Understanding the Structure of the Registry


Before you begin browsing or editing the registry, it's good to know a bit about how this database is built. Figure 22-19 shows a portion of a system's registry, as seen through Registry Editor, the registry editor supplied with Windows 7. As shown in the figure, the registry consists of the following five root keys: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_CURRENT_CONFIG. For simplicity's sake and typographical convenience, this book, like many others, abbreviates the root key names as HKCR, HKCU, HKLM, HKU, and HKCC, respectively.

Root keys, sometimes called predefined keys, contain subkeys. Registry Editor displays this structure as an outline. In Figure 22-19, for example, HKCU has been opened to show the top-level subkeys: AppEvents, Console, Control Panel, Environment, EUDC, Identities, Keyboard Layout, Network, Printers, Software, System, and Volatile Environment. A root key and its subkeys can be described as a path, like this: HKCU\Console. Root keys and their subkeys appear in the left pane in Registry Editor.

[Figure 22-19: Registry Editor, open at Computer\HKEY_CURRENT_USER\Console. The left pane shows the five root keys (HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG) with HKEY_CURRENT_USER expanded to its subkeys; the right pane lists Name, Type, and Data columns: (Default) REG_SZ (value not set), ColorTable00 through ColorTable15 as REG_DWORD values such as 0x00000000 (0) and 0x00ffffff (16777215), and CursorSize REG_DWORD 0x00000019 (25).]

Figure 22-19 The registry consists of five root keys, each of which contains many subkeys .

The registry is the work of many hands, and capitalization and word spacing are not always consistent. With readability as our goal, we have made our own capitalization decisions for this book, and our treatment of names frequently differs from what you see in Registry Editor. No matter. Capitalization is irrelevant. Spelling and spacing must be correct, however.

Subkeys, which we call keys for short, can contain subkeys of their own. Whether they do or not, they always contain at least one value. In Registry Editor, that obligatory value is known as the default value. Many keys have additional values. The names, data types, and data associated with values appear in the right pane. As Figure 22-19 shows, the HKCU\Console key has many values—ColorTable00, ColorTable01, and so on.

The default value for many keys—including HKCU\Console—is not defined. You can therefore think of an empty default value as a placeholder—a slot that could hold data but currently does not.

All values other than the default always include the following three components: name, data type, and data. As Figure 22-19 shows, the ColorTable00 value of HKCU\Console is of data type REG_DWORD. The data associated with this value (on the system used for this figure) is 0x00000000. (The prefix 0x denotes a hexadecimal value. Registry Editor displays the decimal equivalent of hexadecimal values in parentheses after the value.)
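As an added example (not code from the book), the following PowerShell script walks the structure described above: it expands the book's root-key abbreviations into paths the Registry provider accepts, lists the top-level subkeys of HKCU as the left pane does, and lists a key's values with the same Name, Type and Data columns as the right pane, including the synthetic (Default) entry and Registry Editor's hex-with-decimal rendering of REG_DWORD data. It assumes Windows PowerShell 5.1 or later; the function names are my own.

```powershell
# Added example, not code from the book: walk the registry the way Registry
# Editor presents it (root key -> subkeys -> values with name, type, data).

# The book's abbreviations mapped to the full root key names.
$RootNames = @{
    HKCR = 'HKEY_CLASSES_ROOT'
    HKCU = 'HKEY_CURRENT_USER'
    HKLM = 'HKEY_LOCAL_MACHINE'
    HKU  = 'HKEY_USERS'
    HKCC = 'HKEY_CURRENT_CONFIG'
}

# .NET RegistryValueKind names mapped to the type names Registry Editor shows.
$RegTypeNames = @{
    String = 'REG_SZ';   ExpandString = 'REG_EXPAND_SZ'; Binary = 'REG_BINARY'
    DWord  = 'REG_DWORD'; MultiString = 'REG_MULTI_SZ';  QWord  = 'REG_QWORD'
}

# Turn a book-style path such as 'HKCU\Console' into a Registry provider
# path ('Registry::HKEY_CURRENT_USER\Console'). Hypothetical helper name.
function ConvertTo-ProviderPath {
    param([Parameter(Mandatory)][string]$Path)
    $root, $rest = $Path -split '\\', 2
    if (-not $RootNames.ContainsKey($root)) { throw "Unknown root key abbreviation: $root" }
    $full = 'Registry::' + $RootNames[$root]
    if ($rest) { $full += '\' + $rest }
    return $full
}

# Render data the way the right pane does: DWORD/QWORD as hex with the
# decimal equivalent in parentheses, binary as hex bytes, strings as-is.
function Format-RegData([object]$Data, [string]$Kind) {
    switch ($Kind) {
        'DWord'       { $u = [uint32]($Data -band 0xFFFFFFFF); '0x{0:x8} ({1})' -f $u, $u }
        'QWord'       { $u = [BitConverter]::ToUInt64([BitConverter]::GetBytes([long]$Data), 0)
                        '0x{0:x16} ({1})' -f $u, $u }
        'Binary'      { ($Data | ForEach-Object { $_.ToString('x2') }) -join ' ' }
        'MultiString' { $Data -join ' ' }
        default       { [string]$Data }
    }
}

# List a key's values in Registry Editor's order: (Default) first, then the rest.
function Get-RegValueTable {
    param([Parameter(Mandatory)][string]$Path)
    $key   = Get-Item -LiteralPath (ConvertTo-ProviderPath $Path)
    $names = @($key.GetValueNames())
    # An undefined default value is absent from GetValueNames(); Registry Editor
    # still shows the slot, as "(value not set)".
    if ('' -in $names) {
        $kind = [string]$key.GetValueKind('')
        [pscustomobject]@{ Name = '(Default)'; Type = $RegTypeNames[$kind]
                           Data = Format-RegData ($key.GetValue('')) $kind }
    } else {
        [pscustomobject]@{ Name = '(Default)'; Type = 'REG_SZ'; Data = '(value not set)' }
    }
    foreach ($name in $names | Where-Object { $_ -ne '' } | Sort-Object) {
        $kind = [string]$key.GetValueKind($name)
        $type = if ($RegTypeNames.ContainsKey($kind)) { $RegTypeNames[$kind] } else { "REG_$kind" }
        [pscustomobject]@{
            Name = $name
            Type = $type
            Data = Format-RegData ($key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')) $kind
        }
    }
}

# Top-level subkeys of HKCU, as the left pane shows them.
Get-ChildItem -LiteralPath (ConvertTo-ProviderPath 'HKCU') -Name

# Values of HKCU\Console, as the right pane shows them.
Get-RegValueTable 'HKCU\Console' | Format-Table -AutoSize
```

Because DWORD data comes back from .NET as a signed 32-bit integer, the script masks it to an unsigned value before formatting; otherwise a value such as 0xffffffff would print as -1 instead of the 0xffffffff (4294967295) that Registry Editor shows.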

A key with all its subkeys and values is commonly called a hive. The registry is stored on disk as several separate hive files. The appropriate hive files are read into memory when the operating system starts (or when a new user logs on) and assembled into the registry. You can see where the hives of your system physically live by examining the values associated with HKLM\System\CurrentControlSet\Control\HiveList. Figure 22-20 shows the HiveList key for one of the systems used for this book.

[Figure 22-20: Registry Editor, open at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist. The right pane lists REG_SZ values named \REGISTRY\MACHINE\BCD00000000, \REGISTRY\MACHINE\HARDWARE (no data), \REGISTRY\MACHINE\SAM, \REGISTRY\MACHINE\SECURITY, \REGISTRY\MACHINE\SOFTWARE, \REGISTRY\MACHINE\SYSTEM, \REGISTRY\USER\.DEFAULT, \REGISTRY\USER\S-1-5-19, \REGISTRY\USER\S-1-5-20, and two \Registry\User\S-1-5-21-2357950033-22527... entries, each holding a \Device\HarddiskVolume1\... path (truncated in the screenshot).]

Figure 22-20 You can find the names and locations of the files that make up your registry in HKLM\System\CurrentControlSet\Control\HiveList.

Notice that one hive, \Registry\Machine\Hardware, has no associated disk file. This hive, which records your hardware configuration, is completely volatile; that is, Windows 7 creates it anew each time you turn your system on. Notice also the path specifications for the remaining hive files. Windows assigns drive letters after assembling the registry, so these paths do not specify drive letters.
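As an added example (not code from the book), this PowerShell script reads the HiveList key discussed above, flags the hive that has no backing file, and translates the driveless \Device\HarddiskVolumeN paths into drive-letter paths by asking Windows which device each letter was assigned to, so that each hive file can be located and its presence on disk confirmed. That translation is useful when you need to know exactly which files hold the registry (for example, when backing up or acquiring hives for analysis). It assumes Windows PowerShell 5.1 or later and uses the kernel32 QueryDosDevice function; the PowerShell function names are my own.

```powershell
# Added example, not code from the book: map each hive in HiveList to the
# file behind it, resolving the NT device path to a drive letter.

# QueryDosDevice returns the NT device name (\Device\HarddiskVolumeN) behind
# a drive letter. Guarded so re-running the script in one session does not
# try to define the type twice.
if (-not ('Win32.Kernel32' -as [type])) {
    Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@
}

# NT device name -> drive letter, for every drive that currently has a letter.
function Get-VolumeLetterMap {
    $map    = @{}
    $buffer = New-Object System.Text.StringBuilder 1024
    foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
        $letter = $drive.Name.TrimEnd('\')            # 'C:\' -> 'C:'
        $null = $buffer.Clear()
        if ([Win32.Kernel32]::QueryDosDevice($letter, $buffer, $buffer.Capacity) -gt 0) {
            $map[$buffer.ToString()] = $letter         # e.g. '\Device\HarddiskVolume3' -> 'C:'
        }
    }
    return $map
}

# One row per hive: the NT path HiveList stores, the Win32 path it maps to
# today, and whether that file is present.
function Get-HiveFiles {
    $hiveList = Get-Item -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist'
    $letters  = Get-VolumeLetterMap
    foreach ($hive in $hiveList.GetValueNames() | Where-Object { $_ -ne '' }) {
        $ntPath = [string]$hiveList.GetValue($hive)
        if ($ntPath -eq '') {
            # No file at all: the hive is volatile and rebuilt at every boot (HARDWARE).
            [pscustomobject]@{ Hive = $hive; NtPath = '(none: volatile)'; Win32Path = $null; OnDisk = $null }
            continue
        }
        # Swap the \Device\HarddiskVolumeN prefix for the letter Windows assigned later in boot.
        $win32 = $null
        foreach ($dev in $letters.Keys) {
            if ($ntPath.StartsWith($dev + '\', [StringComparison]::OrdinalIgnoreCase)) {
                $win32 = $letters[$dev] + $ntPath.Substring($dev.Length)
                break
            }
        }
        [pscustomobject]@{
            Hive      = $hive
            NtPath    = $ntPath
            # A volume with no drive letter (for example a boot partition) stays unresolved.
            Win32Path = if ($win32) { $win32 } else { '(volume has no drive letter)' }
            OnDisk    = if ($win32) { Test-Path -LiteralPath $win32 } else { $null }
        }
    }
}

Get-HiveFiles | Format-Table -AutoSize
```

Expect the HARDWARE hive to show no path at all, and expect some entries (such as a BCD hive on a partition that has no drive letter) to resolve to an NT path only; that is exactly the situation the text describes, since HiveList records device paths, not drive letters.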

Two predefined keys—HKCR and HKCU—are not shown in the HiveList key at all. Like the file system in Windows—which uses junctions, symlinks, and other trickery to display a virtual namespace—the registry uses a bit of misdirection (implemented with the REG_LINK data type) to create these keys . Both are representations of keys actually stored within HKLM and HKU:

• HKCR is merged from keys within HKLM\Software\Classes and HKU\sid_Classes (where sid is the security identifier of the currently logged-on user).

You can view or edit the registry's actual locations or its virtual keys; the results are identical. The HKCR and HKCU keys are generally more convenient to use.
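As an added example (not code from the book), this PowerShell script checks the relationship just described: it compares the immediate subkeys of HKCR with the union of HKLM\Software\Classes and HKU\sid_Classes, compares HKCU with the logged-on user's branch of HKU (the key HKCU represents), and, for a given HKCR subkey, reports which of the two backing locations actually supplies it. It assumes Windows PowerShell 5.1 or later; the function names are my own.

```powershell
# Added example, not code from the book: verify that HKCR and HKCU are views
# of keys stored under HKLM and HKU, and resolve an HKCR key to its source.

$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# The virtual root keys and the real locations they are built from.
$VirtualRoots = @{
    HKCR = 'Registry::HKEY_CLASSES_ROOT'
    HKCU = 'Registry::HKEY_CURRENT_USER'
}
$Backing = @{
    # HKCR is merged from these two locations (machine-wide, then per-user).
    HKCR = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes', "Registry::HKEY_USERS\${sid}_Classes")
    # HKCU is the logged-on user's branch of HKU.
    HKCU = @("Registry::HKEY_USERS\$sid")
}

# Immediate subkey names of a key, or an empty list if the key is absent.
function Get-SubkeyNames([string]$Path) {
    if (Test-Path -LiteralPath $Path) {
        @(Get-ChildItem -LiteralPath $Path -Name -ErrorAction SilentlyContinue)
    } else { @() }
}

# Compare a virtual root's subkeys with the union of its backing keys.
# Registry names are case-insensitive, so the sets ignore case.
function Compare-VirtualKey([string]$Name) {
    $virtual    = Get-SubkeyNames $VirtualRoots[$Name]
    $virtualSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$virtual, [StringComparer]::OrdinalIgnoreCase)
    $backingSet = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($path in $Backing[$Name]) {
        foreach ($subkey in Get-SubkeyNames $path) { $null = $backingSet.Add($subkey) }
    }
    [pscustomobject]@{
        Key            = $Name
        VirtualSubkeys = $virtualSet.Count
        BackingSubkeys = $backingSet.Count
        # Both lists should be empty: every subkey of the virtual key is
        # explained by a backing key, and every backing key shows up in it.
        OnlyInVirtual  = @($virtualSet | Where-Object { -not $backingSet.Contains($_) })
        OnlyInBacking  = @($backingSet | Where-Object { -not $virtualSet.Contains($_) })
    }
}

# Which backing location(s) hold a given HKCR subkey, e.g. '.txt' or 'CLSID'.
function Resolve-HkcrSource([string]$Subkey) {
    foreach ($path in $Backing.HKCR) {
        $candidate = "$path\$Subkey"
        if (Test-Path -LiteralPath $candidate) { $candidate }
    }
}

'HKCR', 'HKCU' | ForEach-Object { Compare-VirtualKey $_ } | Format-List
Resolve-HkcrSource '.txt'
```

Resolving a class registration to its source matters when auditing one: the per-user Classes branch is part of the user's own profile, so a key that HKCR presents as a single entry may come from either the machine-wide or the per-user location, and the two are protected by different permissions.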
