the Software key. There is a Software key under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, logically organized as Company\Product\Version\Settings. For example, a very commonly referenced key under HKEY_LOCAL_MACHINE\Software is:
Microsoft (Company)\Windows (Product)\CurrentVersion (Version)\Run
The values under this key are commands that Windows runs whenever any user logs on; the counterpart under HKEY_CURRENT_USER runs only when that particular user logs on, and the neighbouring RunOnce keys run their entries once and then delete them. These keys are a common place to check for unauthorized commands inserted by a virus or other malware so that it is launched at every logon, and any user can write to the HKEY_CURRENT_USER copy without administrative rights.
If a third party writes software for Windows, it will create registry entries under HKEY_LOCAL_MACHINE\Software for settings that apply to the program regardless of who is logged on, and entries under HKEY_CURRENT_USER\Software for the settings and preferences of a specific user.
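The check described above, as an added example that is not part of the original article: a PowerShell script that walks the Run and RunOnce keys under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, reads each value with its type and raw (unexpanded) data, and flags entries a reviewer would want to look at. The flagging heuristics (unusual locations, unquoted paths with spaces, non-string value types, script hosts) are assumptions of this example, not a Microsoft reference list, and the WOW6432Node path only exists on 64-bit Windows.

```powershell
# Added example, not from the original article. Enumerates autostart
# entries in the Run/RunOnce keys and flags suspicious ones.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows;
# the heuristics below are this example's own, not a vendor list.

$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit view on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories that legitimate installers rarely use for autostart binaries (assumption).
$suspiciousPathPattern = '\\(Temp|AppData\\Local\\Temp|Downloads|Public|Recycle)\\'

function Get-AutostartEntry {
    foreach ($keyPath in $autostartKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            # Raw data (REG_EXPAND_SZ left unexpanded) plus the value type,
            # so a tampered type or odd %VARIABLE% reference is visible.
            $raw  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $kind = $key.GetValueKind($name)
            $cmd  = [Environment]::ExpandEnvironmentVariables([string]$raw)

            $flags = @()
            if ($cmd -match $suspiciousPathPattern) { $flags += 'unusual-location' }
            # An unquoted path with spaces can be hijacked by planting a binary
            # earlier in the path (for example C:\Program.exe).
            if ($cmd -notmatch '^"' -and $cmd -match '^[A-Za-z]:\\.*\s.*\.exe') { $flags += 'unquoted-path' }
            if ($kind -ne 'String' -and $kind -ne 'ExpandString') { $flags += "odd-type:$kind" }
            if ($cmd -match '(powershell|cmd\.exe|wscript|cscript|mshta|rundll32)') { $flags += 'script-host' }

            [pscustomobject]@{
                Key     = $keyPath
                Name    = $name
                Type    = $kind
                RawData = [string]$raw
                Command = $cmd
                Flags   = ($flags -join ',')
            }
        }
    }
}

# Flagged entries sort to the top; an empty Flags column is the common case.
Get-AutostartEntry | Sort-Object Flags -Descending | Format-Table Key, Name, Type, Command, Flags -AutoSize -Wrap
```

Run it from an ordinary (non-elevated) prompt to see what the current user could have planted under HKEY_CURRENT_USER, and again elevated if you also want the HKEY_LOCAL_MACHINE keys on a machine where standard users cannot read them. Treat the flags as a starting point for review, not a verdict: a legitimate updater can live under AppData, and malware can sit in C:\Windows with a quoted path.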
Windows NT, Windows 2000 and Windows XP allow permissions to be set on registry keys, but not on individual values. Under normal use there should be no need to change registry permissions; the operating system and the programs installed should assign appropriate permissions to their own keys. Sometimes, however, it is necessary to tighten the permissions on certain keys for security reasons. For example, instead of installing cleanup software, it is possible to deny write access to the key in which a particular program records its history of recently opened files; the program can still read the key, but no history is ever written. Two caveats apply: a deny entry is evaluated before any allow entry, so it can make a program that expects to write the key fail outright, and a user who owns the key (the normal case under HKEY_CURRENT_USER) can remove the deny again, so this blocks the program's routine behaviour rather than a determined user.
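One way to apply and verify such a deny entry, as an added example that is not part of the original article: the script below adds a Deny access-control entry for the current user that blocks creating values and subkeys under a program's history key (reads stay allowed), then probes the key to confirm the deny takes effect, and includes the reverse operation for cleanup. The key path HKCU:\Software\ExampleVendor\ExampleApp\RecentFiles is a hypothetical stand-in; substitute the history key of the program concerned.

```powershell
# Added example, not from the original article. Denies write access to a
# program's recent-file history key and checks that the deny is effective.
# Assumptions: Windows PowerShell 5.1 or later; the key below is a
# hypothetical stand-in for a real program's history key.

$historyKey = 'HKCU:\Software\ExampleVendor\ExampleApp\RecentFiles'   # hypothetical

# Rights that let a program add or change history entries; reads are untouched.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete'

function New-DenyWriteRule {
    param([string] $Identity)
    New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, $writeRights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # also covers subkeys
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Set-RegistryDenyWrite {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [string] $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    )
    if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $acl = Get-Acl -Path $KeyPath
    $acl.AddAccessRule((New-DenyWriteRule -Identity $Identity))
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Remove-RegistryDenyWrite {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [string] $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    )
    $acl = Get-Acl -Path $KeyPath
    $acl.RemoveAccessRule((New-DenyWriteRule -Identity $Identity)) | Out-Null
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Test-RegistryWriteDenied {
    # Returns $true when a value cannot be written, i.e. the deny is in effect.
    param([Parameter(Mandatory)] [string] $KeyPath)
    try {
        New-ItemProperty -Path $KeyPath -Name 'Probe' -Value 'x' -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $KeyPath -Name 'Probe' -ErrorAction SilentlyContinue
        return $false   # the write succeeded, so nothing is blocking it
    } catch {
        return $true    # access denied (or key unreadable) counts as blocked
    }
}

Set-RegistryDenyWrite -KeyPath $historyKey
(Get-Acl -Path $historyKey).Access |
    Where-Object AccessControlType -eq 'Deny' |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AccessControlType -AutoSize
"Write denied: $(Test-RegistryWriteDenied -KeyPath $historyKey)"
# Remove-RegistryDenyWrite -KeyPath $historyKey   # undo when finished
```

Because the deny is placed on the key rather than on a value, it also covers every value and subkey beneath it, which is what the inheritance flag is for. For a key under HKEY_LOCAL_MACHINE run the script from an elevated prompt and pass -Identity for the group the program's users belong to; for the current user's own HKEY_CURRENT_USER key, remember that the owner can lift the deny again.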
A registry value can store data in a number of formats; see Registry Value Types for the complete list. Most values are REG_DWORD, REG_BINARY or REG_SZ. REG_DWORD holds a 32-bit number and is often used for Booleans (0 = off, 1 = on); REG_BINARY holds raw bytes, such as numbers larger than 32 bits or encrypted passwords; REG_SZ holds a (Unicode) string such as a name, filename, path or type. Two string variants are worth knowing: REG_EXPAND_SZ, whose %VARIABLE% references are expanded by the program that reads them, and REG_MULTI_SZ, which holds a list of strings.