Windows Registry Tutorial

2011-07-01 16:58

This article explains how to use the Windows Registry.
The Registry is the central storehouse for all settings for the Windows operating systems.
This includes hardware configuration, file associations, and control panel settings.
Many other programs will also store settings in the registry.

Accessing the Registry

To examine and modify the registry, use the regedit.exe program that is located in the operating system directory.

To open regedit.exe, follow this procedure:

1. Open the Start Menu.

2. Choose "Run".

3. Enter "regedit" and press Enter.

Structure

The registry is made up of "Keys".
Each key is like the branch of a tree.
Each key has one parent key, and zero or more child keys.
Each key can contain zero or more "Values", each of which contains a single piece of data.

To make navigating the registry a bit easier, you can think of the registry's construction like your hard drives.

Hard drive <-> Registry

Folders <-> Keys

Files <-> Values

The registry contains 6 main keys:

HKEY_CLASSES_ROOT ---- Contains information on file types, including which programs are used to open a particular file type.

HKEY_CURRENT_USER ---- Contains user-specific settings that
are built from information in the HKEY_USERS key during the logon
process.

HKEY_LOCAL_MACHINE ---- Contains computer-specific
information including installed hardware and software. This is the one
users tend to spend the most time in.

HKEY_USERS ---- Contains information (generic and
user-specific) about all the users who log on to the computer. The
generic settings are available to all users who log on to the computer.
The information is made up of default settings for programs, desktop
configurations, and so on. This key contains subkeys for each user that
logs on to the computer.

HKEY_CURRENT_CONFIG ---- Contains information about the computer's hardware configuration.

HKEY_DYN_DATA ---- Contains real-time performance statistics on the computer's hardware.

HKEY_LOCAL_MACHINE (HKLM)

Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are specific to the local computer.[11]

The key located by HKLM is not actually stored on disk; the system
kernel maintains it in memory as the place where all the other subkeys
are mapped. Applications cannot create any additional subkeys. On
NT-based versions of Windows, this key contains four subkeys, "SAM",
"SECURITY", "SYSTEM", and "SOFTWARE", that are loaded at boot time
from their respective files located in
the %SystemRoot%\System32\config folder. A fifth subkey, "HARDWARE", is
volatile and is created dynamically, and as such is not stored in a file
(it exposes a view of all the currently detected Plug-and-Play devices).
On Windows Vista, Windows Server 2008, Windows Server 2008 R2, and
Windows 7, a sixth subkey is mapped in memory by the kernel and
populated from boot configuration data (BCD).
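
The mapping between HKLM subkeys and their backing files can be checked on a live system. The following is an added example, not part of the original article; it assumes the standard hivelist key under the current Control Set and only reads from the registry. A volatile subkey such as "HARDWARE" is expected to show no file.

```powershell
# Added example (read-only). The hivelist key is a standard Windows location,
# not something named in the original article.
$hivelist = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'

function Get-MachineHiveMap {
    param([Parameter(Mandatory = $true)][Microsoft.Win32.RegistryKey]$Key)
    foreach ($name in $Key.GetValueNames()) {
        # Value names are kernel paths such as \REGISTRY\MACHINE\SYSTEM;
        # skip the per-user hives listed under \REGISTRY\USER.
        if ($name -notlike '\REGISTRY\MACHINE\*') { continue }
        $file = [string]$Key.GetValue($name)
        [pscustomobject]@{
            Subkey   = 'HKLM\' + ($name -replace '^\\REGISTRY\\MACHINE\\', '')
            # An empty data field means the subkey lives only in memory.
            Volatile = [string]::IsNullOrEmpty($file)
            # For file-backed hives the data is an NT device path to the hive file.
            File     = $file
        }
    }
}

Get-MachineHiveMap -Key $hivelist | Sort-Object Subkey | Format-Table -AutoSize
```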

The "HKLM\SAM" key usually appears empty for most users (unless
they are granted access by administrators of the local system or
administrators of domains managing the local system). It is used to
reference all "Security and Accounts Management" (SAM) databases for all
domains into which the local system has been administratively
authorized or configured (including the local domain of the running
system, whose SAM database is stored in a subkey also named "SAM"; other
subkeys will be created as needed, one for each supplementary domain).
Each SAM database contains all builtin accounts (mostly group aliases)
and configured accounts (users, groups and their aliases, including
guest accounts and administrator accounts) created and configured on the
respective domain. For each account in that domain, it notably contains
the user name which can be used to log on to that domain, the internal
unique user identifier in the domain, their cryptographically hashed
password on that domain, the location of storage of their user registry
hive, various status flags (for example, whether the account can be
enumerated and be visible in the logon prompt screen), and the list of
domains (including the local domain) into which the account was configured.

The "HKLM\SECURITY" key usually appears empty for most users (unless
they are granted access by users with administrative privileges) and is
linked to the Security database of the domain into which the current
user is logged on (if the user is logged on to the local system domain,
this key will be linked to the registry hive stored by the local machine
and managed by local system administrators or by the builtin "System"
account and Windows installers). The kernel will access it to read and
enforce the security policy applicable to the current user and all
applications or operations executed by this user. It also contains a
"SAM" subkey which is dynamically linked to the SAM database of the
domain to which the current user is logged on.

The "HKLM\SYSTEM" key is normally only writable by users with
administrative privileges on the local system. It contains information
about the Windows system setup, data for the secure random number
generator (RNG), the list of currently mounted devices containing a
filesystem, several numbered "HKLM\SYSTEM\Control Sets" containing
alternative configurations for system hardware drivers and services
running on the local system (including the currently used one and a
backup), a "HKLM\SYSTEM\Select" subkey containing the status of these
Control Sets, and a "HKLM\SYSTEM\CurrentControlSet" which is dynamically
linked at boot time to the Control Set which is currently used on the
local system. Each configured Control Set contains:

an "Enum" subkey enumerating all known Plug-and-Play devices and
associating them with installed system drivers (and storing the
device-specific configurations of these drivers),

a "Services" subkey listing all installed system drivers (with non
device-specific configuration, and the enumeration of devices for which
they are instantiated) and all programs running as services (how and
when they can be automatically started),

a "Control" subkey organizing the various hardware drivers and
programs running as services and all other system-wide configuration,

a "Hardware Profiles" subkey enumerating the various profiles that
have been tuned (each one with "System" or "Software" settings used to
modify the default profile, either in system drivers and services or in
the applications) as well as the "Hardware Profiles\Current" subkey
which is dynamically linked to one of these profiles.
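
To see how "Select", the numbered Control Sets and the "Services" subkey fit together, the following added example (not part of the original article) resolves the Control Set in use and lists the drivers and services that start without user action, which is a useful baseline to keep for later comparison. It assumes the standard value names "Current" and "LastKnownGood" under Select and "Start", "Type" and "ImagePath" under each service entry; the function name is hypothetical, and the script only reads.

```powershell
# Added example (read-only). Value names Current/LastKnownGood and
# Start/Type/ImagePath are standard Windows names, not taken from the article.

# HKLM\SYSTEM\Select records which numbered Control Set was chosen at boot.
$select  = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$current = 'ControlSet{0:D3}' -f [int]$select.Current
$backup  = 'ControlSet{0:D3}' -f [int]$select.LastKnownGood

# Meaning of the Start and Type DWORDs found under each Services subkey.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$typeNames  = @{ 1 = 'Kernel driver'; 2 = 'File system driver'
                 16 = 'Service (own process)'; 32 = 'Service (shared process)' }

function Get-ControlSetService {
    param([Parameter(Mandatory = $true)][string]$ControlSet)
    Get-ChildItem -Path "HKLM:\SYSTEM\$ControlSet\Services" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $start = $_.GetValue('Start')
            $type  = $_.GetValue('Type')
            # Entries without Start/Type are not startable drivers or services.
            if ($null -eq $start -or $null -eq $type) { return }
            [pscustomobject]@{
                Name      = $_.PSChildName
                Start     = if ($startNames.ContainsKey($start)) { $startNames[$start] } else { "$start" }
                Type      = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { '0x{0:X}' -f $type }
                # Keep %SystemRoot% and similar variables unexpanded, exactly as stored.
                ImagePath = $_.GetValue('ImagePath', $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            }
        }
}

# CurrentControlSet is a link, so both paths should list the same entries.
$viaLink   = @(Get-ControlSetService -ControlSet 'CurrentControlSet')
$viaNumber = @(Get-ControlSetService -ControlSet $current)
"Select\Current -> $current (backup: $backup)"
"Entries via CurrentControlSet: $($viaLink.Count), via ${current}: $($viaNumber.Count)"

# Drivers and services that start without user action.
$viaNumber | Where-Object { $_.Start -in 'Boot', 'System', 'Automatic' } |
    Sort-Object Start, Name | Format-Table Name, Start, Type, ImagePath -AutoSize
```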

The "HKLM\SOFTWARE" subkey contains software and Windows settings
(in the default hardware profile). It is mostly modified by application
and system installers. It is organized by software vendor (with a subkey
for each), but also contains a "Windows" subkey for some settings of
the Windows user interface, a "Classes" subkey containing all registered
associations from file extensions, MIME types, Object Class IDs and
Interface IDs (for OLE, COM/DCOM and ActiveX), to the installed
applications or DLLs that may be handling these types on the local
machine (however these associations are configurable for each user, see
below), and a "Policies" subkey (also organized by vendor) for enforcing
general usage policies on applications and system services (including
the central certificates store used for authenticating, authorizing or
disallowing remote systems or services running outside of the local
network domain).