Windows Registry FAQ
Welcome to the Windows Registry Frequently Asked Questions (FAQ) list. This list is
written for System Administrators, Information Systems Support Professionals, and Power
Users who want to know more about the Windows Registry.
The first part of this document covers the formalities that
are common to most FAQs. The second part of this FAQ answers, among other things,
questions about the purpose, structure, and function of the Registry. The third section
answers questions about NT/XP/2000/2003 customization and tuning, while the fourth and last
part of this document answers questions about the many resources that are available to
you.
Table of contents
1.4 What is the SAM?
1.5 What is a hive?
1.8 What is the Registry Editor?
1.8.1 What improvements were made in the Windows 2000 Registry Editor?
1.8.2 What improvements were made in the Windows XP and 2003 Registry Editors?
2.7 How can I disable displaying the last logged on user in the Logon dialog box?
2.11 How can I enable or disable the CD autorun feature?
2.12 How is the boot-time version of Chkdsk controlled?
2.13 How can I use Notepad to open files with unknown extensions?
2.14 How can I disable the Most Recently Used (MRU) Files list?
3.1.1 What utilities ship with the Windows NT operating system?
Section 0: General Information
0.1 Legal notice (copyrights and disclaimers)
This FAQ is copyrighted material. Copyright © 1997-2008 Bennett Scharf. All rights reserved. You are free to copy and redistribute this document in its entirety with no additions, deletions, or revisions.
Microsoft, Windows, Windows 2000, Windows NT, Windows XP and Windows Server 2003 are copyright Microsoft corporation.
This document is provided as-is, without any express or implied warranties. The information presented in this document was gathered from a variety of sources including Usenet newsgroups, e-mail, and Internet Web sites. As such, some or all of the information in this document may be dead wrong. You are strongly encouraged to personally verify this information prior to attempting any work on the NT Registry. You have been warned.
I do not receive payment or compensation from any of the organizations or individuals mentioned in this FAQ. Any opinions or endorsements contained in this FAQ are purely personal, and do not represent the views of my employer.
0.2 Document version information
This is document version 1.3, which was revised Thursday, January 08, 2009. The most current version of this FAQ can be found at http://www.bennett-scharf.com/Technology/NTRegFAQ.htm.
Please submit any questions, comments, corrections, or updates to the current FAQ maintainer, Bennett Scharf -- e-mail address below. All contributions will be acknowledged as they are incorporated into future revisions.
1.1 What is the purpose of the Registry?
The Registry is a centralized, hierarchical database of configuration information that is part of the Windows NT operating system. It contains:
The Registry is the successor of the earlier system of .ini files used with Windows 3.1. Instead of having configuration files spread out across the file system, everything is merged into one centralized, easily-accessible database. Unlike .ini files, the Registry allows programmers and users to store and access a rich variety of data types. Also unlike .ini files, the Registry allows you to set access permissions for each entry.
The registry is a particularly cool way of storing small amounts of configuration data, particularly numeric data as well as arrays of strings. For example, say you need to monitor 10 different servers. The REG_MULTI_SZ data type makes it particularly easy to store and retrieve such a list.
1.2 What is the basic structure of the Registry?
At its uppermost level, the Registry contains five root keys that are described in table 1.1.
Table 1.1: The top-level Registry keys.
| HKEY_LOCAL_MACHINE | Contains hardware and software information that is not user specific. It includes settings for the operating system, device drivers, and services. |
| HKEY_USERS | Contains profile information for the currently logged on user, the default user, and other users that have previously logged on to the machine locally. Users that have logged on remotely do not have profiles stored under this key. |
| HKEY_CLASSES_ROOT | Associates specific file types with specific applications. This is also where the OLE information is stored. |
| HKEY_CURRENT_USER | Contains user profile information for the currently logged on user including desktop settings, environment variables, printers, application preferences and network connections. |
| HKEY_CURRENT_CONFIG | Contains configuration information for the hardware profile currently in use on the computer. |
1.3 What are some common abbreviations?
Texts, technical notes, and troubleshooting documents often abbreviate Registry entries as follows:
Table 1.2: Common Registry key abbreviations.
| CurrentControlSet | |
| HKEY_LOCAL_MACHINE | HKLM |
| HKEY_USERS | HKU |
| HKEY_CLASSES_ROOT | HKCR |
| HKEY_CURRENT_USER | HKCU |
| HKEY_CURRENT_CONFIG | HKCC |
The SAM or Security Account Manager Database is also called the Directory Database. It contains security and user account information. In an NT domain, the SAM is stored and updated on the Primary Domain Controller and is replicated to read-only copies on one or more Backup Domain Controllers.
A hive is a group of keys, subkeys and values that starts at the top of the Registry hierarchy. Hives are different from other keys in that they are persistent. By contrast, HKLM\HARDWARE is not a hive since it is created at boot time and destroyed at system shutdown. The different hives and their associated files are listed in table 1.3. By default, the hives for each user are stored in SystemRoot\Profiles\username\NTUser.dat where username is the user's logon name. The remaining hives are stored in SystemRoot\System32\config.
Table 1.3: Registry Hives and support files
| Hive Name | Hive File | Log File | Backup file |
| HKEY_LOCAL_MACHINE\SAM | SAM | SAM.log | SAM.sav |
| HKEY_LOCAL_MACHINE\Security | SECURITY | Security.log | Security.sav |
| HKEY_LOCAL_MACHINE\Software | SOFTWARE | Software.log | Software.sav |
| HKEY_LOCAL_MACHINE\System | SYSTEM | System.log | System.sav |
| HKEY_CURRENT_CONFIG | SYSTEM | System.log | System.sav |
| HKEY_USERS\.DEFAULT | DEFAULT | Default.log | Default.sav |
| HKEY_CURRENT_USER | NTUser.dat | Ntuser.dat.log |
Hives can be backed up, restored, and moved from one machine to another.
1.6 What are Registry permissions?
Registry permissions control which users and groups can read, search, and modify Registry keys. The permissions are
Please refer to one of the texts listed in the resources section for more information.
A Reg file is a text file that contains Registry information and has the extension .Reg. Reg files can be created by exporting Registry data using Regedit.exe. Reg files can be edited with any standard text editor such as Notepad. Finally, Reg files can be imported into the Registry using Regedit.exe.
Many texts recommend that you avoid making direct changes to the Registry. Instead, they recommend that you export the desired tree to a Reg file, make a backup copy of the Reg file, make changes to the Reg file with a text editor, then import the changed data into the Registry. If anything goes wrong, you can usually import the backup copy of the Reg file into the Registry to undo your changes.
| Caution: The default action associated with this file type is to launch the Registry Editor and merge the file into the Registry. Consequently, you should never double-click on a Reg file to edit it! |
1.8 What is the Registry Editor?
The Registry Editor is a program that you can use to modify information stored in the Registry.
| Caution : Erroneous registry settings can render your machine totally unusable. Neither registry editor has an undo feature. As such, you should always make a backup of the Registry prior to using the Registry Editor. |
With Windows XP and Windows Server 2003, there is a single registry editor, regedit.exe. In Windows NT there are two registry editors as described below.
IMHO, you should have abandoned NT several years ago. If you have not already done so you should migrate your W2k systems to XP and 2003 ASAP.
The Windows NT Setup program installs two versions of Registry Editor: the Windows NT Registry Editor (Regedt32.exe) and either the Windows version 3.x version of Registry Editor or the Windows 95 version, which are both named Regedit.exe. Figure 3.1 shows a screen snapshot of the Windows 95 Registry Editor.
Figure 2.1: Windows 95 Registry Editor, Regedit.exe
The Windows NT Registry Editor is installed in the %SystemRoot%\system32 directory. The Windows 3.x version (16-bit), or the Windows 95 version (32-bit) of Registry Editor is installed in the %SystemRoot% directory. Figure 2.2 shows a screen snapshot of the Windows NT Registry Editor.
Figure 2.2: Windows NT Registry Editor, Regedt32.exe
Setup installs the Windows 3.x version of Registry Editor if one of the following occurs:
If Setup detects that it is installing Windows NT version 4.0 in a directory that contains Windows version 3.x.
If Setup detects that it is upgrading Windows NT version 3.x that was originally installed in a directory that contained Windows version 3.x.
In all other cases, Setup installs the Windows 95 version of Registry Editor in the %SystemRoot% directory.
1.8.1 What improvements were made in the Windows 2000 Registry Editor?
Regedit.exe for Windows 2000 has several new features:
1.8.2 What improvements were made in the Windows XP and 2003 Registry Editors?
1.9 Where are device driver settings kept?
Device driver settings can be found under HKLM\SYSTEM\CurrentControlSet\Services.
1.10 What keys are used for automatic program startup?
Programs that are not services, or in other words, programs that are started within the user logon session, may be started under any of the following keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
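The Reg files described earlier make these keys easy to audit offline. The following is an added example, not part of the original FAQ: it parses the text of a Regedit export and reports every value under the eight keys above that is not in an approved baseline. The sample export, the baseline and all function names are constructed for illustration.

```python
import re

# Root-key abbreviations from Table 1.2, used to normalise exported key paths.
ROOTS = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR",
         "HKEY_CURRENT_CONFIG": "HKCC"}

# The eight autostart keys listed in this section, lower-cased because
# registry key names are case-insensitive.
AUTOSTART_KEYS = {
    f"{root}\\software\\microsoft\\windows\\currentversion\\{leaf}".lower()
    for root in ("HKLM", "HKCU")
    for leaf in ("Run", "RunOnce", "RunServices", "RunServicesOnce")
}

# Constructed sample. Real Version 5.00 exports are UTF-16: open with encoding="utf-16".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupAgent"="C:\\Program Files\\ExampleBackup\\agent.exe /quiet"
"Updater"="\"C:\\Users\\Public\\upd.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="cmd.exe /c del C:\\temp\\setup.log"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')

def normalise_key(path):
    """Abbreviate the root key and lower-case the whole path."""
    root, _, rest = path.partition("\\")
    root = ROOTS.get(root.upper(), root)
    return f"{root}\\{rest}".lower()

def unescape(text):
    """Undo .reg string escaping (backslash and quote are backslash-escaped)."""
    return re.sub(r"\\(.)", r"\1", text)

def find_autostart_entries(reg_text):
    """Return (key, value name, data) for every value under an autostart key."""
    entries, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # "[-HKEY...]" (a deletion) will not match below
            continue
        match = VALUE_RE.match(line)
        if key is None or not match or normalise_key(key) not in AUTOSTART_KEYS:
            continue
        string = STRING_RE.match(match.group(2))
        # String data is unescaped; other types (dword:, hex:) are kept as written.
        data = unescape(string.group(1)) if string else match.group(2)
        entries.append((key, unescape(match.group(1)), data))
    return entries

def unexpected_entries(reg_text, approved):
    """Entries whose (value name, data) pair is missing from the approved set."""
    return [e for e in find_autostart_entries(reg_text)
            if (e[1], e[2]) not in approved]
```

Export each of the keys with Regedit on a known-good build to produce the approved set, then run later exports through `unexpected_entries` to see what has been added or changed.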
Data types define what kind of data an entry can store. The following data types are used by entries in the Windows 2000 registry:
Raw binary data. Most hardware component information is stored as binary data. It can be displayed in an easy-to-read format by using Windows 2000 Diagnostics. REG_BINARY data can be displayed and entered in binary or hexadecimal format in a registry editor.
Data represented by a number that is 4 bytes (32 bits) long. Boolean (0 or 1) values and many entries for device drivers and services take this data type. REG_DWORD data can be displayed in binary, hexadecimal, or decimal format in a registry editor.
Same as REG_DWORD. A 32-bit number in which the most significant byte is displayed as the leftmost or high-order byte. This is the most common format for storing numbers in computers running Windows 2000 and Windows 98.
A 32-bit number in which the most significant byte is displayed as the rightmost or low-order byte. This is opposite of the order in which bytes are stored in the REG_DWORD and REG_DWORD_LITTLE_ENDIAN data types.
A variable-length text string. REG_EXPAND_SZ data can include variables that are resolved when an application or service uses the data. For example, the value of File includes the variable Systemroot. When the Event Log service references the File entry, this variable is replaced by the name of the directory containing the Windows 2000 system files.
Indicates a symbolic link between system or application data and a registry value. You can use Unicode characters in a REG_LINK entry.
Multiple text strings formatted as an array of null-terminated strings, and terminated by two null characters. Values that contain lists or multiple values in a form that people can read usually take this data type. The values in a REG_MULTI_SZ entry can be separated by spaces, commas or other marks. For example, the value of Machine is a list of paths accessible by all remote users of Windows 2000.
A fixed-length text string. Boolean ("True" or "False") values and other short text values usually have this data type.
A series of nested arrays designed to store a resource list for a hardware component or driver. For example, in Regedt32, double-click ConfigurationData (in HKEY_LOCAL_MACHINE\Hardware\Description\System\MultifunctionAdapter\0\ControllerName\0).
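The byte layouts described above can be checked by decoding raw value data directly. The following is an added example, not part of the original FAQ: it decodes the two DWORD byte orders, round-trips a REG_MULTI_SZ list such as the list of monitored servers mentioned in section 1.1, and resolves the variable in a REG_EXPAND_SZ string. The function names and sample values are constructed, and string data is assumed to be UTF-16LE.

```python
import re
import struct

# Assumption: string data is UTF-16LE, the form in which the Unicode registry
# API stores REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ values.

def decode_dword(raw, big_endian=False):
    """Decode REG_DWORD / REG_DWORD_LITTLE_ENDIAN, or REG_DWORD_BIG_ENDIAN."""
    if len(raw) != 4:
        raise ValueError("a DWORD is exactly 4 bytes")
    return struct.unpack(">I" if big_endian else "<I", raw)[0]


def encode_multi_sz(strings):
    """Serialise a list of strings: each null-terminated, plus a final null."""
    for item in strings:
        if item == "" or "\x00" in item:
            raise ValueError("entries cannot be empty or contain a null")
    return ("".join(item + "\x00" for item in strings) + "\x00").encode("utf-16-le")


def decode_multi_sz(raw):
    """Split REG_MULTI_SZ data; tolerate a missing final terminator."""
    if len(raw) % 2:
        raise ValueError("data must be a whole number of UTF-16 code units")
    strings = []
    for part in raw.decode("utf-16-le").split("\x00"):
        if part == "":
            break  # an empty string is the second null that ends the list
        strings.append(part)
    return strings


def expand_sz(raw, env):
    """Decode REG_EXPAND_SZ data and resolve %NAME% variables from env.

    Variable names are matched case-insensitively; unknown ones are left as-is.
    """
    text = raw.decode("utf-16-le").split("\x00", 1)[0]
    lookup = {name.upper(): value for name, value in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), text)


# Constructed sample data.
SERVERS = ["srv01", "srv02", "srv03"]  # a list of monitored servers
FILE_VALUE = "%SystemRoot%\\system32\\config\\AppEvent.Evt\x00".encode("utf-16-le")

if __name__ == "__main__":
    same_bytes = b"\x01\x00\x00\x00"
    print(decode_dword(same_bytes), decode_dword(same_bytes, big_endian=True))
    print(decode_multi_sz(encode_multi_sz(SERVERS)))
    print(expand_sz(FILE_VALUE, {"SystemRoot": r"C:\WINNT"}))
```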
The only real way to protect the Registry is to back it up to disk or tape daily. You should also perform a Registry backup prior to:
There is a second type of protection, that of securing the Registry against snooping, modification, and erasure by unauthorized users. In its default configuration, Windows NT is easy to use but very insecure. If you are in a network environment, you probably need better security than what NT's out-of-the-box configuration offers. At a minimum you should read and implement the recommendations in the article, Securing Windows NT 4.0 Installation which is available through the TechNet subscription service.
2.2 How can I back up the Registry?
There are plenty of different ways to back up the Registry:
*When using NTBackup on Windows 2000, select a System State backup.
2.3 How can I recover from a corrupted Registry?
2.4 How do you set Registry permissions?
| Caution : Incorrect Registry permissions can render your system totally unusable. Always make a backup of the Registry prior to changing Registry permissions. |
Using the NT Registry Editor, Regedt32.exe, select the key for which you want to change Registry permissions. From the main menu, select Security and Permissions. In the Registry Key Permissions dialog box,
2.5 How do I Automate Windows NT Logon?
In certain cases it may be desirable to bypass the security of the local NT/2000 user logon prompt. You may accomplish this by storing your logon credentials in the Registry as follows:
| Caution : Implementing this change on a networked system will expose a potentially dangerous security hole. You should fully understand the security consequences of implementing this change before proceeding. Please refer to Microsoft Technet article #Q97597 for additional information. |
2.6 How do I Display the Shutdown Command at Logon?
The shutdown command is not normally displayed on the Windows NT Logon screen.
Method 1:
Method 2:
Use the REGKEY utility provided with the Windows NT Resource Kit.
2.7 How can I disable displaying the last logged on user in the NT Logon dialog box?
You can gain improvements in directory enumeration performance by disabling short (8.3) filename support on NTFS partitions. Refer to Microsoft technote "Optimization and Tuning of Windows NT" for more information.
| Caution : this change will cause compatibility problems with 8-bit DOS and 16-bit Windows applications. |
You can configure a legal notice that is displayed during logon. When this change is implemented, users will be forced to acknowledge the message by selecting OK prior to logging on.
By default, Windows NT has several hidden shares that can only be accessed by an administrator. This includes C$,
There is no user interface option (e.g.: control panel) to enable or disable the CD autorun feature.
To disable autorun for a single CD, hold down one of the SHIFT keys while inserting the compact disc.
The boot-time version of chkdsk, autocheck.exe, is controlled by the HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\BootExecute data item. The default entry is autocheck autochk *. The wildcard * causes an automatic check of each partition. Change the entry to autocheck autochk /p * to run the equivalent of chkdsk /f on each partition on every subsequent system restart. Note: the data type for this entry is REG_SZ; consequently you must use REGEDT32.EXE to edit this data item.
2.13 How can I use Notepad to open files with unknown extensions?
The following steps will make Notepad the default program for
opening files with unknown or unregistered extensions:
1. Using the registry editor, locate the HKEY_CLASSES_ROOT\Unknown\shell key.
3. On the Edit menu, select New | Key and then create an "open" key.
4. In the open key, create a new "command" key.
5. Click the Default value in the command key and type notepad.exe %1.
2.14 How can I disable the Most Recently Used (MRU) Files list?
There are certain circumstances in which you may want to disable the list of most recently used files for privacy or security reasons, for example on a loaner laptop or a public kiosk. To disable this list, follow these steps:
1. Using the registry editor, navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32 key.
2. Create a REG_DWORD value named NoFileMru and set this value to 1.
3.1.1 What utilities ship with the Windows NT operating system?
3.1.2 What other utilities are available from Microsoft?
Several useful Registry utilities ship with the Windows NT Resource Kit.
Figure 3.1 shows a screen snapshot of the RegKey Utility.
Figure 3.1: RegKey screen snapshot
REGCLEAN.EXE is a GUI utility that can be used to correct minor inconsistencies in the Windows 95 and NT Registries. This program is available on Microsoft's web and FTP sites. Refer to KnowledgeBase article Q147769 for the most current information.
3.1.3 What commercial utilities are available?
MWC, Inc. markets a product called Regadmin that allows administrators to add, remove or modify Registry permissions and propagate these permissions without affecting other accounts' permissions.
3.1.4 What shareware utilities are available?
The NT Internals Web Page contains some of the most powerful Windows NT and Windows 95 utilities to be found anywhere. Many of the utilities are free, while a few are low-cost shareware. Strongly recommended. One of their must-have utilities, NTRegMon, allows you to observe changes to the registry in real-time. Figure 3.2 shows a screen snapshot of the NTRegMon utility.
Figure 3.2: NTRegMon screen snapshot
The Coast to Coast Software Repository has a number of useful Registry utilities:
Table 3.1: Registry utilities from the Coast to Coast Software Repository
| dumpReg.zip | Somar DumpReg V1.0, Dump contents of Registry |
| greprg10.zip | Recursively search for a string in the Registry |
| regcl101.zip | Registry class browser for NT and 95 |
| regsrch.zip | Registry search and replace utility NT/Win95 |
| rgedit11.zip | Somar RegEdit V1.1, DLL-view Registry profiles |
| rsurf101.zip | Surf the Registry for keys, values, and data |
Somarsoft produces several useful utilities:
Table 3.2: Registry utilities from Somarsoft
| DumpACL | Dumps the permissions (ACLs) of the file system, printers, shares, and Registry to help uncover security problems |
| DumpReg | Dumps the Registry. Allows ascending and descending sorts by last modify time. |
Additionally, the Resource Kit contains a number of useful Registry utilities that are described in the previous section.
3.2.2 What periodicals are useful?
Windows NT Magazine has published a number of Registry tips and hacks, many of which are available online.
Windows Magazine: same as above, but fewer articles on the registry.
3.3.2 What Usenet newsgroups are useful?
Microsoft has a public news server, msnews.microsoft.com. It currently hosts several Windows NT technical discussion groups. One group that you may find useful is microsoft.public.windowsnt.misc.
There are several non-Microsoft-sponsored, general-purpose Windows NT technical discussion groups that you may find useful. Newsgroup availability will vary by Internet Service Provider.
3.3.3 What mailing lists are useful?
WINNT-L is an open, unmoderated discussion list for Windows NT. It is a high-volume list, so expect to receive sixty or more messages per day. To subscribe, send a message to LISTSERV@PEACH.EASE.LSOFT.COM. Leave the subject line blank. In the body of the message put "SUBSCRIBE WINNT-L". (Do not include the quotation marks.)
3.3.3 What other resources are there?
A great way to locate additional resources is to perform an Internet search using terms such as NT Registry, NT Registry Troubleshooting and NT Registry Utilities. Here are links to the author's favorite search engines: