HKEY_LOCAL_MACHINE, abbreviated as HKLM, contains all the settings that pertain to the hardware currently installed on a system. It includes settings for memory, device drivers, installed hardware, and startup. Applications are supposed to store settings in HKLM only if the related data pertains to everyone who uses the computer.

As Figure 8-2 shows, HKLM contains the following major subkeys:

These subkeys are discussed in the sections that follow.

Figure 8-2. Access HKEY_LOCAL_MACHINE in the registry.

HKLMSOFTWARE

HKLMSOFTWARE stores machine-wide settings for every application and system component installed on the system. This includes setup information, executable paths, default configuration settings, and registration information. Because this subkey resides under HKLM, the information here is applied globally. This is different from the HKCUSOFTWARE configuration settings, which are applied on a per-user basis.

As Figure 8-3 shows, you’ll find many important subkeys within HKLMSOFTWARE, including the following:

• Classes. Contains all file associations and OLE class identifiers. This is also the key from which HKEY_CLASSES_ROOT is built.

• Clients. Stores information about protocols and shells used by every client application installed on the system. This includes the calendar, contacts, mail, media, and news clients.

• Microsoft. Contains information about every Microsoft application and component installed on the system. This includes their complete configuration settings, defaults, registration information, and much more. You’ll find most of the graphical user interface (GUI) preferences under HKLMSOFTWAREMicrosoftWindowsCurrentVersion. You’ll find the configuration settings for most system components, language packs, hot fixes, and more under HKLMSOFTWAREMicrosoftWindows NTCurrentVersion.

• ODBC. Contains information about the Open Database Connectivity (ODBC) configuration on the system. It includes information about all ODBC drives and ODBC file Data Source Names (DSNs).

• Policies. Contains information about local policies for applications and components installed on the system.

Figure 8-3. Access HKEY_LOCAL_MACHINESOFTWARE in the registry.

HKLMSYSTEM

HKLMSYSTEM stores information about device drivers, services, startup parameters, and other machine-wide settings. You’ll find several important subkeys within HKLMSYSTEM. One of the most important is HKLMSYSTEMCurrentControlSet, as shown in Figure 8-4.

Figure 8-4. Access HKEY_LOCAL_MACHINESYSTEMCurrentControlSet in the registry.

CurrentControlSet contains information about the set of controls and services used for the last successful boot of the system. This subkey always contains information on the set of controls actually in use and represents the most recent successful boot. The operating system writes the control set as the final part of the boot process so that it updates the registry as appropriate to reflect which set of controls and services was last used for a successful boot. This is, in fact, how you can boot a system to the Last Known Good Configuration after it crashes or experiences a Stop error.

HKLMSYSTEM also contains previously created control sets. These are saved under the subkeys named ControlSet001, ControlSet002, and so forth. Within the control sets, you’ll find four important subkeys:

• Control. Contains control information about key operating system settings, tools, and subcomponents, including the HAL, keyboard layouts, system devices, interfaces, and device classes. Under BackupRestore, you’ll find the saved settings for Backup, which include lists of Automated System Recovery (ASR) keys, files, and registry settings not to restore. Under the SafeBoot subkey, you’ll find the control sets used for minimal and network-only boots of the system.

• Enum. Contains the complete enumeration of devices found on the computer when the operating system scans the system buses and searches for specific classes of devices. This represents the complete list of devices present during startup of the operating system.

• Hardware Profiles. Contains a subkey for each hardware profile available on the system. The first hardware profile, 0000, is an empty profile. The other numbered profiles, beginning with 0001, represent profiles that are available for use on the system. The profile named Current always points to the profile the operating system is currently using.

• Services. Contains a subkey for each service installed on the system. These subkeys store the necessary configuration information for their related services, which can include startup parameters and security and performance settings.

Another interesting subkey is HKLMSYSTEMMountedDevices. The operating system creates this key and uses it to store the list of mounted and available disk devices. Disk devices are listed according to logical volume configuration and drive-letter designator.

HKEY_USERS, abbreviated as HKU, contains a default user profile and user-profile data for every user who has previously logged on to the computer locally. Each user’s profile is owned by that user unless you change permissions or move profiles. Profile settings include the user’s desktop configuration, environment variables, folder options, menu options, printers, and network connections.

User profiles are saved in subkeys of HKEY_USERS according to their security identifiers (SIDs). A SecurityID_Classes subkey represents file associations that are specific to a particular user. For example, if a user sets Adobe Photoshop as the default program for .jpeg and .jpg files and this is different from the system default, entries within this subkey show this association.

When you use Group Policy, the policy settings are applied to the individual user profiles stored in this key. The default profile specifies how the machine behaves when no one is logged on and is used as the base profile for new users who log on to the computer. For example, if you want to ensure that the computer uses a password-protected screen saver when no one is logged on, you modify the default profile accordingly. The subkey for the default user profile is easy to pick out because it is named HKEY_USERS.DEFAULT.

HKEY_CLASSES_ROOT, abbreviated as HKCR, stores all file associations that tell the computer which document file types are associated with which applications and which action to take for various tasks—such as open, edit, close, or play—based on a specified document type. For example, if you double-tap or double-click a .doc file, the document typically is opened for editing in Microsoft Word. This file association is added to HKCR when you install Microsoft Office or Word. If Microsoft Office or Word isn’t installed, a .doc file is opened instead in WordPad because of a default file association created when the operating system is installed.

HKCR is built from HKEY_LOCAL_MACHINESOFTWAREClasses and HKEY_CURRENT_USERSOFTWAREClasses. The former provides computer-specific class registration, and the latter provides user-specific class registration. Because the user-specific class registrations have precedence, this allows for different class registrations for each user of the machine. This is different from previous versions of the Windows operating system, in which the same class registration information was provided for all users of a particular machine.

HKEY_CURRENT_CONFIG, abbreviated as HKCC, contains information about the hardware configuration with which you started the system, which is also referred to as the machine’s boot configuration. This key contains information about the current device assignments, device drivers, and system services that were present at boot time.

HKCC is built from HKEY_LOCAL_MACHINE SYSTEMCurrentControlSetHardware ProfilesCurrent, which in turn is a pointer to a numbered subkey that contains the current hardware profile. If a system has multiple hardware profiles, the key points to a different hardware profile, depending on the boot state or the hardware profile selection made at startup.

HKEY_CURRENT_USER, abbreviated as HKCU, contains information about the user currently logged on. This key has a pointer to HKEY_USERSUserSID, where UserSID is the security identifier for the current user and for the default profile discussed previously. Microsoft requires applications to store user-specific preferences under this key. For example, Microsoft Office settings for individual users are stored under this key. In addition, as discussed previously, HKEY_CURRENT_USERSOFTWAREClasses stores the user-specific settings for file associations.

As mentioned previously, some registry data is created dynamically during the startup of the operating system, and some is stored on disk so that it can be used each time you boot a computer. The dynamically created data is volatile, meaning that when you shut down the system, it is gone. For example, as part of the startup process, the operating system scans for system devices and uses the results to build the HKEY_LOCAL_MACHINEHARDWARE subkey. The information stored in this key exists only in memory and isn’t stored anywhere on disk.

However, registry data stored on disk is persistent. When you shut down a system, this registry data remains on disk and is available the next time you boot the system. Some of this stored information is very important, especially when it comes to recovering from boot failure. For example, by using the information stored in HKEY_LOCAL_MACHINESYSTEMCurrentControlSet, you can boot by using the Last Known Good Configuration. If the registry data was corrupted, however, this information might not be available, and the only way to recover the system is to try repairing the installation or reinstalling the operating system.

To help safeguard the system and ensure that one section of bad data doesn’t cause the whole registry to fail to load, Windows Server 2012 R2 has several built-in redundancies and fail-safe processes. For starters, the registry isn’t written to a single file. Instead, it is written to a set of files called hives. There are six main types of hives, each representing a group of keys and values. Most of the hives are written to disk in the %SystemRoot%System32Config directory. Within this directory, you’ll find these hive files:

The remaining hive files are stored in individual user-profile directories with the default name of Ntuser.dat. These files are, in fact, hive files that are loaded into the registry and used to set the pointer for the HKEY_CURRENT_USER root key. When no user is logged on to a system, the user profile for the default user is loaded into the registry. When an actual user logs on, this user’s profile is loaded into the registry.

