Registry Root Keys

The Registry is organized into a hierarchy of keys, subkeys, and value entries. The root keys are at the top of the hierarchy and form the primary branches, or subtrees, of Registry information. There are two physical root keys, HKEY_LOCAL_MACHINE and HKEY_USERS. These physical root keys are associated with actual files stored on the disk and are divided into additional logical groupings of Registry information. As shown in Table 14-1, the logical groupings are simply subsets of information gathered from HKEY_LOCAL_MACHINE and HKEY_USERS.

Table 14-1. Registry Subtrees

| Subtree | Description |
|---|---|
| Physical Subtree | |
| HKEY_LOCAL_MACHINE (HKLM) | Stores all the settings that pertain to the hardware currently installed on the machine. |
| HKEY_USERS (HKU) | Stores user profile data for each user who has previously logged on to the computer locally as well as a default user profile. |
| Logical Subtree | |
| HKEY_CLASSES_ROOT (HKCR) | Stores all file associations and object linking and embedding (OLE) class identifiers. This subtree is built from HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes. |
| HKEY_CURRENT_CONFIG (HKCC) | Stores information about the hardware configuration with which you started the system. This subtree is built from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, which in turn is a pointer to a numbered subkey that has the current hardware profile. |
| HKEY_CURRENT_USER (HKCU) | Stores information about the user currently logged on. This key has a pointer to HKEY_USERS\UserSID, where UserSID is the security identifier for the current user as well as for the default profile discussed previously. |

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE, abbreviated as HKLM, contains all the settings that pertain to the hardware currently installed on a system. It includes settings for memory, device drivers, installed hardware, and startup. Applications are supposed to store settings in HKLM only if the related data pertains to everyone who uses the computer.

As Figure 14-2 shows, HKLM contains the following major subkeys:

Figure 14-2. Accessing HKEY_LOCAL_MACHINE in the Registry

  • HARDWARE

  • SAM

  • SECURITY

  • SOFTWARE

  • SYSTEM

These subkeys are discussed in the sections that follow.

HKLM\HARDWARE

HKLM\HARDWARE stores information about the hardware configuration for the computer. This key is re-created by Ntdetect.com each time you start Windows Server 2003, and it exists only in memory, not on disk. To build this key, Ntdetect.com enumerates every device it can find by scanning the system buses and by searching for specific classes of devices, such as serial ports, keyboards, and pointer devices.

Under HKLM\HARDWARE, you'll find four standard subkeys that are dynamically created at startup and contain the information gathered by Ntdetect.com. These subkeys are as follows:

  • ACPI Contains information about the Advanced Configuration Power Interface (ACPI), which is a part of system BIOS that supports Plug and Play and advanced power management. This subkey doesn't exist on non-ACPI-compliant computers.

  • DESCRIPTION Contains hardware descriptions including those for the system's central processor, floating-point processor, and multifunction adapters. For portable computers, one of the multifunction devices lists information about the docking state. For any computer with multipurpose chip sets, one of the multifunction devices lists information about the controllers for disks, keyboards, parallel ports, serial ports, and pointer devices. There's also a catchall category for other controllers, such as when a computer has a PC Card controller.

  • DEVICEMAP Contains information that maps devices to device drivers. You'll find device mappings for keyboards, pointer devices, parallel ports, Small Computer System Interface (SCSI) ports, serial ports, and video devices. Of particular note is that within the VIDEO subkey is a value entry for the Video Graphics Adapter (VGA)-compatible video device installed on the computer. This device is used when the computer must start in VGA display mode.

  • RESOURCEMAP Contains mappings for the hardware abstraction layer (HAL), for the Plug and Play manager, and for available system resources. Of particular note is the Plug and Play manager. It uses this subkey to record information about devices it knows how to handle.

Additional nonstandard subkeys can exist under HKLM\HARDWARE. The subkeys are specific to the hardware used by the computer.

HKLM\SAM

HKLM\SAM stores the Security Accounts Manager (SAM) database. When you create local users and groups on member servers and workstations, the accounts are stored in HKLM\SAM as they were in Windows NT. This key is also used to store information about built-in user and group accounts, as well as group membership and aliases for accounts.

By default, the information stored in HKLM\SAM is inaccessible through Registry Editor. This is a security feature designed to help protect the security and integrity of the system.

HKLM\SECURITY

HKLM\SECURITY stores security information for the local machine. It contains information about cached logon credentials, policy settings, service-related security settings, and default security values. It also has a copy of the HKLM\SAM. As with the HKLM\SAM subkey, this subkey is inaccessible through Registry Editor. This is a security feature designed to help protect the security and integrity of the system.

HKLM\SOFTWARE

HKLM\SOFTWARE stores machine-wide settings for every application and system component installed on the system. This includes setup information, executable paths, default configuration settings, and registration information. Because this subkey resides under HKLM, the information here is applied globally. This is different from the HKCU\SOFTWARE configuration settings, which are applied on a per-user basis.

As Figure 14-3 shows, you'll find many important subkeys within HKLM\SOFTWARE, including the following:

Figure 14-3. Accessing HKEY_LOCAL_MACHINE\SOFTWARE in the Registry

  • Classes Contains all file associations and OLE class identifiers. This is also the key from which HKEY_CLASSES_ROOT is built.

  • Clients Stores information about protocols and shells used by every client application installed on the system. This includes the calendar, contacts, mail, media, and news clients.

  • Microsoft Contains information about every Microsoft application and component installed on the system. This includes their complete configuration settings, defaults, registration information, and much more. You'll find most of the graphical user interface (GUI) preferences in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion. You'll find the configuration settings for most system components, language packs, hot fixes, and more under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

  • ODBC Contains information about the Open Database Connectivity (ODBC) configuration on the system. It includes information about all ODBC drivers and ODBC file Data Source Names (DSNs).

  • Policies Contains information about local policies for applications and components installed on the system.

HKLM\SYSTEM

HKLM\SYSTEM stores information about device drivers, services, startup parameters, and other machine-wide settings. You'll find several important subkeys within HKLM\SYSTEM. One of the most important is HKLM\SYSTEM\CurrentControlSet, as shown in Figure 14-4.

Figure 14-4. Accessing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet in the Registry

CurrentControlSet contains information about the set of controls and services used for the last successful boot of the system. This subkey always contains information on the set of controls actually in use and represents the most recent successful boot. The control set is written as the final part of the boot process so that the Registry is updated as appropriate to reflect which set of controls and services was last used for a successful boot. This is, in fact, how you can boot a system to the last known good configuration after it crashes or experiences a Stop error.

HKLM\SYSTEM also contains previously created control sets. These are saved under the subkeys named ControlSet001, ControlSet002, and so forth. Within the control sets, you'll find four important subkeys:

  • Control Contains control information about key operating system settings, tools, and subcomponents, including the HAL, keyboard layouts, system devices, interfaces, and device classes. Under BackupRestore, you'll find the saved settings for Backup, which include lists of Automated System Recovery (ASR) keys, files, and Registry settings not to restore. Under the SafeBoot subkey, you'll find the control sets used for minimal and network-only boots of the system.

  • Enum Contains the complete enumeration of devices found on the system when Ntdetect.com scans the system buses and searches for specific classes of devices. This represents the complete list of devices present at boot time.

  • Hardware Profiles Contains a subkey for each hardware profile available on the system. The first hardware profile, 0000, is an empty profile. The other numbered profiles, beginning with 0001, represent profiles that are available for use on the system. The profile named Current always points to the profile selected at boot time.

  • Services Contains a subkey for each service installed on the system. These subkeys store the necessary configuration information for their related services, which can include startup parameters as well as security and performance settings.

Another interesting subkey is HKLM\SYSTEM\MountedDevices. This key is created by the Logical Volume Manager service and is used to store the list of mounted and available disk devices. Disk devices are listed according to logical volume configuration and drive letter designator.

HKEY_USERS

HKEY_USERS, abbreviated as HKU, contains user profile data for every user who has previously logged on to the computer locally, as well as a default user profile. Each user's profile is owned by that user unless you change permissions or move profiles. Profile settings include the user's desktop configuration, environment variables, folder options, menu options, printers, and network connections.

User profiles are saved in subkeys of HKEY_USERS according to their security identifiers (SIDs). There is also a SecurityID_Classes subkey that represents file associations that are specific to a particular user. For example, if a user sets Adobe Photoshop as the default program for .jpeg and .jpg files and this is different from the system default, there are entries within this subkey that show this association.

When you use Group Policy as discussed in Part 7, the policy settings are applied to the individual user profiles stored in this key. The default profile specifies how the machine behaves when no one is logged on and is also used as the base profile for new users who log on to the computer. For example, if you wanted to ensure that the computer used a password-protected screen saver when no one was logged on, you would modify the default profile accordingly. The subkey for the default user profile is easy to pick out because it is named HKEY_USERS\.DEFAULT.

Note

The profile information stored in HKU is loaded from the profile data stored on disk. The default location for profiles is %SystemDrive%\Documents and Settings\UserName, where UserName is the user's pre–Windows 2000 logon name.
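The SID-named subkeys of HKEY_USERS described above can be tied back to accounts and on-disk profiles. The following PowerShell is an added example, not part of the original text; it assumes PowerShell 3.0 or later and uses the ProfileList key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, which the chapter does not discuss, to look up each profile path.

```powershell
# Added example: list the hives loaded under HKEY_USERS and resolve each SID
# to an account name and profile directory. HKU has no default PSDrive, so the
# provider-qualified path 'Registry::HKEY_USERS' is used.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$currentSid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name = $_.PSChildName

        # <SID>_Classes hives hold per-user file associations, not profiles.
        if ($name -like '*_Classes') { return }

        $account     = $name      # falls through unchanged for .DEFAULT
        $profilePath = $null

        if ($name -like 'S-1-*') {
            try {
                $sid     = New-Object System.Security.Principal.SecurityIdentifier($name)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '(unresolved SID)'   # deleted or unreachable domain account
            }
            $entry = Get-ItemProperty -Path (Join-Path $profileList $name) `
                                      -ErrorAction SilentlyContinue
            if ($entry) { $profilePath = $entry.ProfileImagePath }
        }

        [pscustomobject]@{
            Subkey      = $name
            Account     = $account
            ProfilePath = $profilePath
            # True for the hive that HKEY_CURRENT_USER points to in this session.
            IsHKCU      = ($name -eq $currentSid)
        }
    } | Format-Table -AutoSize
```

A SID that no longer resolves to an account but still has a loaded hive or a profile path is worth a closer look during account cleanup or an investigation.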

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT, abbreviated as HKCR, stores all file associations that tell the computer which document file types are associated with which applications, as well as which action to take for various tasks, such as open, edit, close, or play, based on a specified document type. For example, if you double-click a .doc file, the document typically is opened for editing in Microsoft Office Word. This file association is added to HKCR when you install Microsoft Office. If Microsoft Office isn't installed, a .doc file is opened instead in WordPad because of a default file association created when the operating system is installed.

HKCR is built from HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes. The former provides computer-specific class registration, and the latter, user-specific class registration. Because the user-specific class registrations have precedence, this allows for different class registrations for each user of the machine. This is different from previous versions of the Windows operating system for which the same class registration information was provided for all users of a particular machine.
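Because the user-specific registration takes precedence, it is useful to see which hive actually supplies a given association. The following PowerShell is an added example, not part of the original text; the function name Get-ClassRegistrationSource is hypothetical, PowerShell 3.0 or later is assumed, and only each key's default value is compared.

```powershell
# Added example: show which hive supplies the default value of a class key
# in the merged HKCR view.
function Get-ClassRegistrationSource {
    param([Parameter(Mandatory)][string]$SubKey)   # for example '.txt'

    $userPath    = "HKCU:\SOFTWARE\Classes\$SubKey"
    $machinePath = "HKLM:\SOFTWARE\Classes\$SubKey"

    # Read a key's default (unnamed) value; $null if the key or value is absent.
    $readDefault = {
        param($path)
        if (Test-Path -LiteralPath $path) {
            (Get-Item -LiteralPath $path).GetValue('')
        }
    }
    $userValue    = & $readDefault $userPath
    $machineValue = & $readDefault $machinePath

    # The user-specific registration wins whenever it is present.
    $source = if ($null -ne $userValue) { 'HKCU' } elseif ($null -ne $machineValue) { 'HKLM' } else { 'none' }
    $effective = if ($null -ne $userValue) { $userValue } else { $machineValue }

    [pscustomobject]@{
        SubKey       = $SubKey
        UserValue    = $userValue
        MachineValue = $machineValue
        Effective    = $effective
        Source       = $source
    }
}

# Report file extensions whose per-user registration differs from the
# machine-wide one for the account running the script.
Get-ChildItem -Path 'HKCU:\SOFTWARE\Classes' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '.*' } |
    ForEach-Object { Get-ClassRegistrationSource -SubKey $_.PSChildName } |
    Where-Object { $_.Source -eq 'HKCU' -and $_.UserValue -ne $_.MachineValue } |
    Format-Table SubKey, UserValue, MachineValue -AutoSize
```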

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG, abbreviated as HKCC, contains information about the hardware configuration with which you started the system, which is also referred to as the machine's boot configuration. This key contains information about the current device assignments, device drivers, and system services that were present at boot time.

HKCC is built from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, which in turn is a pointer to a numbered subkey that contains the current hardware profile. If a system has multiple hardware profiles, the key points to a different hardware profile, depending on the boot state or the hardware profile selection made at startup. For example, portable computers typically have docked and undocked hardware profiles. If a portable computer were started using the docked profile, it would use one hardware configuration, and if it were started using the undocked profile, it would use another hardware configuration.

HKEY_CURRENT_USER

HKEY_CURRENT_USER, abbreviated as HKCU, contains information about the user currently logged on. This key has a pointer to HKEY_USERS\UserSID, where UserSID is the security identifier for the current user as well as for the default profile discussed previously. Microsoft requires that applications store user-specific preferences under this key. For example, Microsoft Office settings for individual users are stored under this key. Additionally, as discussed previously, HKEY_CURRENT_USER\SOFTWARE\Classes stores the user-specific settings for file associations.

Tip

Restrict changes to global settings by using the Classes subkey

If you don't want users to be able to set their own file associations, you could change the permissions on HKLM\SOFTWARE\Classes so users can't alter the global settings you want them to have. For more information about Registry permissions, see the section entitled "Securing the Registry" later in this chapter.
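Before changing permissions, check who can currently write to the key. The following PowerShell is an added example, not part of the original text; the function name Get-RegistryKeyWriters and the list of accounts treated as expected writers are assumptions to adjust for your environment.

```powershell
# Added example: list Allow entries on a Registry key that grant write-type
# rights to accounts other than the expected administrative principals.
function Get-RegistryKeyWriters {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Classes',
        # Assumed set of accounts that are expected to have write access.
        [string[]]$Expected = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'CREATOR OWNER',
            'NT SERVICE\TrustedInstaller'
        )
    )

    # Specific rights that let a principal alter the key or its security.
    $writeRights = [int][System.Security.AccessControl.RegistryRights]`
        'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    # GENERIC_ALL and GENERIC_WRITE can appear unmapped in inherit-only entries.
    $genericWrite = 0x10000000 -bor 0x40000000

    (Get-Acl -Path $Path).Access |
        Where-Object {
            $rights = [int]$_.RegistryRights
            $_.AccessControlType -eq 'Allow' -and
            (($rights -band $writeRights) -or ($rights -band $genericWrite)) -and
            ($Expected -notcontains $_.IdentityReference.Value)
        } |
        Select-Object IdentityReference, RegistryRights, IsInherited,
                      InheritanceFlags, PropagationFlags
}

# An empty result means only the expected accounts can change global class
# registrations under this key.
Get-RegistryKeyWriters | Format-Table -AutoSize
```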
