The "Registry"

The Core of Your Computer's Operating System

*** also see http://www.windowsitlibrary.com/Content/405/11/1.html

Except for the old, ancient Win 3.1  -  all versions of Windows have a Registry.  It is a core component of the Operating System.  The Windows microcode is the foundation of the OS, and the registry is a library (stored as a database) of information that the microcode references continuously. 

The Registry Editor - RegEdit.exe

Most Windows applications write data to the Registry, at least during installation. You can edit the Registry directly by using the Registry Editor (regedit.exe) provided with the operating system. However, you must take great care because errors in the Registry could disable your computer.

RegEdit Favorites

To save time, when you find a registry folder that you may want to revisit, add a favorite to it, in the way as you do with Internet Explorer (Favorites/Add to Favorites . . .).  For example, the "Run" folder in the HKLM structure is several levels down, but it contains programs that AutoStart with Windows, and if often a good area to manually edit, to stop certain programs and utilities from starting up (See the AutoStart section for details on this).

The Registry Structure - a hierarchy of keys and values

The registry is arranged like your hard drive is arranged.  In the registry editor, regedit, you will see what appears to be folders and files.  However, they are called by different names.  The folders are called "keys" and the files are called "values".  Here is a sample screenshot of a section of the registry:

 

The Five (actually 2) Subtrees

The Windows XP registry is typically depicted as five major subtrees in a hierarchical tree structure.

*** HOWEVER - the registry actually only has 2 Subtrees - HKEY_LOCAL_MACHINE and HKEY_USERS  !! All other subtrees are just shortcuts, or copies of a portion of HKLM or HKU, that are listed separately in RegEdit because they are important areas that Microsoft figured would be commonly accessed by administrators.

*** actually you can think of the arrows as pointing both ways, because if you edit anything in one area - the other area is updated as well.
For example, if you add a new Value to HKLM\SOFTWARE\CLASSES of "12" - then the same Value will show up in HKCR.  If you then
goto HKCR and change the value to 13, and go back and look in HKLM\SOFTWARE\CLASSES, you will see it has been changed to 13 as well.


5 Subtrees all are contained in 2 Subtrees
3 Subtrees in 1) 
Subtree HKLM with its two contained trees:  HKCR and HKCC
2 Subtrees in 1)  Subtree HKU with its one contained tree:  HKCU

 

HKEY_LOCAL_MACHINE (HKLM)

The HKEY_LOCAL_MACHINE subtree, which exists at the root of the database, contains all of the information about the hardware configuration of your computer, as well as applications and services running on it. Some of the hardware information is updated automatically each time you restart the operating system, as new hardware configurations are detected. The data stored in this part of the registry is common to all users of this computer. Of all the hours that you spend working directly with the registry, you’ll likely spend most of them inside this subtree.

HKLM and the 5 Hives - HKLM has its own subtrees, and all except HARDWARE are stored in separate files called "Hives", in the folder Windows\SYSTEM32\CONFIG folder.  There are 5 gives, and HKLM has 4 of them detailed - SAM, SECURITY, SOFTWARE, and SYSTEM.  There is one more Hive called DEFAULT that is not a subtreee of HKLM.  The hives are stored in two files each - one without an extension, and one with a "*.LOG" extension. The files without a file extension (SAM, SECURITY, SOFTWARE, and SYSTEM) are the actual registry database files. The files with extensions are used for fault tolerance and backup purposes. Each .LOG file is actually a journal of registry modifications, used to reconstruct the registry file if a power failure or other crash leaves it in an inconsistent state while it’s being changed. Because the SYSTEM registry file is vital to the boot process, SYSTEM.SAV is a complete backup copy of the SYSTEM file and is used to boot the computer if the SYSTEM file becomes corrupt.

HKLM Subtree Database File Names Description and Advice
HARDWARE None
(This is a volatile
key that’s never
stored on disk.)
Contains hardware configuration information,
regenerated by NTDETECT and the NT kernel
each time that the computer is restarted. This
subtree contains mostly binary information that you shouldn’t attempt to edit directly. Use Control Panel to make any changes, or you may render your computer unbootable.
SAM SAM
SAM.LOG
Contains the Security Account Manager (SAM)
database, including user accounts, group accounts, and domain security information. Utilize User Manager for Domains to make changes, or you might prevent users from logging on.
SECURITY SECURITY
SECURITY.LOG
Contains local computer security information,
including rights, account policies, and local group memberships. This subtree is used only by the NT security subsystem and can’t be edited using the Registry Editor.
SOFTWARE SOFTWARE
SOFTWARE.LOG
Contains information on the local computer’s software configuration, including applications, file associations, and OLE information. Use applications themselves to change application configuration and OLE information. Use Explorer to change file associations.
SYSTEM SYSTEM
SYSTEM.ALT
Contains the configuration information required
to start the operating system, beyond what is recognized and stored in the HARDWARE subtree. This is where most of your manual changes are likely to occur.

 

HKEY_CLASSES_ROOT (HKCR)

The HKEY_CLASSES_ROOT subtree contains file association information and the OLE registration database (REG.DAT, if you’re a Windows 3.x guru) to keep track of which applications to launch when you double-click on files, objects, and icons. For example, it maps video files ending in .AVI to the action of starting MPLAY32.EXE (NT’s Media Player utility) whenever you double-click the .AVI file.

This subtree is actually a pointer into the HKEY_LOCAL_MACHINE subtree—specifically, HKEY_LOCAL_MACHINE\SOFTWARE\Classes. Figure 11-4 shows the relationship between HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE. Changes made in HKEY_CLASSES_ROOT are immediately reflected in HKEY_LOCAL_MACHINE, since they occupy the same space.

HKEY_CURRENT_CONFIG (HKCC)

The HKEY_CURRENT_CONFIG subtree has been introduced for the first time in Windows NT 4.0. It contains information about the specific hardware profile used to start the computer. This subtree is actually a pointer into the HKEY_LOCAL_MACHINE subtree—specifically, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current. Figure 11-5 shows the relationship between HKEY_CURRENT_ CONFIG and HKEY_LOCAL_MACHINE. Changes made in HKEY_CURRENT_CONFIG are immediately reflected in HKEY_LOCAL_MACHINE, since they occupy the same space.

This subtree stores the profile information that you generated using Control Panel applications. In general, it’s best not to edit this portion of the registry directly, since Control Panel applications (specifically System, Services, and Devices) provide you with full control over hardware profile management.

HKEY_USERS (HKU)

The HKEY_USERS subtree, which exists at the database root, contains user profiles for all user accounts on the computer.

This subtree also contains a default user profile (appropriately called “.DEFAULT”) that’s summoned when a new user logs on for the first time. Then, when the first-time user logs off, his or her profile information is saved in HKEY_USERS under the SID (security ID) assigned to that user account.

HKEY_CURRENT_USER (HKCU)

The HKEY_CURRENT_USER subtree contains the user profile information associated with the user who’s currently logged on to the local computer. The contents of this subtree change, depending on which account is used to log on to the computer.

This subtree is actually a pointer into the HKEY_USERS subtree. As you can see in Figure 11-6, each user profile on the computer is stored under its own unique SID within the HKEY_USERS subtree. HKEY_CURRENT_USER points to the SID associated with the user who’s currently logged on. Notice that the SIDs under HKEY_USERS always start with an S and are very long, unique numbers. Since there are two SIDs listed, you can tell that only two accounts have logged on to this computer, so they’re the only ones with established profiles. Changes made in HKEY_CURRENT_USER are immediately reflected in HKEY_USERS, since they occupy the same space.

 

 

The Keys

With all recent Windows versions (95 through XP), the Registry is divided up into several major keys, with thousands of sub-keys below that.  Again, the structure is analogous to your hard drive, only with the registry it has keys and values instead of folders and files.  Here we list the top level keys, just below the root.  The "root" key is simply called "My Computer" :

  • HKEY_Classes_Root - file associations and OLE information
  • HKEY_Current_User - all preferences set for current user
  • HKEY_User - all the current user information for each user of the system
  • HKEY_Local_Machine - settings for hardware, operating system, and installed applications
  • HKEY_Current_Configuration - settings for the display and printers
  • HKEY_Dyn_Data - performance data
  • The Values

    Each line in RegEdit is one value, and the columns show the 3 components of each value.  Each value entry is defined by the 3 components:

    There are 5 types of values.  Here is a screenshot of a section of a registry key containing each of the values:

    Type Description
    REG_SZ A simple string of text characters.
    REG_EXPAND_SZ Same as REG_SZ but includes a variable that’s replaced by another string when the value is used. For example, in %SystemRoot%\SYSTEM32, %SystemRoot% is replaced by the path where Windows NT Server was installed.
    REG_MULTI_SZ A set of text strings (such as REG_SZ), typically used to express a list of text values.
    REG_DWORD Four bytes of binary data, which can be expressed in binary, hexadecimal, or decimal format.
    REG_BINARY Raw binary data, usually displayed in hexadecimal notation.