Every hive file has associated log files—even Ntuser.dat. Windows Server 2012 R2 uses the log files to help protect the registry during updates. When a hive file is to be changed, the operating system writes the change to a log file and stores this log file on disk. The operating system then uses the change log to write the changes to the actual hive file. If the operating system were to crash while a change is being written to a hive file, the operating system could use the change log later to roll back the change, resetting the hive to its previous configuration.

When you work your way down to the lowest level of the registry, you see the actual value entries. Each value entry has a name, data type, and value associated with it. Although value entries have a theoretical size limit of 1,024 KBs, most value entries are less than 1 KB in size. In fact, many value entries contain only a few bits of data. The type of information stored in these bits depends on the data type of the value entry.

The data types defined include the following:

The most common data types you’ll see in the registry are REG_SZ and REG_DWORD. The vast majority of value entries have these data types. The most important thing to know about these data types is that one is used with strings of characters, and the other is used with binary data that is normally represented in hexadecimal format. And don’t worry; if you have to create a value entry—typically, you do so because you are directed to by a Microsoft Knowledge Base article in an attempt to resolve an issue—you are usually told which data type to use. Again, more often than not, this data type is either REG_SZ or REG_DWORD.

One of the common tasks you’ll want to perform in Registry Editor is to search for a particular key. You can search for keys, values, and data entries by using Find on the Edit menu.

Don’t let the simplicity of the Find dialog box, shown in Figure 8-5, fool you—there is a bit more to searching the registry than you might think. So, if you want to find what you’re looking for, do the following:

Figure 8-5. Search the registry.

After you make your selections, tap or click Find Next to begin the search. If Registry Editor finds a match before reaching the end of the registry, it selects and displays the matching item. If the match isn’t what you’re looking for, press F3 to search again from the current position in the registry.

When you want to work with keys and values in the registry, you typically are working with subkeys of a particular key. This enables you to add a subkey and define its values and to remove subkeys and their values. You cannot, however, add or remove root keys or insert keys at the root node of the registry. Default security settings within some subkeys might also prohibit you from working with their keys and values. For example, by default you cannot create, modify, or remove keys or values within HKLMSAM and HKLMSECURITY.

Modifying values

The most common change you’ll make to the registry is to modify an existing value. For example, a Knowledge Base article might recommend changing a value from 0 to 1 to enable a certain feature in Windows Server 2012 R2 or from 1 to 0 to disable it. To change a value, locate the value in Registry Editor and then, in the right pane, double-tap or double-click the value name. This opens an Edit dialog box, the style of which depends on the type of data you are modifying.

The most common values you’ll modify are REG_SZ, REG_MULTI_SZ, and REG_DWORD. Figure 8-6 shows the Edit String dialog box, which opens when you modify REG_SZ values. In the dialog box, you typically replace the existing value shown in the Value Data box with the value you need to enter.

Figure 8-6. Use the Edit String dialog box.

Figure 8-7 shows the Edit Multi-String dialog box, which opens when you modify REG_MULTI_SZ values. In this example, there are three string values. In the dialog box, each value is separated by a new line to make the values easier to work with. If directed to change a value, you typically need to replace an existing value; make sure you don’t accidentally modify the entry before or after the entry you are working with. If directed to add a value, you begin typing on a new line following the last value.

Figure 8-7. Use the Edit Multi-String dialog box.

Figure 8-8 shows the Edit DWORD Value dialog box, which opens when you modify REG_DWORD values. In this example, the value is displayed in hexadecimal format. Typically, you won’t need to worry about the data format. You just enter a new value as you’ve been directed. For example, if the current value entry represents a flag, the data entry of 1 indicates the flag is on (or true). To turn off the flag (switch it to false), you replace the 1 with a 0.

