by March 1, 2001 0 comments

The Windows 9x/NT/2000/ME System Registry is a complex, unified, system wide,
continually-referenced-during-operation database, used for centrally storing,
locating, editing, and administering system, software and user configuration
information, following a hierarchical structure.

Its role is to replace the text/ASCII based MS-DOS configuration and MS
Windows initialization (INI) files, used by the old MS-DOS 3/4/5/6.xx, MS
Windows 3.xx and MS Windows for WorkGroups 3.1x releases.

Most data from the MS-DOS configuration files–autoexec.bat and config.sys,
and from the Windows system initialization files–control.ini, system.ini,
win.ini, etc, is now contained in the registry, together with most of the other
system settings. Most Win 32 (32-bit) specific applications store their
initialization and configuration data into the registry instead of into INI
files. The MS-DOS and INI files are kept only for backward compatibility with
older MS-DOS and Win 16 (16-bit) based applications.

The Registry is stored in binary data executable format.

The Windows 95/98/Me registration database

This is contained in these five files, with Hidden, Read-only attributes for
write-protection purposes, usually located in the %WinDir% folder (default is
C:\Windows) in stand-alone single-user environments:

  • System.Dat: stores
    persistent hardware and software settings related to the system it resides

  • User.Dat: stores user
    specific and software settings. If there is more than one user, then
    multiple user profiles enable each user to have his own separate USER.DAT
    file, located in %WinDir%\Profiles\%UserName%. When a user logs on, the
    Windows OS (down)loads both USER.DAT files–the one from the local machine
    %WinDir% (global user settings), and the most recent one from the local
    machine %WinDir%\ Profiles\%UserName%, or from the central (host) server if
    user profiles reside on a network (local user settings).

  • System.Da0 And User.Da0:
    automatically created backups of SYSTEM.DAT and USER.DAT from the last
    successful Windows GUI startup. Found only on Windows 95 retail, 95a OSR1,
    95B OSR 2.0, 95B OSR 2.1 and 95C OSR 2.5 systems.

  • Classes.Dat: stores
    persistent data contained in the HKEY_CLASSES_ROOT Hive key, found only on
    Windows ME systems.

    This other file usually resides on the central (host) server in multi-user
    environments or networks, or in %WinDir% on stand-alone multi-user machines:

  •  Policy.Pol:
    optional, provides additional information specific to the network, and can
    override certain settings in SYSTEM. DAT and/or USER.DAT, allowing network
    administrators to control users’ access level to the network.

Windows 98, 98 SE(U), and Me back up the registry
automatically upon loading, into compressed CAB files (Microsoft proprietary
compression technology), found in the %WinDir%\Sysbckup subfolder (default), and
holding 5 (default), up to a maximum of 99 different backup copies, a new one
being created on the first successful GUI boot of each new day (the oldest is
replaced with the newest). They are named from,, … up to Check the date stamp to determine the newest backup set.

Windows 98/ME’s automatic Registry backup is enabled by the
command C:\Windows\Scanregw.exe /autorun found as a String Value called “ScanRegistry”
under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsCurrentVersion\Run

In addition, system.1st (Windows 95, 98 and Me) and
classes.1st (Windows Me) are created in the %bootdir% folder (boot drive root
directory, usually C:\), a backup of the first Win 95/98/ME SYSTEM.DAT and
Windows Me CLASSES.DAT respectively, created at the end of a successful setup.
These are Hidden, Read-only files.

The Windows NT/2000 registration database

This is contained in these five files located in the %SystemRoot%\System32\Config
folder (default is C:\Winnt\ System32\Config):

  • Default: stores the HKEY_USERS\.Default

  • Sam: stores the

  • Security: stores the
    HKEY_LOCAL_MACHINE\Security key.

  • Software: stores the
    HKEY_LOCAL_MACHINE\Software key.

  • System: stores the
    HKEY_LOCAL_MACHINE\System key and the HKEY_CURRENT_CONFIG Hive key,

The file, Ntuser.Dat, located in the %SystemRoot%\Profiles\ %UserName%
folder, stores the HKEY_CURRENT_USER Hive key, and their automatically created
backups from the last known good booting process (successful startup):

  • System.Alt = backup of SYSTEM file above, and

  • *.Sav = backup of first Hive key created at the end of a
    successful text mode setup.

Registry structure

The Registry consists of two basic components:

  1. (Sub)Key: storage container (folder, directory, tree,
    heading). They organize the registry data in a consistent and hierarchical
    format. Keys can contain subkeys and values. Each (sub)key’s name is
    predefined by the system or created by users or Win32 (32-bit) programs, and
    can contain spaces and most alphanumeric characters. A (sub)key is defined by
    its complete pathway starting at the root level (main key):
  • HKEY_KEY_NAME: Root Handle/Hive/Main/Parent Key. The
    Windows 95/98/Me registry contains six root keys under ‘My Computer’ (see
    further below).
  • HKEY_KEY_NAME\KeyName: Child (Sub)Key.
  1. Value: stores actual registry data created, modified or
    used by the system, users and Win32 (32-bit) applications to control hardware
    and software settings. Values (like files) are stored inside (sub)keys (like


Value names define data types and are displayed in multiple
alphanumeric formats.

There are three basic (simple) registry Value types, valid
for all Windows 95, 98, Me, NT, and 2000 releases, and available in both RegEdit
and RegEdt32:

  • REG_DWORD [DWORD Value: API code 4]: Double WORD data of
    4 bytes (32 bits) in length, in 3 numeric formats: decimal (base of 10),
    hexadecimal (base of 16) or binary (base of 2).

  • REG_BINARY [Binary Value: API code
    : data of any
    length, in two numeric formats: binary (base of 2) or hexadecimal (base of

  • REG_SZ [String Value: API code
    : data of any length, in
    three Unicode or ANSI formats: simple text/ASCII (string), expanded (%string%)
    or extended (multi-string).

There are several complex (multiple) registry Value types
(contain multiple or a list of data types of any length separated and terminated
by null characters), valid only for Windows NT and 2000, and available only in

  • REG_EXPAND_SZ [Expanded String
    : API code 2]: in
    system variable (%string%) format, stores environment variables within
    strings, accessed by substituting variables with actual system path names.

  • REG_MULTI_SZ [Multiple String Value: API code
    : in
    extended multi-string format, stores multiple strings into a single Registry

  • REG_RESOURCE_LIST [Resource List Value: API code
    device driver list of hardware resources stored under the HKEY_LOCAL_MACHINE\HARDWARE\ResourceMap

  • REG_FULL_RESOURCE_DESCRIPTOR [Resource Descriptor Value:
    API code 9]
    : device driver description of hardware resources stored under the
    HKEY_ LOCAL_MACHINE\HARDWARE\HardwareDescription tree.

    Value: API code 10]
    : device driver list of hardware resource requirements
    stored under the HKEY_LOCAL_MACHINE\HARDWARE\ResourceMap tree. (see table).

When you run the Registry Editor, you’ll see the following
expandable Registry subtrees, each marked with a plus (+) sign, under the
“My Computer” heading (main tree).

To further expand each subtree and view all underlying branches (subkeys), click
on the plus (+) signs of the six main Hive keys below.

Typical layout of the Windows 95/98/Me registry

[+] My Computer

-[+] HKEY_CLASSES_ROOT (HKCR): Software settings, DDE,
OLE, drag-n-drop, Win31 backward compatibility, shortcut settings and
subkeys for every defined file association, also found at HKEY_LOCAL_MACHINE SOFTWARE\Classes.

-[+] HKEY_CURRENT_USER (HKCU): Currently logged on user
configuration settings, also found at HKEY_USERS.


-[+] AppEvents: Assigned system and applications sound
events settings.

-[+] Control Panel: Control Panel settings, similar to
those defined in System.ini, Win.ini, and Control.ini in Windows/WfWG 3.xx.

-[+] Identitites: Created and used by MS Outlook Express
4/5 and its Address Book.

-[+] InstallLocationsMRU (Most Recently Used):

Installation and Startup folders paths.

-[+] Keyboard: Current keyboard layout.

-[+] Network: Network connection settings.

-[+] RemoteAccess: Current logon location settings, if
using Dial-Up Networking (DUN).

*-[+] Software: Software configuration settings for the
currently logged on user, sorted by vendor or developer.

-[+] HKEY_LOCAL_MACHINE (HKLM): User independent hardware
and software machine specific information: bus type, device drivers,
keyboard layout etc. Subkeys:

-[+] Config: System and software configuration.

-[+] Drivers: Used by the Device Manager to keep track of
active loaded drivers for hardware peripherals like plug-n-play devices, PC
cards, PCMCIA etc.

-[+] Enum: Hardware devices’ information and settings.

-[+] Hardware: Serial communication port(s)’
information and settings.

