The Registry

The Registry

DEFINITION: The Windows 9x/NT/2000/ME/XP Registry is a complex, unified, system wide, continually referenced during operation database, used for centrally storing, locating, editing and administering system, hardware, software and user configuration information, following a hierarchical structure.
It was introduced to replace the text/ASCII based MS -DOS configuration (.BAT, .SYS) and MS Windows initialization (.INI) files.

Structure of Registry in windows 9X is Different from that 545b111f of Windows NT,2000 and XP.

Windows 95/98/ME :In these operating systems Registry is stored in these 5 files, with the Hidden, Read-only attributes for write-protection purposes, usually located in the %WinDir% folder (default is C:\Windows) .

• SYSTEM.DAT = stores persistent hardware and software settings related to the system it resides on, contained in the (HKEY_CLASSES_ROOT = Windows 95 and 98 only) and HKEY_LOCAL_MACHINE Hive keys.
• USER.DAT = stores user specific and software settings contained in the HKEY_CURRENT_USER Hive key. If more than one user, then multiple user profiles enable each user to have their own separate USER.DAT file, located in %WinDir%\Profiles\%UserName%. When a user logs on, Windows OS (down)loads both USER.DAT files: the one from the local machine %WinDir% (global user settings), and the most recent one from the local machine %WinDir%\Profiles\%UserName%, or from the central (host) server if user profiles reside on a network (local user settings).
• CLASSES.DAT = stores persistent data contained in the HKEY_CLASSES_ROOT Hive key, found only on Windows ME.
• SYSTEM.DA0 and USER.DA0 = automatically created backups of SYSTEM.DAT and USER.DAT from the last successful Windows GUI startup, and found only on Windows 95

Windows NT/2000/XP :Registration Database is contained in these 5 files located in the %SystemRoot%\System32\Config folder (default is C:\Winnt\System32\Config for Windows NT/2000 or C:\Windows\System32\Config for Windows XP):

• DEFAULT = stores the HKEY_USERS\.Default key.
• SAM = stores the HKEY_LOCAL_MACHINE\Sam key.
• SECURITY = stores the HKEY_LOCAL_MACHINE\Security key.
• SOFTWARE = stores the HKEY_LOCAL_MACHINE\Software key.
• SYSTEM = stores the HKEY_LOCAL_MACHINE\System key and the HKEY_CURRENT_CONFIG Hive key,
  
  these files located in the %SystemRoot%\Profiles\%UserName% folder:
• NTUSER.DAT and USRCLASS.DAT (Windows XP only) = store the HKEY_CURRENT_USER Hive key,

Editing Registry

Always make sure that you know what you are doing when changing the registry or else just one little mistake can crash the whole system. That's why it's always good to back it up!

To view the registry (or to back it up), you need to use the Registry Editor tool. There are two versions of Registry Editor:

:To modify the Registry, you need to use a Registry Editor:

• Regedit.exe (Windows 95/98/ME/NT/2000/XP) = located in %WinBootDir% (%SystemRoot%) has the most menu items and more choices for the menu items. You can search for keys and subkeys in the registry.
• Regedt32.exe (Windows NT/2000/XP) = located in %SystemRoot%\System32,enables you to search for strings, values, keys, and subkeys. This feature is useful if you want to find specific data.

Registry Structure

For ease of use, the Registry is divided into five separate structures that represent the Registry database in its entirety. These five groups are known as Keys, and are discussed below:

HKEY_CURRENT_USER
This registry key contains the configuration information for the user that is currently logged in. The users folders, screen colors, and control panel settings are stored here. This information is known as a User Profile.

HKEY_USERS
In windowsNT 3.5x, user profiles were stored locally (by default) in the systemroot\system32\config directory. In NT4.0, they are stored in the systemroot\profiles directory. User-Specific information is kept there, as well as common, system wide user information.

HKEY_LOCAL_MACHINE
This key contains configuration information particular to the computer. This information is stored in the systemroot\system32\config directory as persistent operating system files, with the exception of the volatile hardware key.

HKEY_CLASSES_ROOT
The information stored here is used to open the correct application when a file is opened by using Explorer and for Object Linking and Embedding. It is actually a window that reflects information from the HKEY_LOCAL_MACHINE\Software subkey.

HKEY_CURRENT_CONFIG
The information contained in this key is to configure settings such as the software and device drivers to load or the display resolution to use. This key has a software and system subkeys, which keep track of configuration information.

REG Files

.REG file, which can be in:

• plain text/ASCII format in Windows 95/98/ME and NT/2000/XP or
• binary format in Windows 2000/XP.
  
  Text .REG files can be easily viewed/created/edited by hand using any text/ASCII editor, like Notepad

Their purpose is to add, modify or delete Registry (Sub)Keys and/or Values.

Writing .Reg Files

1.) Header line: this FIRST line is mandatory. MUST contain only these exact words (case sensitive = character capitalization required!):

• REGEDIT4 = for Windows 95/98/ME and NT 4.0 or
• Windows Registry Editor Version 5.00 = for Windows 2000/XP.
  This is the only way Windows OS can recognize, validate and run a .REG file.

2.) Empty (blank) line: this second line is optional. Similar to inserting a carriage return (CR).

3.) Remarked (comment) line(s): optional. MUST begin with a semicolon (;) which may be followed by a space (optional). May be inserted anywhere in the .REG file, but NOT before the header, which MUST be present as FIRST line.

4.)(Sub)Key line: MUST be preceded and terminated by square parenthesis ([]). (Sub)Key name MUST start with the Hive Key name (left end) and MUST contain entire Subkey pathway leading to the current Subkey name (right end). Consecutive (Sub)Key names MUST be separated by SINGLE backslash marks (\).
(Sub)Key names not present in the Registry will be automatically created when the REG file is merged into the Registry. Exception: new Hive (Root) Keys can be created ONLY in Windows NT4/2000/XP, but NOT in Windows 95/98/ME.

5.) Value line: MUST contain these elements in this exact order:

• Value name: MUST be preceded and terminated by quotation marks ("").
• Equal mark (=): separates Value name from Value type.
• Value type: MUST be specified (Dword [REG_DWORD], Binary [REG_BINARY], etc) if Value type other than String [REG_SZ].
• Colon mark (:): MUST exist if Value type other than String.
• Value data: MUST be in the same format as defined by Value type: text/ASCII, Unicode/ANSI, (alpha)numeric (decimal, hexadecimal or binary) etc. MUST be preceded and terminated by quotation marks ("") ONLY IF Value type is String.
  Value Data syntax
• String Value [REG_SZ] (API Code 1):

"ValueName"="ValueData"
Value Data is expressed here in Unicode or ANSI formats: simple text/ASCII, expanded or extended.

• Dword Value [REG_DWORD] (API Code 4):

"ValueName"=ValueType:ValueData
Value Data is expressed here in Double WORD (4 bytes = 32 bits) formats: decimal, hexadecimal or binary.

o        Large Binary (hex) Value (any Binary Value API Code):

"ValueName"=ValueType(API Code):ValueData,ValueData,\
ValueData,ValueData

Large Values can span onto more than one line. Each line (except the last one) is terminated by a comma (,) followed by a SINGLE backslash mark (\). Consecutive lines are separated by carriage returns (CR).

Separators and delimiters used in REG files on path name lines to separate drive letters, directory (folder) names and file names, or used on command line parameters lines etc... MUST be typed as DOUBLE backslash marks (\\).

6.) Empty (blank) line: this LAST line is mandatory for proper operation. Similar to inserting a carriage return (CR) at the end of file.

This is how a generic text/ASCII .REG file looks like:

-----Begin cut ∓ paste here-----
REGEDIT4
; Comment line:
[HKEY_KEY_NAME\SubkeyName1\SubKeyName2]
; String Value format:
"ValueName"="ValueData"
; Dword or Binary Value format:
"ValueName"=ValueType:ValueData

------End cut ∓ paste here------

Example of actual .REG file:

-----Begin cut ∓ paste here-----
REGEDIT4
; First Value below displays MS Windows version:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
; String Value format:
"Version"="Windows ME"
; Dword Value format:
"CacheWriteDelay"=dword:00000320
; Binary Value format:
"OldWinVer"=hex:00

Data Type

The "Data Type" refers to the type of data - or data format - of the registry value. Data types are usually:

• REG_BINARY, in which the value is stored in raw binary code.
• REG_DWORD, which is typically used for boolean values in your registry and is a four-byte number. This registry data type might show in your REGEDIT tool as a decimal or hexadecimal format.
• REG_EXPAND_SZ, which is a string of variables that are replaced when this data type is called to action by software.
• REG_MULTI_SZ, which is used for registry values that are composed of multiple values or lists. In this data format, each of these values or lists are seperated by a null character type.
• REG_SZ, which is used for text values and strings.

System Key

"System Key" stands for the location of a Windows registry value. Usually your computer's system keys can be found under "HKEY_LOCAL_MACHINE", and because of this system keys will affect your entire system.

User Key

Your "User Key" in your registry stands for the location of a specific Windows registry value. Typically, your computer's user keys can be found under "HKEY_CURRENT_USER", and because of this, user keys only affect the settings of the current Windows system user or account.

Value Data

"Value Data" refers to what data is acceptable to be written to the registry value.

Value Name

The "Value Name" refers to what the name of a registry value that you'll be creating or editing. Typically, value names are not case sensitive.