Section 13.1. What's in the Registry

Data in the Registry is stored in individual pieces called values. Every value has a name and is capable of holding one of several types of data. Values are grouped and organized in keys, which are represented by Folder icons in the Registry Editor. Keys can also contain other keys, thereby forming the basis for the hierarchy in the Registry. Like Explorer, the Registry Editor arranges the keys in a collapsible tree structure, allowing you to navigate through the branches to locate a particular key, and hence, all the values contained therein.

Often, in order to view or modify a certain key or value, you must follow a Registry path. A path is merely a series of key names, separated by backslashes (\), used to specify an absolute location in the Registry. For example, to navigate to HKEY_CURRENT_USER\Control Panel\Keyboard, simply expand the HKEY_CURRENT_USER branch by clicking on the right-facing triangle next to it, then expand the Control Panel branch, and finally click on the Keyboard key name to display its contents. The path leading to the currently highlighted key is always shown at the bottom of the Registry Editor window.

It's easy to get confused about keys and values. In fact, value names sometimes appear at the end of a path, although this is mostly a holdover from the early days of the Registry. It's important to realize that only values can contain data, and keys are used only to organize values, just like files and folders in Explorer, respectively. Note that unlike folders in Explorer, keys never appear in the right pane of the Registry Editor window, even though they can contain other keys.

Every key contains a value named (Default). If the default value contains no data, you'll see (value not set), as in Figure 13-1. If a given key contains other values, they will be listed below the default value. To modify the data stored in a value, simply double-click on the value name, or highlight it and select Modify from the Edit menu. To rename a value, which is not the same as changing its data, highlight it and press F2 or right-click it and select Rename.

For example, if I wanted to change the default font used by Notepad, I could navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts, double-click on the ifFaceName value, and use the edit dialog box shown in Figure 13-2 to type the name of a different font to use.

Figure 13-2. Editing a string value to change the default font for Notepad

The data stored in the ifFaceName value is a string of text, which means that ifFaceName is a string value (the most common type). There are six types of values in all, each having a common name and a symbolic name (shown in parentheses in the following list):

String values (REG_SZ)

String values contain strings of characters, more commonly known as text. Most values discussed in this book are string values; they're the easiest to edit and are usually in plain English. In addition to standard strings, there are two far less common string variants, used for special purposes:

Multistring values (REG_MULTI_SZ)

Contain several strings (usually representing a list of some sort), concatenated (glued) together and separated by null characters (ASCII code 00). The dialog used to modify these values is the same as for binary values. Note that the individual characters in REG_MULTI_SZ values are also separated by null characters, so you'll actually see three null characters in a row between multiple strings.

Expandable string values (REG_EXPAND_SZ)

Contain special variables into which Windows substitutes information before delivering the data to the owning application. For example, an expandable string value intended to point to a sound file may contain %SystemRoot%\media\startup.wav. When Windows reads this value from the Registry, it substitutes the full Windows path for the variable, %SystemRoot%; the resulting data then becomes (depending on where Windows is installed) c:\windows\media\startup.wav. This way, the value data is correct regardless of the location of the Windows folder.

Binary values (REG_BINARY)

Similarly to string values, binary values hold strings of characters. The difference is the way the data is entered. Instead of a standard text box, binary data is entered with hexadecimal codes in an interface commonly known as a hex editor. Each individual character is specified by a two-digit number in base 16 (e.g., 6E is 110 in base 10), which allows characters not found on the keyboard to be entered. See Figure 13-3 for an example. Note that you can type hex codes on the left or normal ASCII characters on the right, depending on where you click with the mouse.

Note that hex values stored in binary Registry values are displayed in a somewhat unconventional format, in which the lowest-order digits appear first, followed by the next-higher pair of digits, and so on. In other words, the digits in a binary value are paired and their order reversed: the hex value 1B3 thus needs to be entered as B3 01. If you want to convert a binary value shown in the Registry Editor to decimal, you'll have to reverse this notation. For example, to find the decimal equivalent of 47 00 65 6e, set the Windows Calculator to hexadecimal mode and enter 6e650047, and then switch to decimal mode to display the decimal equivalent, 1,852,112,967.

Binary values are often not represented by plain English and, therefore, should be left unchanged unless you either understand the contents or are instructed to change them by a solution in this book.

Figure 13-3. Binary values are entered differently from the common string values, but the contents are sometimes nearly as readable


DWORD values (REG_DWORD)

Essentially, a DWORD is a number. Often, the contents of a DWORD value are easily understood, such as 0 for no and 1 for yes, or 60 for the number of seconds in some timeout setting. A DWORD value is used only where numerical digits are allowed; string and binary types allow anything.

In some circumstances, the particular number entered into a DWORD value is actually made up of several components, called bytes. The REG_DWORD_BIG_ENDIAN type is a variant of the DWORD type, where the bytes are in a different order. Unless you're a programmer, you'll want to stay away from these types of DWORD values.

The DWORD format, like the binary type, is a hexadecimal number, but this time in a more conventional representation. The leading 0x is a standard programmer's notation for a hex value, and the number is properly read from left to right. The equivalent decimal value is shown in parentheses following the hex value. What's more, when you edit a DWORD value, the edit dialog box gives you a choice of entering the new value in decimal or hex notation.

Even if you're not a programmer, you can figure out hexadecimal values pretty easily with the Windows Calculator (calc.exe; see Chapter 10). Just enter the number you want to convert and click the Hex radio button to see the hexadecimal equivalent; 435 decimal is equal to 1B3 hex.

If you aren't sure about the meaning of a specific Registry value, don't be afraid to experiment. Experimenting might include editing a value with the Registry Editor, but it might be easier or safer to work from the other end: open the application whose data is stored there (e.g., a Control Panel applet), change a setting, and watch how the Registry data changes. In this way, you can derive the meaning of many binary-encoded values. Note that although the Registry data will often change immediately, you may need to press F5 (Refresh) to force the Registry Editor to display the newly affected data. It's a good idea, though, to make a backup copy of a Registry key before making any changes. See "Adding and Deleting Registry Keys and Values" and "Exporting and Importing Registry Data with Patches," later in this chapter, for details.


QWORD values (REG_QWORD)

This is much like a DWORD value, with one difference: it is a 64-bit value, rather than a 32-bit value like DWORD.
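The storage rules described for the value types above (null-separated multistrings, variable expansion, the reversed byte order of numbers), shown as an added example that is not code from the book: a Python decoder that turns the raw bytes of a value, as a hex editor or an offline hive parser shows them, into readable data. The type codes are the Windows SDK constants; the function names and sample bytes are constructed for this illustration, and text is assumed to be stored as UTF-16LE.

```python
import re

# Value type codes from the Windows SDK (winnt.h).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ, REG_QWORD = 5, 7, 11


def utf16(raw):
    """Registry text is UTF-16LE: two bytes per character, so plain ASCII
    text shows a 00 byte after every letter. Drop a stray odd byte."""
    return raw[:len(raw) & ~1].decode("utf-16-le", errors="replace")


def expand(text, env):
    """Replace %NAME% from env (names are case-insensitive); unknown
    variables are left as they are."""
    lookup = {name.upper(): value for name, value in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), text)


def decode_value(value_type, raw, env=None):
    """Turn the raw bytes of one value into str, list, int or bytes."""
    if value_type in (REG_SZ, REG_EXPAND_SZ):
        text = utf16(raw).split("\x00", 1)[0]  # terminator may be missing
        return expand(text, env or {}) if value_type == REG_EXPAND_SZ else text
    if value_type == REG_MULTI_SZ:
        items = utf16(raw).split("\x00")       # an empty string ends the list
        return items[:items.index("")] if "" in items else items
    if value_type in (REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_QWORD):
        size = 8 if value_type == REG_QWORD else 4
        if len(raw) != size:
            raise ValueError(f"expected {size} bytes, got {len(raw)}")
        order = "big" if value_type == REG_DWORD_BIG_ENDIAN else "little"
        return int.from_bytes(raw, order)
    if value_type == REG_BINARY:
        return bytes(raw)
    raise ValueError(f"unsupported value type {value_type}")


# Constructed sample data (not taken from a real Registry).
MULTI_RAW = "alpha\0beta\0\0".encode("utf-16-le")
EXPAND_RAW = "%SystemRoot%\\media\\startup.wav\0".encode("utf-16-le")
PAGE_BYTES = bytes.fromhex("47 00 65 6e")      # the byte run used in the text

if __name__ == "__main__":
    print(MULTI_RAW.hex(" "))                  # shows 61 00 00 00 62 between strings
    print(decode_value(REG_MULTI_SZ, MULTI_RAW))
    print(decode_value(REG_EXPAND_SZ, EXPAND_RAW, {"SYSTEMROOT": r"c:\windows"}))
    print(decode_value(REG_DWORD, PAGE_BYTES))
    print(hex(decode_value(REG_DWORD_BIG_ENDIAN, PAGE_BYTES)))
```

The same four bytes give a different number under REG_DWORD and REG_DWORD_BIG_ENDIAN, which is why the value type has to be known before a number read from raw data can be trusted.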

In addition to editing values, you can create new ones. For example, to create a new DWORD value, highlight a key for which you want to create a new value, and then in the Registry Editor choose Edit → New → DWORD Value. This brings up a very important point: a Registry entry is superfluous unless a program actually reads it. You can enter new keys and values all you like, with the only consequence being that you've bloated your Registry. (Note that there are sometimes undocumented Registry values that are meaningful to a program but that are not normally present; adding them to the Registry can make useful changes; see Windows Vista Annoyances by David Karp [O'Reilly] for several examples.) The chief concern is in deleting or modifying existing entries; the odds of randomly creating a value that an application might be looking for are extremely small.

You can take advantage of this fact by occasionally leaving yourself notes in new Registry values. For example, before modifying a value, you might place a backup of its data in a new value in the same key. The application will ignore it, and it may come in handy to have a record of the original value!

A final note: any changes you make in the Registry Editor are saved automatically and immediately; there's no "undo" command in the Registry Editor, and the automatic Registry backups made by Windows are of little use when small changes are made. The saving grace is the use of Registry patches, discussed later in this chapter.
