Windows NT Registry


WARNING!!
Editing the registry is very dangerous if you are not sure of what you are doing. Always back up your registry before you make any changes.

One of the most mysterious parts of Windows NT is the Registry. Often, even experienced NT users and administrators have only a vague notion of what it stores and how it organizes data. Given that users can view the Registry's contents with the Registry editors (Regedt32 and Regedit) that NT supplies, this mysteriousness is all the more surprising; the Registry is large, though, and its organization often seems to verge on the haphazard.

Knowing where the Registry displays different types of information makes the Registry less intimidating. Let's start with an overview of its structure and then look at the specific values each of its major data branches contains.

Backing Up The NT Registry

Before making registry changes, you should back up the registry. NT includes the following tools for this:

  • RDISK.EXE - The program that creates Emergency Recovery Disks
  • NTBACKUP.EXE - NT’s Tape Backup Software
  • REGEDIT & REGEDT32 - Allow you to export and import the registry

The NT Server 4.0 Resource Kit also includes CFGBACK.EXE and CFGREST.EXE that you can use to back up the registry prior to making changes.

Registry Editors

Windows NT Server 4.0 includes two different registry editors, REGEDIT and REGEDT32, neither of which is installed on the Administrative Tools menu. REGEDIT presents an Explorer-like, hierarchical view of the registry, while REGEDT32 gives you a view similar to the old Sysedit, where each major subtree is in a separate window.

The other major difference is that REGEDT32 allows you to set permissions (ACLs) on the registry itself, while REGEDIT does not.

NT Registry Location

The registry consists of machine-specific data and user-specific data. The machine-specific components are found in your %systemroot%\SYSTEM32\CONFIG directory. The registry files are:

  • DEFAULT
  • SAM
  • SECURITY
  • SOFTWARE
  • SYSTEM

The user-specific component is called NTUSER.DAT and is found in each user’s profile directory as specified in the User Properties with User Manager For Domains.

NT Registry Log Files

You should note that each component of the NT registry has a log file. Whenever you make changes to the registry, the current data is written into a log file prior to the change. The NT boot-up message:

Press Spacebar to restore last known good menu / Hardware Profile

restores the prior entries from the log files: all of them, regardless of the age of the log file! Be very careful about using this option; it can make your system unstable because it can restore entries that might be months old!

Remote Registry Editing

You can remotely edit another user’s registry if you are an administrator. To edit another computer’s registry, you use the Connect option of the Registry menu. You will get an error message saying that you could not connect to all of the roots of the remote computer’s registry, and that is normal. You cannot edit HKEY_DYN_DATA or HKEY_CURRENT_CONFIG.

To edit a remote computer’s registry you must be running the same basic platform. If you want to edit the registry on a Windows 95 computer, you have to be running Windows 95 on your workstation. If you want to edit a Windows NT Server or Windows NT Workstation’s remote registry, you have to be running either Windows NT Workstation or Windows NT Server.

The other way to edit a remote computer’s registry is to use the System Policy Editor in Registry mode.

The Registry's Structure

This section introduces the Registry. Because the Registry is a database, its structure is much like that of a logical disk volume. The Registry contains keys, which are similar to a disk's directories, and values, which compare to files on a disk. A key is a container that can consist of other keys (subkeys) or values. Values, on the other hand, store data. Top-level keys are root keys. Throughout this chapter, I'll use subkey and key interchangeably (only the root keys are not subkeys).

Both keys and values borrow their naming convention from the file system. Thus, you can uniquely identify a value with the name mark, which is stored in a key called trade, by the name trade\mark. One exception to this naming scheme is each key's unnamed value: Regedit displays the unnamed value as Default; Regedt32 uses <No Name>.

Value type – Data stored

  • REG_NONE – No value type
  • REG_SZ – Unicode null-terminated string
  • REG_EXPAND_SZ – Unicode null-terminated string with variables
  • REG_BINARY – Arbitrary-length binary data
  • REG_DWORD – 32-bit number
  • REG_DWORD_BIG_ENDIAN – 32-bit number, high byte first
  • REG_LINK – Unicode symbolic link
  • REG_MULTI_SZ – Array of Unicode strings
  • REG_RESOURCE_LIST – Hardware resource description
  • REG_FULL_RESOURCE_DESCRIPTOR – Hardware resource description
  • REG_RESOURCE_REQUIREMENTS_LIST – Resource requirements

The majority of Registry values are either REG_DWORD, REG_BINARY, or REG_SZ. Values of type REG_DWORD can store numbers or Boolean (on/off) values; REG_BINARY values can store numbers larger than 32 bits, or raw data such as encrypted passwords; REG_SZ values store strings (Unicode, of course) that can represent names, filenames, paths, and types.

The REG_LINK type is particularly interesting because it lets a value transparently point at another key or value. When you traverse the Registry through a link, the path searching continues at the target of the link. For example, if \Root1\Link has a REG_LINK value of \Root2\RegKey and RegKey contains the value RegValue, two paths identify RegValue: \Root1\Link\RegValue and \Root2\RegKey\RegValue. NT prominently uses Registry links: three of the six Registry root keys, listed below, are links to subkeys within the three non-link root keys.

Registry Root Keys

You can chart the organization of the Registry via the data stored within it. The six root keys divide the Registry data into categories. (You cannot add new root keys or delete existing ones.) Data associated with the currently logged-on user (HKEY_CURRENT_USER), information about all the accounts on the machine (HKEY_USERS), file association and Object Linking and Embedding (OLE) registration information (HKEY_CLASSES_ROOT), system-related information (HKEY_LOCAL_MACHINE), performance data (HKEY_DYN_DATA), and some information about the current hardware profile (HKEY_CURRENT_CONFIG) comprise the six data categories.

Why do root key names begin with an H? The root key names represent Win32 handles (H) to keys (KEY). We'll abbreviate the root key names. For example, HKLM represents HKEY_LOCAL_MACHINE.

  • HKEY_CURRENT_USER – Information about the currently logged-on user
  • HKEY_USERS – Subkeys for all local user accounts
  • HKEY_CLASSES_ROOT – File associations, OLE registrations and SIDs for directories and files
  • HKEY_LOCAL_MACHINE – All static and dynamic system configuration data
  • HKEY_DYN_DATA – Performance counters
  • HKEY_CURRENT_CONFIG – Information about hardware configuration

HKEY_CURRENT_USER

The HKCU root key contains data regarding the preferences and software configuration of the locally logged-on user. Within HKCU, you find the 10 subkeys shown below. Whenever a user logs on, HKCU is created as a link to the user's key under HKEY_USERS.

Subkey – Contents

  • AppEvents – Sound and event associations
  • Console – Command window shortcut settings
  • Control Panel – Screen saver, desktop scheme, keyboard and mouse settings
  • Environment – Environment variable definitions
  • Keyboard Layout – Keyboard layout settings
  • Network – Network drive mappings and settings
  • Printers – Printer connection settings
  • Software – User-specific software settings
  • Unicode Program Groups – User-specific Start Menu group definitions
  • Windows 3.1 Migration Status – File status data for systems that upgrade from Windows 3.1 to NT 4.0

HKCU\AppEvents contains two sub-keys: EventLabels, where you find event names (e.g., mail arrival, window minimize), and Schemes, where you find sound and event associations. Under Schemes\Apps you find groups of event keys whose values can point at wave files. You can easily change these settings via the Control Panel Sounds applet.

HKCU\Console contains a subkey for each Command Prompt shortcut in the user's account. Under these subkeys, you find all the properties (e.g., foreground and background text colors, window size, edit mode) for the command window that's created when you execute a particular shortcut. You can access all these values through the Properties menu item on the individual command prompt windows.

HKCU\Control Panel contains GUI settings such as desktop and screen-saver parameters, cursor file associations, and window attributes such as colors and geometry settings. As the key's name suggests, you can edit most of these values through Control Panel applets; however, you must edit some values via a Registry editor. For example, to make the window focus follow the mouse, you must set the value of HKCU\Control Panel\Mouse\ActiveWindowTracking to 1 (and reboot for the change to take effect). To tell Windows how long (in milliseconds) to pause before it displays the cascading menus of the Start menu, you must edit HKCU\Control Panel\Desktop\MenuShowDelay.

You find environment variable definitions in HKCU\Environment. You can change these definitions with the Control Panel System applet under the Environment tab.

HKCU\Network and HKCU\Printers contain network drive-letter mapping information and printer connection data, respectively. You can set these values through Explorer, File Manager, and the Control Panel Printers applet.

The heftiest subkey under HKCU is Software. Most applications create subkeys under HKCU\Software that consist of the vendor's name (e.g., Microsoft) and contain subkeys for the vendor's applications (e.g., Windows NT). Subkeys and values within the application keys are where programs locate user-dependent information, such as most recently used (MRU) menu items, appearance characteristics, and usage preferences.

The HKCU\UNICODE Program Groups and HKCU\Windows 3.1 Migration Status subkeys contain upgrade information if you've upgraded the system from a previous version of NT or from Windows 3.x. NT 4.0 does not use the UNICODE Program Groups subkey, and the subkey doesn't contain any information if you've never installed a previous version of NT. Upgraded machines may display obsolete program group data under this subkey. The Windows 3.1 Migration Status subkey contains information about whether Windows 3.x .GRP and .INI files have been converted to NT 4.0 format.

HKEY_USERS

HKU contains a subkey for each user who has a local account on the system, as I alluded to in the description of HKCU. The .DEFAULT subkey contains the HKCU settings that the system account uses. They are in effect when the logon box appears. The other user subkeys are named with the Security Identifier (SID) of the user's account that they serve.

HKEY_CLASSES_ROOT

The HKCR root key first appeared in the Windows 3.1 Registry; Microsoft migrated HKCR to the NT 4.0 Registry for compatibility purposes. HKCR consists of two types of information: file extension associations and OLE class registrations. A key exists for every registered filename extension. Most keys contain a REG_SZ value that points at another key in HKCR containing the association information for the class of files that extension represents. For example, if you install Microsoft Word, the .doc subkey has an unnamed value, "Word.Document.6". If you look at the Word.Document.6 subkey, you find an unnamed value that describes the file type (which Explorer's file-association window uses) and keys that associate that type of file with icons (DefaultIcon); other keys specify the dynamic data exchange (DDE) commands issued whenever you open, create, or print Word.Document.6 files. Keys without defined unnamed values have DDE command information stored in subkeys.

HKCR keys such as Word.Document.6 also contain OLE registration information. That way, OLE client applications can look up and establish communication with OLE server applications to support functionality such as inserting an Excel spreadsheet into a Word document. CLSID subkeys store registration numbers as very long representations of OLE registration identifiers.

HKEY_LOCAL_MACHINE

Hkey_Local_Machine is the most interesting but often least understood root key of the Registry. Hkey_Local_Machine contains an incredible amount of unrelated information grouped under five subkeys: HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM.

The Hkey_Local_Machine\HARDWARE subkey maintains descriptions of the system's hardware and all hardware device-to-driver mappings. NTDETECT on x86 machines, or ARC firmware on RISC machines, collects information on the system's hardware characteristics as the machine boots. NTDETECT or ARC passes this information on to NT once NT's image has been started. NT then stores this information in the Hkey_Local_Machine\HARDWARE\DESCRIPTION subkey. As device drivers start up and claim devices, they inform NT so that it can associate devices with the drivers that control them. NT places this mapping data in the Hkey_Local_Machine\HARDWARE\DEVICEMAP subkey. Serving a similar purpose, Hkey_Local_Machine\HARDWARE\OWNERMAP associates the system's buses (e.g., PCI and ISA) with the drivers that control them. Finally, device drivers inform NT of the system resources that they claim for their devices. Such resources include port addresses, physical memory ranges, and interrupt numbers. NT keeps track of this information in the Hkey_Local_Machine\HARDWARE\RESOURCEMAP subkey to prevent conflicts. Windows NT Diagnostics (Winmsdp.exe) lets you view Registry hardware information that it obtains by simply reading values out of the HARDWARE key.

Hkey_Local_Machine\System\CurrentControlSet Subkeys:

  • Control – Static NT tuning and configuration parameters
  • Enum – Information collected when drivers and services are started
  • Hardware Profiles – Video-related configuration information
  • Services – Startup and error control for device drivers and services

Hkey_Local_Machine\SAM holds local and domain account information, such as user passwords, group definitions, and domain associations. By default, this key is unreadable by even the system administrator account. Looking inside Hkey_Local_Machine\SAM is not very revealing because the data is undocumented and the passwords are encrypted with a one-way mapping (i.e., you cannot determine a password from its encrypted form).

HKLM\SECURITY stores user and group policies. Examples of policies include whether a particular user is allowed to reboot the machine, load device drivers, back up files, or access the system remotely. SECURITY's information is also encrypted. Hkey_Local_Machine \SAM is linked into the SECURITY subkey under HKLM\SECURITY\SAM.

Like HKCU\Software, applications use Hkey_Local_Machine \SOFTWARE to store private settings. Hkey_Local_Machine \SOFTWARE uses the same naming convention I described for HKCU\Software, but the type of data stored is usually different. Because the HKLM root key is the same for all users who log on, it serves as a repository for system-wide program settings. The information usually includes paths to application files and directories and licensing, and expiration date information.

One particularly interesting subkey is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion. Here you can find the NT build number, whether the version is uniprocessor or multiprocessor, and the system root directory path. If you installed a service pack, its name appears in CSDVersion. CurrentVersion has a useful subkey: Winlogon. By modifying entries in Winlogon, you can set up the system to automatically log on a user whenever the system boots.

Another HKLM\SOFTWARE subkey is Windows\CurrentVersion. This key is a Windows 95-compatibility key that contains system software parameters. For example, the Explorer key includes information about desktop name-space extensions such as Network Neighborhood and My Computer. Applications put pointers to their uninstall programs in the Uninstall key. And App Paths is where NT stores the paths of applications it knows about. Executing an App Paths program from the Start menu's Run dialog box launches the program by looking at its hard-wired location.

NT's command central is under HKLM\SYSTEM. NT Setup creates the HKLM\SYSTEM\Setup subkey, which points subsequent invocations of Setup at the system's root partition. NT uses the Setup\SystemSetupInProgress value to determine whether to be in Setup or regular operation mode.

Another subkey under HKLM\SYSTEM is DISK. It is present only on systems that have run NT's Disk Administrator program. HKLM\SYSTEM\DISK is where Disk Administrator stores information about drive letter mappings, volume sets, mirrored volumes, and striped sets.

HKLM\SYSTEM also contains two or more subkeys with the prefix ControlSet and another subkey called CurrentControlSet. NT links CurrentControlSet to the ControlSet subkey that corresponds to the profile the system used in the boot of the current session. The other ControlSet subkeys represent configurations such as Last Known Good Configuration, a copy of the last profile the system successfully booted with. You can look at the value Current under HKLM\SYSTEM\Select to find out which ControlSet subkey CurrentControlSet maps to. Other values under Select point at control sets associated with Last Known Good Configuration, and the control set that last resulted in a failed boot attempt.

Within HKLM\SYSTEM\CurrentControlSet are the four subkeys listed in the CurrentControlSet Subkeys table above. NT keeps its static configuration information in the Control subkey, which contains about 30 different sub-keys of its own. One of Control's noteworthy subkeys is ComputerName, which displays the system's name under ActiveComputerName. Control\CrashControl is a handy subkey for device driver developers and systems administrators. It contains values that give NT directions for what to do when the machine goes down, including whether to produce a crash dump and whether to immediately reboot.

Control\hivelist contains the paths to the files where NT stores Registry information. Control\hivelist values point at the files for HKLM\SAM, HKLM\SECURITY, HKLM\SOFTWARE, HKLM\SYSTEM, HKU\.DEFAULT, and individual user accounts.

Control\ProductOptions deserves mention: It's the subkey that contains the ProductType value, which identifies whether the system is a workstation ("WinNT") or a server ("ServerNT"). Microsoft applications check the ProductType value and adjust their behavior according to its setting.

Control\Session Manager contains a variety of interesting parameters. Values for this key include BootExecute, which can point at a program that will automatically execute early in the system boot, and LicensedProcessors, which is the number of processors that the system's license supports (two for NT Workstation and four for NT Server). NT uses only the number of licensed processors, even if the system has more.

The Control\Session Manager\Environment subkey contains system-level environment variables. The Control\Session Manager \SubSystems subkey keeps pointers to the files that the NT environment subsystems (Win32, WOW, OS/2, and Posix) use.

Control\Session Manager's Executive and Memory Management subkeys contain values for advanced system tuning. For instance, Executive holds values that can direct NT to create additional operating system worker threads. Another value stored there, PriorityQuantumMatrix, has an enticing name that implies the ability to fine-tune NT's scheduling algorithm, but the value actually stores encrypted NT beta and release candidate expiration dates. Memory Management holds memory subsystem tuning parameters. One setting, PagingFiles, directs the system to the location of the paging files; you can use other settings to override internal defaults that specify the amounts of memory set aside for various internal operations.

The final key I'll mention under HKLM\SYSTEM\CurrentControlSet\Control is WOW. It contains entries related to the execution of command windows, including the path to the command window executable, NTVDM.EXE, in the cmdline value.

HKLM\SYSTEM\CurrentControlSet\Services is the control center for the NT OS's dynamically added parts: Win32 services and kernel-mode device drivers. Every service and device driver that NT ships with support for, and any service or driver that you install later, has a key under Services. A Services subkey typically contains several values from the list shown in the table below. A few Services values allow a driver or service to control when it will be loaded in the NT boot sequence. The required Start value is the primary order controller. NT loads services and drivers in three phases, each of which corresponds to a particular Start definition.

The first phase, Boot, occurs just after NTOSKRNL starts. At this time, the system loads only those drivers essential to NT's boot. The second phase, System, is when the system loads the majority of device drivers. The system is still in its text mode (blue screen) during this phase. The system initiates the third phase, Auto, about the time the Win32 subsystem starts. You can identify approximately when the Win32 services start by the appearance of the system logon dialog box.

Services Values and Subkeys

  • DisplayName – Name shown in Control Panel's Services or Devices applet
  • ImagePath – Path to the service or driver file if it is not in %systemroot%\System32\Drivers
  • ErrorControl – Action NT takes if the service or device reports an error when it starts up
  • Start – When the service or device starts:
      0 = Boot Start (used with core drivers)
      1 = System Start
      2 = Automatic Start
      3 = Manual Start
      4 = Disabled
  • Type – Kernel-mode driver, file system, Win32 service, etc.
  • Group, Tag – Control load ordering for Boot and System start devices
  • DependOnService, DependOnGroup – Control load ordering for Automatic drivers and services
  • Parameters – Stores driver/service-dependent private settings

Developers use other Services subkey values (Group, Tag, DependOnService, DependOnGroup) to fine-tune the start location of a driver or service within a boot phase. They need these values when dependencies exist between drivers or services.

Drivers and services often have a Parameters subkey that contains private settings. For example, the Browser service's Parameters subkey contains a value that denotes whether the browser is the domain master browser. The Parameters subkey of the Busmouse driver stores the number of buttons and its sample rate.
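As an added example, not part of the original article, the Python script below parses a small constructed REGEDIT4 export (the format REGEDIT writes when you export the registry, as noted in the Backing Up section) and applies two checks drawn from this page: it groups Services subkeys by the boot phase their Start value selects, and it flags a non-default Session Manager\BootExecute entry and an enabled Winlogon automatic logon. AutoAdminLogon and DefaultPassword are the real Winlogon values the page refers to only as "entries in Winlogon"; all sample data is constructed.

```python
"""Audit a REGEDIT4 export for settings this page describes: Services Start
phases, Session Manager\BootExecute and Winlogon auto-logon (added example)."""
import re

# Start values and the boot phase each one selects (from the Services table).
START_PHASES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SESSION_MGR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export in NT 4.0 regedit (REGEDIT4) syntax; not from a real host.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,\
  65,78,74,72,61,2e,65,78,65,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null]
"Start"=dword:00000001
"ImagePath"="\\SystemRoot\\System32\\drivers\\Null.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000002
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultPassword"="example-only"
'''


def decode_value(raw):
    """Map one REGEDIT4 value encoding to (registry type name, Python value)."""
    if raw.startswith('"'):                 # "text" -> REG_SZ, with \\ and \" escapes
        return "REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):            # dword:<8 hex digits> -> REG_DWORD
        return "REG_DWORD", int(raw[6:], 16)
    kind, _, payload = raw.partition(":")   # hex: or hex(N): comma-separated bytes
    data = bytes(int(b, 16) for b in payload.split(",") if b)
    if kind == "hex(7)":                    # REG_MULTI_SZ: ANSI strings, NUL-separated
        return "REG_MULTI_SZ", [s for s in data.decode("latin-1").split("\0") if s]
    return "REG_BINARY", data


def parse_reg(text):
    """Return {key path: {value name: (type, value)}} for a REGEDIT4 export."""
    text = re.sub(r",\\\r?\n\s*", ",", text)   # rejoin byte lists split by a trailing '\'
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "REGEDIT")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, _, raw = line.partition("=")
        keys[current]["(Default)" if name == "@" else name.strip('"')] = decode_value(raw)
    return keys


def services_by_phase(keys):
    """Group Services subkeys by the boot phase their Start value selects."""
    phases = {}
    for path, values in keys.items():
        if path.startswith(SERVICES + "\\") and "Start" in values:
            phase = START_PHASES[values["Start"][1]]
            phases.setdefault(phase, []).append(path.rsplit("\\", 1)[1])
    return phases


def audit(keys):
    """Review findings for the two settings the page singles out as sensitive."""
    findings = []
    # Anything beyond the stock "autocheck autochk *" runs before any user logs on.
    for entry in keys.get(SESSION_MGR, {}).get("BootExecute", ("", []))[1]:
        if not entry.startswith("autocheck autochk"):
            findings.append(f"BootExecute runs a non-default program at boot: {entry!r}")
    winlogon = keys.get(WINLOGON, {})
    if winlogon.get("AutoAdminLogon", ("", "0"))[1] == "1":
        note = " with DefaultPassword stored as plain REG_SZ" if "DefaultPassword" in winlogon else ""
        findings.append("Winlogon AutoAdminLogon is enabled" + note)
    return findings
```

Running `audit(parse_reg(SAMPLE_REG))` on the sample reports the extra BootExecute program and the clear-text auto-logon; `services_by_phase` places Null in the System phase and Browser in the Automatic phase.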

HKEY_DYN_DATA

HKEY_DYN_DATA is a fake key: it doesn't really exist. It serves as a convenient doorway to device driver, Win32 application, and native NT performance counters via the Registry API. When a Win32 program queries a value or key in HKEY_DYN_DATA, the request gets routed as an I/O request to the appropriate driver or Win32 program, which returns information that looks like the result of an authentic Registry access. The Performance Monitor (Perfmon) program accesses this root key to provide the intricate performance information it displays.

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG, a new root key in NT 4.0, is a link to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, which contains the configuration data for the hardware profile in use on the system. Microsoft added HKEY_CURRENT_CONFIG to NT to let applications that access this key run on both Windows 95 and NT. To create, configure, and change hardware profiles, you can use Control Panel's System, Services, and Devices applets.
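As an added example, not from the original article, the toy resolver below models the REG_LINK behaviour described in The Registry's Structure section and the HKEY_CURRENT_CONFIG link above: a lookup that reaches a link key restarts at the link's target with the remaining path appended, so \Root1\Link\RegValue and \Root2\RegKey\RegValue reach the same value, and a link cycle is reported instead of followed forever. The in-memory Key class and the Loop keys are constructed; the other paths are the page's own.

```python
"""Toy model of REG_LINK resolution (added example): a lookup that reaches a
link key continues at the link's target, so several paths reach one value."""


class Key:
    """In-memory registry key; `link` holds a REG_LINK target path or None."""

    def __init__(self, link=None):
        self.subkeys = {}
        self.values = {}
        self.link = link


def add_key(root, path, link=None):
    """Create (or reuse) every key along `path`; return the final key."""
    node = root
    for part in path.strip("\\").split("\\"):
        node = node.subkeys.setdefault(part, Key())
    node.link = link
    return node


def resolve(root, path, max_links=32):
    """Return (key, canonical link-free path) for `path`.

    Whenever a traversed key is a REG_LINK, path searching restarts at the
    link's target with the remaining components appended, as the page
    describes for \\Root1\\Link -> \\Root2\\RegKey. A bounded hop count
    turns a link cycle into an error instead of an endless walk."""
    parts = path.strip("\\").split("\\")
    node, canonical, hops = root, [], 0
    while parts:
        name = parts.pop(0)
        if name not in node.subkeys:
            raise KeyError("\\" + "\\".join(canonical + [name]))
        node, canonical = node.subkeys[name], canonical + [name]
        if node.link is not None:
            hops += 1
            if hops > max_links:
                raise RecursionError("REG_LINK cycle via \\" + "\\".join(canonical))
            parts = node.link.strip("\\").split("\\") + parts
            node, canonical = root, []
    return node, "\\" + "\\".join(canonical)


def read_value(root, value_path):
    """Split off the value name, resolve the key, return (canonical path, value)."""
    key_path, _, name = value_path.rpartition("\\")
    node, canonical = resolve(root, key_path)
    return canonical + "\\" + name, node.values[name]


def build_sample():
    """Constructed tree: the page's \\Root1\\Link example, the HKCC link
    target the page gives, and a deliberate two-key link cycle."""
    root = Key()
    add_key(root, r"\Root2\RegKey").values["RegValue"] = ("REG_SZ", "example data")
    add_key(root, r"\Root1\Link", link=r"\Root2\RegKey")
    hkcc_target = r"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current"
    add_key(root, hkcc_target)
    add_key(root, r"\HKEY_CURRENT_CONFIG", link=hkcc_target)
    add_key(root, r"\Loop\A", link=r"\Loop\B")   # constructed cycle, not a real NT key
    add_key(root, r"\Loop\B", link=r"\Loop\A")
    return root
```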

Created by Dieter M. Durant
