Managing the Registry

Windows Server 2003 provides several tools for working with the Registry. The main tool, of course, is Registry Editor, which is started by typing regedit or regedt32 at the command line or in the Run dialog box. Another tool for working with the Registry is the REG command.

Both tools can be used to view and manage the Registry. Keep in mind that although both tools are considered editors, any change you make is applied to the Registry immediately; there is no separate step to save it.

Caution

As an administrator, you have permission to make changes to most areas of the Registry. This allows you to make additions, changes, and deletions as necessary. However, before you do this, you should always make a backup of the system state along with the Registry first, as discussed in the section "Choosing a Backup Method for the Registry" later in this chapter. This will help ensure that you can recover the Registry in case something goes wrong when you are making your modifications.

Searching the Registry

One of the common tasks you'll want to perform in Registry Editor is to search for a particular key. You can search for keys, values, and data entries using the FIND command on the Edit menu (see the following screen).

Don't let the simplicity of the Find interface fool you—there is a bit more to searching the Registry than you might think. So, if you want to find what you're looking for, do the following:

  • The Find function in the Registry searches from the current node forward to the last value in the final root key branch. So, if you want to search the complete Registry, you must select the My Computer node in the left pane before you select Find on the Edit menu or press Ctrl+F.

  • Type the text you want to find in the Find What box. You can search only for standard American Standard Code for Information Interchange (ASCII) text. So, if you're searching for data entries, Registry Editor will search only string values (REG_SZ, REG_EXPAND_SZ, and REG_MULTI_SZ) for the specified text.

  • Use the Look At options to control where Registry Editor looks for the text you want to find. You can search on key names, value names, and text within data entries. If you want to match only whole strings instead of searching for text within longer strings, select Match Whole Strings Only.

After you make your selections, click Find Next to begin the search. If Registry Editor finds a match before reaching the end of the Registry, it selects and displays the matching item. If the match isn't what you're looking for, press F3 to search again from the current position in the Registry.

Modifying the Registry

When you want to work with keys and values in the Registry, you typically are working with subkeys of a particular key. This allows you to add a subkey and define its values and to remove subkeys and their values. You cannot, however, add or remove root keys or insert keys at the root node of the Registry. Default security settings within some subkeys might also prohibit you from working with their keys and values. For example, by default you cannot create, modify, or remove keys or values within HKLM\SAM and HKLM\SECURITY.

Modifying Values

The most common change you'll make to the Registry is to modify an existing value. For example, a Knowledge Base article might recommend that you change a value from 0 to 1 to enable a certain feature in Windows Server 2003 or from 1 to 0 to disable it. To change a value, locate the value in Registry Editor, and then in the right pane double-click the value name. This opens an Edit dialog box, the style of which depends on the type of data you are modifying.

The most common values you'll modify are REG_SZ, REG_MULTI_SZ, and REG_DWORD. Figure 14-5 shows the Edit String dialog box, which is displayed when you modify REG_SZ values. In the dialog box, you would typically replace the existing value with the value you need to enter.

Figure 14-5. Using the Edit String dialog box

Figure 14-6 shows the Edit Multi-String dialog box, which is displayed when you modify REG_MULTI_SZ values. In this example, there are four separate string values. In the dialog box, each value is separated by a new line to make the values easier to work with. If directed to change a value, you would typically need to replace an existing value, making sure you don't accidentally modify the entry before or after the entry you are working with. If directed to add a value, you would begin typing on a new line following the last value.

Figure 14-6. Using the Edit Multi-String dialog box

Figure 14-7 shows the Edit DWORD Value dialog box, which is displayed when you modify REG_DWORD values. In this example, the value is displayed in hexadecimal format. Typically, you won't need to worry about the data format. You will simply enter a new value as you've been directed. For example, if the Count value entry represented a flag, the data entry of 1 would indicate the flag is on (or true). To turn off the flag (switch it to false), you would replace the 1 with a 0.

Figure 14-7. Using the Edit DWORD Value dialog box

Tip

Copy and paste using the Clipboard to get values right

The Windows Clipboard is available when you are working with Registry Editor. This means you can use copy, cut, and paste just as you do with other Windows programs. If there is a value in a Knowledge Base article that's difficult to type, you might want to copy it to the Clipboard and then paste it into the Value Data box of the Edit dialog box.

Adding Keys and Values

As noted previously, you can add or remove keys in most areas of the Registry. The exceptions pertain to the root node, the root keys, and areas of the Registry where permissions prohibit modifications.

You add new keys as subkeys of a selected key. Access the key with which you want to work, and then add the subkey by right-clicking the key and selecting New, Key. Registry Editor creates a new key and selects its name so that you can set it as appropriate. The default name is New Key #1.

The new key has a default value entry associated with it automatically. The data type for this default value is REG_SZ. Just about every key in the Registry has a similarly named and typed value entry, so don't delete this value entry. Either set its value by double-clicking it to display the Edit String dialog box, or create additional value entries under the selected key.

To create additional value entries under a key, right-click the key, then select one of these values:

  • String Value: Used to enter a fixed-length string of Unicode characters; type REG_SZ

  • Binary Value: Used to enter raw binary data without any formatting or parsing; type REG_BINARY

  • DWORD Value: Used to enter binary data type in which 4-byte integer values are stored; type REG_DWORD

  • Multi-String Value: Used to enter a multiple-parameter string; type REG_MULTI_SZ

  • Expandable String Value: Used to enter a variable-length string that can include environment variables that are to be expanded when the data is read; type REG_EXPAND_SZ

Creating a new value adds it to the selected key and gives it a default name of New Value #1, New Value #2, and so on. The name of the value is selected for editing so that you can change it immediately. After you change the value name, double-click the value name to edit the value data.

Removing Keys and Values

Removing keys and values from the Registry is easy but should never be done without careful forethought to the possible consequences. That said, you delete a key or value by selecting it, and then pressing the Delete key. Registry Editor will ask you to confirm the deletion. Once you do this, the key or value is permanently removed from the Registry.

Modifying the Registry of a Remote Machine

You can modify the Registry of remote computers without having to log on locally. To do this, select Connect Network Registry on the File menu in Registry Editor, then use the Select Computer dialog box to specify the computer with which you want to work. In most cases, all you must do is type the name of the remote computer and then click OK. If prompted, you might need to enter the user name and password of a user account that is authorized to access the remote computer.

Once you connect, you get a new icon for the remote computer under your My Computer icon. Double-click this icon to access the physical root keys on the remote computer (HKEY_LOCAL_MACHINE and HKEY_USERS). The logical root keys aren't available because they are either dynamically created or simply pointers to subsets of information from HKEY_LOCAL_MACHINE and HKEY_USERS. You can then edit the computer's Registry as necessary. When you are done, you can select Disconnect Network Registry on the File menu and then choose the computer from which you want to disconnect. Registry Editor will then close the Registry on the remote computer and break the connection.

When working with remote computers, you can also load or unload hives as discussed in the section "Loading and Unloading Hives" later in this chapter. If you're wondering why you would do this, the primary reason is to work with a specific hive, such as the hive that points to Jo Brown's user profile because she inadvertently changed the display mode to an invalid setting and can no longer access the computer locally. With her user profile data loaded, you could then edit the Registry to correct the problem and then save the changes so that she can once again log on to the system.

Importing and Exporting Registry Data

Sometimes you might find that it is necessary or useful to copy all or part of the Registry to a file. For example, if you've installed a service or component that requires extensive configuration, you might want to use it on another computer without having to go through the whole configuration process again. So, instead, you would install the service or component baseline on the new computer, then export the application's Registry settings from the previous computer, copy them over to the other computer, and then import the Registry settings so that the service or component is properly configured. Of course, this technique works only if the complete configuration of the service or component is stored in the Registry, but you can probably see how useful being able to import and export Registry data can be.

By using Registry Editor, it is fairly easy to import and export Registry data. This includes the entire Registry, branches of data stemming from a particular root key, and individual subkeys and the values they contain. When you export data, you create a .reg file that contains the designated Registry data. This Registry file is a script that can then be loaded back into the Registry of this or any other computer by importing it.

Note

Because the Registry script is written as standard text, you could view it and, if necessary, modify it in any standard text editor as well. Be aware, however, that double-clicking the .reg file launches Registry Editor, which prompts you as to whether you want to import the data into the Registry. If you are concerned about this, save the data to a file with the .hiv extension because double-clicking files with this extension won't start Registry Editor. Files with the .hiv extension must be manually imported (or you could simply change the file extension to .reg when it is time to use the data).

To export Registry data, right-click the branch or key you want to export, and then select Export. You can also right-click the root node for the computer you are working with, such as My Computer for a local computer, to export the entire Registry. Either way, you'll see the Export Registry File dialog box as shown in Figure 14-8. Use the Save In selection list to choose a save location for the .reg file, and then type a file name. The Export Range panel shows you the selected branch within the Registry that will be exported. You can change this as necessary or select All to export the entire Registry. Then click Save to create the .reg file.

Figure 14-8. Exporting Registry data to a .reg file so that it can be saved and, if necessary, imported on this or another computer

Tip

Want to export the entire Registry quickly?

You can export the entire Registry at the command line by typing regedit /e SaveFile, where SaveFile is the complete file path to the location where you want to save the copy of the Registry. For example, if you wanted to save a copy of the Registry to C:\Corpsvr06-regdata.reg, you would type regedit /e C:\corpsvr06-regdata.reg.

Importing Registry data adds the contents of the Registry script file to the Registry of the computer you are working with, either creating new keys and values if they didn't previously exist or overwriting keys and values if they did previously exist. You can import Registry data in one of two ways. You can double-click the .reg file, which starts Registry Editor and prompts you as to whether you want to import the data. Or you can select Import on the File menu, then use the Import Registry File dialog box to select and open the Registry data file you want to import.

Loading and Unloading Hive Files

Just as you sometimes must import or export Registry data, you'll sometimes need to work with individual hive files. The most common reason for doing this, as discussed previously, is when you must modify a user's profile to correct an issue that prevents the user from accessing or using a system. Here, you would load the user's Ntuser.dat file into Registry Editor and then make the necessary changes. Another reason for doing this would be to change a particular part of the Registry on a remote system. For example, if you needed to repair an area of the Registry, you could load the related hive file into the Registry of another machine and then repair the problem on the remote machine.

Loading and unloading hives affects only HKEY_LOCAL_MACHINE and HKEY_USERS, and you can perform these actions only when one of these root keys is selected. Rather than replacing the selected root key, the hive you are loading then becomes a subkey of that root key. HKEY_LOCAL_MACHINE and HKEY_USERS are of course used to build all the logical root keys used on a system, so you could in fact work with any area of the Registry.

After you select either HKEY_LOCAL_MACHINE or HKEY_USERS in Registry Editor, you can load a hive for the current machine or another machine by selecting Load Hive on the File menu. Registry Editor then prompts you for the location and name of the previously saved hive file. Select the file, and then click Open. Afterward, enter a name for the key under which the hive will reside while it is loaded into the current system's Registry, and then click OK.

Note

You can't work with hive files that are already being used by the operating system or another process. You could, however, make a copy of the hive and then work with it. At the command line, type reg save followed by the abbreviated name of the root key to save and the file name to use for the hive file. For example, you could type reg save hkcu c:\curr-hkcu.hiv to save HKEY_CURRENT_USER to a file called Curr-hkcu.hiv on drive C. Although you can save the logical root keys (HKCC, HKCR, HKCU) in this manner, you can save only subkeys of HKLM and HKU using this technique.

When you are finished working with a hive, you should unload it to clear it out of memory. Unloading the hive doesn't save the changes you've made—as with any modifications to the Registry, your changes are applied automatically without the need to save them. To unload a hive, select it, and choose Unload Hive on the File menu. When prompted to confirm, click Yes.
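The load, inspect, and unload sequence can also be scripted with the REG command. The batch file below is an added example, not part of the original chapter; the profile path and the temporary key name Offline_jbrown are hypothetical, and the key it queries is only an illustration of where you would inspect or edit.

```bat
@echo off
rem Added example. HIVE and MOUNT are hypothetical placeholders.
setlocal
set "HIVE=C:\Documents and Settings\jbrown\Ntuser.dat"
set "MOUNT=HKU\Offline_jbrown"

rem Use a key name that is free, so nothing loaded earlier is touched.
reg query "%MOUNT%" >nul 2>&1
if not errorlevel 1 (
    echo %MOUNT% already exists; choose another name.
    exit /b 1
)

rem REG LOAD fails if the file is in use, for example while the user is logged on.
reg load "%MOUNT%" "%HIVE%"
if errorlevel 1 (
    echo Could not load %HIVE%
    exit /b 1
)

rem Inspect or edit under the temporary key. Edits are applied immediately.
reg query "%MOUNT%\Control Panel\Desktop"
set "RESULT=%errorlevel%"

rem Always unload, even if the query failed, so the hive file is released.
reg unload "%MOUNT%"
if errorlevel 1 (
    echo WARNING: %MOUNT% is still loaded
    exit /b 2
)
exit /b %RESULT%
```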

Working with the Registry from the Command Line

If you want to work with the Registry from the command line, you can do so using the REG command. REG is run using the permissions of the current user and can be used to access the Registry on both local and remote systems. As with Registry Editor, you can work only with HKEY_LOCAL_MACHINE and HKEY_USERS on remote computers. These keys are, of course, used to build all the logical root keys used on a system, so you can in fact work with any area of the Registry on a remote computer.

REG has different subcommands for performing various Registry tasks. These commands include the following:

  • REG ADD: Adds a new subkey or value entry to the Registry

  • REG COMPARE: Compares Registry subkeys or value entries

  • REG COPY: Copies a Registry entry to a specified key path on a local or remote system

  • REG DELETE: Deletes a subkey or value entries from the Registry

  • REG EXPORT: Exports Registry data and writes it to a file

    Note

    These files have the same format as files you export from Registry Editor. Typically, however, they are saved with the .hiv extension because double-clicking files with this extension won't start Registry Editor.

  • REG IMPORT: Imports Registry data and either creates new keys and value entries or overwrites existing keys and value entries

  • REG LOAD: Loads a Registry hive file

  • REG QUERY: Lists the value entries under a key and the names of subkeys (if any)

  • REG RESTORE: Writes saved subkeys and entries back to the Registry

  • REG SAVE: Saves a copy of specified subkeys and value entries to a file

  • REG UNLOAD: Unloads a Registry hive file

You can learn the syntax for using each of these commands by typing reg followed by the name of the subcommand you want to learn about and then /?. For example, if you wanted to learn more about REG ADD, you would type reg add /? at the command line.
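Several of these subcommands combine naturally into the back up, change, and verify routine that the earlier Caution recommends. The batch file below is an added example, not part of the original chapter; the key path, the backup location, and the use of the Count flag value are hypothetical, and the C:\RegBackup folder is assumed to exist.

```bat
@echo off
rem Added example. KEY, VALUE and BACKUP are hypothetical placeholders.
setlocal
set "KEY=HKLM\SOFTWARE\ExampleCorp\ExampleService"
set "VALUE=Count"
rem NEWDATA is a flag, 0 or 1, so its hexadecimal form is the same digit.
set "NEWDATA=0"
set "BACKUP=C:\RegBackup\ExampleService-before.reg"

rem Refuse to overwrite an earlier backup of the key.
if exist "%BACKUP%" (
    echo Backup file already exists: %BACKUP%
    exit /b 1
)

rem 1. Export the key before touching it.
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Export failed; no change was made.
    exit /b 1
)

rem 2. Apply the change. /f suppresses the overwrite prompt.
reg add "%KEY%" /v "%VALUE%" /t REG_DWORD /d %NEWDATA% /f
if errorlevel 1 goto rollback

rem 3. Read the value back. REG QUERY prints name, type, data; data is token 3.
set "CURRENT="
for /f "tokens=3" %%A in ('reg query "%KEY%" /v "%VALUE%" ^| findstr /i "REG_DWORD"') do set "CURRENT=%%A"
if /i "%CURRENT%"=="0x%NEWDATA%" (
    echo %VALUE% is now %CURRENT%. Backup kept at %BACKUP%
    exit /b 0
)

:rollback
rem REG IMPORT re-creates or overwrites what is in the file. It does not
rem remove a value that was absent before the change.
echo Change could not be verified; re-importing %BACKUP%
reg import "%BACKUP%"
exit /b 2
```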