     

    Here we list each of them, along with their corresponding abbreviation (what you will see them listed as in RegEdit) :  

    Type of Value   

    RegEdit's
    Icon

    Abbreviation   

    Description

    Screenshot

    String Value   

    REG_SZ   

    A fixed-length text string.

    Binary Value   

    REG_BINARY   

    binary, in Hexadecimal format

    DWORD Value   

    REG_DWORD   

    A double-word is two words (one word is 16 bits).  Therefore a D-word is 32 bits (4 bytes).  It is often used to store a 1 or 0 (True or False), to be used as a Flag to tell Windows whether to do something - or not to do it.

    Multi-String Value   

    REG_MULTI_SZ   

    a basic text file that is stored and can be edited, just as you can edit any text file in Notepad.  The text is actually formatted as an array of null-terminated strings, and terminated by two null characters.  But to the user it just looks like any other text file.

    Expandable String Value   

    REG_EXPAND_SZ   

    The value is interpreted and stored as an expandable string.  This is a null-terminated string that contains references to environment variables (for example, “%PATH%”).  These variables can be expanded on (for our example, you can append additional paths to %PATH%)

    Understanding Control Sets

    The HKEY_LOCAL_MACHINE\SYSTEM subtree is intimately involved in the NT boot process. It contains all of the information required to start the operating system (other than the basic hardware data that’s provided automatically in the HKEY_LOCAL_MACHINE\HARDWARE subtree). Thus, most of the modifications that you make to troubleshoot the boot process will be made in the SYSTEM registry database file. 

    The Setup and DISK keys are used exclusively by the operating system, so I won’t discuss their contents. I discuss the roles of the Select, CurrentControlSet, ControlSet001, ControlSet002, and Clone keys in the boot process.

    Note: You may see a different combination of numbered control sets. Typically, only two control sets are stored in the SYSTEM subtree, but there can be up to four. The numbers may or may not be sequential. For example, on another computer in my office, the SYSTEM subtree contains ControlSet001 and ControlSet003.

    The ControlSet001, ControlSet002, and Clone keys all contain complete copies of the required boot information in what are called control sets. One of the numbered control sets is used by default to boot the computer (in this case, ControlSet001), and the other contains the Last Known Good configuration (in this case, ControlSet002).

    How does Windows XP know which control set is the current one and which is the Last Known Good configuration?  The Select key keeps track of this information.  The Current value (0x1) indicates that ControlSet001 was used to boot the computer this time and that CurrentControlSet points to it. The Default value (0x1) indicates that ControlSet001 is used by default to start the computer. The Failed value indicates which control set last failed to boot, requiring use of the Last Known Good configuration. A value of zero indicates that none of the configurations have failed. The LastKnownGood value (0x2) indicates that ControlSet002 contains the Last Known Good configuration, which you can select during the boot process.

    For administrative convenience, CurrentControlSet is a pointer to whichever control set was used to boot the computer. In this case, CurrentControlSet points to ControlSet001. So, by editing CurrentControlSet, you’re assured that the changes are made to whichever control set is currently in force. There’s no need to look under the Select key to figure out which control set is the current one.

    What about the Clone key, and why is it grayed out? Each time that the computer starts, the control set used to boot the system is copied to the Clone key. If the startup is successful, the Clone contents are copied to another control set key, which is used as the Last Known Good configuration during the next boot process. The previous Last Known Good configuration is discarded.

    Note: Conceptually, this is similar to saving multiple copies of CONFIG.SYS under DOS, including a backup copy that’s known to boot the computer correctly. The good news is that NT takes care of saving the latest working configuration and allows you to revert to it during the boot process.

     

    The Registry Files

    Win95-98 Registry - 2 Files

    The Windows 95 and 98 registry is competl;ey contained in two files in the Windows folder:

    You can back them up, but must first change their attributes (they are ReadOnly and System files by default).

    WinXP Registry - The 5 Hives Files

    Unlike Win95-98-ME where the registry is contained in two files (system.dat and user.dat), the Windows XP registry is contained in 5 hives :

    security
    system
    software
    sam
    default

    These are files without extensions, and they are located in the  windows\system32\config  folder.  

    Enhanced Registry Editors

    There are a slew of "new and improved" registry editors.  For the most part, just use regedit.  However, regedit has a major shortcoming - the search function will only find one instance at a time.  And when you want to completely remove all traces of an application that is causing you headaches - doing it with regedit takes forever !!