Figure 8-8. Use the Edit DWORD Value dialog box.

Note

The Windows Clipboard is available when you are working with Registry Editor. This means you can use the Copy, Cut, and Paste commands just as you do with other Windows programs. If a value in a Knowledge Base article is difficult to type, you might want to copy it to the Clipboard and then paste it into the Value Data box of the Edit dialog box.

You can modify the registry of remote computers without having to log on locally. To do this, select Connect Network Registry on the File menu in Registry Editor and then use the Select Computer dialog box to specify the computer you want to work with. In most cases, all you must do is type the name of the remote computer and then tap or click OK. If prompted, you might need to enter the user name and password of a user account that is authorized to access the remote computer.

After you connect, you get a new icon for the remote computer under your Computer icon in the left pane of Registry Editor. Double-tap or double-click this icon to access the physical root keys on the remote computer (HKEY_LOCAL_MACHINE and HKEY_USERS). The logical root keys aren’t available because they are either dynamically created or are simply pointers to subsets of information from within HKEY_LOCAL_MACHINE and HKEY_USERS. You can then edit the computer’s registry as necessary. When you are done, you can select Disconnect Network Registry on the File menu and then choose the computer from which you want to disconnect. Registry Editor then closes the registry on the remote computer and breaks the connection.

When working with remote computers, you can also load or unload hives as discussed in “Loading and unloading hive files” later in this chapter. If you’re wondering why you would do this, the primary reason is to work with a specific hive, such as the hive that points to Diane Prescott’s user profile because she inadvertently changed the display mode to an invalid setting and can no longer access the computer locally. With her user profile data loaded, you could edit the registry to correct the problem and then save the changes so that she can once again log on to the system.

Sometimes you might find that it is necessary or useful to copy all or part of the registry to a file. For example, if you’ve installed a service or component that requires extensive configuration, you might want to use it on another computer without having to go through the whole configuration process again. Instead, you could install the service or component baseline on the new computer, export the application’s registry settings from the previous computer, copy them over to the other computer, and then import the registry settings so that the service or component is properly configured. Of course, this technique works only if the complete configuration of the service or component is stored in the registry, but you can probably see how useful being able to import and export registry data can be.

By using Registry Editor, it is easy to import and export registry data. This includes the entire registry, branches of data stemming from a particular root key, and individual subkeys and the values they contain. When you export data, you create a .reg file that contains the designated registry data. This registry file is a script that can then be loaded back into the registry of this or any other computer by importing it.

To export registry data, press and hold or right-click the branch or key you want to export and then select Export. You can also press and hold or right-click the root node for the computer you are working with, such as Computer for a local computer, to export the entire registry. Either way, you’ll see the Export Registry File dialog box as shown in Figure 8-9. Use the Save In selection list to choose a save location for the .reg file and then type a file name. The Export Range panel shows you the selected branch within the registry that will be exported. You can change this as necessary or select All to export the entire registry. Then tap or click Save to create the .reg file.

Figure 8-9. Export registry data to a .reg file so that it can be saved and, if necessary, imported on this or another computer.

Importing registry data adds the contents of the registry script file to the registry of the computer you are working with, either creating new keys and values if they don’t already exist or overwriting keys and values if they do exist. You can import registry data in one of two ways. You can double-tap or double-click the .reg file, which starts Registry Editor and asks you whether you want to import the data, or you can select Import on the File menu and then use the Import Registry File dialog box to select and open the registry data file you want to import.

Just as you sometimes must import or export registry data, you sometimes need to work with individual hive files. The most common reason for doing this, as discussed previously, is when you must modify a user’s profile to correct an issue that prevents the user from accessing or using a system. Here, you would load the user’s Ntuser.dat file into Registry Editor and then make the necessary changes. Another reason for doing this is to change a particular part of the registry on a remote system. For example, if you need to repair an area of the registry, you could load the related hive file into the registry of another machine and then repair the problem on the remote machine.

