Windows Registry

The Windows registry is a database which stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions and Windows Mobile. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. Whenever a user makes changes to Control Panel settings, file associations, system policies, or installed software, the changes are reflected and stored in the registry.

The Windows registry was introduced to tidy up the profusion of per-program INI files that had previously been used to store configuration settings for Windows programs.^[1] These files tended to be scattered all over the system, which made them difficult to track.

The Registry is split into a number of logical sections, or "hives".^[2] These are generally known by the names of the definitions used to access them in the Windows API, which all begin "HKEY" (an abbreviation for "Hive Key"); often, they are abbreviated to a three- or four-letter short name starting with "HK" (e.g. HKCU and HKLM).

Each of these keys is divided into subkeys, which may contain further subkeys, and so on. Any key may contain entries with various types of values. The values of these entries can be:

• String Value
• Binary Value (any arbitrary data)
• DWORD Value, a 32 bit unsigned integer (numbers between 0 and 4,294,967,295 [2³² – 1])
• Multi-String Value
• Expandable String Value

Registry keys are specified with a syntax similar to Windows' path names, using backslashes to indicate levels of hierarchy. E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE key. Values are not referenced via this syntax. Value names can contain backslashes which would lead to ambiguities were they referred to this way. The win32 functions that query and manipulate registry values take value names separately from the key path and/or handle that identifies the parent key.

The HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER nodes have a similar structure to each other; applications typically look up their settings by first checking for them in "HKEY_CURRENT_USER\Software\Vendor's name\Application's name\Version\Setting name", and if the setting is not found looking instead in the same location under the HKEY_LOCAL_MACHINE key. When writing settings back, the reverse approach is used — HKEY_LOCAL_MACHINE is written first, but if that cannot be written to (which is usually the case if the logged in user is not an administrator), the setting is stored in HKEY_CURRENT_USER instead.

Abbreviated HKCR, HKEY_CLASSES_ROOT stores information about registered applications, including associations from file extensions and OLE object class ids to the applications used to handle these items. On Windows 2000 and above, HKCR is a compilation of HKCU\Software\Classes and HKLM\Software\Classes. If a given value exists in both of the subkeys above, the one in HKCU\Software\Classes is used.^[3]

Abbreviated HKCU, HKEY_CURRENT_USER stores settings that are specific to the currently logged in user. HKCU mirrors the current user's subkey of HKEY_USERS.

Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are general to all users on the computer. This key is found within the file %SystemRoot%\System32\Config\system on NT-based versions of Windows. Information about system hardware is located under the SYSTEM key.

Abbreviated HKU, HKEY_USERS contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user registered on the machine.

Abbreviated HKCC, HKEY_CURRENT_CONFIG contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather regenerated at boot time.

File:Registry Editor Vista.png

File:Registration Editor.png

The registry can be edited manually in Microsoft Windows by running regedit.exe or regedt32.exe in the Windows directory. However, careless registry editing can cause irreversible damage. Thus, performing back-up for registry is highly recommended. Many optimization and "hacking" tools are available to modify this portion of the Windows operating system; it is preferable not to use them unless one has a knowledge of registry workings or wishes to learn more about the registry.

A simple implementation of the current registry tool appeared in Windows 3.x, called the "Registration Info Editor" or "Registration Editor". This was basically just a database of applications used to edit embedded OLE objects in documents.

Windows NT introduced permissions for Registry editing. Windows NT 4 and Windows 2000 were distributed with both the Windows 9x REGEDIT.EXE program and Windows NT 3.x's REGEDT32.EXE program. There are several differences between the two editors on these platforms:

• REGEDIT.EXE had a left-side tree view that began at "My Computer" and listed all loaded hives. REGEDT32.EXE had a left-side tree view, but each hive had its own window, so the tree displayed only keys.
• REGEDIT.EXE represented the three components of a value (its name, type, and data) as separate columns of a table. REGEDT32.EXE represented them as a list of strings.
• REGEDIT.EXE supported right-clicking of entries in a tree view to adjust properties and other settings. REGEDT32.EXE required all actions to be performed from the top menu bar.
• REGEDIT.EXE supported searching for key names, values, or data throughout the entire registry, whereas REGEDT32.EXE only supported searching for key names in one hive at a time.
• Because REGEDIT.EXE was directly ported from Windows 95, it did not support permission editing (permissions do not exist on Windows 9x). Therefore, the only way to access the full functionality of an NT registry was with REGEDT32.EXE.
• REGEDIT.EXE only supported string (REG_SZ), binary (REG_BINARY), and DWORD (REG_DWORD) values. REGEDT32.EXE supports those, plus expandable string (REG_EXPAND_SZ) and multi-string (REG_MULTI_SZ). Attempting to edit unsupported key types with REGEDIT.EXE on Windows 2000 or Windows NT 4 will result in conversion to a supported type that cannot be reversed.^[4]

Windows XP was the first system to integrate these two programs into one, adopting the old REGEDIT.EXE interface and adding the REGEDT32.EXE functionality. The differences listed above are not applicable on Windows XP and newer systems; REGEDIT.EXE is the improved editor, and REGEDT32.EXE is simply a stub that invokes REGEDIT.EXE.

The registry can be manipulated from the command line with the reg.exe utility. It is included in Windows XP and Windows Vista and can be downloaded separately for previous versions. An alternative location are the Resource Kit CD's or the original Installation CD of Windows.

reg.exe Operation [Parameter List]

Operation [QUERY|ADD|DELETE|COPY|SAVE|LOAD|UNLOAD|RESTORE|COMPARE|EXPORT|IMPORT]

Also, a .reg file (a text-based human-readable file format for storing portions of the registry) can be imported from the command line with the following command:

regedit.exe /s file

The /s means the file will be silent merged to the Registry. If the /s parameter is omitted the user will be asked to confirm the operation. In Windows 98 and Windows 95 the /s switch also caused regedit.exe to ignore the setting in the registry that allows administrators to disable it. When using the /s switch Regedit does not return an appropriate return code if the operation fails, unlike reg.exe which does. This makes it hard to script, however a possible workaround is to add the following lines into your batch file:

regedit /s file.reg
regedit /e test.reg "key"
if not exist test.reg goto REGERROR
del test.reg

The default association for .reg files in many versions of Microsoft Windows, starting with Windows 98 does require the user to confirm the merging to avoid user mistake.

Registry permissions can be manipulated through the command line using the SubInACL.exe tool. The permissions on the HKEY_LOCAL_MACHINE\SOFTWARE key can be displayed using:

subinacl /keyreg HKEY_LOCAL_MACHINE\software /display

To set the owner of the key HKEY_LOCAL_MACHINE\software and all of its subkeys to Administrator:

subinacl /keyreg HKEY_LOCAL_MACHINE\software /setowner=Administrator
subinacl /subkeyreg HKEY_LOCAL_MACHINE\software /setowner=Administrator

To grant full access rights to the HKEY_LOCAL_MACHINE\software key to Administrator:

subinacl /keyreg HKEY_LOCAL_MACHINE\software /grant=Administrator=F

The registry can be edited through the APIs of the Advanced Windows 32 Base API Library (advapi32.dll).^[5]

List of Registry API functions
RegCloseKey	RegOpenKey	RegConnectRegistry	RegOpenKeyEx
RegCreateKey	RegQueryInfoKey	RegCreateKeyEx	RegQueryMultipleValues
RegDeleteKey	RegQueryValue	RegDeleteValue	RegQueryValueEx
RegEnumKey	RegReplaceKey	RegEnumKeyEx	RegRestoreKey
RegEnumValue	RegSaveKey	RegFlushKey	RegSetKeySecurity
RegGetKeySecurity	RegSetValue	RegLoadKey	RegSetValueEx
	RegNotifyChangeKeyValue	RegUnLoadKey

Some programming languages, like Visual Basic, offer built-in runtime library functions that enable programs to store settings in the registry. Another way is to use the Windows Support Tool Reg.exe by executing it from code.^[6]

Many scripting languages such as Perl (with Win32::TieRegistry) and VBScript also enable registry editing from scripts.

The Registry is stored in several files; depending upon the version of Windows, there will be different files and different locations for these files, but they are all on the local machine, except for the Ntuser.dat file, which may be placed on another computer to allow for roaming profiles and the policy file, which is usually stored on a server in the local network.

The following Registry files are stored in %SystemRoot%\System32\Config\:

• Sam – HKEY_LOCAL_MACHINE\SAM
• Security – HKEY_LOCAL_MACHINE\SECURITY
• Software – HKEY_LOCAL_MACHINE\SOFTWARE
• System – HKEY_LOCAL_MACHINE\SYSTEM
• Default – HKEY_USERS\.DEFAULT
• Userdiff

The following files are stored in each user's profile folder:

• %UserProfile%\Ntuser.dat – HKEY_USERS\<User SID> (HKEY_CURRENT_USER)
• %UserProfile%\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat (path is localized) – HKEY_USERS\<User SID>_Classes (HKEY_CURRENT_USER\Software\Classes)

The registry files are named User.dat and System.dat and are stored in the C:\WINDOWS directory. In Windows ME, Classes.dat was added.

The registry file is called Reg.dat and is stored in the C:\WINDOWS directory.

Since Windows 95, administrators can use a special file to be merged into the registry, a policy file. The policy file allows administrators to prevent non-administrator users from changing registry settings like, for instance, the security level of IE and the desktop background wallpaper. The policy file is primarily used in a business with a large number of computers where the business needs to be protected from the users and the users need to be protected from themselves.

The default extension for the policy file is .pol. The policy file filters the settings it enforces by user and by group (a "group" is a defined set of users). To do that the policy file merges into the registry, preventing users from circumventing it by simply changing back the settings. The policy file is usually distributed through a LAN, but can be placed on the local computer.

The policy file is created by a free tool by Microsoft that goes by the filename poledit.exe for Windows 95/Windows 98 and with a computer management module for NT-based systems. The module will not work in Windows XP Home Edition, but it does work in the Professional edition. The editor requires administrative permissions to be run on systems that uses permissions. The editor can also directly change the current registry settings of the local computer and if the remote registry service is installed and started on another computer it can also change the registry on that computer. The policy editor loads the settings it can change from .adm files, of which one is included, that contains the settings the Windows shell provides. The .adm file is plain text and supports easy localisation by allowing all the strings to be stored in one place. The policy editor has been renamed to Group Policies in newer versions of Windows.

Changing from having one or more INI files per program to one centralised registry has its good points:

• The registry keeps machine configuration separate from user configuration. When a user logs into a Windows NT/2000/XP/Server 2003 computer, the user-based registry settings are loaded from a different path than the system wide settings. This allows programs to more easily keep per-user configuration, as they can just work with the "current user" key, whereas in the past they tended to just keep system-wide per-program settings.
• Group Policy allows administrators on a Windows-based computer network to centrally manage program and policy settings. Part of this involves being able to set what an entry in the registry will be for all the computers on the network, and affect nearly any installed program — something almost impossible with per-program configuration files each with custom layouts, stored in dispersed locations.
• Because the registry is accessed through a special API, it is available to scripts and remote management using WMI. Each script does not have to be customised for every application's unique configuration file layouts and restrictions.
• The registry can be accessed as one item over a network connection for remote management/support, including from scripts, using the standard API.
• It can be backed up more easily, in that it is just a small number of files in specific locations.
• Portions of settings like any subset of an application configuration can be saved in a text-based .REG file, which can be edited with any text editor later. .REG files can easily be merged back into the registry both by unattended batch file or by the user just double-clicking on the file without harming any setting that is not explicitly stated in the .REG file. This is very useful for administrators and support personnel who want to preset or preconfigure only a few options like approving the EULA of a certain application.
• Since accessing the registry does not require parsing, it can be read from and written to more quickly than a text file can be.
• Registry changes and readings can be tracked via a tool like Winternals' RegMon on value level. This is a big advantage for generating scripts in networks as well as debugging problems.
• Registry keys are independent of the Windows language, the Windows installation drive and path and even the Windows versions as such. So support personnel can easily give out one set of instructions, without having to handle these things, unlike ,for example, files in the user profile, which can be on different paths on each installation.

