The Windows Registry – Minimal Guide

The Windows Registry is a hierarchical database in which Windows keeps most of its own configuration together with that of installed software, hardware and users. The Registry is used to store:

  • Operating system configuration
  • Application configuration information
  • Hardware configuration information
  • User security information
  • Current user information

Everything from installed applications and Control Panel options to the colors displayed on the screen is stored in the Registry database. With Windows 9x, the Registry is contained in two files (system.dat and user.dat) located in the Windows directory. Also located in the Windows directory are backup copies of the Registry called System.da0 and User.da0.

With Windows NT/2000, the Registry is stored in several files called hives. The machine-wide hives (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT) live in %SystemRoot%\System32\config, and each user profile carries its own NTUSER.DAT hive. Before the advent of Windows 95, Registry functions were performed by WIN.INI, SYSTEM.INI, and other .INI files that are associated with applications.

Registry Structure

The Registry has a hierarchical structure similar to the directory structure on the hard disk. Each main branch, denoted by a folder icon in the Registry Editor, is a root key (strictly speaking, the term hive refers to the files on disk, such as SYSTEM or NTUSER.DAT, that back parts of the tree, although the branches are often loosely called hives as well). Located within those branches are keys. Each key may contain other keys, called subkeys, along with values. It is the values that hold the actual information stored in the Registry.

What follows is an overview of the six main Registry branches (five on NT-based Windows, which has no HKEY_DYN_DATA). Note that each branch contains a specific portion of the information stored in the Registry:

  • HKEY_CLASSES_ROOT. This branch of the Registry contains file-association types, Object Linking and Embedding (OLE) and COM class registrations, and shortcut data. It is a view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes (merged with HKEY_CURRENT_USER\SOFTWARE\Classes on Windows 2000 and later) and provides backwards compatibility with Windows 3.x for OLE and DDE support. Because these entries decide which program runs when a file type or COM class is invoked, they are a common target for persistence and hijacking.
  • HKEY_CURRENT_USER. This branch points to the subkey of HKEY_USERS (HKEY_USERS\<SID>) for the user currently logged on to the PC.
  • HKEY_LOCAL_MACHINE. This branch contains specific information about computer hardware, software, and other preferences for the local PC. This information is used for all users who log onto this computer; the autostart entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the service definitions under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are the entries most often inspected during incident response.
  • HKEY_USERS. This branch contains individual preferences for each user of the computer. On NT-based Windows each loaded user profile is represented by a security identifier (SID) subkey located under the main branch (on Windows 9x the subkeys are named after the user); the .DEFAULT subkey holds the profile used before anyone logs on.
  • HKEY_CURRENT_CONFIG. This branch links to the current hardware profile: HKEY_LOCAL_MACHINE\Config\000x on Windows 9x, and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current on NT-based Windows.
  • HKEY_DYN_DATA. This branch contains information that must be kept in RAM. Windows occasionally swaps information out to the hard drive, which updates system.dat or user.dat, but the information in HKEY_DYN_DATA remains in RAM. This branch does not appear in Windows 2000 or Windows XP.

Within Registry keys, values come in several types, of which five account for nearly everything you will meet (REG_QWORD, a 64-bit number, and a few others are rarer). Following is a list of those five along with a brief explanation of their functions:

  • String or REG_SZ. This type is a standard NUL-terminated string (UTF-16 on NT-based Windows), used to represent human-readable text values.
  • Binary or REG_BINARY. This type stores the value as raw binary data. Most hardware component information is stored as binary data and is displayed in the Registry Editor in hexadecimal format.
  • DWORD or REG_DWORD. This type represents the data as a 32-bit (four-byte) unsigned integer and is commonly used for Boolean values, such as when 0 is disabled and 1 is enabled. Additionally, many parameters for device drivers and services are this type; the Registry Editor lets you view and enter them in hexadecimal or decimal format.
  • Multistring value or REG_MULTI_SZ. This type is a list of strings; each entry is terminated by a NUL character and the list ends with an additional NUL, so the data always ends in two NULs.
  • Expandable string value or REG_EXPAND_SZ. This type is an expandable data string, that is, a string containing environment-variable references that are replaced when an application expands it (for example via ExpandEnvironmentStrings). For example, the string "%SystemRoot%" is replaced by the actual location of the directory containing the Windows system files.

Viewing and Editing the Registry

Before making any changes to the Registry, you should always back it up first, at minimum by exporting the key you are about to change (File > Export in the Registry Editor, or reg export from a command prompt) so it can be imported again if something goes wrong. Any mistakes or erroneous entries made when using the Registry Editor can cause Windows to behave erratically, or worse, you may find that Windows will not load at all. The Registry cannot be viewed or edited with a standard text editor. Because Registry data is stored in binary hive files, to view or edit the Registry you must use a program included with Windows, such as REGEDIT (or, on NT-based systems, the command-line tool reg.exe), or a third-party program specifically designed for editing the Registry.

Since REGEDIT is not listed on the Windows Start Menu, you must start it from the Run dialog or from a command (DOS) prompt. To run it, click on Start, then Run, and type regedit in the input field, or type regedit at the command prompt; the Registry Editor then starts.
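
The script below is an added example, not part of the original guide: it parses a regedit export file, the format that the Registry Editor's File > Export and the reg export command produce and the form of backup recommended above. It decodes the five value types described earlier exactly as regedit serializes them: REG_SZ as a quoted string with backslash escapes, REG_DWORD as dword:, and REG_BINARY, REG_EXPAND_SZ and REG_MULTI_SZ as comma-separated hex bytes tagged hex:, hex(2): and hex(7):, with the two-NUL terminator that ends a REG_MULTI_SZ list. The sample export, the key HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp and its value names are constructed for this example; the expand function emulates environment-variable expansion against a mapping you supply, so the script runs on any platform without touching a live Registry.

```python
"""Decode a regedit export (.reg file) into Python values.

Added example: the .reg text below is constructed, not taken from a real
system, and the key/value names are hypothetical.
"""
import re

# Constructed sample in the "Windows Registry Editor Version 5.00" format.
# Long hex values are wrapped by regedit with a trailing backslash; "Old"=-
# is the form that deletes a value when the file is imported.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp]
@="Example default"
"InstallDir"="C:\\Program Files\\ExampleApp"
"Enabled"=dword:00000001
"Timeout"=hex(b):10,27,00,00,00,00,00,00
"Blob"=hex:de,ad,be,ef
"LogDir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,00,00
"Servers"=hex(7):61,00,00,00,62,00,63,00,00,00,00,00
"Old"=-
'''

# Type code that follows "hex" in an export; bare "hex:" means REG_BINARY.
HEX_TYPES = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ",
             "b": "REG_QWORD"}
# A value line is either @ (the key's default value) or a quoted name.
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r'\1', s)


def decode_value(raw):
    """Return (type name, Python value) for the right-hand side of a value line."""
    if raw == "-":
        return "DELETE", None
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[len("dword:"):], 16)
    m = re.match(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if not m:
        raise ValueError("unsupported value syntax: %r" % raw)
    code = m.group(1).lower() if m.group(1) else None
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    kind = HEX_TYPES.get(code, "REG_TYPE_%s" % code)
    if kind == "REG_EXPAND_SZ":
        # UTF-16LE text with a single NUL terminator.
        return kind, data.decode("utf-16-le").rstrip("\x00")
    if kind == "REG_MULTI_SZ":
        # UTF-16LE, each entry NUL-terminated, list closed by an extra NUL.
        text = data.decode("utf-16-le").rstrip("\x00")
        return kind, text.split("\x00") if text else []
    if kind == "REG_QWORD":
        return kind, int.from_bytes(data, "little")
    return kind, data


def parse_reg(text):
    """Map each key path to {value name: (type, data)}; a deleted key maps to None."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # rejoin wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):       # [-HKEY...] deletes the key on import
                keys[path[1:]], current = None, None
            else:
                current = keys.setdefault(path, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            raise ValueError("unexpected line: %r" % line)
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        current[name] = decode_value(m.group(2))
    return keys


def expand(value, env):
    """Emulate ExpandEnvironmentStrings for a REG_EXPAND_SZ value using the
    given mapping (case-insensitive names); unknown variables stay as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


if __name__ == "__main__":
    for path, values in parse_reg(SAMPLE_REG).items():
        print(path if values is not None else path + "  (deleted on import)")
        for name, (kind, data) in (values or {}).items():
            print("  %-12s %-14s %r" % (name or "(Default)", kind, data))
```

Real exports are written as UTF-16LE with a byte-order mark, so open them with encoding="utf-16" before handing the text to parse_reg. Note that importing a .reg file merges it into the live Registry rather than replacing keys: values present on the system but absent from the file survive an import, which is why the "=-" and "[-...]" deletion forms exist and why a backup export does not by itself restore a key to exactly its earlier state.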

Sarcastic Writer