Loading and unloading hives affects only HKEY_LOCAL_MACHINE and HKEY_USERS, and you can perform these actions only when you select one of these root keys. Rather than replacing the selected root key, the hive you are loading then becomes a subkey of that root key. HKEY_LOCAL_MACHINE and HKEY_USERS are, of course, used to build all the logical root keys used on a system, so you could work with any area of the registry.

After you select either HKEY_LOCAL_MACHINE or HKEY_USERS in Registry Editor, you can load a hive for the current machine or another machine by selecting Load Hive on the File menu. Registry Editor then prompts you for the location and name of the previously saved hive file. Select the file and then tap or click Open. Afterward, enter a name for the key under which you want the hive to reside while it is loaded into the current system’s registry and then tap or click OK.

When you are finished working with a hive, you should unload it to clear it out of memory. Unloading the hive doesn’t save the changes you’ve made—as with any modifications to the registry, your changes are applied automatically without the need to save them. To unload a hive, select it and choose Unload Hive on the File menu. When prompted to confirm, tap or click Yes.

If you want to work with the registry from the command line, you can do so using the REG command. REG is run using the permissions of the current user and can be used to access the registry on both local and remote systems. As with Registry Editor, you can work only with HKEY_LOCAL_MACHINE and HKEY_USERS on remote computers. These keys are used, of course, to build all the logical root keys used on a system, so you can work with any area of the registry on a remote computer.

REG has different subcommands for performing various registry tasks. These commands include the following:

You can learn the syntax for using each of these commands by typing reg followed by the name of the subcommand you want to learn about and then /?. For example, if you want to learn more about REG ADD, you type reg add /? at the command line.

set-location hklm:

Fix It Portable can remove registry settings for applications that were installed using the Windows Installer. It is most useful for cleaning up registry remnants of applications that were partially uninstalled or for which uninstall failed. It is also useful for cleaning up applications that can’t be uninstalled or reinstalled because of partial or damaged settings in the registry. It isn’t, however, intended to be used as an uninstaller. Use it when the normal uninstallation process fails.

To use Microsoft Fix It to uninstall and clean up a program, complete the following steps:

Application installations can fail during installation or after installation. When applications are being installed, an InProgress key is created in the registry under the HKLMSOFTWAREMicrosoftWindowsCurrentVersionInstaller subkey. If installation fails, the system might not be able to edit or remove this key, which could cause the application’s setup program to fail the next time you try to run it. Running the Program Install And Uninstall Troubleshooter for Microsoft Fix It clears out the InProgress key, which should enable you to run the application’s setup program.

After installation, applications rely on their registry settings to configure themselves properly. If these settings become damaged or the installation becomes damaged, the application won’t run. Some programs have a repair utility that can be accessed just by rerunning the installation. During the repair process, the Windows Installer might attempt to write changes to the registry to repair the installation or roll it back to get back to the original state. If this process fails for any reason, the registry can contain unwanted settings for the application. Running the Program Install And Uninstall Troubleshooter for Microsoft Fix It also clears out the rollback data for the active installation. Rollback data is stored in the HKLMSOFTWAREMicrosoftWindowsCurrentVersionInstallerRollback key.

Any running installation also has rollback data.

When an application can’t be successfully uninstalled, you can attempt to clean up its settings from the registry by using the Program Install And Uninstall Troubleshooter for Microsoft Fix It. Because the current user’s profile is part of the registry, user-specific settings for the application will be removed from this profile.

One of the best ways to protect the registry from unauthorized access is to prevent user access to the registry in the first place. For a server, this means tightly controlling physical security and allowing only administrators the right to log on locally. For other systems or when it isn’t practical to prevent users from logging on locally to a server, you can configure the permissions on Regedit.exe and Reg.exe so that they are more secure. You could also remove Registry Editor and the REG command from a system, but this can introduce other problems and make managing the system more difficult, especially if you also prevent remote access to the registry.

To modify permissions on Registry Editor, access the %SystemRoot% folder, press and hold or right-click Regedit.exe, and then select Properties. In the Regedit Properties dialog box, tap or click the Security tab, as shown in Figure 8-10. Add and remove users and groups as necessary and then set permissions as appropriate. Permissions work the same as with other types of files. You select an object and then allow or deny specific permissions. See Chapter 19 for details.

