Lesson 2: Editing the Registry

Lesson 2:?Editing the Registry

Microsoft Windows XP Professional stores hardware and software settings centrally in a hierarchical database called the registry. The registry replaces many of the .ini, .sys, and .com configuration files used in earlier versions of Microsoft Windows. The registry controls the Windows XP Professional operating system by providing the appropriate initialization information to boot Windows XP Professional, to start applications, and to load components, such as device drivers and network protocols.

Most users of Windows XP Professional never need to access the registry. However, management of the registry is an important part of the system administrator's job and includes viewing, editing, backing up, and restoring the registry. You use Registry Editor to view and change the registry configuration.


After this lesson, you will be able to

  • Identify the purpose of the registry
  • Define the hierarchical structure of the registry
  • View and edit the registry with Registry Editor

Estimated lesson time: 60 minutes


Understanding the Registry

The registry contains a variety of different types of data, including the following:

  • The hardware installed on the computer, including the central processing unit (CPU), bus type, pointing device or mouse, and keyboard.
  • Installed device drivers.
  • Installed applications.
  • Installed network protocols.
  • Network adapter card settings. Examples include the interrupt request (IRQ) number, memory base address, I/O port base address, I/O channel ready, and transceiver type.

The registry structure provides a secure set of records. The data in the registry is read, updated, or modified by many of the Windows XP Professional components.

Table 18.6 describes some of the components that access and store data in the registry.

Table 18.6??Components That Use the Registry

Reviewing the Hierarchical Structure of the Registry

The registry is organized in a hierarchical structure similar to the hierarchical structure of folders and files on a disk. Figure 18.2 shows the hierarchical structure of the registry as displayed by the Registry Editor.

Figure 18.2??Registry Editor displays the hierarchical structure of the registry

Table 18.7 describes the components that make up the hierarchical structure of the registry.

Table 18.7??Components That Make Up the Registry

Component Description

Subtree

A subtree (or subtree key) is analogous to the root folder of a disk. The Windows XP Professional registry has two subtrees: HKEY_LOCAL_MACHINE and HKEY_USERS. However, to make the information in the registry easier to find and view, there are five predefined subtrees that can be seen in the editor:

HKEY_CLASSES_ROOT HKEY_CURRENT_USER HKEY_LOCAL_MACHINE HKEY_USERS HKEY_CURRENT_CONFIG

Keys

Keys are analogous to folders and subfolders. Keys correspond to hardware or software objects and groups of objects. Subkeys are keys within higher level keys.

Entries

Keys contain one or more entries. An entry has three parts: name, data type, and value (data or configuration parameter).

Hive

A hive is a discrete body of keys, subkeys, and entries. Each hive has a corresponding registry file and .log file located in %systemroot%\ System32\Config. Windows XP Professional uses the .log file to record changes and ensure the integrity of the registry.

Data types

Each entry's value is expressed as one of these data types:

REG_SZ (String value). One value; Windows XP Professional interprets it as a string to store.

REG_BINARY (Binary value). One value; it must be a string of hexadecimal digits. Windows XP Professional interprets each pair as a byte value.

REG_DWORD (DWORD value). One value; must be a string of 1-8 hexadecimal digits.

REG_MULTI_SZ (Multistring value). Multiple values allowed; Windows XP Professional interprets each string as a component of multi_sz separate entries.

REG_EXPAND_SZ (Expandable string value). Similar to REG_SZ, except the text can contain a replaceable variable; for example, in the string %systemroot% \NTVDM.EXE, Windows XP Professional replaces the systemroot environmental variable with the path to the Windows XP Professional System32 folder.

REG_FULL_RESOURCE_DESCRIPTOR. Stores a resource list for hardware components or drivers. You cannot add or modify an entry with this data type.

Registry Subtrees

Understanding the purpose of each subtree can help you locate specific keys and values in the registry. The following five subtrees or subtree keys are displayed in the Registry Editor (see Figure 18.2):

  • HKEY_LOCAL_MACHINE.??Contains all configuration data for the local computer, including hardware and operating system data such as bus type, system memory, device drivers, and startup control data. Applications, device drivers, and the operating system use this data to set the computer configuration. The data in this subtree remains constant regardless of the user.
  • HKEY_USERS.??Contains two subkeys:
    • DEFAULT.??Contains the system default settings (system default profile) used to display the Ctrl+Alt+Delete logon screen, and the security identifier (SID) of the current user.
    • HKEY_CURRENT_USER.??Is a child of HKEY_USERS.
  • HKEY_CURRENT_USER.??Contains data about the current user. Retrieves a copy of each user account used to log on to the computer from the NTUSER.DAT file and stores it in the %systemroot%\Profiles\username key. This subkey points to the same data contained in HKEY_USERS\SID_currently_logged_on_user. This subtree takes precedence over HKEY_LOCAL_MACHINE for duplicated values.
  • HKEY_CLASSES_ROOT.??Contains software configuration data: object linking and embedding (OLE) and file-class association data. This subtree points to the Classes subkey under HKEY_LOCAL_MACHINE\SOFTWARE.
  • HKEY_CURRENT_CONFIG.??Contains data on the active hardware profile extracted from the SOFTWARE and SYSTEM hives. This information is used to configure settings such as the device drivers to load and the display resolution to use.

