The Windows XP Registry - PowerPoint PPT Presentation

Slides: 77
Provided by: carlbs

Transcript and Presenter's Notes

1
The Windows XP Registry
  • 70-270 MCSE Guide to Microsoft Windows XP
    Professional

2
Windows Registry Overview (Page 1)
  • The Registry is a hierarchical database of
    information about system configuration
  • Stores information essential to the functioning
    of Windows XP
  • Information for Microsoft and third-party
    applications

3
Windows Registry Overview (Page 2)
  • Information replaces initialization files, e.g.
    the WIN.INI (or other .ini files), or the
    Autoexec.bat and Config.sys files of MS-DOS and
    Windows 3.x
  • It is not a text file, but rather several files
    with data in binary or encrypted format

4
Windows Registry Overview (Page 3)
  • Many changes are made to the system
    configurations through various Control Panel
    applets and applied to Registry
  • It usually is better to use the appropriate
    Windows interface
  • If the Registry Editor is used incorrectly,
    serious problems may result that require
    reinstalling the operating system

5
Windows Registry Overview (Page 4)
  • Some settings can be established or changed only
    by editing Registry directly
  • In that case run the Registry editor from the
    "Start" menu by entering command "regedit" at the
    Run command
  • Either way, the Registry is designed for
    programming ease as well as speed of interaction
    for processes

6
Windows Registry Components (Page 1)
  • Left pane shows a hierarchical structure
  • Keys: top-level containers in the hierarchy
  • Each key starts with HKEY (to indicate
    highest-level status), e.g. HKEY_LOCAL_MACHINE
  • Subkeys: within each subkey exists
  • One or more values
  • Or additional subkey levels

7
Hierarchical Registry Structure
8
Windows Registry Components (Page 2)
  • Right pane displays the value entries
  • Named parameters for control settings or
    configuration data
  • Each value entry is composed of three elements
    (1) the entry name, (2) data type, and (3) data
    value

9
Registry Data Types (Page 1)
  • Binary: binary format
  • Most hardware component information is stored as
    binary data
  • Actually displayed in hexadecimal format
  • Referred to as REG_BINARY
  • DWORD: binary, hex or decimal
  • Hexadecimal numbers are displayed starting with
    the characters "0x", as in 0xC (12)
  • Referred to as REG_DWORD

10
Registry Data Types (Page 2)
  • String: fixed-length text string
  • Referred to as REG_SZ
  • Multiple String: contains multiple human-readable
    characters
  • Entries are delimited by spaces, commas, or other
    marks (e.g. NULLs)
  • Referred to as REG_MULTI_SZ

11
Registry Data Types (Page 3)
  • Expandable String: contains variables that are
    resolved (replaced) when a program or service
    uses the data
  • e.g. %systemroot%\File.exe
  • Referred to as REG_EXPAND_SZ
  • This list is not complete, but rather is a
    partial list of the most common data types

12
Registry Data Types (Page 4)
  • Additionally there is a type "None" when the data
    has no particular type
  • Written to registry by applications or the
    system, and is displayed in hexadecimal format as
    binary
  • Referred to as REG_NONE

13
Windows Registry (Page 1)
  • Not a complete collection of settings
  • Holds only exceptions to defaults
  • To alter a value that is a default, a new value
    entry must be added to Registry
  • Administrator must know the exact syntax,
    spelling, location, and valid values
  • Always edit with extreme care
  • The Microsoft Windows XP Professional Resource
    Kit includes help file (Registry.chm) with all
    possible entries and valid values

14
Windows Registry (Page 2)
  • Each time Windows XP starts, Registry is loaded
    into memory from files on the hard drive
  • Changes become effective immediately
  • Only on rare occasions is rebooting the system
    required
  • Written from memory back to hard drive files on
    shutdown

15
Windows Registry (Page 3)
  • The Registry is stored not in one file, but
    rather in several
  • Each contains a discrete body of keys, subkeys
    and values known as a hive
  • Complete listing of path and filenames are found
    in Registry at subkey
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

16
The Registry Keys
  • The five highest-level keys (HKEY) in the
    Registry are
  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS
  • HKEY_CURRENT_CONFIG

17
Root Key Abbreviations
  • The root keys have an abbreviated format
  • For example the abbreviation for the
    HKEY_LOCAL_MACHINE key is HKLM
  • (So subkeys can be rendered using a shorter
    format, e.g. HKLM\HARDWARE)
  • Abbreviations for the other root keys are
  • HKEY_CLASSES_ROOT: HKCR
  • HKEY_CURRENT_USER: HKCU
  • HKEY_USERS: HKU
  • HKEY_CURRENT_CONFIG: HKCC

18
HKEY_LOCAL_MACHINE (Page 1)
  • Controls the local computer, establishing
    configuration of hardware and operating system
    environment
  • Includes information about the hardware devices,
    installed applications, device drivers, kernel
    services, physical settings
  • Dependent on physical composition of the hardware
    and software present on machine
  • Not dependent on logged-on user, or currently
    running processes or applications

19
HKEY_LOCAL_MACHINE (Page 2)
  • The five subkeys are HARDWARE, SAM, SECURITY,
    SOFTWARE and SYSTEM
  • All these subkeys except HARDWARE are saved to
    hive files in
  • %systemroot%\system32\config (usually
    C:\Windows\system32\config)
  • The files cannot be opened manually

20
HKEY_LOCAL_MACHINE
21
HKEY_LOCAL_MACHINE Files
22
HKEY_LOCAL_MACHINE\HARDWARE (Page 1)
  • Sub key containing data related directly to
    physical devices installed on a computer
  • Configuration data
  • Device driver settings
  • Mappings and linkages
  • Relationships between kernel-mode and user-mode
    hardware calls
  • IRQ hooks

23
HKEY_LOCAL_MACHINE\HARDWARE (Page 2)
  • Re-created from data read from state of physical
    devices and associated device drivers each time
    system starts
  • Does not save when system shuts down
  • Does not map to a specific hive file
  • Contents should not be manipulated
  • Should be no need since settings always reflect
    current state of system
  • Most data is encrypted in binary format

24
HKEY_LOCAL_MACHINE\HARDWARE (Page 3)
  • Subkeys
  • DESCRIPTION: data extracted from device's firmware
    or BIOS
  • DEVICEMAP: information about device driver paths,
    locations and filenames
  • RESOURCEMAP: information about mappings between
    system resources (I/O ports, I/O memory address,
    interrupts, direct memory access) and device
    drivers

25
HKEY_LOCAL_MACHINE\HARDWARE (Page 4)
  • Subkeys (con.)
  • ACPI (not always present): when the system supports
    the Advanced Configuration and Power Interface
  • OWNERMAP (only present when certain bus types are
    present in computer)
  • Same information is viewable from Start menu →
    Programs → Accessories → System Tools → System
    Information

26
HKEY_LOCAL_MACHINE\SAM (Page 1)
  • Subkey which is the Security Accounts Manager
    (SAM) database
  • Contains data related to security
  • Location where user accounts and group
    memberships are defined
  • Stores the entire security structure of the
    Windows XP system

27
HKEY_LOCAL_MACHINE\SAM (Page 2)
  • Do not attempt to modify this subkey
  • Not viewable in the Registry Editor
  • Most data is in binary or encrypted format
  • Also has a security setting so only System (or
    the System utility) has read/write rights
  • Use the Local Users and Groups applet in Control
    Panel to manipulate data
  • Resides in a hive file named SAM in the
    \systemroot\System32\config directory

28
HKEY_LOCAL_MACHINE\SECURITY (Page 1)
  • Subkey which serves as a container for security
    policy on the local machine
  • Applies to all local users
  • Defines control parameters, such as
  • Password policy
  • User rights
  • Account lockout
  • Audit policy
  • General security options for local machine

29
HKEY_LOCAL_MACHINE\SECURITY (Page 2)
  • Do not attempt to modify this subkey
  • Not viewable in the Registry Editor
  • Most data is in binary or encrypted format
  • Also has a security setting so only System
    utility has read/write rights
  • Use the Local Security Policy applet in
    "Administrative Tools" in "Control Panel" to
    manipulate data
  • Resides in a hive file named SECURITY in
    \systemroot\System32\config directory

30
HKEY_LOCAL_MACHINE\SOFTWARE
  • Subkey which serves as a container for data about
    installed software and mapped file extensions
  • Applies to all local users
  • HKLM\SOFTWARE\Classes subkey stores same data as
    HKEY_CLASSES_ROOT key
  • In fact it is created by copying data from
    HKLM\SOFTWARE\Classes subkey
  • Resides in a hive file named SOFTWARE in
    \systemroot\System32\config directory

31
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES
32
HKEY_LOCAL_MACHINE\SYSTEM (Page 1)
  • Subkey that stores data required to boot Windows
    XP
  • Startup parameters
  • Loading order for device drivers
  • Service startup credentials (settings and
    parameters)
  • Basic operating system behavior

33
HKEY_LOCAL_MACHINE\SYSTEM (Page 2)
  • Essential to start process of Windows XP
  • Contains subkeys called control sets that include
    complete information about start process for the
    system
  • Resides in a hive file named SYSTEM in
    \systemroot\System32\config directory

34
HKEY_LOCAL_MACHINE\SYSTEM
35
HKEY_LOCAL_MACHINE\SYSTEM (Page 3)
Update HKLM\System\LocalDevices by changing drive
letter for any partition using "Computer
Management" applet
  • The MountedDevices subkey contains settings for
    storage devices including the control set boot
    status
  • Additionally contains Control set subkeys called
    CurrentControlSet, ControlSet001, ControlSet002,
    etc.
  • CurrentControlSet is redirected from one of the
    numbered control sets as identified in the
    HKLM\SYSTEM\Select subkey (the Default value
    entry)

36
HKEY_LOCAL_MACHINE\SYSTEM (Page 4)
  • Control set subkeys (con.)
  • Each control set has four subkeys
  • Control: data related to controlling system
    startup, boot parameters, computer name, and
    necessary subsystem to initiate
  • Enum: data regarding required device drivers and
    their configurations
  • Hardware Profiles: the one currently in use
  • Services: data about drivers, services, file
    systems, and required components needed to load
    services during bootup, and order in which they
    are called

37
HKEY_LOCAL_MACHINE\SYSTEM\Select Subkey
  • HKLM\SYSTEM\Select subkey values reference the
    Control sets
  • Default: which one will be used during the next
    bootup
  • Current: which one was used to start current
    session
  • LastKnownGood: which one was used to boot and
    successfully log on a user (more to
    follow); select <F8> when booting
  • Failed: which one was replaced from the
    LastKnownGood because of failure to start

38
The <F8> Selection Menu
39
HKEY_CLASSES_ROOT (Page 1)
  • Container for information pertaining to
    application associations based on file extensions
    and COM object data
  • Copied from HKLM\SOFTWARE\Classes subkey
  • Maintained for backward compatibility and not
    strictly required by Windows XP

40
HKEY_CLASSES_ROOT (Page 2)
  • Do not edit contents of this key directly in the
    Registry Editor
  • To update use either
  • "File Types" tab of Folder Options in "Control
    Panel", or
  • Select Tools menu → Folder Options command in
    "Windows Explorer"

41
HKEY_CURRENT_CONFIG (Page 1)
  • Container for data that pertains to whatever
    hardware profile is currently in use
  • Links to the
  • HKLM\SYSTEM\CurrentControlSet\HardwareProfiles\Current subkey
  • Maintained for backward compatibility
  • Not strictly required by Windows XP

42
HKEY_CURRENT_CONFIG (Page 2)
  • Do not edit directly in the Registry Editor
  • To update use Device Manager in "Control Panel"
    by selecting either
  • The Device Manager interface on the "Hardware"
    tab of Systems applet, or
  • The Device Manager node from "Computer
    Management" utility in Administrative Tools
  • Use the Hardware Profiles interface on the
    "Hardware" tab of Systems applet in "Control
    Panel" to select a profile

43
HKEY_CURRENT_USER
  • Container for profile for whichever user is
    currently logged on
  • Contents are built each time a user logs on by
    copying appropriate subkey from the HKEY_USERS
    key
  • Should not be edited directly
  • Modify the user's profile through conventional
    profile management techniques
  • Values stored in the \Documents and
    Settings\username folder

44
HKEY_USERS (Page 1)
  • Contains profiles for all current users who have
    ever logged onto system
  • The key is built each time the system boots
  • Loads a default user profile file and locally
    stored copies of either "Ntuser.dat" or
    "Ntuser.man" from user's profile directory
    (\Documents and Settings\username)
  • HKEY_USERS\.Default node is location for the
    default (new) user settings

45
Ntuser.dat
46
HKEY_USERS (Page 2)
  • Should not be edited directly
  • Modify the user's profile through conventional
    profile management techniques
  • To remove user profile from this key, delete the
    user account utilizing either User Accounts or
    Computer Management
  • The latter from Administrative Tools
  • Subkeys in HKEY_USERS use Windows Security IDs
    (SIDs) to identify users, and not usernames

47
HKEY_DYN_DATA
  • Appears only on machines with Windows 95 or
    Windows 98 applications that use older versions
    of Plug and Play
  • Maintained for backward compatibility

48
Registry Editors
  • Two tools that can be used to operate on the
    Registry directly
  • Regedit.exe: a GUI viewer and editor
  • Reg.exe: a command-line utility

49
Regedit.exe (Page 1)
  • Combines all of keys into a single display
  • Can be executed from the Start menu → Run
    command
  • Type "regedit" and click the <OK> button
  • Double-click keys or click the + and - buttons to
    open and close nodes

50
Regedit.exe (Page 2)
Close all nodes to the five highest-level
keys, then try searching for the
DefaultUserName value entry
  • Functions include
  • Global searching
  • Select Edit menu → Find command
  • Use the <F3> function key to continue searching
    with the same search value

51
Regedit.exe (Page 3)
  • Functions include (con.)
  • Security manipulation (more next slide)
  • Select any key or subkey in Registry
  • Select Edit menu → Permissions command
  • Set Full Control, Read and/or Special Permissions

52
Protecting the Registry
  • The Registry should only be edited by a qualified
    person
  • Permissions can be assigned to the hives and keys
    within the Registry
  • Almost identical to assigning permissions and
    protecting files and folders on any NTFS
    partition
  • Only privileged groups and users should be
    allowed to edit and view the Registry

53
Reg.exe (Page 1)
  • Console Registry tool for Windows XP, executed as
    a command-line utility (not a GUI interface)
  • Permits users, batch files, or programs (scripts)
    to operate on the Registry
  • Update seems to have been eliminated from the
    Windows XP version
  • Not as convenient or user-friendly as Regedit.exe

54
Reg.exe (Page 2)
  • Launch the command prompt
  • Start menu → Programs → Accessories → Command
    Prompt, or
  • Start menu → Run command, then type "cmd" and
    click the <OK> button
  • Type "reg" and press the <Enter> key to view basic
    documentation
  • Notice each major key can be abbreviated, e.g.
    HKLM for HKEY_LOCAL_MACHINE

55
Reg.exe (Page 3)
  • Use the "reg query" command to view contents for
    a specific key or keys
  • Type "reg query /?" for help on the query function

56
Reg.exe (Page 4)
  • Format of the query function
  • reg query SubKeyName /v ValueName
  • Quotes may be needed around the SubKey structure
    if any elements are two or more words
  • The "/v" parameter tells Reg.exe to search for
    the specific value entry
  • Example to view your logon name
  • reg query "HKLM\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Winlogon" /v DefaultUserName

57
A Sample Batch File
Create this file and save it on the Desktop, then
execute it from the Command prompt
58
Changing the Registry (Page 1)
  • Back up all important data on computer before
    editing Registry
  • Make a distinct backup of all or the part of
    Registry that will be changed
  • Saving each key or subkey individually is
    recommended
  • Restart machine before editing Registry
  • Writes any unsaved values to disk

59
Changing the Registry (Page 2)
  • Perform only a single Registry modification at a
    time (test before going on)
  • Restart immediately after each change
  • Forces full system compliance with new settings
    in Registry
  • Test changes on nonproduction system before
    deploying on critical production systems

60
Registry Storage Files (Page 1)
  • Static images of the Registry are stored in
    \systemroot\System32\config and
    \systemroot\Repair of boot partition
  • Files do not necessarily match one-to-one with
    top-level keys
  • Large number of files are used for storing
    Registry data which are available for backup or
    for rollback versions
  • Files are categorized as subkey files, logging
    files and backup files

61
Registry Storage Files
62
Registry Storage Files (Page 2)
  • The Registry file extensions
  • No extension: the actual storage file itself (the
    hive file)
  • .alt: the backup file for the subkey
  • Only HKLM\SYSTEM has a backup file
  • .log: log files record all successful and failed
    changes to Registry
  • Verifies all modifications are completed
  • .sav: copies of original key values after the text
    portion of Windows XP installation

63
Registry Storage Files (Page 3)
  • Only two of HKEY_LOCAL_MACHINE subkeys are stored
    in files
  • Default subkey of HKEY_USERS key
  • HKEY_CURRENT_USER key
  • Other subkeys built "on the fly" or copied from
    subkeys of HKEY_LOCAL_MACHINE

64
Registry Storage Files (Page 4)
  • The ERD (Emergency Repair Disk) no longer exists
    in Windows XP
  • Copy \systemroot\System32\Config and
    \systemroot\Repair directories to create a
    custom ERD (more to follow in section on backup
    and recovery)

65
Registry Fault Tolerance (Page 1)
  • If the Registry becomes corrupted or is
    destroyed, Windows XP cannot function or even
    start
  • Fault tolerance of Registry is sustained by its
    structure
  • Uses an "all or nothing" approach
  • If change is interrupted, desired change is not
    implemented and the Registry remains in its
    previous state
  • Interrupted due to power failure, hardware
    failure, too little CPU time, etc.

66
Registry Fault Tolerance (Page 2)
  • Memory residence also supports fault
    tolerance: changes to the registry are made in
    RAM
  • They become permanent when key values are written
    to disk during a process known as a flush, which
    occurs
  • At system shutdown
  • When forced by an application
  • Occasionally just after a Registry alteration

67
Registry Fault Tolerance (Page 3)
  • Fault tolerance also built-in through the use of
    Transaction logs
  • Alterations are written first to appropriate log
  • If the system fails before flush is complete,
    original state of the key can be recovered from
    log and stored to Registry in RAM
  • The flush operation for the HKLM\SYSTEM key uses
    the backup file (System.alt) to store the changes
    until update is complete
  • Then updates the backup as well

68
Backing Up the Registry (Page 1)
  • Important to back up the Registry in one of
    several ways
  • Use Windows XP Backup tool or some other third
    party backup utility
  • Usually involves selecting a "Backup the
    Registry" or "System State" checkbox
  • Manually make copies of the files in the
    \systemroot\System32\config and
    \systemroot\Repair folders
  • For creating the custom ERD

69
Backing Up the Registry (Page 2)
Back up the HKLM\SOFTWARE subkey
  • Use the tools in the "Microsoft Windows XP
    Professional Resource Kit"
  • Launch Regedit.exe to back up all or part of the
    Registry
  • Select a root key or subkey
  • From File menu → Export command
  • Make sure the Selected Branch radio button in the
    "Export Range" group is selected
  • Enter filename and select path, then click the
    <Save> button

70
Restoring the Registry (Page 1)
  • First Windows XP uses its automatic
    fault-tolerance mechanisms to maintain a
    functional Registry
  • Otherwise access the boot option by pressing <F8>
    and select Last Known Good Configuration (LKGC)
  • The most recent settings that worked
  • Any changes made since the LKGC was stored will
    be lost

71
Restoring the Registry (Page 2)
  • If the LKGC fails
  • Use backup software such as UltraBac
    (www.ultrabac.com) to restore Registry files
  • Reinstall Windows XP, either fully or as an
    upgrade, the latter of which may replace the part
    of the Registry causing problem
  • If system boots but is not functioning the way it
    should, use your Registry backup
  • Same tool used to create the backup

72
Restoring the Registry (Page 3)
Before beginning, modify the "LegalNoticeText"
value entry in the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system subkey
  • Use the Import tool if the Regedit.exe export
    command was used to create the backup
  • From File menu → Import command
  • Select the file
  • Click the <Open> button
  • Wait until a message indicates the import was
    successful and click the <OK> button
  • May be full Registry or subset of subkeys
  • The backup .reg file can be executed directly
    without launching Regedit
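The Export and Import commands on this slide and on slide 69 read and write Regedit's text .reg format, which spells out each of the data types from slides 9 through 12 (REG_SZ as a quoted string, REG_DWORD as dword:, REG_BINARY as hex:, REG_EXPAND_SZ as hex(2): and REG_MULTI_SZ as hex(7):, the last two as UTF-16LE bytes). The following Python parser is an added example, not part of the presentation, that decodes a constructed export so a .reg file can be reviewed, including any key or value deletions it would perform, before it is imported.

```python
# Added example (not the deck's code): parse a Regedit 5.00 .reg export and decode its value types.
import re

# Constructed sample export: one key with a value of each common type, plus both Import deletion markers.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Demo]
"Name"="Administrator"
"Count"=dword:0000000c
"Blob"=hex:01,02,ff
"Paths"=hex(7):61,00,00,00,62,00,00,00,00,00
"Exe"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,46,00,69,00,6c,00,65,00,2e,00,65,00,78,00,65,00,00,00
"Stale"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Example\Obsolete]
'''

VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')  # "name"=data or @=data (default value)

def _join_continuations(text):
    """Regedit wraps long hex data with a trailing backslash; rejoin those lines."""
    out = []
    for line in text.splitlines():
        if out and out[-1].endswith("\\"):
            out[-1] = out[-1][:-1] + line.strip()
        else:
            out.append(line.strip())
    return out

def decode_data(raw):
    """Map the right-hand side of a value line to (REG_* type name, Python value)."""
    if raw == "-":
        return "DELETE", None                      # "name"=- removes the value on import
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)       # Regedit shows this as 0xc (12)
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if not m:
        raise ValueError(f"unsupported data syntax: {raw}")
    code, blob = m.group(1), bytes.fromhex(m.group(2).replace(",", ""))
    if code is None:
        return "REG_BINARY", blob
    if code == "2":                                # UTF-16LE text with one NUL terminator
        return "REG_EXPAND_SZ", blob.decode("utf-16-le").rstrip("\x00")
    if code == "7":                                # UTF-16LE, NUL-delimited, double NUL at end
        return "REG_MULTI_SZ", [s for s in blob.decode("utf-16-le").split("\x00") if s]
    return f"REG_TYPE_0x{code}", blob              # e.g. hex(b) is REG_QWORD; left undecoded

def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}}; a deleted key maps to None."""
    tree, key = {}, None
    for line in _join_continuations(text):
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            if key.startswith("-"):                # [-KEY] deletes the whole key on import
                tree[key[1:]], key = None, None
            else:
                tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            raise ValueError(f"unexpected line: {line}")
        name = m.group(1) if m.group(1) is not None else "(Default)"
        tree[key][name] = decode_data(m.group(2))
    return tree
```

Files written by Regedit 5.00 are UTF-16 on disk, so read them with encoding="utf-16" before passing the text to parse_reg.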

73
Windows XP Professional Resource Kit Registry
Tools (Page 1)
  • Tools that are separate from Windows XP
    Professional operating system that can be used to
    manipulate the Registry
  • Purchased from Microsoft as well as most software
    or book vendors

74
Windows XP Professional Resource Kit Registry
Tools (Page 2)
  • Key utilities
  • Regdump.exe: command-line tool used to dump all or
    part of Registry to a file
  • Regfind.exe: command-line tool used to search for
    keys, value names, or data values based on
    keywords
  • Compreg.exe: GUI tool used to compare Registry
    keys and highlight differences

75
Windows XP Professional Resource Kit Registry
Tools (Page 3)
  • Key utilities (con.)
  • Regini.exe: command-line scripting tool to add
    keys to Registry
  • Regback.exe: command-line scripting tool to back
    up keys
  • Regrest.exe: command-line scripting tool to
    restore keys
  • Scanreg.exe: GUI tool used to search for keys,
    value names, or data values based on keywords
