Understanding The Registry of Windows.
Put simply, the Windows registry is a central repository of information about all aspects of the computer – in particular, its hardware, operating system, applications and users. It can be accessed and updated under software control and also directly by users.

The registry first appeared in Windows 3.1. In that system it was a single file, called REG.DAT, and was mainly used to store information about OLE objects. Most other configuration data was held in various INI files, of which WIN.INI and SYSTEM.INI were the most important.

The modern registry, as found in Windows 9x and NT, brings together all the information that was previously held in REG.DAT and the separate INI files.

The registry has several advantages over INI files. Because the information is centralised, it is easier for applications to access it. It is more hierarchical than INI files, and so better suited for storing large amounts of structured data. It is also free of the size limitations which affect INI files (although there is still a maximum total registry size limit).

Storage

Although the registry is usually considered to be a single entity, its contents are in fact stored in more than one physical file. In Windows 9x, there are two such files: SYSTEM.DAT and USER.DAT.
These hold computer-specific and user-specific information respectively. In Windows NT, the registry is spread over a series of files, sometimes called hives.

SYSTEM.DAT and USER.DAT are usually held in the Windows directory. However, it is also possible to place USER.DAT in the user’s login directory on a network, thus allowing the user to log in at other workstations. In NT, the hive files are located in the SYSTEM32\CONFIG directory, which is off the Windows directory.

Architecture

When you view the registry in the Microsoft Registry Editor its hierarchical nature becomes obvious. (To launch the editor, run REGEDIT.EXE from the Start/Run menu. I’ll describe it in more detail later in the article.) The editor presents an Explorer-like view of the registry, with a tree in the left pane and data in the right (see Figure 1).

The registry tree is divided into six broad sections (five in NT). These sections, which all have names beginning with HKEY_, are called root keys or top-level keys (see Figure 2). Each root key contains sub-keys, which might in turn contain further sub-keys and so on. The lowest level keys along a given branch are called values.

Taking a hard disk as an analogy, keys are like directories and values are like files. Keys and values both hold data, which can either be binary values or ASCII strings.

Each item of data has an associated name. As a minimum, each key and value holds a single data item, named Default. The data and names are displayed in the right pane of the editor, along with an icon which shows whether the data is binary or string.

Editing the registry is not as hard as you might think, but you need to understand what you’re doing, and it’s essential to make a backup before you make any changes so that you can back them out if necessary.

Continuing with the hard disk analogy, you can identify any key or value by specifying the path along its branch, using the familiar backslash notation. For example, information about installed dial-up networking connections is held in HKEY_CURRENT_USER\RemoteAccess\Addresses. If you drill down through this path in the left pane, you will see the relevant data in the right pane. In this example, each data item corresponds to one DUN connection.

Aliases

I said earlier that the registry is divided into six broad sections, one for each root key. This is certainly how the registry is usually regarded, but it is not strictly true. The reason is that all but two of the root keys are in fact aliases for other parts of the tree.

To see an example of this, drill down from HKEY_CLASSES_ROOT. You will see that this root key contains a large number – perhaps many hundreds – of sub-keys at the first level down. The first group of these sub-keys have names which look like file extensions, while the names of the remainder resemble those of applications.

Now locate HKEY_LOCAL_MACHINE\Software\Classes. As you can see, this contains exactly the same sub-keys, values and data as HKEY_CLASSES_ROOT. That’s because HKEY_CLASSES_ROOT is an alias for HKEY_LOCAL_MACHINE\Software\Classes.

An alias is not a copy. Rather, it is another view of the same information. If you edit the data in the alias, the change is immediately reflected in the part of the tree to which the alias refers, and vice versa. Only one edit actually takes place, but you are seeing it from two different viewpoints. Figure 3 lists the aliases in the Windows 9x registry.

One of the root keys, HKEY_DYN_DATA, works slightly differently. This key is essentially a RAM-resident copy of certain parts of the registry which Windows needs to get at quickly.
It is created at boot time and discarded at shut-down; it never gets written back to disk.

Because aliases only exist while Windows is running, they will not get backed up if you create your backup copies from DOS. This is not a problem as the information in the aliases is all available elsewhere in the registry. Windows always re-creates the aliases during startup.

Registry Editors

The main tool for viewing and editing the registry is the Microsoft Registry Editor, REGEDIT.EXE. Although third-party editors exist, you will probably want to stick with the official Microsoft product, given the critical nature of the registry editing process. (That’s not to say that REGEDIT.EXE is itself completely reliable; the Microsoft Knowledge Base notes several bugs in the Windows 95 version, but these are unlikely to cause problems in day-to-day operations.)

Windows NT 4.0 comes with a second editor: REGEDT32.EXE. This supports certain NT-specific features which REGEDIT.EXE does not know about, such as the ability to maintain security settings. However, it lacks the very useful search function found in the standard version. NT 4.0 also includes REGEDIT.EXE, although this might not be the same as the one found in Windows 9x. If you upgraded from Windows 3.1 to Windows NT, you will have the original 3.1 version of REGEDIT.EXE.

As far as the Windows 9x version is concerned, its operation is completely straightforward, with all its functions being easily accessible from the Registry and Edit menus. You can also right-click on an item to edit, delete or rename it, or to create new keys or values.

When you edit a data item in the editor, the change is written to the registry almost immediately – you do not explicitly save the file. If you make a mistake, the only recourse (apart from restoring from a backup) is to edit the same item again.

Conversely, if another process changes a registry item while the editor is open, the editor will pick up the new setting straight away – although you might need to refresh the display in order to see it (to do so, select View, Refresh, or press F5).

Remote Registries

As well as letting you view and edit the registry on your local machine, the Microsoft Registry Editor can also access registries on other computers on the network.
If your machine and the remote computer are both running NT 4.0, this operation is completely straightforward. But if either or both machines have Windows 9x, you must first install the Remote Registry service, which in turn depends on having user-level security enabled and Remote Administration services installed. For step-by-step instructions on setting this up, see Article Q141460 in the Microsoft Knowledge Base.

Once you have installed the necessary components, you can access the other computer’s registry by selecting Connect Network Registry from the Registry menu within the editor. Having done so, you will be able to view and edit the remote registry in the same way as the local registry. When you have finished, go back to the Registry menu and select Disconnect Network Registry.

Figure 2: The six root keys.
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA

Figure 3:
Root key               Alias for
HKEY_CLASSES_ROOT      HKEY_LOCAL_MACHINE\Software\Classes
HKEY_CURRENT_USER      User’s branch within HKEY_USERS
HKEY_CURRENT_CONFIG    Hardware profile within HKEY_LOCAL_MACHINE\Config

Registry Backup

Backing up the Windows registry presents a specific problem: you cannot directly copy the relevant files while they are open, and they are always open while Windows is running. However, there are a couple of techniques you can use to work round this.

Backup Utilities

For Windows 95 users, the easiest approach is to use the Configuration Backup utility (Figure 4). This copies the registry to a compressed backup file, the name of which is REGBACKn.RBK, where n is a sequence number. Up to nine generations of backup can be made. You are prompted to enter a description for the backup to help you subsequently identify it. The backup is always created in the Windows directory, but you are free to move it elsewhere.

The same utility can be used to restore and delete backups. It can only restore from the Windows directory so, if you have moved the file to another directory, you must move it back before running the utility.
The Configuration Backup utility is not installed by default. You will find it on the Windows CD-ROM, in the \OTHER\MISC\CFGBACK directory. You can copy the two files (CFGBACK.EXE and a help file) from this directory to your hard disk, or you can run the executable directly from the CD-ROM.

In Windows 98, the best way of backing up the registry is to use the Registry Checker (SCANREGW.EXE). This creates a backup automatically each time the computer starts, but it can also be run on demand. The backup is held in a CAB file, named RBn.CAB (where n is a sequence number), in the SYSBCKUP directory (this is a hidden directory off the Windows directory). By default, five generations of backup are maintained, but this number can be varied by editing SCANREG.INI.

Windows NT does not include a specific registry backup tool. However, the standard NT backup utility, NTBACKUP.EXE, is able to back up the registry, but only to supported tape drives.

Manual Backups

Another way of backing up the registry is simply to copy the relevant files. You cannot do this while Windows is running but, in the case of Windows 9x, you can work round this either by booting to DOS (hold down F8 during startup, then select Command Prompt Only) or by exiting to DOS from the Shut Down dialog.

The two registry files, SYSTEM.DAT and USER.DAT, are flagged as hidden, system and read-only. Before copying them, you will need to use the ATTRIB command to switch off these flags. Once that’s done, you can copy the two files from the Windows directory to another suitable location. Finally, use ATTRIB again to restore the flags.

In the case of NT, if the system is configured for dual-booting you should boot to DOS or Windows 9x before copying the registry files. Alternatively, boot to DOS from a startup floppy. The files which you should copy are those stored in the SYSTEM32\CONFIG directory, which is off the Windows directory.
Note that you cannot use this method if the Windows directory is on an NTFS partition, as the booted operating system will not be able to access it.

Whatever the operating system, you can restore the registry by reversing the above process.

Exporting The Registry

Another approach to backing up the registry is to export it. Exporting the registry is not the same as copying it. Instead, the process creates a text file which contains the registry data in a format similar to that of an INI file (see Figure 5). If you need to restore the registry, you can do so by re-importing the text file.

An advantage of this approach is that you do not have to export the entire registry. If you want to try out changes which only affect one branch, you can limit the export to that branch. Another benefit is that you can perform both the export and import operations from within Windows.

Figure 4: The Configuration Backup tool provides the simplest way of backing up and restoring the registry in Windows 95.

To start the export process, launch the Microsoft Registry Editor, select the branch that you wish to copy, choose Export Registry File from the Registry menu, and specify the name and location of the export file. Note that the Save dialog includes a choice between exporting the selected branch and exporting “all”, that is, the whole registry.

The resulting file has the extension REG. You can view its contents by opening it in a text editor. When working with this file, take care not to double-click on it, as this will re-import it. You can also import the REG file by selecting Import Registry File from the Registry menu.

Automatic Backups

If the worst happens and you find yourself with a damaged registry and no recent backup, there is an escape route. As soon as Windows has successfully booted, it automatically creates a backup, which you can then use to restore the registry if the need arises. This is not always an ideal solution, as you can only restore the registry as it was at the start of the session, but it should be enough to get you out of trouble.

In Windows 98, these automatic backups are held in the CAB files created by the Registry Checker. If you need to restore from them, boot to DOS, then type SCANREG /RESTORE to launch the command-line version of the utility. You will see a list of the available backups, from which you can select the one you wish to restore.

The Registry Checker offers a couple of extra benefits. As its name suggests, it performs a check, albeit a rudimentary one, on the integrity of the registry. It does this at boot time. If it detects a problem, it will automatically restore the most recent backup. It will also defragment the registry if it detects more than half a megabyte of empty space.

In the case of Windows 95, only one generation of automatic backup is maintained.
This consists of two files, named SYSTEM.DA0 and USER.DA0. They are hidden, system read-only files in the Windows directory. If you need to restore from them, boot to DOS, change the attributes (on the backup and the existing registry files), and copy the backups over the existing files. This will only work if you have not booted to Windows since the registry became corrupted.

Registry Contents

For the remainder of the article, I will describe the most important keys and values in the registry of a typical PC. As you read this, you might want to follow along by having your own registry open in the editor. For convenience, I’ll deal with the root keys in the order in which they appear in the editor.

HKEY_CLASSES_ROOT

This branch is an alias for HKEY_LOCAL_MACHINE\Software\Classes (see below), and is a direct descendant of the REG.DAT file found in Windows 3.1. It is mainly used to keep track of file extensions and their associated applications, documents and OLE objects. It is a particularly large branch, with a very large number of sub-keys at the first level down (I counted over a thousand on my own PC).

The first group of these first-level sub-keys have names that look like file extensions: .JPG, .XLS and the like. There is one of these for each “registered” document type, that is, for each type of file listed in the File Types tab in the Options dialog in Windows Explorer. As a minimum, the sub-key’s data contains a reference to the class definition associated with the document.
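
The text export described under Exporting The Registry can be compared offline to see exactly what a change touched. The following Python code is an added example, not part of the original article or of any Microsoft tool: it parses two REGEDIT4 exports of one branch, taken before and after a change, and lists the values that were added, removed or changed. The sample exports and the value names in them are constructed.

```python
import re
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

def _unescape(s):
    # REG files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse REGEDIT4 export text into {key: {value name or "@": data}}."""
    if not text.startswith("REGEDIT4"):
        raise ValueError("not a REGEDIT4 export")
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join continued binary data
    tree, key = {}, None
    for line in text.splitlines()[1:]:
        line = line.strip()
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif m and key is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"'):
                data = _unescape(data[1:-1])
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith("hex"):
                data = bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
            tree[key][name] = data
    return tree

def diff_reg(before, after):
    """Return sorted (key, value name, change) tuples for two parsed exports."""
    flat = lambda t: {(k, n): d for k, vals in t.items() for n, d in vals.items()}
    old, new = flat(before), flat(after)
    out = []
    for kn in sorted(set(old) | set(new)):
        if old.get(kn) != new.get(kn):
            change = "added" if kn not in old else "removed" if kn not in new else "changed"
            out.append((*kn, change))
    return out

# Constructed sample exports of the branch named in the article.
BEFORE = r'''REGEDIT4

[HKEY_CURRENT_USER\RemoteAccess\Addresses]
"Sample ISP"=hex:01,00,\
  02,00
'''
AFTER = BEFORE.replace("02,00", "03,00") + '"New ISP"=hex:ff\n'
```

Calling `diff_reg(parse_reg(BEFORE), parse_reg(AFTER))` reports the new value and the modified one; keys that hold no values at all are not reported.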
posted by yourchoice