-[+] Network: Information and settings about network(s)
the user is currently logged on to.

-[+] Security: Network security information and settings.

-[+] SOFTWARE: Software-specific information and settings
sorted by developer or vendor.

*-[+] System: System startup, device driver, and
operating system information and settings.

-[+] HKEY_USERS (HKU): Information about desktop and user
specific settings for each user who logs on to the same Windows 9x/Me
system. Each user has a separate subkey here. If there is only one user, the
only subkey is “.Default”.

-[+] HKEY_CURRENT_CONFIG (HKCC): Information about the
current hardware profile used by the local computer at startup, pointing to
HKEY_LOCAL_ MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

*-[+] HKEY_DYN_DATA (HKDD): Virtual key (exists only in
memory) created every time Windows 9x/Me initializes; dynamic configuration
data about installed plug-n-play devices. Changes constantly when hardware
devices are added, swapped or removed on-the-fly.

-[+] Config Manager: Hardware problem codes and status.

*-[+] PerfStats: System and network performance

Registry editors

To modify the registry, you need to use a Registry Editor,
which would be one of the following:

  • Regedit.exe (Windows 95/98/Me/NT/2000): located in

  • Regedt32.exe (Windows NT/2000): located in %System
    Root%\System32\Config, or

  • a third-party Registry editing tool like Registrar Lite

The Windows 95/98/NT/2000/Me Registry Editor is a tool used
to display, search, modify, create, delete, save, import, and export the
registry’s (sub)keys and values (see table).


API Code




Error request value



Null value



Null terminated Unicode string Value



Null terminated unexpanded Unicode/ANSI environment string



Binary value of any form/length



32-bit numerical value



32-bit numerical value



32-bit reversed numerical value



Symbolic Unicode link string value



Array of multiple Unicode strings separated/ended by null



Device driver list of resources in Resource Map



List of hardware resources in Hardware Description



Device driver list of resource requirements in Resource

You can use either RegEdit’s or RegEdt32’s interface in
protected mode Windows environment from within the Windows GUI. Alternatively,
you can use REGEDIT’s DOS based (Windows 95/98/ME) command line parameters in
real mode MS-DOS from outside Windows.

To learn how to use the regedit.exe available DOS mode
switches, run the following from native MS-DOS:

RegEdit.exe versus RegEdt32.exe comparison



Single window display

Separate Hive Key window display

Key and Value level Search

Key level Search only

Handles only simple Value types

Handles also complex Value types

Only Read and Write mode

Optional Read Only mode

No Security mode

Optional Permissions Security mode

No Security control

Full Security control [Win2000 only]

Text REG files export and import

Text REG files export only

No binary REG files export or import

Binary REG files export and import

Creates/renames/deletes only Subkeys

Creates/renames/deletes also Hive Keys

Opens at last accessed (Sub)Key level [WinME only]

Opens at Root level only

Creating a shortcut to the registry editor

To create a RegEdit shortcut, right-click on an empty raised
Taskbar spot. Select Properties, click Start Menu>Programs, and click the ‘Add…’
button. Browse to your main Windows folder, double-click on regedit.exe, and
click the Next button. Double-click Start Menu>Programs> Accessories>
System Tools, click the Next button, and type Registry Editor in the ‘Select
name for the shortcut’ box. Click the Finish button.

If you are not familiar with ‘messing around’ with your
Registry, don’t attempt to make any changes. However, if you are familiar
enough with your system registry’s "innards" and would like to tweak
it for maximum performance, but don’t like to modify your registry directly,
an alternative is to use one of the free Windows 9x/NT/2000/Me
system-cum-registry tweakers. Some of these are:

  • Xteq X-Setup: tweaks more than 700 system or registry

  • Microsoft TweakUI 1.33: More information on this is
    available at

  • DirectControl: tweaks DirectX, video, audio, and 3D

  • CacheMan: tweaks disk and file cache settings.

Words of caution

When editing the registry, backup all your hard drives to a
safe location before making any system changes (for details on how to do this,
go to
). Remember that when you
add, delete or modify a registry (sub)key or value using RegEdit, all changes
take place instantly, and you aren’t prompted for confirmation upon saving
changes to before closing the registry editor. Take extreme caution when
modifying your system settings, because faulty registry changes may result in
computer crashes, lockups, or permanent data loss, and may cause you to
reinstall the entire operating system. And, always have your most recent system
backup ready.

Reprinted with permission from

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.