Section 1.3: The Registry

Microsoft Windows XP Professional stores hardware and software settings in the registry. The registry controls the Windows XP Professional operating system by providing the appropriate initialization information to boot Windows XP Professional, to start applications, and to load components, such as device drivers and network protocols.

Management of the registry is an important part of the administrator's job and includes viewing, editing, backing up, and restoring the registry. You use Registry Editor to view and change the registry configuration.

1.3.1: The Hierarchical Structure of the Registry

The registry is organized in a hierarchical structure that is displayed by the Registry Editor. This hierarchy is made up of:

  • Subtree: To make the information in the registry easier to find and view, there are five predefined subtrees that can be seen in the editor. These subtrees are listed in Table 1.8.
  • Keys: Correspond to hardware or software objects and groups of objects. Subkeys are keys within higher-level keys.
  • Entries: Keys contain one or more entries. An entry has three parts: name, data type, and value (data or configuration parameter).
  • Hive: A hive is a discrete body of keys, subkeys, and entries that has a corresponding registry file and .log file located in %systemroot%\System32\Config. Windows XP Professional uses the .log file to record changes and ensure the integrity of the registry.
  • Data types: Each entry's value is expressed as one of these data types:
    • REG_SZ (String value). A single value that Windows XP Professional interprets as a string to store.
    • REG_BINARY (Binary value). A single value that must be a string of hexadecimal digits.
    • REG_DWORD (DWORD value). A single value that must be a string of 1-8 hexadecimal digits.
    • REG_MULTI_SZ (Multistring value). Can be multiple values. Windows XP Professional interprets each string as a separate component of the multi_sz entry.
    • REG_EXPAND_SZ (Expandable string value). Similar to REG_SZ, except the text can contain a replaceable variable.
    • REG_FULL_RESOURCE_DESCRIPTOR. Stores a resource list for hardware components or drivers. You cannot add or modify an entry with this data type.
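
The name, data type, and value parts of an entry can be seen by decoding a key that has been exported from Registry Editor. The following is an added example, not part of the original text: it assumes the text (.reg) format that Registry Editor writes on export, and the key, entry names, and values in the sample are constructed. It lets an administrator check what each entry's type and value actually are before a saved key is restored.

```python
import re

# Constructed sample of a Registry Editor export; not taken from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
"Enabled"=dword:00000001
"Signature"=hex:de,ad,be,ef
"LogPath"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,61,00,00,00
"Plugins"=hex(7):61,00,62,00,00,00,\
  63,00,00,00,00,00
'''

HEX_TYPES = {2: "REG_EXPAND_SZ", 3: "REG_BINARY", 7: "REG_MULTI_SZ",
             9: "REG_FULL_RESOURCE_DESCRIPTOR"}   # N in a hex(N): prefix

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # \\ -> \ and \" -> "

def decode(raw):
    """Turn the text after '=' into a (data type, value) pair."""
    if raw.startswith('"'):
        return "REG_SZ", unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", raw)
    if not m:
        raise ValueError("unrecognized value: " + raw)
    code = int(m.group(1), 16) if m.group(1) else 3   # plain hex: is binary
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    dtype = HEX_TYPES.get(code, "type 0x%x" % code)
    if code in (2, 7):                   # UTF-16LE, NUL-terminated strings
        parts = [p for p in data.decode("utf-16-le").split("\x00") if p]
        return dtype, (parts if code == 7 else "".join(parts))
    return dtype, data

def parse_reg(text):
    """Return {key path: {entry name: (data type, value)}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)   # join continued hex lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = decode(m.group(2))
    return keys
```

Calling `parse_reg(SAMPLE_REG)` returns one key whose five entries carry the types REG_SZ, REG_DWORD, REG_BINARY, REG_EXPAND_SZ, and REG_MULTI_SZ.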

Table 1.8: The Registry Subtrees

| Subtree | Description |
|---|---|
| HKEY_LOCAL_MACHINE | Contains all configuration data for the local computer, including hardware and operating system data such as bus type, system memory, device drivers, and startup control data. Applications, device drivers, and the operating system use this data to set the computer configuration. The data in this subtree remains constant regardless of the user. |
| HKEY_USERS | Contains two subkeys: DEFAULT, which contains the system default settings (system default profile) used to display the Ctrl+Alt+Delete logon screen, and the security identifier (SID) of the current user; and HKEY_CURRENT_USER, which is a child of HKEY_USERS. |
| HKEY_CURRENT_USER | Contains data about the current user. Retrieves a copy of each user account used to log on to the computer from the NTUSER.DAT file and stores it in the %systemroot%\Profiles\username key. This subtree takes precedence over HKEY_LOCAL_MACHINE for duplicated values. |
| HKEY_CLASSES_ROOT | Contains software configuration data: object linking and embedding (OLE) and file-class association data. This subtree points to the Classes subkey under HKEY_LOCAL_MACHINE\SOFTWARE. |
| HKEY_CURRENT_CONFIG | Contains data on the active hardware profile extracted from the SOFTWARE and SYSTEM hives. This information is used to configure settings such as the device drivers to load and the display resolution to use. |

1.3.2: The HKEY_LOCAL_MACHINE Subtree

The HKEY_LOCAL_MACHINE root key has five subkeys. These are listed in Table 1.9.

Table 1.9: HKEY_LOCAL_MACHINE Subkeys

| Subkey | Description |
|---|---|
| HARDWARE | Contains information on the type and state of physical devices attached to the computer. Windows XP Professional builds this subkey from information gathered during startup and therefore it is not mapped to a file on the disk. Applications query this subkey to determine the type and state of physical devices attached to the computer. |
| SAM | Contains information on the directory database for the computer and is mapped to the SAM and SAM.LOG files in the %systemroot%\System32\Config directory. Applications that query SAM must use the appropriate application programming interfaces (APIs). |
| SECURITY | Contains the security information for the local computer and is mapped to the Security and SECURITY.LOG files in the %systemroot%\System32\Config directory. Applications cannot modify the keys contained in the SECURITY subkey. Instead, applications must query security information by using the security APIs. |
| SOFTWARE | Contains information about the local computer software that is independent of user configuration information and is mapped to the Software and SOFTWARE.LOG files in the %systemroot%\System32\Config directory. |
| SYSTEM | Contains information about system devices and services. When you install or configure device drivers or services, they add or modify information under this hive. The SYSTEM hive is mapped to the System and SYSTEM.LOG files in the %systemroot%\System32\Config directory. The registry keeps a backup of the data in the SYSTEM hive in the SYSTEM.ALT file. |