Working With the Windows XP Registry - PowerPoint PPT Presentation

Provided by: jimb194

Transcript and Presenter's Notes


1
  • Working With the Windows XP Registry

2
Objectives
  • After completing this chapter, you will be able
    to
  • Understand the function and structure of the
    Registry
  • Describe the purpose of each of the five Registry
    keys and the hive files to which some of them map
  • Use the Registry editor and other Registry tools
  • Understand default Registry sizing techniques and
    limits on Registry size
  • Understand fault-tolerance for the Registry
  • Back up and restore the Registry

3
Windows Registry Overview
  • Registry provides a hierarchical database of
    information about a system's configuration
  • Stores information essential to XP itself, native
    applications, added services, and most add-on
    software products from Microsoft and third-party
    vendors.
  • Comparable to information stored in
    initialization files in Windows 3.x or even
    Windows 95/98
  • For 32-bit Windows applications, Registry
    database replaces .ini files
  • Registry is a multifaceted branch-like grouping
    of data (not a .txt file)

4
Windows Registry Overview, contd.
  • Value entries within the Registry are composed of
    three parts: name, type, and data (value)
  • A Registry value entry's name is typically a
    multiword phrase, without spaces, with title
    capitalization
  • Data type informs the Registry how to store the
    value

5
Windows Registry Overview, contd.
  • Most XP configurations can be performed using the
    Control Panel applets and the Administration
    Tools
  • Some can be changed only by editing the Registry
    directly
  • Microsoft warns that editing the Registry
    directly should only be performed when absolutely
    necessary
  • Improper editing of the Registry can render the
    system completely inoperable

6
Windows Registry Overview, contd.
  • Each Registry key is similar to a bracketed
    heading in an .ini file
  • represents a top-level container in the hierarchy
  • There are five root keys
  • Their names start with HKEY
  • Each may contain one or more subkeys

7
Windows Registry Overview, contd.
  • Within each subkey, one or more values or subkeys
    can exist
  • Value entries are named parameters or
    placeholders for control settings
  • Value entries can hold a single binary digit, a
    long string of ASCII characters, or a hexadecimal
    value
  • Hive is a discrete body of Registry keys,
    subkeys, and values stored in a file

8
Windows Registry Overview, contd.
  • Value entries within the Registry are composed of
    three parts: name, type, and data (value).
  • The data types supported are:
  • Binary
  • DWORD
  • String
  • Multiple String
  • Expandable String

9
Important Registry Structures and Keys
  • The HKEY_LOCAL_MACHINE key contains the values
    that control the local computer
  • Configuration items include information about
    hardware devices, applications, device drivers,
    kernel services, and physical settings
  • Content is not dependent on the logged-on user,
    or the applications in use
  • Only on the physical composition of the hardware
    and software present
  • Has five subkeys: HARDWARE, SAM, SECURITY,
    SOFTWARE, and SYSTEM

10
Important Registry Structures and Keys, contd.
  • HKEY_LOCAL_MACHINE\HARDWARE stores configuration
    data, device driver settings, mappings, linkages,
    relationships between kernel-mode and user-mode
    hardware calls, and IRQ hooks
  • Re-created each time the system boots and is not
    saved when the system shuts down

11
Important Registry Structures and Keys, contd.
  • HKEY_LOCAL_MACHINE\SAM is a hive that contains
    the Security Accounts Manager (SAM) database
  • The entire security structure of your Windows XP
    system is stored here
  • These data are not accessible from a Registry
    editor
  • reside in a file named SAM

12
Important Registry Structures and Keys, contd.
  • HKEY_LOCAL_MACHINE\SECURITY is the container for
    the local security policy
  • Defines control parameters, such as password
    policy, user rights, account lockout, audit
    policy, and general security options for the
    local machine

13
Important Registry Structures and Keys, contd.
  • HKEY_LOCAL_MACHINE\SOFTWARE contains data about
    installed software and mapped file extensions
  • Apply to all local users

14
Important Registry Structures and Keys, contd.
  • HKEY_LOCAL_MACHINE\SYSTEM contains information
    required to boot
  • Stores data about startup parameters, loading
    order for device drivers, service startup
    credentials, and basic operating system behavior
  • Also contains additional subkeys with settings
    for storage devices and control set boot status,
    and others

15
Important Registry Structures and Keys, contd.
  • HKEY_CLASSES_ROOT contains information on
    application associations
  • Copied from the
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes subkey
  • Maintained for backward compatibility
  • Not strictly required by Windows XP

16
Important Registry Structures and Keys, contd.
  • HKEY_CURRENT_CONFIG contains data for whatever
    hardware profile is currently in use
  • Is a link to the
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current
    subkey
  • Maintained for backward compatibility
  • Not strictly required by Windows XP

17
Important Registry Structures and Keys, contd.
  • HKEY_CURRENT_USER contains the profile for
    whichever user is currently logged on
  • Contents are built each time a user logs on
  • Copies the appropriate subkey from HKEY_USERS
  • Should not be edited directly

18
Important Registry Structures and Keys, contd.
  • HKEY_USERS contains profiles for all users who
    have ever logged onto this system plus the
    default user profile
  • Contents are built each time the system boots
  • Loads the default file and the locally stored
    copies of Ntuser.dat or Ntuser.man from user
    profiles
  • Subkeys herein use Windows Security IDs (SIDs) to
    identify users, rather than account names

19
Registry Editors
  • Special tools are required to operate on the
    Registry directly
  • Regedit has a graphical user interface, offers:
  • global searching
  • security manipulation
  • combines all of the keys into a single display

20
Registry Editors, contd.
  • Reg is the Console Registry Tool for Windows
  • a command-line utility
  • permits users, batch files, or programs to
    operate on the Registry
  • supports no attractive graphical user interface

21
Registry Editors, contd.

22
Registry Storage Files
  • Registry files reside in the
    systemroot\WINDOWS\system32\config and
    systemroot\WINDOWS\repair directories of the
    boot partition
  • Registry files do not match one-to-one with the
    top-level keys
  • There is Registry data mapped into files for
    safekeeping (for backup and rollback)

23
Registry Storage Files, contd.
  • Four extensions are used by the Registry to
    identify the function of the file
  • No extension - storage file for the subkey,
    a.k.a. hive file
  • .alt - backup file for the subkey. Only the
    HKEY_LOCAL_MACHINE\SYSTEM subkey has a backup
  • .log - contains all changes made to a key. Used
    to verify that all modifications are properly
    applied
  • .sav - Copies of keys in their original state as
    created at the end of the text portion of Windows
    XP installation

24
Registry Fault Tolerance
  • If the Registry becomes corrupted or destroyed,
    Windows XP cannot function or even boot
  • Fault tolerance is sustained by structure, memory
    residence, and transaction logs
  • ensure that all changes either succeed or fail
    completely
  • When a value entry is altered in the Registry,
    that change applies to the copy stored in active
    memory
  • Affects the system immediately in most cases
  • Change is only made permanent when key files are
    copied back to the hard drive
  • Occurs during a flush
  • A flush occurs at shutdown, when forced by an
    application, or just after a Registry alteration

25
Registry Fault Tolerance, contd.
  • Change is only made permanent when key files are
    copied back to the hard drive
  • During a flush
  • A flush occurs
  • At shutdown
  • When forced by an application
  • Just after a Registry alteration
  • When a flush occurs, the transaction log is
    updated

26
Registry Fault Tolerance, contd.
  • A flush includes the following sequence of steps:
  • All alterations to a key are appended to that
    key's transaction log file (.log)
  • The key file is marked as being in transition
  • The key file is updated with the new data from
    memory
  • The key file is marked as complete
  • If a failure occurs before the transaction is
    complete, the original state of the key is
    recovered
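
The four steps above, modelled as an added example (not from the original slides, and not Windows' actual hive format): a dictionary stands in for the key file, and the log is assumed to record each value's prior data so the original state can be restored. All names and values are constructed.

```python
class Crash(Exception):
    """Simulated power loss or fault in the middle of a flush."""

def new_disk(values):
    # Stand-in for disk: key file contents, its transition marker, and its .log file.
    return {"hive": dict(values), "state": "complete", "log": []}

def flush(disk, memory, crash_after=None):
    """Write the in-memory key to disk using the four steps on the slide."""
    hive = disk["hive"]
    changes = [(n, hive.get(n), memory.get(n))
               for n in sorted(set(hive) | set(memory)) if hive.get(n) != memory.get(n)]
    disk["log"] = changes                          # step 1: alterations go to the .log
    disk["state"] = "in transition"                # step 2: mark the key file
    for done, (name, _old, new) in enumerate(changes, 1):   # step 3: update key file
        if new is None:                            # None means "value not present"
            hive.pop(name, None)
        else:
            hive[name] = new
        if crash_after is not None and done >= crash_after:
            raise Crash(f"failed after {done} of {len(changes)} writes")
    disk["state"] = "complete"                     # step 4: mark as complete
    disk["log"] = []

def recover(disk):
    """At next start: undo a half-applied flush so the key is in its original state."""
    if disk["state"] != "in transition":
        return False
    for name, old, _new in reversed(disk["log"]):
        if old is None:
            disk["hive"].pop(name, None)
        else:
            disk["hive"][name] = old
    disk["state"], disk["log"] = "complete", []
    return True

def demo():
    original = {"Start": 2, "ImagePath": "svc.exe"}
    disk = new_disk(original)
    memory = {"Start": 4, "ImagePath": "svc.exe", "Description": "edited"}
    try:
        flush(disk, memory, crash_after=1)         # crash with one of two writes applied
    except Crash:
        pass
    torn = dict(disk["hive"])                      # inconsistent mix of old and new data
    recovered = recover(disk)
    return torn, recovered, disk["hive"] == original

if __name__ == "__main__":
    print(demo())
```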

27
Registry Fault Tolerance, contd.
  • SYSTEM subkey contains system-critical data and
    is a major ingredient in a successful bootup
  • Recovery cannot rely upon transaction logs
  • Uses a dual-file process, with its primary and
    backup copies of the SYSTEM subkey file
  • Ensures that no matter at which stage the update
    process might be interrupted, a functional copy
    of the SYSTEM subkey file is available

28
Registry Fault Tolerance, contd.
  • It is important to back up the Registry. There
    are several ways to create reliable Registry
    backups
  • Most Windows XP backup applications include
    support for full Registry backup
  • Regedit can save all or part of the Registry
  • Make a copy of the
    systemroot\WINDOWS\system32\config and
    systemroot\WINDOWS\repair directories manually
  • Use the Microsoft Windows XP Professional
    Resource Kit tools

29
Restoring the Registry
  • If the automatic restoration process fails,
    attempt to restore the Last Known Good
    Configuration.
  • State of the Registry stored when the last
    successful user logon occurred
  • The LKGC option can restore the system to its
    prior working state
  • Press F8 during the initial bootup of Windows XP

30
Protecting the Registry
  • Permissions can be assigned to the hives and keys
    within the Registry
  • Applying the permissions is similar to assigning
    permissions and protecting files and folders on
    NTFS

31
Windows XP Professional Resource Kit Registry
Tools
  • Microsoft Windows XP Professional Resource Kit
    includes several tools for manipulating the
    Registry
  • Regdump.exe - A command-line tool used to dump
    all or part of the Registry to Stdout
  • Regfind.exe - A command-line tool used to search
    the Registry based on keywords
  • Compreg.exe - A GUI tool used to compare two
    local or remote Registry keys
  • Regini.exe - A command-line scripting tool used
    to add keys into the Registry

32
Windows XP Professional Resource Kit Registry
Tools, contd.
  • Regback.exe - A command-line scripting tool used
    to back up keys from the Registry
  • Regrest.exe - Another command-line scripting tool
    used to restore keys to the Registry
  • Scanreg.exe - A GUI tool used to search the
    Registry based on keywords

33
Summary
  • Windows XP Registry is a complex structure of
    keys, subkeys, values, and value entries
  • Registry should be edited with extreme caution
  • XP maintains a functional Registry through
    fault-tolerant measures: transaction logs and
    backups
  • The Registry is divided into five main keys. Some
    are written to files called hives
  • Windows XP includes two Registry editors:
    Regedit.exe and Reg.exe
  • Backing up the Registry often is the only way to
    ensure you have a functional Registry to restore
    in the event of a failure