If you come from the Unix world, the registry will feel a lot like the /proc filesystem in the way it is browsed, while the C:\Windows\System32\config folder that backs it plays the role that files such as /etc/inittab and /etc/sysctl.conf play on Unix. The correspondence is only functional: as this article shows, the storage method, the structure and the way the data is accessed all differ considerably.
The Windows registry is a hierarchical (tree) structure that is kept in memory while Windows runs and is used to store system and application configuration data.
Unlike its Unix counterpart, the live registry is not exposed through the filesystem: it cannot be browsed with Windows Explorer and must be read and changed with tools built for the purpose (regedit.exe, reg.exe or the registry API). The hive files that back it do exist on disk, but they are held open and locked for as long as Windows is running.
Many Windows components depend on the registry, starting with the kernel itself and including the following subsystems:
- User Rights Assignment
- Security Accounts Manager (SAM), permissions and access control
- Group Policy and Local Security Settings
- Services
- Device drivers
- User interfaces
- Third-party applications
- Background processes
The registry is populated from the hive files at boot time, is maintained dynamically and is read continuously for as long as the Windows system is up.
Definition
MSDN defines the registry as follows: "The registry is a system-defined database in which applications and system components store and retrieve configuration data. The data stored in the registry varies according to the version of Microsoft Windows. Applications use the registry API to retrieve, modify, or delete registry data. You should not edit registry data that does not belong to your application unless it is absolutely necessary. If there is an error in the registry, your system may not function properly. If this happens, you can restore the registry to the state it was in when you last started the computer successfully."
In simplest terms, the system (and user) configuration information is stored in a central hierarchical database called the 'registry'.
History
The registry was first introduced in Windows 3.1. Before the registry, Windows configuration information was stored in .ini files. With the registry, that information moved into a single organised store instead of being scattered haphazardly across files. The current trend is away from .ini files, which are used less and less. For example, boot.ini has been replaced by the Boot Configuration Data (BCD) store, which is itself kept in registry hive format as a hierarchy of objects and elements.
Advantage
A registry is always understood to be a central place of storage, whether it is an operating system registry or a Java RMI registry used as a centralised store. This characteristic of being a 'central' place of storage is paramount and is one of the main reasons for the registry's success.
Structure
Earlier, the complete pathnames of .ini files had to be memorised in order to access them. With the registry, information is organised by purpose, and by knowing the purpose of a root key (explained below) an administrator can tell what kind of subkeys to expect under it.
At the top level the registry consists of root keys. Below them are keys and subkeys, and the keys hold the data (values) stored in the registry.
At run time the registry is built from the hive files on the hard disk; for the entire time Windows is operational the registry is kept in memory and read continuously.
A hive is a logical group of keys, subkeys and values that is backed by a set of supporting files on disk (the hive file itself plus its transaction log, from which the hive is recovered after a crash). Hives are mounted under the root keys.
There are five root keys in Windows Vista, Windows 7 and Windows 8. Root keys and subkeys behave much like a filesystem: keys behave like folders because they contain subkeys, and keys hold values (named data items).
The root keys of Windows 8 are explained below. Some of the hives under them have supporting files while others do not:
1- HKEY_CLASSES_ROOT (HKCR): The primary purpose of this key is to provide backward compatibility with 16-bit Windows applications, which kept their file-association data in a single registration database. It contains file extensions and their associated programs, together with COM class registrations. For example, a .docx file is opened with Microsoft Word without the user telling the system which application to use each time he or she double-clicks a Word document, because Windows looks up the handler for the extension in this key. HKCR is itself a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes.
2- HKEY_CURRENT_USER (HKCU): This key is constructed at logon from the HKEY_USERS key and contains the preferences and settings of the currently logged-on user. HKCU is actually a link to HKEY_USERS\<SID of the logged-on user>.
3- HKEY_LOCAL_MACHINE (HKLM): The largest and most intricate of all the root keys. It is one of the most important hive collections in the registry and is supported by the following files:

HKEY_LOCAL_MACHINE hive subkey | Supporting files in C:\Windows\System32\config
HKEY_LOCAL_MACHINE\SAM | SAM, SAM.LOG
HKEY_LOCAL_MACHINE\SECURITY | SECURITY, SECURITY.LOG
HKEY_LOCAL_MACHINE\SOFTWARE | SOFTWARE, SOFTWARE.LOG
HKEY_LOCAL_MACHINE\SYSTEM | SYSTEM, SYSTEM.LOG

Note: in the table above the file with no extension is the one containing the actual hive data. The .LOG file (on Vista and later, .LOG1 and .LOG2) is the transaction log that records key and value changes not yet flushed to the hive file; it is what lets a hive be recovered consistently after a crash.
The HARDWARE hive under HKLM is different: it has no supporting file. It is volatile, rebuilt at every boot from the hardware detected by the kernel and the hardware abstraction layer, and discarded at shutdown. The rest of HKLM is loaded from the SAM, SECURITY, SOFTWARE and SYSTEM hives.
4- HKEY_USERS (HKU): Information about every user who logs on to the system is placed under this root key, one subkey per user SID. The most prominent component is HKEY_USERS\.DEFAULT, backed by C:\Windows\System32\config\DEFAULT and C:\Windows\System32\config\DEFAULT.LOG, which holds the profile in use before anyone logs on. Each user's own subkey is loaded from the NTUSER.DAT and NTUSER.DAT.LOG files in that user's profile folder.
5- HKEY_CURRENT_CONFIG (HKCC): This is simply a link to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current. A link means it is not a copy or a second instance of the information: when you view HKCC you are actually viewing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
HKCC exists only to make that location in HKEY_LOCAL_MACHINE easier to reach.
Values
All the root keys contain branches of subkeys, but the leaf nodes of the hierarchy are the "values". Values are the named data items that hold the actual information of the registry, whether about users, software or anything else.
The value types are defined in winnt.h; as documented on MSDN they are:

REG_BINARY
    Binary data in any form.
REG_DWORD
    A 32-bit number.
REG_DWORD_LITTLE_ENDIAN
    A 32-bit number in little-endian format. Windows is designed to run on little-endian computer architectures, therefore this value is defined as REG_DWORD in the Windows header files.
REG_DWORD_BIG_ENDIAN
    A 32-bit number in big-endian format. Some UNIX systems support big-endian architectures.
REG_EXPAND_SZ
    A null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%"). It will be a Unicode or ANSI string depending on whether you use the Unicode or ANSI functions. To expand the environment variable references, use the ExpandEnvironmentStrings function.
REG_LINK
    A null-terminated Unicode string that contains the target path of a symbolic link that was created by calling the RegCreateKeyEx function with REG_OPTION_CREATE_LINK.
REG_MULTI_SZ
    A sequence of null-terminated strings, terminated by an empty string (\0). For example: String1\0String2\0String3\0LastString\0\0. The first \0 terminates the first string, the second-to-last \0 terminates the last string, and the final \0 terminates the sequence. Note that the final terminator must be factored into the length of the string.
REG_NONE
    No defined value type.
REG_QWORD
    A 64-bit number.
REG_QWORD_LITTLE_ENDIAN
    A 64-bit number in little-endian format. Windows is designed to run on little-endian computer architectures, therefore this value is defined as REG_QWORD in the Windows header files.
REG_SZ
    A null-terminated string. This will be either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions.

A practical caveat: the type is only a hint to readers. The registry does not check that the data matches the declared type, and string data is not guaranteed to carry its null terminator, so code that reads REG_SZ or REG_MULTI_SZ data has to verify the terminator itself rather than trust the stored length.
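The encodings in the table above, carried through in code. This is an added example written for this article, not code from the Windows SDK: it builds the exact byte image the registry stores for each common type (the UTF-16LE strings RegSetValueExW writes, the REG_MULTI_SZ double terminator, little- and big-endian integers), decodes it again while tolerating a missing string terminator, expands %NAME% references the way ExpandEnvironmentStrings does (case-insensitively, leaving unknown names alone), and renders raw bytes in the hex(N): notation regedit uses in exported .reg files. The environment is passed in as a dictionary so the example runs the same on any platform.

```python
"""Added example (not from the article or the Windows SDK): encode Python values
into the byte images the registry stores for the common winnt.h value types,
decode them back, and render them in the hex(N): notation of .reg files."""
import re
import struct

# Type identifiers from winnt.h
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN = 1, 2, 3, 4, 5
REG_MULTI_SZ, REG_QWORD = 7, 11

# RegSetValueExW stores strings as UTF-16LE, each string NUL-terminated
_UTF16 = "utf-16-le"
_NUL = "\0".encode(_UTF16)  # two zero bytes


def encode_value(reg_type, data):
    """Return the byte image of `data` for the given REG_* type."""
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        if "\0" in data:
            raise ValueError("embedded NUL in string value")
        return data.encode(_UTF16) + _NUL
    if reg_type == REG_MULTI_SZ:
        if any(not s or "\0" in s for s in data):
            raise ValueError("REG_MULTI_SZ elements must be non-empty and NUL-free")
        # every element NUL-terminated, then one extra NUL ends the list;
        # that final terminator is part of the stored length
        return b"".join(s.encode(_UTF16) + _NUL for s in data) + _NUL
    if reg_type == REG_DWORD:
        return struct.pack("<I", data)          # little-endian, 4 bytes
    if reg_type == REG_DWORD_BIG_ENDIAN:
        return struct.pack(">I", data)
    if reg_type == REG_QWORD:
        return struct.pack("<Q", data)          # little-endian, 8 bytes
    if reg_type == REG_BINARY:
        return bytes(data)
    raise ValueError(f"unsupported type {reg_type}")


def decode_value(reg_type, raw):
    """Inverse of encode_value.  Tolerates string data written without a
    terminator, which some programs do and which the API does not correct."""
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode(_UTF16).split("\0", 1)[0]
    if reg_type == REG_MULTI_SZ:
        return [s for s in raw.decode(_UTF16).split("\0") if s]
    if reg_type == REG_DWORD:
        return struct.unpack("<I", raw)[0]
    if reg_type == REG_DWORD_BIG_ENDIAN:
        return struct.unpack(">I", raw)[0]
    if reg_type == REG_QWORD:
        return struct.unpack("<Q", raw)[0]
    if reg_type == REG_BINARY:
        return bytes(raw)
    raise ValueError(f"unsupported type {reg_type}")


def expand_env(text, env):
    """Expand %NAME% references as ExpandEnvironmentStrings does: lookup is
    case-insensitive and names missing from `env` are left untouched.
    `env` is a plain dict so the example does not depend on the host OS."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), text)


def to_reg_hex(reg_type, raw):
    """Render raw bytes the way regedit exports them: hex: for REG_BINARY,
    hex(N): for every other type, N being the type number in hexadecimal."""
    tag = "hex" if reg_type == REG_BINARY else f"hex({reg_type:x})"
    return tag + ":" + ",".join(f"{b:02x}" for b in raw)
```

Because REG_MULTI_SZ cannot contain an empty element (an empty string would read as the list terminator), encode_value refuses one instead of silently truncating the list; decode_value drops empty segments for the same reason.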
Security of Windows registry keys:
The Windows access control model applies to registry keys just as it does to files and folders. Every key carries a security descriptor (owner, DACL and SACL), so a key can be assigned permissions that dictate which users and processes may read it, write to it, create subkeys under it or take ownership of it, and access to it can be audited. In regedit.exe, right-clicking a key and choosing Permissions opens a dialog similar to the one used for file and folder permissions.
Two hives deserve special attention: HKLM\SAM and HKLM\SECURITY are, by default, readable only by the SYSTEM account. Even administrators cannot browse them in regedit without taking ownership or running as SYSTEM, which is why copies of the SAM and SYSTEM hive files (from backups, shadow copies or offline media) are what attackers go after to recover password hashes, and why those copies need the same protection as the live system.
Backing up the Windows registry:
The following methods can be used to back up the Windows registry:
1 - Copy the contents of the C:\Windows\System32\config folder. The hive files are locked while Windows is running, so this only works from offline media or from a volume shadow copy. For a live copy of a single hive use reg.exe, for example reg save HKLM\SYSTEM system.hiv, which writes a binary hive file.
2 - Export the registry to a .reg file with regedit.exe:
C:\> regedit /e registryoutputfile.reg
This writes the entire registry (as far as the current user can read it; SAM and SECURITY are skipped because of their permissions) to a text file, a sort of complete registry backup.
To write a particular hive or root key, name it after the file:
C:\> regedit /e outputfile.reg HKEY_LOCAL_MACHINE\Software
This writes only the Software key to outputfile.reg. Any key can be written to a file using the same syntax; reg export HKLM\Software outputfile.reg does the same from a script.
Most frequently used keys
1- Software uninstall data key
The key that contains the list of installed applications:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
appwiz.cpl, the Programs and Features applet in Control Panel, loads its data from this key. On 64-bit Windows, 32-bit applications register under HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall instead.
2- Autorun keys
An exhaustive list of such locations can be obtained with Autoruns, part of the Sysinternals suite by Mark Russinovich. The ones that are easiest to understand (and explain) are listed below:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\System\CurrentControlSet\Services
These are the locations most often abused by malware for persistence, so they are the first places to check during incident response.
3- Keys that auto-load programs once
The Run keys start their entries at every logon; the RunOnce keys start their entries at the next logon only and delete each entry once it has run:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
4- Registry keys that carry Group Policy, security settings and user rights
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
Note that the Policies\Explorer\Run key is itself an autostart location, and one that is rarely checked by hand. Services are started from the per-service subkeys of HKLM\System\CurrentControlSet\Services listed above.
5- Registry key that automatically loads DLLs
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Each value here names a COM object (by CLSID) that Windows Explorer loads when it starts.
6- The key that causes chkdsk and autochk to run automatically
HKLM\System\CurrentControlSet\Control\Session Manager
Its BootExecute value (a REG_MULTI_SZ, normally "autocheck autochk *") lists the native programs Session Manager runs before any service starts, which also makes it an autostart location worth checking.
- The key that holds the list of KnownDLLs:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
DLLs named here are always loaded from the system directory rather than searched for, which is what protects those names from DLL search-order hijacking.
Playing with the registry: changing Windows configuration directly using regedit.exe
1- Icon-free desktop
Go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
o Here create a new key named Explorer. We name it Explorer because we are creating a policy that applies to Windows Explorer. Inside this key create a new 32-bit (DWORD) value and name it "NoDesktop".
o Leaving it at 0 (the default, false) lets the icons be displayed; changing it to 1 (true) hides every icon on the desktop after a logout/login. Keep in mind that this also disables the menu that normally appears when you right-click the desktop.
2- Hiding icons in the notification tray
Go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
o If the Explorer key does not exist, create it. Create another DWORD value called "NoTrayItemsDisplay". It has a default value of 0 (false); change it to 1 (true) and restart the computer.
Note: the notification tray is at the lower right of the screen.
3- Increasing the limit for simultaneous HTTP downloads
WinINet, the HTTP stack used by Internet Explorer and by programs built on it, limits a client to 2 connections per server over HTTP 1.1 and 4 over HTTP 1.0.
In the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
o Create a new 32-bit (DWORD) value named "MaxConnectionsPerServer" and set it to 10 (decimal).
o Also create a DWORD value named "MaxConnectionsPer1_0Server" and set it the same way.
The numbers chosen raise or lower the number of simultaneous downloads. The setting only affects applications that use WinINet.
4- Paranoid security: locking a drive
Here is a really useful example of what you can do with the registry.
Go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
o If the Explorer key does not exist, create it.
o Create a new DWORD value named "NoViewOnDrive".
o Give it the value from the following table to lock that particular drive. The value is a bitmask: bit n stands for the n-th drive letter, so several drives are locked by adding their values together.

Bit (n) | Drive letter | Calculation (2^n) | Value to assign
0 | A: | 2^0 = 1 | 1
1 | B: | 2^1 = 2 | 2
2 | C: | 2^2 = 4 | 4
3 | D: | 2^3 = 8 | 8
4 | E: | 2^4 = 16 | 16
5 | F: | 2^5 = 32 | 32
6 | G: | 2^6 = 64 | 64
7 | H: | 2^7 = 128 | 128
8 | I: | 2^8 = 256 | 256
9 | J: | 2^9 = 512 | 512
10 | K: | 2^10 = 1024 | 1024
0 to 25 | All drives (A: to Z:) | 2^0 + ... + 2^25 = 2^26 - 1 | 67108863 (yes, the last digit is 3: 2^26 is 67108864, and all 26 bits set is one less, 0x3FFFFFF)

Doing this blocks access to the drive through Windows Explorer. It is an Explorer policy, not a security boundary: the drive stays fully accessible from the command prompt and from any other program, so use it to keep honest users out of the way, not to protect data.
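The bitmask in the table above, computed rather than looked up. This is an added example written for this article, not something from Microsoft: it turns a set of drive letters into the NoViewOnDrive DWORD, decodes a value read back from the registry into drive letters, and builds the reg.exe command that would apply it for the current user. The key path is the one from the steps above; reg_add_command only returns the string and runs nothing.

```python
"""Added example (written for this article, not Microsoft code): build and
decode the NoViewOnDrive bitmask.  Bit n of the DWORD stands for the drive
letter chr(ord('A') + n), so a set of drives is the bitwise OR of their values."""

ALL_DRIVES = (1 << 26) - 1      # bits 0..25 set: 0x3FFFFFF = 67108863

POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def drive_mask(drives):
    """Return the DWORD that locks the given drives, e.g. ['C', 'D:']."""
    mask = 0
    for d in drives:
        letter = d.strip().rstrip(":").upper()
        if len(letter) != 1 or not "A" <= letter <= "Z":
            raise ValueError(f"not a drive letter: {d!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def locked_drives(mask):
    """Decode a mask read from the registry back into drive letters."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError("mask uses bits outside A..Z")
    return [chr(ord("A") + n) for n in range(26) if mask >> n & 1]


def reg_add_command(drives):
    """The reg.exe line that applies the policy for the current user."""
    return (f'reg add "{POLICY_KEY}" /v NoViewOnDrive /t REG_DWORD '
            f'/d {drive_mask(drives)} /f')
```

locked_drives rejects any value with bits above bit 25 set, which is a quick way to spot a mask that was typed as hexadecimal when decimal was intended (or the other way round).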
5- Locking the wallpaper
Go to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
o Create a 32-bit (DWORD) value named NoChangingWallPaper and give it the value 1.
6- 32-bit programs on a 64-bit machine
If you are using a 32-bit machine the registry explanation above will suffice. On a 64-bit machine there is one more key that may interest you.
HKLM\Software\Wow6432Node ('Wow6432Node' for short) is where 64-bit Windows redirects the HKLM\Software view of 32-bit applications. A 32-bit program that reads or writes HKLM\Software\... actually lands under Wow6432Node, so its settings, its Uninstall entry and its Run (autostart) entries are found there, and you have to look there from a 64-bit regedit to see them.
Hint: to find the 32-bit software on your 64-bit machine, browse the C:\Program Files (x86) folder.
Editing the registry
1- Using .reg files to enter data in the registry
A .reg file is usually an exported registry or a component of one.
C:\> regedit.exe /s filename.reg
The /s parameter means silent: no confirmation prompt and no output on the console.
If filename.reg contains the entire registry, the entire registry is written back to the system; if it contains only a component such as HKLM\Software or the HKCU root key, only that root key is affected. This is possible because each section of a .reg file carries the complete path of the key it populates. The same mechanism means a .reg file can create, change or delete keys and values anywhere the importing user can write, so inspect a .reg file from an untrusted source before importing it. An example .reg file can be downloaded from http://www.computerperformance.co.uk/Registry/ComputerName.zip
2- Using the reg command
The reg command is another way to modify the registry. Typing
C:\> reg /?
at the command prompt displays the usage and applicable parameters.
To add a value (the key is created if it does not exist):
C:\> reg add <key_name> /v <value_name> /t <data_type> /d <data>
To delete a value:
C:\> reg delete <key_name> /v <value_name> /f
/f forces the delete without a confirmation prompt; without it reg asks first. Leaving out /v deletes the whole key. An exhaustive list of parameters can be seen by typing reg add /? or reg delete /?.
Example of reg.exe usage
As an example, let us change the wallpaper for the current user.
Step 1: remove the existing registry value for the desktop wallpaper:
C:\> reg delete "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /f
The key name contains a space, so it has to be quoted. The above line deletes the value Wallpaper in the "HKEY_CURRENT_USER\Control Panel\Desktop" key.
Step 2: add the new value for the key:
C:\> reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\test.jpg
After the above command the wallpaper for the current user is set to C:\test.jpg; the desktop picks up the new setting at the next logon.