The HKEY_LOCAL_MACHINE Subtree

HKEY_LOCAL_MACHINE provides a good example of the subtrees in the registry for two reasons:

  • The structure of all subtrees is similar.
  • HKEY_LOCAL_MACHINE contains information specific to the local computer and is always the same, regardless of the user who is logged on.

The HKEY_LOCAL_MACHINE root key has five subkeys, which are explained in Table 18.8.

Table 18.8??HKEY_LOCAL_MACHINE Subkeys

Subkey Description

HARDWARE

The type and state of physical devices attached to the computer. This subkey is volatile, meaning that Windows XP Professional builds it from information gathered during startup. Because the values for this subkey are volatile, it does not map to a file on the disk. Applications query this subkey to determine the type and state of physical devices attached to the computer.

SAM

The directory database for the computer. The SAM hive maps to the SAM and SAM.LOG files in the %systemroot% \System32\Config directory. Applications that query SAM must use the appropriate application programming interfaces (APIs). This hive is a pointer to the same one accessible under HKEY_LOCAL_MACHINE\ SECURITY\SAM.

SECURITY

The security information for the local computer. The SECURITY hive maps to the Security and SECURITY.LOG files in the %systemroot%\System32\Config directory.

Applications cannot modify the keys contained in the SECURITY subkey. Instead, applications must query security information by using the security APIs.

SOFTWARE

Information about the local computer software that is independent of per-user configuration information. This hive maps to the Software and SOFTWARE.LOG files in the %systemroot%\System32\Config directory. It also contains file associations and OLE information.

SYSTEM

Information about system devices and services. When you install or configure device drivers or services, they add or modify information under this hive. The SYSTEM hive maps to the System and SYSTEM.LOG files in the %systemroot% \System32\Config directory. The registry keeps a backup of the data in the SYSTEM hive in the SYSTEM.ALT file.

Control Sets

A typical Windows XP Professional installation contains the following control set subkeys: Clone, ControlSet001, ControlSet002, and CurrentControlSet. Control sets are stored as subkeys of the registry key HKEY_LOCAL_MACHINE\SYSTEM (see Figure 18.3). The registry might contain several control sets, depending on how often you change or have problems with system settings.

Figure 18.3??Registry Editor displaying the control sets

The CurrentControlSet subkey is a pointer to one of the ControlSet00x keys. The Clone control set is a clone of the control set used to initialize the computer (either Default or LastKnownGood), and is created by the kernel initialization process each time you start your computer. The Clone control set is not available after you log on.

To better understand control sets, you should know about the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\Select. The entries contained in this subkey include the following:

  • Current.??Identifies which control set is the CurrentControlSet. When you use Control Panel options or the Registry Editor to change the registry, you modify information in the CurrentControlSet.
  • Default.??Identifies the control set to use the next time Windows XP Professional starts, unless you select the LastKnownGood configuration. Default and Current typically contain the same control set number.
  • Failed.??Identifies the control set that was designated as failed the last time the computer was started using the LastKnownGood control set.
  • LastKnownGood.??Identifies a copy of the control set that was used the last time the computer started Windows XP Professional successfully. After a successful logon, the Clone control set is copied to the LastKnownGood control set.

Each of these entries in HKEY_LOCAL_MACHINE\SYSTEM\Select takes a REG_DWORD data type, and the value for each entry refers to a specific control set. For example, if the value for the Current entry is set to 0x1, the CurrentControlSet points to ControlSet001. Similarly, if the value for the LastKnownGood entry is set to 0x2, the LastKnownGood control set points to ControlSet002.

Using the Registry Editor

Setup installs Registry Editor (REGEDT32.EXE) in the %systemroot%\System32 directory during installation. However, because most users do not need to use Registry Editor, it does not appear on the Start menu. You start Registry Editor by selecting Run on the Start menu.

Although Registry Editor allows you to perform manual edits on the registry, it is intended for troubleshooting and problem resolution. You should make most configuration changes through either Control Panel or Administrative Tools. However, some configuration settings can only be made directly through the registry.

Using Registry Editor incorrectly can cause serious, system-wide problems that could require reinstallation of Windows XP Professional. When using Registry Editor to view or edit data, use a program such as Windows Backup to save a backup copy of the registry file before viewing. In Windows XP Professional, you can use Backup to back up the System State, which includes the registry, the COM class registration database, and the system boot files.

Registry Editor saves data automatically as you make entries or corrections. New registry data takes effect immediately.

You can select Find Key on the View menu to search the registry for a specific key. Key names appear in the left pane of Registry Editor. The search begins at the currently selected key and parses all descendant keys for the specified key name. The search is local to the subtree in which the search begins. For example, a search for a key in the HKEY_LOCAL_MACHINE subtree does not include keys under HKEY_CURRENT_USER.

Practice:?Using the Registry Editor

In this practice, you use Registry Editor to view the information in the registry. You determine information such as the BIOS, the processor on your computer, and the version of the operating system. You use Registry Editor's Find Key command to search the registry for a specific word with key names. You then modify the registry by adding a value to it, and you save a subtree as a file so that you can use an editor, like Notepad, to search the file.

Exercise 1: Exploring the Registry

In this exercise, you use Registry Editor to view information in the registry.

To view information in the registry

  1. Ensure that you are logged on as Administrator.
  2. Click Start and then click Run.
  3. In the Open text box, type Regedt32 and then click OK.
  4. Maximize the Registry Editor window, and then expand HKEY_LOCAL_MACHINE.
  5. Under HKEY_LOCAL_MACHINE, expand HARDWARE.
  6. Expand DESCRIPTION and then double-click the System subkey.

    What are the SystemBIOSDate and SystemBIOSVersion of your computer?

    What is the computer type of your local machine according to the Identifier entry?

  7. Expand SOFTWARE\Microsoft\Windows NT.
  8. Click CurrentVersion, and then fill in the following information.

Exercise 2: Using the Find Command

In this exercise, you use the Registry Editor's Find command to search the registry to find a specific word in the keys, values, and data in the registry.

To use the find command

  1. Click the HKEY_LOCAL_MACHINE subkey to ensure that the entire subtree is searched.
  2. On the Edit menu, click Find.

    The Registry Editor displays the Find dialog box.

  3. In the Find What text box, type serial, and clear Values and Data.
  4. Click Find Next.

    The Registry Editor locates and highlights the first entry containing serial.

  5. Press F3 to find the next entry containing serial.
  6. Continue pressing F3 until a Registry Editor dialog box appears, indicating that Registry Editor has finished searching the registry.

    Notice that serial appears in many locations in the registry.

  7. Click OK to close the Registry Editor dialog box.

Exercise 3: Modifying the Registry

In this exercise, you add a value to the registry.

To add a value to the registry

  1. Right-click HKEY_CURRENT_USER and then click Expand.
  2. In the left pane of the Registry Editor window, click Environment.

    The values in the Environment key appear in the right pane of the Registry Editor window.

  3. On the Edit menu, click New, and then click String Value.

    The Registry Editor adds A New Value #1 entry in the right pane of the Registry Editor window.

  4. Type Test and then press Enter.
  5. Right-click Test and then click Modify.

    The Registry Editor displays an Edit String dialog box.

  6. In the Value Data text box, type %windir%\system32 and then click OK.

    Test REG_SZ %windir%\ system32 is now an entry in the right pane of the Registry Editor window.

  7. Minimize the Registry Editor window.

To verify the new registry value

  1. Click Start, right-click My Computer, and then click Properties.

    The System Properties dialog box appears.

  2. Click the Advanced tab, and then click Environment Variables.

    The Environment Variables dialog box appears.

    Does the test variable appear in the User Variables For Administrator list?

  3. Close the Environment Variables dialog box, and then close the System Properties dialog box.

Lesson Review

The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."

  1. What is the registry and what does it do?
  2. What is the purpose of the BOOTSECT.DOS file and what happens if it is not present?
  3. What are some of the Windows XP Professional components that use the registry?
  4. How do you access the Registry Editor?
  5. Why should you make most of your configuration changes through either Control Panel or Administrative Tools rather than by editing the registry directly with the Registry Editor?

Lesson Summary

  • Windows XP Professional stores hardware and software settings in the registry, a hierarchical database that replaces many of the .ini, .sys, and .com configuration files used in earlier versions of Windows.
  • The registry provides the appropriate initialization information to boot Windows XP Professional, to start applications, and to load components, such as device drivers and network protocols.
  • The registry structure provides a secure set of records that can be read, updated, or modified by many of the Windows XP Professional components.
  • The registry has two subtrees: HKEY_LOCAL_MACHINE and HKEY_USERS.
  • The Registry Editor (REGEDT32.EXE) allows you to view and change the registry.
  • The Registry Editor is primarily intended for troubleshooting. For most configuration changes, you should use either Control Panel or Administrative Tools, not Registry Editor.