
The Registry and its Editors

PCQ Bureau

The Windows 9x/NT/2000/ME System Registry is a complex, unified, system wide, continually-referenced-during-operation database, used for centrally storing, locating, editing, and administering system, software and user configuration information, following a hierarchical structure.


Its role is to replace the text/ASCII based MS-DOS configuration and MS Windows initialization (INI) files, used by the old MS-DOS 3/4/5/6.xx, MS Windows 3.xx and MS Windows for WorkGroups 3.1x releases.

Most data from the MS-DOS configuration files (autoexec.bat and config.sys) and from the Windows system initialization files (control.ini, system.ini, win.ini, etc.) is now contained in the registry, together with most of the other system settings. Most Win32 (32-bit) specific applications store their initialization and configuration data in the registry instead of in INI files. The MS-DOS and INI files are kept only for backward compatibility with older MS-DOS and Win16 (16-bit) based applications.

The Registry is stored in binary data executable format.


The Windows 95/98/Me registration database

This is contained in these five files, with Hidden, Read-only attributes for write-protection purposes, usually located in the %WinDir% folder (default is C:\Windows) in stand-alone single-user environments:

  • System.Dat: stores persistent hardware and software settings related to the system it resides on.

  • User.Dat: stores user specific and software settings. If there is more than one user, then multiple user profiles enable each user to have his own separate USER.DAT file, located in %WinDir%\Profiles\%UserName%. When a user logs on, the Windows OS (down)loads both USER.DAT files: the one from the local machine %WinDir% (global user settings), and the most recent one from the local machine %WinDir%\Profiles\%UserName%, or from the central (host) server if user profiles reside on a network (local user settings).

  • System.Da0 and User.Da0: automatically created backups of SYSTEM.DAT and USER.DAT from the last successful Windows GUI startup. Found only on Windows 95 retail, 95a OSR1, 95B OSR 2.0, 95B OSR 2.1 and 95C OSR 2.5 systems.

  • Classes.Dat: stores persistent data contained in the HKEY_CLASSES_ROOT Hive key, found only on Windows ME systems.

This other file usually resides on the central (host) server in multi-user environments or networks, or in %WinDir% on stand-alone multi-user machines:

  • Policy.Pol: optional, provides additional information specific to the network, and can override certain settings in SYSTEM.DAT and/or USER.DAT, allowing network administrators to control users’ access level to the network.


Windows 98, 98 SE(U), and Me back up the registry automatically upon loading, into compressed CAB files (Microsoft proprietary compression technology), found in the %WinDir%\Sysbckup subfolder (default), and holding 5 (default), up to a maximum of 99 different backup copies, a new one being created on the first successful GUI boot of each new day (the oldest is replaced with the newest). They are named from rb000.cab, rb001.cab, ... up to rb099.cab. Check the date stamp to determine the newest backup set.

Windows 98/ME’s automatic Registry backup is enabled by the command C:\Windows\Scanregw.exe /autorun, found as a String Value called "ScanRegistry" under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

In addition, system.1st (Windows 95, 98 and Me) and classes.1st (Windows Me) are created in the %bootdir% folder (boot drive root directory, usually C:\), a backup of the first Win 95/98/ME SYSTEM.DAT and Windows Me CLASSES.DAT respectively, created at the end of a successful setup. These are Hidden, Read-only files.


The Windows NT/2000 registration database

This is contained in these five files located in the %SystemRoot%\System32\Config folder (default is C:\Winnt\System32\Config):

  • Default: stores the HKEY_USERS\.Default key.

  • Sam: stores the HKEY_LOCAL_MACHINE\Sam key.

  • Security: stores the HKEY_LOCAL_MACHINE\Security key.

  • Software: stores the HKEY_LOCAL_MACHINE\Software key.

  • System: stores the HKEY_LOCAL_MACHINE\System key and the HKEY_CURRENT_CONFIG Hive key.


The file Ntuser.Dat, located in the %SystemRoot%\Profiles\%UserName% folder, stores the HKEY_CURRENT_USER Hive key. These files have automatically created backups from the last known good booting process (successful startup):

  • System.Alt = backup of the SYSTEM file above, and

  • *.Sav = backup of the first Hive key created at the end of a successful text mode setup.

Registry structure


The Registry consists of two basic components:

  1. (Sub)Key: storage container (folder, directory, tree, heading). They organize the registry data in a consistent and hierarchical format. Keys can contain subkeys and values. Each (sub)key’s name is predefined by the system or created by users or Win32 (32-bit) programs, and can contain spaces and most alphanumeric characters. A (sub)key is defined by its complete pathway starting at the root level (main key):

    • HKEY_KEY_NAME: Root Handle/Hive/Main/Parent Key. The Windows 95/98/Me registry contains six root keys under ‘My Computer’ (see further below).

    • HKEY_KEY_NAME\KeyName: Child (Sub)Key.

  2. Value: stores actual registry data created, modified or used by the system, users and Win32 (32-bit) applications to control hardware and software settings. Values (like files) are stored inside (sub)keys (like folders):

"ValueName"=ValueType:ValueData

Value names define data types and are displayed in multiple alphanumeric formats.

There are three basic (simple) registry Value types, valid for all Windows 95, 98, Me, NT, and 2000 releases, and available in both RegEdit and RegEdt32:

  • REG_DWORD (API code 4): Double WORD data of 4 bytes (32 bits) in length, in 3 numeric formats: decimal (base of 10), hexadecimal (base of 16) or binary (base of 2).

  • REG_BINARY (API code 3): data of any length, in two numeric formats: binary (base of 2) or hexadecimal (base of 16).

  • REG_SZ (API code 1): data of any length, in three Unicode or ANSI formats: simple text/ASCII (string), expanded (%string%) or extended (multi-string).

There are several complex (multiple) registry Value types (contain multiple or a list of data types of any length separated and terminated by null characters), valid only for Windows NT and 2000, and available only in RegEdt32:

  • REG_EXPAND_SZ (API code 2): in system variable (%string%) format, stores environment variables within strings, accessed by substituting variables with actual system path names.

  • REG_MULTI_SZ (API code 7): in extended multi-string format, stores multiple strings into a single Registry entry.

  • REG_RESOURCE_LIST (API code 8): device driver list of hardware resources stored under the HKEY_LOCAL_MACHINE\HARDWARE\ResourceMap tree.

  • REG_FULL_RESOURCE_DESCRIPTOR (API code 9): device driver description of hardware resources stored under the HKEY_LOCAL_MACHINE\HARDWARE\HardwareDescription tree.

  • REG_RESOURCE_REQUIREMENTS_LIST (API code 10): device driver list of hardware resource requirements stored under the HKEY_LOCAL_MACHINE\HARDWARE\ResourceMap tree (see table).
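As an added illustration (not part of the original article), the Python code below parses a text registry export in the REGEDIT4 format, where the "ValueName"=ValueType:ValueData notation shows up as quoted strings, `dword:` and `hex(N):` with N being the API code, and then lists the commands registered under Run keys such as the ScanRegistry entry mentioned earlier. The function names and the sample export are constructed for this example, and it assumes that `hex(2)` and `hex(7)` data in a REGEDIT4 file is single-byte ANSI text.

```python
import re

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ"}  # API codes from the table
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
ESCAPE_RE = re.compile(r"\\(.)")  # .reg strings escape \ and " with a backslash

def decode_value(raw):
    """Map the right-hand side of a value line to (type name, decoded data)."""
    if raw.startswith('"'):
        return REG_TYPES[1], ESCAPE_RE.sub(r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return REG_TYPES[4], int(raw[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if not m:
        raise ValueError("unrecognised value data: " + raw)
    code = int(m.group(1), 16) if m.group(1) else 3  # bare "hex:" is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if code in (2, 7):  # assumption: REGEDIT4 exports hold these as ANSI bytes
        parts = [p for p in data.decode("cp1252").split("\0") if p]
        return REG_TYPES[code], parts if code == 7 else "".join(parts)
    return REG_TYPES.get(code, "type %d" % code), data

def parse_reg(text):
    """Parse REGEDIT4 text into {key path: {value name: (type, data)}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued hex lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else ESCAPE_RE.sub(r"\1", m.group(1)[1:-1])
            current[name] = decode_value(m.group(2))
    return keys

def autostart_entries(keys):
    """Return {value name: command} for string values under any CurrentVersion Run key."""
    return {n: d for k, v in keys.items() if k.upper().endswith("\\CURRENTVERSION\\RUN")
            for n, (t, d) in v.items() if t == "REG_SZ"}

SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\Windows\\Scanregw.exe /autorun"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Enabled"=dword:00000001
"Path"=hex(2):25,57,69,6e,44,69,72,25,5c,54,65,6d,70,00
"List"=hex(7):61,00,62,\
  63,00,00
'''  # constructed sample export, not taken from a real machine
```

Calling `autostart_entries(parse_reg(SAMPLE))` gives a quick inventory of what is launched at startup, which can be compared against the entries you expect to find there.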

When you run the Registry Editor, you’ll see the following expandable Registry subtrees, each marked with a plus (+) sign, under the "My Computer" heading (main tree).

To further expand each subtree and view all underlying branches (subkeys), click on the plus (+) signs of the six main Hive keys below.

Typical layout of the Windows 95/98/Me registry



<+> My Computer

  -<+> HKEY_CLASSES_ROOT (HKCR): Software settings, DDE, OLE, drag-n-drop, Win31 backward compatibility, shortcut settings and subkeys for every defined file association, also found at HKEY_LOCAL_MACHINE\SOFTWARE\Classes.

  -<+> HKEY_CURRENT_USER (HKCU): Currently logged on user configuration settings, also found at HKEY_USERS. Subkeys:

    -<+> AppEvents: Assigned system and applications sound events settings.

    -<+> Control Panel: Control Panel settings, similar to those defined in System.ini, Win.ini, and Control.ini in Windows/WfWG 3.xx.

    -<+> Identities: Created and used by MS Outlook Express 4/5 and its Address Book.

    -<+> InstallLocationsMRU (Most Recently Used): Installation and Startup folders paths.

    -<+> Keyboard: Current keyboard layout.

    -<+> Network: Network connection settings.

    -<+> RemoteAccess: Current logon location settings, if using Dial-Up Networking (DUN).

    *-<+> Software: Software configuration settings for the currently logged on user, sorted by vendor or developer.

  -<+> HKEY_LOCAL_MACHINE (HKLM): User independent hardware and software machine specific information: bus type, device drivers, keyboard layout etc. Subkeys:

    -<+> Config: System and software configuration.

    -<+> Drivers: Used by the Device Manager to keep track of active loaded drivers for hardware peripherals like plug-n-play devices, PC cards, PCMCIA etc.

    -<+> Enum: Hardware devices’ information and settings.

    -<+> Hardware: Serial communication port(s)’ information and settings.

    -<+> Network: Information and settings about network(s) the user is currently logged on to.

    -<+> Security: Network security information and settings.

    -<+> SOFTWARE: Software-specific information and settings sorted by developer or vendor.

    *-<+> System: System startup, device driver, and operating system information and settings.

  -<+> HKEY_USERS (HKU): Information about desktop and user specific settings for each user who logs on to the same Windows 9x/Me system. Each user has a separate subkey here. If there is only one user, the only subkey is ".Default".

  -<+> HKEY_CURRENT_CONFIG (HKCC): Information about the current hardware profile used by the local computer at startup, pointing to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

  *-<+> HKEY_DYN_DATA (HKDD): Virtual key (exists only in memory) created every time Windows 9x/Me initializes; dynamic configuration data about installed plug-n-play devices. Changes constantly when hardware devices are added, swapped or removed on-the-fly.

    -<+> Config Manager: Hardware problem codes and status.

    *-<+> PerfStats: System and network performance statistics.

Registry editors

To modify the registry, you need to use a Registry Editor, which would be one of the following:

  • Regedit.exe (Windows 95/98/Me/NT/2000): located in %WinBootDir%,

  • Regedt32.exe (Windows NT/2000): located in %SystemRoot%\System32\Config, or

  • a third-party Registry editing tool like Registrar Lite (freeware).

The Windows 95/98/NT/2000/Me Registry Editor is a tool used to display, search, modify, create, delete, save, import, and export the registry’s (sub)keys and values (see table).

| Value type | API Code | Description |
|---|---|---|
| REG_ERROR | -1 | Error request value |
| REG_NONE | 0 | Null value |
| REG_SZ | 1 | Null terminated Unicode string Value |
| REG_EXPAND_SZ | 2 | Null terminated unexpanded Unicode/ANSI environment string value |
| REG_BINARY | 3 | Binary value of any form/length |
| REG_DWORD | 4 | 32-bit numerical value |
| REG_DWORD_LITTLE_ENDIAN | 4 | 32-bit numerical value |
| REG_DWORD_BIG_ENDIAN | 5 | 32-bit reversed numerical value |
| REG_LINK | 6 | Symbolic Unicode link string value |
| REG_MULTI_SZ | 7 | Array of multiple Unicode strings separated/ended by null characters |
| REG_RESOURCE_LIST | 8 | Device driver list of resources in Resource Map |
| REG_FULL_RESOURCE_DESCRIPTOR | 9 | List of hardware resources in Hardware Description |
| REG_RESOURCE_REQUIREMENTS_LIST | 10 | Device driver list of resource requirements in Resource Map |

You can use either RegEdit’s or RegEdt32’s interface in protected mode Windows environment from within the Windows GUI. Alternatively, you can use REGEDIT’s DOS based (Windows 95/98/ME) command line parameters in real mode MS-DOS from outside Windows.

To learn how to use the regedit.exe available DOS mode switches, run the following from native MS-DOS:

RegEdit.exe versus RegEdt32.exe comparison

| REGEDIT.EXE | REGEDT32.EXE |
|---|---|
| Single window display | Separate Hive Key window display |
| Key and Value level Search | Key level Search only |
| Handles only simple Value types | Handles also complex Value types |
| Only Read and Write mode | Optional Read Only mode |
| No Security mode | Optional Permissions Security mode |
| No Security control | Full Security control |
| Text REG files export and import | Text REG files export only |
| No binary REG files export or import | Binary REG files export and import |
| Creates/renames/deletes only Subkeys | Creates/renames/deletes also Hive Keys |
| Opens at last accessed (Sub)Key level | Opens at Root level only |

Creating a shortcut to the registry editor

To create a RegEdit shortcut, right-click on an empty raised Taskbar spot. Select Properties, click Start Menu>Programs, and click the ‘Add...’ button. Browse to your main Windows folder, double-click on regedit.exe, and click the Next button. Double-click Start Menu>Programs>Accessories>System Tools, click the Next button, and type Registry Editor in the ‘Select name for the shortcut’ box. Click the Finish button.

If you are not familiar with ‘messing around’ with your Registry, don’t attempt to make any changes. However, if you are familiar enough with your system registry’s "innards" and would like to tweak it for maximum performance, but don’t like to modify your registry directly, an alternative is to use one of the free Windows 9x/NT/2000/Me system-cum-registry tweakers. Some of these are:

  • Xteq X-Setup: tweaks more than 700 system or registry settings

  • Microsoft TweakUI 1.33: More information on this is available at http://home.aol.com/AXCEL216/98-3.htm#TWK98

  • DirectControl: tweaks DirectX, video, audio, and 3D settings

  • CacheMan: tweaks disk and file cache settings.

Words of caution

When editing the registry, back up all your hard drives to a safe location before making any system changes (for details on how to do this, go to http://home.aol.com/axcel216/newtip12.htm#regbak). Remember that when you add, delete or modify a registry (sub)key or value using RegEdit, all changes take place instantly, and you aren’t prompted to confirm or save changes before closing the registry editor. Take extreme caution when modifying your system settings, because faulty registry changes may result in computer crashes, lockups, or permanent data loss, and may force you to reinstall the entire operating system. Always have your most recent system backup ready.

Reprinted with permission from http://home.aol.com/AXCEL216/reg.htm
