Section 13.5. Hives

You can think of HKEY_USERS and HKEY_LOCAL_MACHINE as the only true root keys, because the Registry's three other root keys are simply symbolic links, or mirrors, of different portions of these two. This means that these two branches are the only ones that actually need to be stored on your hard disk, and this is where hives come into play.

For every branch in HKEY_LOCAL_MACHINE, a corresponding hive file is stored in your \Windows\System32\config folder. For example, HKEY_LOCAL_MACHINE\Software is stored in a file called software (no filename extension). Because new branches can be added to HKEY_LOCAL_MACHINE, new hives can be generated at any time. Most systems will have the following hives: sam, security, software, components, and system.

Not all Registry data is stored on your hard disk, however. Some keys are dynamic, in that they are held only in memory and are forgotten when you shut down. An example of a dynamic branch is HKEY_LOCAL_MACHINE\HARDWARE, which is built up each time Windows is started (an artifact of Plug and Play). Only nondynamic branches are stored in hives, so you won't see a hive called hardware.

The branches in HKEY_USERS, one for each configured user, are similarly stored in hives. The hive file for each user is called ntuser.dat, and it is located in \Users\username.
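
The mapping between branches and hive files described above can be read from a running system, because Windows records every loaded hive as a value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist. The following PowerShell is an added example, not part of the original text; the column names (Branch, Storage, File) are chosen here for illustration.

```powershell
# Added example: list each loaded Registry hive and the file that backs it.
# Each value name under "hivelist" is a kernel-style Registry path
# (\REGISTRY\MACHINE\... or \REGISTRY\USER\...); the value data is the
# device path of the hive file, or an empty string for a dynamic branch
# that lives only in memory (such as HARDWARE).
$hiveListPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
$hiveList     = Get-Item -LiteralPath $hiveListPath

$rows = foreach ($name in $hiveList.GetValueNames()) {
    $file = [string]$hiveList.GetValue($name)

    # Translate the kernel-style path into the root-key names used by
    # Registry Editor. Paths outside these two roots are left as they are.
    $branch = $name -replace '^\\REGISTRY\\MACHINE', 'HKEY_LOCAL_MACHINE' `
                    -replace '^\\REGISTRY\\USER',    'HKEY_USERS'

    # An empty file path means the branch is rebuilt at startup and is
    # never written to disk.
    $storage = if ($file) { 'hive file' } else { 'memory only (dynamic)' }

    [pscustomobject]@{
        Branch  = $branch
        Storage = $storage
        File    = $file
    }
}

$rows | Sort-Object Branch | Format-Table -AutoSize -Wrap
```

The File column shows device paths (for example, a path beginning with \Device\HarddiskVolume followed by a volume number) rather than drive letters; the remainder of each path corresponds to the \Windows\System32\config and \Users\username locations given above.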

Knowing which files comprise the Registry is important only for backup and emergency recovery procedures (see "Backing Up the Registry," next) and for troubleshooting (and so that you don't accidentally delete them). The storage mechanism is quite transparent to the Registry Editor and the applications that use the Registry; there's no reason to ever edit the hive files directly. If you want to migrate a key or a collection of keys from one computer to another, don't even think about trying to copy the hive files. Instead, use Registry patches, discussed later in this chapter.