Figure 8-10. Tighten controls on Registry Editor to limit access to it.

To modify permissions on the REG command, access the %SystemRoot%System32 folder, press and hold or right-click Reg.exe, and then select Properties. In the Reg Properties dialog box, tap or click the Security tab. As Figure 8-11 shows, users and administrators can use this command by default. Add and remove users and groups as necessary and then set permissions as appropriate.

Figure 8-11. Reg.exe is designed to be used by users and administrators and to be run from the command line; its permissions reflect this.

Keys within the registry also have access permissions. Rather than editing these permissions directly, I recommend you use an appropriate security template. Using the right security template locks down access to the registry for you, and you won’t have to worry about making inadvertent changes that will prevent systems from booting or applications from running.

That said, in some limited situations, you might want to or have to change permissions on individual keys in the registry. To do this, start Registry Editor and then navigate to the key you want to work with. When you find the key, press and hold or right-click it; select Permissions or select the key and then choose Permissions on the Edit menu. This opens a Permissions For dialog box similar to the one shown in Figure 8-12. Permissions work the same as for files. You can add and remove users and groups as necessary. You can select an object and then allow or deny specific permissions.

Figure 8-12. Use the Permissions For dialog box to set permissions on specific registry keys.

Many permissions are inherited from higher-level keys and are unavailable. To edit these permissions, you must open the Advanced Security Settings dialog box by tapping or clicking the Advanced button. As Figure 8-13 shows, the Advanced Security Settings For dialog box shows the current owner of the selected key and enables you to reassign ownership. By default, when you reassign ownership, only the selected key is affected, but if you want the change to apply to all subkeys of the currently selected key, choose Replace Owner On Subcontainers And Objects.

Figure 8-13. Use the Advanced Security Settings For dialog box to change the way permissions are inherited or set and to view auditing settings, ownership, and effective permissions.

The dialog box also has three tabs:

Hackers and unauthorized users can attempt to access a system’s registry remotely just as you do. If you want to be sure they are kept out of the registry, you can prevent remote registry access. One way that remote access to a system’s registry can be controlled is through the registry key, HKLMSYSTEMCurrentControlSetControlSecurePipeServersWinreg. If you want to limit remote access to the registry, you can start by changing the permissions on this key.

If this key exists, the following occurs:

If this key doesn’t exist, Windows Server 2012 R2 allows all users to access the registry remotely and uses the permissions on the keys only to determine which keys can be accessed.

Windows Vista and later Windows versions disable remote access to all registry paths by default. As a result, the only registry paths remotely accessible are those explicitly permitted as part of the default configuration or by an administrator. In Local Security Policy, you can use Security Options to enable or disable remote registry access. With Windows Vista and later Windows versions, the following additional security settings are provided for this purpose:

These security settings determine which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the Winreg registry key. A number of default paths are set, and you should not modify these default paths without carefully considering the damage that changing this setting might cause.

You can follow these steps to access and modify these settings in the Local Security Settings console:

Access to the registry can be audited, as can access to files and other areas of the operating system. Auditing enables you to track which users access the registry and what they’re doing. All the permissions listed in Table 8-3 can be audited. However, you usually limit what you audit to only the essentials to reduce the amount of data that is written to the security logs and the resource burden on the affected server.

Before you can enable auditing of the registry, you must enable the auditing function on the system you are working with. You can do this either through the server’s local policy or through the appropriate Group Policy Object (GPO). The policy that controls auditing is Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesAudit Policy. For more information on auditing, see Chapter 19.

After auditing is enabled for a system, you can configure how you want auditing to work for the registry. This means configuring auditing for each key you want to track. Thanks to inheritance, this doesn’t mean you have to go through every key in the registry and enable auditing for it. Instead, you can select a root key or any subkey to designate the start of the branch for which you want to track access and then ensure that the auditing settings are inherited for all subkeys below it. (This is the default setting.)

Say, for example, you want to audit access to HKLMSAM and its subkeys. To do this, you follow these steps: