The Windows XP Registry MCSE Guide to Microsoft Windows XP Professional 70-270:

The Windows XP Registry
70-270: MCSE Guide to
Microsoft Windows XP Professional
Windows Registry Overview
(Page 1)

The Registry is a hierarchical database of
information about the system's configuration …

Stores information essential to the
functioning of Windows XP
Information for Microsoft and third-party
applications
Windows Registry Overview
(Page 2)

Information replaces initialization files, e.g.

The WIN.INI (or other .ini files), or
Autoexec.bat and Config.sys files of MS-DOS and Windows 3.x
It is not a text file, but rather several files
with data in a binary format
Windows Registry Overview
(Page 3)

Many changes are made to the system
configurations through various Control
Panel applets and applied to Registry …


It usually is better to use the appropriate
Windows interface
If the Registry Editor is used incorrectly,
serious problems may result that require
reinstalling the operating system
Windows Registry Overview
(Page 4)

Some settings can be established or
changed only by editing Registry directly:


In that case run the Registry editor from
the "Start" menu by entering command
"regedit" at the Run… command
Either way, the Registry is designed for
programming ease as well as speed of
interaction for processes
Windows Registry Components
(Page 1)

Left pane shows a hierarchical structure:

Keys—top-level containers in the hierarchy
(each root key name starts with HKEY to
indicate highest-level status), e.g.
HKEY_LOCAL_MACHINE

Subkeys—within each subkey exists:
  One or more values
  Or additional subkey levels
Hierarchical Registry Structure (screenshot)
Windows Registry Components
(Page 2)

Right pane displays the value entries:


Named parameters for control settings or
configuration data
Each value entry is composed of three
elements: (1) the entry name, (2) data type,
and (3) data value
Registry Data Types
(Page 1)

Binary—binary format

Most hardware component information is
stored as binary data
Actually displayed in hexadecimal format
Referred to as REG_BINARY
DWORD—a 32-bit number, shown in binary,
hex or decimal

Hexadecimal numbers are displayed
starting with characters "0x" as in 0xC (12)
Referred to as REG_DWORD
Registry Data Types
(Page 2)

String—a text string (NUL-terminated,
variable length)

Referred to as REG_SZ
Multiple String—contains multiple
human-readable strings

Each entry is NUL-terminated and the whole
list ends with an extra NUL (Regedit shows
one entry per line)
Referred to as REG_MULTI_SZ
Registry Data Types
(Page 3)

Expandable String—contains variables
that are resolved (replaced) when a
program or service uses the data

E.g. %systemroot%\File.exe
Referred to as REG_EXPAND_SZ
This list is not complete, but rather is a
partial list of the most common data types
Registry Data Types
(Page 4)

Additionally there is a type "None" when
the data has no particular type

Written to registry by applications or the
system, and is displayed in hexadecimal
format as binary
Referred to as REG_NONE
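The encodings above are easiest to see in the text format that Regedit's File → Export writes (a .reg file, covered later in this deck): a REG_SZ is a quoted literal, a REG_DWORD appears as dword:, and every other type as a hex(N): byte list. The parser below is an added example written for this page, not code from the deck or from Microsoft. SAMPLE_REG is constructed by hand and its key and value names are made up. It decodes each type as described above, including the NUL-delimited REG_MULTI_SZ layout and the little-endian DWORD, and resolves a REG_EXPAND_SZ against an environment.

```python
"""Decode a Regedit export (.reg, "Windows Registry Editor Version 5.00")
into the registry data types discussed above.

Added example; not code from the original deck.  SAMPLE_REG is constructed
by hand and its key and value names are made up."""
import re

# Numeric type codes as they appear in hex(N): payloads (and in the Win32 API)
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 0, 1, 2, 3, 4, 7

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data  or  @=data
HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')     # hex:..  or  hex(N):..

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Demo]
@="default value"
"Path"="C:\\Program Files\\Demo"
"Flags"=dword:0000000c
"Blob"=hex:de,ad,be,ef
"Command"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,46,00,69,00,6c,00,65,00,2e,00,65,00,78,00,65,00,00,00
"Servers"=hex(7):61,00,6c,00,70,00,68,00,61,00,00,00,62,00,65,00,74,00,61,00,\
  00,00,00,00
"Untyped"=hex(0):
"Obsolete"=-
'''


def _unescape(literal):
    """A .reg string literal escapes backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', literal)


def _decode_hex(reg_type, payload):
    """Turn the comma-separated byte list of a hex(N): value into a Python object."""
    data = bytes(int(h, 16) for h in payload.replace(" ", "").split(",") if h)
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")       # UTF-16LE, NUL terminated
    if reg_type == REG_MULTI_SZ:
        # A REG_MULTI_SZ is a run of NUL-terminated strings ended by an extra NUL,
        # not a space- or comma-separated list.
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if reg_type == REG_DWORD:
        return int.from_bytes(data[:4], "little")            # stored little-endian on disk
    return data                                              # REG_BINARY, REG_NONE, others


def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}}.  The key's default value
    is stored under the name ''.  A value written as =- (delete on import)
    is returned as None; a [-KEY] line maps the whole key to None."""
    lines = []
    for line in text.splitlines():                           # re-join continuation lines
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line.rstrip())

    result, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):
                result[name[1:]] = None                      # key deletion
                current = None
            else:
                current = result.setdefault(name, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue                                         # header, blank, comment
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        data = m.group(2)
        if data == "-":
            current[name] = None
        elif data.startswith('"'):
            current[name] = (REG_SZ, _unescape(data[1:-1]))
        elif data.startswith("dword:"):
            current[name] = (REG_DWORD, int(data[6:], 16))   # written as 8 hex digits
        else:
            h = HEX_RE.match(data)
            if h:
                reg_type = int(h.group(1), 16) if h.group(1) else REG_BINARY
                current[name] = (reg_type, _decode_hex(reg_type, h.group(2)))
    return result


def expand(value, env):
    """Resolve the %var% references of a REG_EXPAND_SZ (what ExpandEnvironmentStrings does)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), value)


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(key)
        for name, entry in values.items():
            print("  %r: %r" % (name or "(Default)", entry))
```

Regedit writes .reg files as UTF-16LE text; open the file with that encoding before handing its contents to parse_reg.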
Windows Registry
(Page 1)

Not a complete collection of settings

Holds only exceptions to defaults
To alter a value that is a default, a new
value entry must be added to Registry

Administrator must know the exact syntax,
spelling, location, and valid values
Always edit with extreme care

The Microsoft Windows XP Professional
Resource Kit includes help file (Registry.chm)
with all possible entries and valid values
Windows Registry
(Page 2)

Each time Windows XP starts, Registry is
loaded into memory from files on the hard
drive …

Changes become effective immediately
Only on rare occasions is rebooting the
system required
Written from memory back to hard drive
files on shutdown
Windows Registry
(Page 3)

The Registry is stored not in one file, but
rather in several

Each contains a discrete body of keys,
subkeys and values known as a hive
Complete listing of path and filenames are
found in Registry at subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
The Registry Keys

The five highest-level keys (HKEY) in the
Registry are:





HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
Root Key Abbreviations

The root keys have an abbreviated format:

For example the abbreviation for the
HKEY_LOCAL_MACHINE key is “HKLM”
(So subkeys can be rendered using a shorter
format, e.g. HKLM\HARDWARE)

Abbreviations for the other root keys are:




HKEY_CLASSES_ROOT—“HKCR”
HKEY_CURRENT_USER—“HKCU”
HKEY_USERS—“HKU”
HKEY_CURRENT_CONFIG—“HKCC”
HKEY_LOCAL_MACHINE
(Page 1)



Controls the local computer, establishing
configuration of hardware and operating
system environment
Includes information about the hardware
devices, installed applications, device
drivers, kernel services, physical settings
Dependent on physical composition of the
hardware and software present on machine

Not dependent on logged-on user, or
currently running processes or applications
HKEY_LOCAL_MACHINE
(Page 2)


The five subkeys are: HARDWARE, SAM,
SECURITY, SOFTWARE and SYSTEM
All these subkeys except HARDWARE are
saved to hive files in:

%systemroot%\system32\config (usually
c:\windows\system32\config)
The files are locked while Windows is running
and cannot be opened manually
HKEY_LOCAL_MACHINE (screenshot)
HKEY_LOCAL_MACHINE Files (screenshot)
HKEY_LOCAL_MACHINE\
HARDWARE
(Page 1)

Subkey containing data related directly to
physical devices installed on a computer:





Configuration data
Device driver settings
Mappings and linkages
Relationships between kernel-mode and
user-mode hardware calls
IRQ hooks
HKEY_LOCAL_MACHINE\
HARDWARE
(Page 2)

Re-created from data read from state of
physical devices and associated device
drivers each time system starts …



Does not save when system shuts down
Does not map to a specific hive file
Contents should not be manipulated

Should be no need since settings always
reflect current state of system
Most data is stored in binary format
HKEY_LOCAL_MACHINE\
HARDWARE
(Page 3)

Subkeys:



DESCRIPTION—data extracted from
device's firmware or BIOS
DEVICEMAP—information about device
driver paths, locations and filenames
RESOURCEMAP—information about
mappings between system resources (I/O
ports, I/O memory address, interrupts,
direct memory access) and device drivers
HKEY_LOCAL_MACHINE\
HARDWARE
(Page 4)

Subkeys (con.)



ACPI (not always present)—when system
supports Advanced Configuration and
Power Interface
OWNERMAP (only present when certain
bus types are present in computer)
Same information is viewable from Start
menu  Programs  Accessories 
System Tools  System Information
HKEY_LOCAL_MACHINE\SAM
(Page 1)

Subkey which is the Security Accounts
Manager (SAM) database



Contains data related to security
Location where user accounts and group
memberships are defined
Stores the entire security structure of the
Windows XP system
HKEY_LOCAL_MACHINE\SAM
(Page 2)

Do not attempt to modify this subkey:

Appears empty in the Registry Editor because
by default only the SYSTEM account has
read/write rights to it
Most data is in binary format (the password
hashes are additionally encrypted)
Use Local Users and Groups (in “Computer
Management”) or the User Accounts applet in
“Control Panel” to manipulate data
Resides in a hive file named SAM in the
\%systemroot%\System32\config directory
HKEY_LOCAL_MACHINE\
SECURITY
(Page 1)

Subkey which serves as a container for
security policy on the local machine


Applies to all local users
Defines control parameters, such as:





Password policy
User rights
Account lockout
Audit policy
General security options for local machine
HKEY_LOCAL_MACHINE\
SECURITY
(Page 2)

Do not attempt to modify this subkey …

Appears empty in the Registry Editor because
by default only the SYSTEM account has
read/write rights to it
Most data is in binary format
Use the Local Security Policy applet in
"Administrative Tools" in "Control Panel" to
manipulate data
Resides in a hive file named SECURITY in
\%systemroot%\System32\config directory
HKEY_LOCAL_MACHINE\
SOFTWARE

Subkey which serves as a container for
data about installed software and mapped
file extensions

Applies to all local users
HKLM\SOFTWARE\Classes subkey stores the
same data as the HKEY_CLASSES_ROOT key

In fact HKEY_CLASSES_ROOT is built from the
HKLM\SOFTWARE\Classes subkey
Resides in a hive file named SOFTWARE in
\%systemroot%\System32\config directory
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES (screenshot)
HKEY_LOCAL_MACHINE\
SYSTEM
(Page 1)

Subkey that stores data required to boot
Windows XP:




Startup parameters
Loading order for device drivers
Service startup credentials (settings and
parameters)
Basic operating system behavior
HKEY_LOCAL_MACHINE\
SYSTEM
(Page 2)



Essential to start process of Windows XP
Contains subkeys called control sets that
include complete information about start
process for the system
Resides in a hive file named SYSTEM in
\%systemroot%\System32\config directory
HKEY_LOCAL_MACHINE\SYSTEM (screenshot)
Exercise: update HKLM\SYSTEM\MountedDevices by
changing the drive letter for any partition
using the "Computer Management" applet
HKEY_LOCAL_MACHINE\
SYSTEM
(Page 3)


The MountedDevices subkey contains
settings for storage devices including the
control set boot status
Additionally contains Control set subkeys
called CurrentControlSet, ControlSet001,
ControlSet002, etc:

CurrentControlSet is redirected from one
of the numbered control sets as identified
in the HKLM\SYSTEM\Select subkey (the
Default value entry)
HKEY_LOCAL_MACHINE\
SYSTEM
(Page 4)

Control set subkeys (con.):

Each control set has four subkeys:
  Control—data related to controlling system
  startup, boot parameters, computer name,
  and necessary subsystem to initiate
  Enum—data regarding required device
  drivers and their configurations
  Hardware Profiles—the one currently in use
  Services—data about drivers, services, file
  systems, and required components needed
  to load services during bootup, and order in
  which they are called
HKEY_LOCAL_MACHINE\
SYSTEM\Select Subkey

HKLM\SYSTEM\Select subkey values
reference the Control sets:




Default—which one will be used during the
next bootup
Current—which one was used to start
current session
LastKnownGood—which one was used to
boot and successfully log on a user (more
to follow)—select <F8> when booting
Failed—which one was replaced from the
LastKnownGood because of failure to start
The <F8> Selection Menu (screenshot)
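The CurrentControlSet link exists only in the running registry. A SYSTEM hive file copied out of \%systemroot%\System32\config (for repair, or for forensic review of a dead machine) contains just the numbered ControlSet00N subkeys, so whoever reads it must follow the Select values the way the loader does. The following is an added example, not code from the deck or from any Microsoft tool; the Select values and the paths in it are constructed for the demonstration.

```python
"""Resolve CurrentControlSet for an offline SYSTEM hive.

In the running registry HKLM\SYSTEM\CurrentControlSet is a link into one of
the numbered ControlSet00N subkeys, chosen by the REG_DWORD values under
HKLM\SYSTEM\Select.  A copied SYSTEM hive has no such link.

Added example, not code from the deck.  SELECT_NORMAL and SELECT_AFTER_LKG are
constructed values, not taken from a real machine."""


def control_set(number):
    """Select values name a numbered control set: 1 -> ControlSet001.
    0 means 'none' (normal for Failed) and must not be turned into a key name."""
    if number < 1:
        raise ValueError("no control set numbered %d" % number)
    return "ControlSet%03d" % number


def resolve(path, select, use_last_known_good=False):
    """Rewrite a SYSTEM\CurrentControlSet\... path to the numbered control set
    the loader would use: Select\Current normally, Select\LastKnownGood when
    the user picks Last Known Good Configuration from the <F8> menu."""
    number = select["LastKnownGood"] if use_last_known_good else select["Current"]
    target = control_set(number)
    parts = path.split("\\")
    return "\\".join(target if p.lower() == "currentcontrolset" else p for p in parts)


def boot_summary(select):
    """Spell out what the four Select values mean for this hive."""
    summary = {
        "next_boot": control_set(select["Default"]),          # used at the next start
        "running": control_set(select["Current"]),            # used for this session
        "last_known_good": control_set(select["LastKnownGood"]),
        "lkg_fallback_used": select["Failed"] != 0,           # a set was replaced by LKG
    }
    if select["Failed"]:
        summary["failed_set"] = control_set(select["Failed"])
    return summary


# Constructed: typical values after a normal boot
SELECT_NORMAL = {"Default": 1, "Current": 1, "LastKnownGood": 2, "Failed": 0}
# Constructed: after booting with Last Known Good, the set that failed is recorded
SELECT_AFTER_LKG = {"Default": 2, "Current": 2, "LastKnownGood": 2, "Failed": 1}

if __name__ == "__main__":
    p = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    print(resolve(p, SELECT_NORMAL))                             # ControlSet001
    print(resolve(p, SELECT_NORMAL, use_last_known_good=True))   # ControlSet002
    print(boot_summary(SELECT_AFTER_LKG))
```

Offline hive readers get the Select values by reading the REG_DWORDs under HKLM\SYSTEM\Select from the copied file; the functions above take them as plain integers so the same logic works whatever library produced them.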
HKEY_CLASSES_ROOT
(Page 1)

Container for information pertaining to
application associations based on file
extensions and COM object data
Copied from HKLM\SOFTWARE\Classes
subkey
Maintained for backward compatibility and
not strictly required by Windows XP
HKEY_CLASSES_ROOT
(Page 2)

Do not edit contents of this key directly in
the Registry Editor:

To update use either:
1. "File Types" tab of Folder Options in
"Control Panel", or …
2. Select Tools menu  Folder Options…
command in "Windows Explorer"
HKEY_CURRENT_CONFIG
(Page 1)


Container for data that pertains to whatever
hardware profile is currently in use
Links to the:


HKLM\SYSTEM\CurrentControlSet\Hardware
Profiles\Current subkey
Maintained for backward compatibility

Not strictly required by Windows XP
HKEY_CURRENT_CONFIG
(Page 2)

Do not edit directly in the Registry Editor:

To update use Device Manager in "Control
Panel" by selecting either:
1. The Device Manager interface on the
"Hardware" tab of Systems applet, or …
2. The Device Manager node from "Computer
Management" utility in Administrative
Tools

Use the Hardware Profiles interface on
the "Hardware" tab of Systems applet in
"Control Panel" to select a profile
HKEY_CURRENT_USER



Container for profile for whichever user is
currently logged on
Contents are built each time a user logs
on by copying appropriate subkey from the
HKEY_USERS key
Should not be edited directly …


Modify user’s profile through conventional
profile management techniques
Values stored in the \Documents and
Settings\%username% folder
HKEY_USERS
(Page 1)

Contains the profile hives currently loaded:
the default profile, the built-in service
accounts and one subkey per logged-on user
(profiles of users who are not logged on
stay on disk and do not appear here)
Each time system boots builds the key:

Loads a default user profile file, then at
each logon the locally stored copy of either
"Ntuser.dat" or "Ntuser.man" from that user's
profile directory
(\Documents and Settings\%username%)
HKEY_USERS\.Default is the profile used by
the logon screen and by system services (hive
file DEFAULT in \%systemroot%\System32\config);
settings for new users are copied from the
"Default User" profile folder instead
Ntuser.dat (screenshot; Folder Options
“Show hidden files and folders” is on)
HKEY_USERS
(Page 2)

Should not be edited directly

Modify user’s profile through conventional
profile management techniques
To remove user profile from this key, delete
the user account utilizing either “User
Accounts” or “Computer Management”

The latter from Administrative Tools
Subkeys in HKEY_USERS use Windows
Security IDs (SIDs) to identify users, and
not usernames
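Because HKEY_USERS names its subkeys by SID, reading the key (or a listing of it taken during an investigation) means decoding the S-revision-authority-subauthorities form and recognising the built-in accounts. The following is an added example written for this page, not code from the deck: it parses SID strings, maps the well-known service SIDs, picks out the built-in Administrator and Guest RIDs, and recognises the <SID>_Classes subkeys that hold a user's own file associations. HKU_SUBKEYS is a constructed listing; the sub-authority values and RIDs in it are made up.

```python
"""Describe the subkeys of HKEY_USERS from their SID names.

Added example, not code from the deck.  HKU_SUBKEYS is a constructed listing
with made-up sub-authority values."""
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known SIDs whose hives are loaded on every NT-family system
WELL_KNOWN = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}
# Relative IDs that are fixed for every machine or domain
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest"}

# Constructed listing of HKEY_USERS subkeys (sub-authorities made up)
HKU_SUBKEYS = [
    ".DEFAULT",
    "S-1-5-18",
    "S-1-5-19",
    "S-1-5-20",
    "S-1-5-21-1004336348-1177238915-682003330-500",
    "S-1-5-21-1004336348-1177238915-682003330-1003",
    "S-1-5-21-1004336348-1177238915-682003330-1003_Classes",
]


def parse_sid(sid):
    """Split S-R-IA-SA1-...-RID into (revision, identifier authority, [sub-authorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    return int(m.group(1)), int(m.group(2)), [int(x) for x in m.group(3).split("-") if x]


def classify_hku_subkey(name):
    """Return (kind, detail) for one HKEY_USERS subkey name."""
    if name.upper() == ".DEFAULT":
        return "default", "profile used by the logon screen and services"
    base, is_classes = (name[:-8], True) if name.endswith("_Classes") else (name, False)
    if base in WELL_KNOWN:
        kind, detail = "service", WELL_KNOWN[base]
    else:
        _rev, authority, subs = parse_sid(base)
        # Account SIDs: NT authority (5), first sub-authority 21, three machine/domain
        # sub-authorities, then the RID that identifies the account
        if authority == 5 and len(subs) == 5 and subs[0] == 21:
            rid = subs[-1]
            kind, detail = "user", "local/domain account RID %d" % rid
            if rid in WELL_KNOWN_RIDS:
                detail += " (%s)" % WELL_KNOWN_RIDS[rid]
        else:
            kind, detail = "other", "authority %d, sub-authorities %s" % (authority, subs)
    if is_classes:
        detail += "; per-user HKCR overlay (HKCU\\Software\\Classes)"
    return kind, detail


def describe_hku(names):
    """Map every subkey name in a listing to its classification."""
    return {n: classify_hku_subkey(n) for n in names}


if __name__ == "__main__":
    for name, (kind, detail) in describe_hku(HKU_SUBKEYS).items():
        print("%-55s %-8s %s" % (name, kind, detail))
```

On a live system the same function can be fed the output of reg query HKU (one subkey name per line); a SID whose RID is 500 is the built-in Administrator even if the account has been renamed, which is why investigators match on the RID rather than on the username.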
HKEY_DYN_DATA


Appears only on machines with Windows
95 or Windows 98 applications that use
older versions of Plug and Play
Maintained for backward compatibility
Registry Editors

Two tools that can be used to operate on
the Registry directly:


Regedit.exe—a GUI viewer and editor
Reg.exe—a command-line utility
Regedit.exe
(Page 1)

Combines all of keys into a single display
Can be executed from the Start menu 
Run… command

Type "regedit" and click <OK> button
Double-click keys or click [+] and [-]
buttons to open and close nodes
Exercise: close all nodes to the five highest-level keys,
then try searching for the DefaultUserName value entry
Regedit.exe

(Page 2)
Functions include:

Global searching—
1. Select Edit menu  Find… command
2. Use <F3> function key to continue
searching with same search value
Regedit.exe

(Page 3)
Functions include (con.):

Security manipulation (more next slide)—
  Select any key or subkey in Registry
  Select Edit menu  Permissions…
  command
  Set Full Control, Read and/or Special
  Permissions
Protecting the Registry


The Registry should only be edited by a
qualified person
Permissions can be assigned to the hives
and keys within the Registry


Almost identical to assigning permissions
and protecting files and folders on any
NTFS partition
Only privileged groups and users should be
allowed to edit and view the Registry
Reg.exe
(Page 1)

Console Registry tool for Windows XP,
executed as a command-line utility (not
a GUI interface)
Permits users, batch files, or programs
(scripts) to operate on the Registry

The "update" operation seems to have been
eliminated from the Windows XP version
Not as convenient or user-friendly as
Regedit.exe
Reg.exe
(Page 2)

Launch the command prompt …

Start menu  Programs  Accessories 
Command Prompt, or …
Start menu  Run… command, then type
"cmd" and click <OK> button
Type "reg" and press <Enter> key to view
basic documentation

Notice each major key can be abbreviated,
e.g. HKLM is HKEY_LOCAL_MACHINE
Reg.exe
(Page 3)

Use the "reg query" command to view
contents for a specific key or keys
Type "reg query /?" for help on the query
function
Reg.exe
(Page 4)

Format of the query function:
reg query SubKeyName /v ValueName
  Quotes may be needed around the SubKey
  structure if any elements are two or more words
  The "/v" parameter tells Reg.exe to search for
  the specific value entry

Example to view your logon name:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
A Sample Batch File (screenshot)
Exercise: create this file and save it on the Desktop,
then execute it from the Command prompt
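The output of reg query is regular enough to script against, which is what a batch file like the one on the slide would do. The following is an added example written for this page, not the deck's batch file and not Microsoft code: it parses reg query output for the Winlogon key shown above and then checks that key's well-known sibling values AutoAdminLogon and DefaultPassword. Set together they mean a logon password sits in cleartext under HKLM\SOFTWARE, which ordinary users can read by default. SAMPLE_OUTPUT is a constructed transcript (the user name and password in it are made up), and reg.exe is only invoked when it is actually on the PATH.

```python
"""Parse `reg query` output and check the Winlogon key for a cleartext
automatic logon.

Added example; not code from the deck.  SAMPLE_OUTPUT is constructed by hand
and its account name and password are made up."""
import re
import shutil
import subprocess

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Value lines are indented; the first REG_xxx token separates name from data
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

# Constructed: what `reg query "<WINLOGON>"` prints.  The XP version of reg.exe
# starts with a "! REG.EXE VERSION" banner; later versions do not, so the parser
# ignores everything until the first key path line.
SAMPLE_OUTPUT = """! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    DefaultUserName     REG_SZ  Administrator
    DefaultDomainName   REG_SZ  WORKGROUP
    AutoAdminLogon      REG_SZ  1
    DefaultPassword     REG_SZ  P@ssw0rd
    Shell               REG_SZ  Explorer.exe
    ShutdownWithoutLogon        REG_SZ  0
"""


def parse_reg_query(output):
    """Return {key_path: {value_name: (type, data)}} from reg query text.
    Key paths start in column 0; value lines are indented under their key."""
    result, current = {}, None
    for raw in output.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                                   # banner or blank line
        if not raw[0].isspace():
            current = result.setdefault(raw.strip(), {})
            continue
        m = VALUE_RE.match(raw)
        if m and current is not None:
            current[m.group(1)] = (m.group(2), m.group(3).strip())
    return result


def query(key, value=None):
    """Run reg query on a Windows host and parse it.  Raises where reg.exe is absent
    so the caller can fall back to parse_reg_query() on saved output."""
    if shutil.which("reg") is None:
        raise RuntimeError("reg.exe not available; use parse_reg_query on saved output")
    cmd = ["reg", "query", key] + (["/v", value] if value else [])
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return parse_reg_query(proc.stdout)


def autologon_findings(values):
    """Flag AutoAdminLogon=1, and a DefaultPassword value stored beside it.
    (When autologon is set up through the User Accounts dialog the password goes
    into an LSA secret instead; a DefaultPassword registry value means someone
    set it by hand, in cleartext, in a key readable by ordinary users.)"""
    findings = []
    if values.get("AutoAdminLogon", ("", "0"))[1].strip() == "1":
        user = values.get("DefaultUserName", ("", ""))[1]
        findings.append("automatic logon enabled for %r" % user)
        if "DefaultPassword" in values:
            findings.append("DefaultPassword stored in cleartext in the Winlogon key")
    return findings


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_OUTPUT)
    for key, values in parsed.items():
        print(key)
        print("  DefaultUserName =", values["DefaultUserName"][1])
        for f in autologon_findings(values):
            print("  FINDING:", f)
```

With reg.exe present, query(WINLOGON) returns the same structure for the live key, so the findings check can be run directly against a machine instead of a captured transcript.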
Changing the Registry
(Page 1)

Back up all important data on computer
before editing Registry
Make a distinct backup of all or the part of
Registry that will be changed

Saving each key or subkey individually is
recommended
Restart machine before editing Registry

Writes any unsaved values to disk
Changing the Registry
(Page 2)

Perform only a single Registry modification
at a time (test before going on)
Restart immediately after each change

Forces full system compliance with new
settings in Registry
Test changes on nonproduction system
before deploying on critical production
systems
Registry Storage Files
(Page 1)

Static images of the Registry are stored in
\%systemroot%\System32\config and
\%systemroot%\Repair of boot partition
Files do not necessarily match one-to-one
with top-level keys
Large number of files are used for storing
Registry data which are available for
backup or for rollback versions

Files categorized as subkey files, logging
and backup files
Registry Storage Files

(Page 2)
The Registry file extensions:

No extension—the actual storage file itself
(the hive file)
.alt—the backup file for the subkey
  Only HKLM\SYSTEM has a backup file
.log—log files record all successful and
failed changes to Registry
  Verifies all modifications are completed
.sav—copies of original key values after
the text portion of Windows XP installation
Registry Storage Files
(Page 3)

Only two keys outside HKEY_LOCAL_MACHINE
are stored in files of their own:

.DEFAULT subkey of HKEY_USERS key (hive
file DEFAULT in \%systemroot%\System32\config)
HKEY_CURRENT_USER key (Ntuser.dat in the
user's profile directory)
Other keys are built "on the fly" or copied
from subkeys of HKEY_LOCAL_MACHINE
Registry Storage Files
(Page 4)

The ERD (Emergency Repair Disk) no
longer exists in Windows XP …

Copy \%systemroot%\System32\Config and
\%systemroot%\Repair directories to create
a custom ERD (more to follow in section
on backup and recovery)
Registry Fault Tolerance
(Page 1)

If the Registry becomes corrupted or is
destroyed, Windows XP cannot function
or even start
Fault tolerance of Registry is sustained by
its structure …

Uses an "all or nothing" approach
If change is interrupted, desired change is
not implemented and the Registry remains
in its previous state
  Interrupted due to power failure, hardware
  failure, too little CPU time, etc.
Registry Fault Tolerance
(Page 2)

Memory residence also supports fault
tolerance--changes to the registry are made
in RAM
Become permanent when key values are
written to disk; occurs:

During a process known as a flush,
At system shutdown
When forced by an application
Occasionally just after a Registry alteration
Registry Fault Tolerance
(Page 3)

Fault tolerance also built-in through the use
of Transaction logs …

Alterations are written first to appropriate log
If the system fails before flush is complete,
original state of the key can be recovered
from log and stored to Registry in RAM
The flush operation for the HKLM\SYSTEM
key uses the backup file (System.alt) to
store the changes until update is complete

Then updates the backup as well
Backing Up the Registry
(Page 1)

Important to backup the Registry in one of
several ways
Use Windows XP Backup tool or some
other third party backup utility

Usually involves selecting a "Backup the
Registry" or "System State" checkbox
Manually make copies of the files in the
\%systemroot%\System32\config and
\%systemroot%\Repair folders

For creating the custom ERD
Exercise: back up the HKLM\SOFTWARE subkey
Backing Up the Registry
(Page 2)

Use the tools in the "Microsoft Windows
XP Professional Resource Kit"
Launch Regedit.exe to backup all or part
of the Registry
1. Select a root key or subkey
2. From File menu  Export… command
3. Make sure the Selected Branch radio
button in "Export Range" group is selected
4. Enter filename and select path, then click
the <Save> button
Restoring the Registry
(Page 1)

First Windows XP uses its automatic fault-tolerance
mechanisms to maintain a functional Registry
Otherwise access the boot option by
pressing <F8> and select Last Known
Good Configuration (LKGC)

The most recent settings that worked
Any changes made since the LKGC was
stored will be lost
Restoring the Registry
(Page 2)

If the LKGC fails:

Use backup software such as UltraBac
(www.ultrabac.com) to restore Registry files
Reinstall Windows XP, either fully or as an
upgrade, the latter of which may replace
the part of the Registry causing problem
If system boots but is not functioning the
way it should, use your Registry backup

Same tool used to create the backup
Exercise: before beginning, modify the "LegalNoticeText" value entry in the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system subkey
Restoring the Registry
(Page 3)

Use the Import tool if Regedit.exe export
command was used to create backup:
1. From File menu  Import… command
2. Select the file
3. Click the <Open> button
4. Wait until message indicates the import
was successful and click the <OK> button

May be full Registry or subset of subkeys
The backup .reg file can be executed
directly without launching Regedit
Windows XP Professional
Resource Kit Registry Tools


(Page 1)
Tools that are separate from Windows XP
Professional operating system that can be
used to manipulate the Registry
Purchased from Microsoft as well as most
software or book vendors
Windows XP Professional
Resource Kit Registry Tools

(Page 2)
Key utilities:



Regdump.exe—command-line tool used to
dump all or part of Registry to a file
Regfind.exe—command-line tool used to
search for keys, value names, or data
values based on keywords
Compreg.exe—GUI tool used to compare
Registry keys and highlight differences
Windows XP Professional
Resource Kit Registry Tools

(Page 3)
Key utilities (con.):




Regini.exe—command-line scripting tool to
add keys to Registry
Regback.exe—command-line scripting tool
to back up keys
Regrest.exe—command-line scripting tool
to restore keys
Scanreg.exe—GUI tool used to search for
keys, value names, or data values based
on keywords