    I have tested many of these.  Registry First Aid (click to go to their website, and purchse) is excellent, as is "Regalyzer" (click to download for free).  But as expected the one that costs $$$ is the one you will need - read on . . .  

    Using an Enhanced Registry Editor for a Clean Un-Install of a Program

    Sometimes a program is giving you grief, and you just can't get rid of it - it may not appear in the Add/Remove programs list, or may be corrupted and no un-install properly.  The workaround is to delete EVERY folder and key in the registry that supports the bogus program.  You can do this with Regedit, by doing a search for the name of the program, and deleting the entries . . . one at a time.  But this takes forever.

    With both of the enhanced reg editors mentioned here, you can do a search for a text string, and it will stack up a list for you of every instance of that string that it found.  BUT Regalyzer it will only allow you to Replace that string - not delete the entire entry that contains it.  

    *** fortunately - Registry First Aid allows you to delete all entries with that string.  So Registry First Aid is the clear winner !!!  Buy it !!!

    Exporting/Importing portions of the Registry (Keys or Folders)

    When you make a change to the registry, instead of backing up the whole thing - you can export just the Folder or the Key that you are going to change.  If you export a folder, all subfolders and keys undere that will also be exported. 

    Export

    Import

    There are several reason that you may wish to import a ".reg" file.  You may have exported reg info, and then your registry change causes problems.  Also, some people post up reg fixes on the web and/or cracks for software.  In either case you will want to import the registry file - there are two ways of doing this:

    Backing up and Restoring the Entire Registry

    Once you become comfortable with editing the registry, you can do so without always backing it up first.  But if not - make sure to back it up.  A hosed registry means reinstalling Windows !!!

    Backup/Restore Win95-98 Registry

    Backup

     

    Start/Run . . . Command (takes you to a DOS box)

    c:

    cd\windows

    attrib *.dat -r -h -s

    copy user.dat user1.dat

    copy system.dat system1.dat

    attrib *.dat +r +h +s

    exit

     

    Restore

     

    Reboot

    hit F8 when you hear beep to get to the boot options screen

    type:  scanreg /restore

    follow prompts

     

    OR -  to restore your saved version from the previous steps:

     

    Start/Run . . . Command (takes you to a DOS box)

    c:

    cd\windows

    attrib *.dat -r -h -s

    copy user1.dat user.dat

    copy system1.dat system.dat

    attrib *.dat +r +h +s

    exit

     

    Backup/Restore WinXP Registry

    For both backup and Restore, do the following and follow the Prompts

    run NTbackup and create a file containing the registry - this is a bit complex and not recommended, and therefore will not be discussed (see the Windows Help for info on it)

    OR

    create a system restore point (recommended) - this will back up your registry and all your system settings

     

    Compacting the Registry

    You can purchase "Registry Compactor", which, like Norton's Speed Disk - gets rid of fragments and holes, and places the entire registry into successive sectors on your hard drive.  Be careful here - my sister's PC became unbootable after running this utility !!

    Cleaning the Registry

    Like the Windows folder grows and grows with orphaned DLL's  .  .  .  the registry grows and grows with text strings placed there by installations.  They should ALL be removed when you un-install the program, but they are not in many cases.  Your system has to comb through the registry constantly as it runs - so you will get better performance by cleaning it of all unused entries.  There are two popular ways of doing this - I recommend doing both:

     

    MRU (Most Recently Used) Lists

    The registry keeps track of the files you have opened and the places you have been, using lists contained in multiple registry values, called "MRU's".  These MRU lists contain information such as the names and/or locations of the last files you have accessed. They are located ALL OVER your registry, and for almost ANY file type.  The following is a list of the most common MRU lists that are kept in the Registry:

    In general it is safe to delete these - but don't think you are creating a lot of space - MRU's take up very little space, since they are just tiny text strings.  Anti Spyware programs such as SpyBot S&D have options to remove them.  Or you can use this free tool that will get rid of them for you:  Go to the MRU Blaster website and download it.

    NOTE: some of these lists you will want to keep.  For example, when you open Word, and want to open a file you were working on yesterday - it will show up at the bottom of the "File" menu, and you can instantly open it that way.  The same is true with Powerpoint, Photoshop, etc.  Some applications such as Winzip also keep MRU's, but you will probably never need them.  Internally, there is a registry Key called "MUICache" under the "ShellNoRoam key that is basically useless.  It lists everything that has been opened recently.