However, the centralized Registry introduces some problems as well:

• The HKEY_LOCAL_MACHINE part is a single point of failure — damage to the Registry can render a Windows system unbootable, in extreme cases to a point that cannot be fixed, and requires a full reinstall of Windows. There is an automated backup mechanism, and these secondary/backup files will be loaded, if the primary files fail to load.
• The registry does not document itself in the same way a configuration file can.
• Restoring parts of the registry is hard because the user cannot easily extract data from backed up registry files. Offline reading and manipulation of the registry (for example from a parallel installed Windows or a boot CD) is not trivial (but not impossible).
• Any application that doesn't uninstall properly, or doesn't have an uninstaller, can leave entries in the registry. In most cases this leads to performance or even stability problems, but only if the application registers itself as a class in HKEY_CLASSES_ROOT. (Note that user settings usually remain in the registry, which is done by design for two reasons: first, the user might be on a Windows domain with server-based profiles, where the settings move with the user to other computers. Uninstalling the application on one computer does not mean the user does not want to use the program on some other computer on the domain. Second, the uninstall process would only be able to modify the current user's settings anyway. In any case, unused keys in HKCU have negligible impact on system performance.)
• Since at least 1998,^[7] pages at Microsoft Support relating to editing the registry include the disclaimer that the Registry Editor should be at own risk.
• Applications that make use of the registry to store and retrieve their settings are not conducive for use on portable devices used to carry applications from one system to another. Since the settings are in the registry, and the registry is not on the portable device along with the application, any setting changes are lost and must be re-entered for each new system.

On Windows 9x computers, an older installation can have a very large registry that slows down the computer's startup and can make the computer unstable. This has led to frequent criticisms that the registry leads to instability. However, as the on-disc structure of the registry is entirely different than Windows 9x series OS,^[1] slowdown due to registry occurs much less frequently on the NT line of Operating Systems (including Windows XP and Vista).

Other systems preserve the concept of separate configuration files for separate application subsystems, but group them together in a single filesystem directory for ease of management, such as /etc/ and hidden directories (directories that start with a period) within the home directory in Unix-like systems.

Applications running on Apple Inc.'s Mac OS X operating system typically store settings in property list files which are usually stored in each user's Library folder. An advantage of this is that corruption to one of these files will normally only affect a single application, whereas corruption of one of the Registry hives can have wide-reaching effects. However, Mac OS X also has a system database called NetInfo that stores system-wide settings such as user account details and network configuration.

RISC OS also allows applications to be copied into directories easily, without the need to install the application as one would in Windows. If one wishes to remove the application, simply delete the folder belonging to the application.^[8] This is possible because RISC OS does not support multi-user environments with different settings for each user.

IBM AIX (a Unix derivant) uses a registry component called Object Data Manager (ODM). The ODM is used to store information about system and device configuration. An extensive set of tools and utilities provides users with means of extending, checking, correcting the ODM database. The ODM stores its information in several files, default location is /etc/objrepos.

The GNOME desktop environment uses a registry-like interface called GConf for storing configuration settings for the desktop and applications. However, in GConf, all application settings are stored in separate files, thereby eliminating a single point of failure.

The Elektra Initiative provides an alternative back-end for text configuration files for the Linux operating system, similar to the registry.

• Registry cleaner

• Windows Registry info & reference in the MSDN Library
• Security Accounts Manager - low-level registry and SAM information
• RegMon - Microsoft/Sysinternals real-time registry monitoring tool (superseded by Process Monitor on newer versions of Windows)
• SpyStudio API Spy Monitor registry activity in user mode.
• Chntpw - Offline NT Password & Registry Editor by Petter Nordahl-Hagen (open source, non-GPL)
• Hivetools - Offline registry editor (GPL)