The Registry and its Editors

The Windows 9x/NT/2000/ME System Registry is a complex, unified, system wide,
continually-referenced-during-operation database, used for centrally storing,
locating, editing, and administering system, software and user configuration
information, following a hierarchical structure.

Its role is to replace the text/ASCII based MS-DOS configuration and MS
Windows initialization (INI) files, used by the old MS-DOS 3/4/5/6.xx, MS
Windows 3.xx and MS Windows for WorkGroups 3.1x releases.

Most data from the MS-DOS configuration files–autoexec.bat and config.sys,
and from the Windows system initialization files–control.ini, system.ini,
win.ini, etc, is now contained in the registry, together with most of the other
system settings. Most Win 32 (32-bit) specific applications store their
initialization and configuration data into the registry instead of into INI
files. The MS-DOS and INI files are kept only for backward compatibility with
older MS-DOS and Win 16 (16-bit) based applications.

The Registry is stored in binary data executable format.

The Windows 95/98/Me registration database

This is contained in these five files, with Hidden, Read-only attributes for
write-protection purposes, usually located in the %WinDir% folder (default is
C:\Windows) in stand-alone single-user environments:

• System.Dat: stores
  persistent hardware and software settings related to the system it resides
  on.

• User.Dat: stores user
  specific and software settings. If there is more than one user, then
  multiple user profiles enable each user to have his own separate USER.DAT
  file, located in %WinDir%\Profiles\%UserName%. When a user logs on, the
  Windows OS (down)loads both USER.DAT files–the one from the local machine
  %WinDir% (global user settings), and the most recent one from the local
  machine %WinDir%\ Profiles\%UserName%, or from the central (host) server if
  user profiles reside on a network (local user settings).

• System.Da0 And User.Da0:
  automatically created backups of SYSTEM.DAT and USER.DAT from the last
  successful Windows GUI startup. Found only on Windows 95 retail, 95a OSR1,
  95B OSR 2.0, 95B OSR 2.1 and 95C OSR 2.5 systems.

• Classes.Dat: stores
  persistent data contained in the HKEY_CLASSES_ROOT Hive key, found only on
  Windows ME systems.
  
  
  
  This other file usually resides on the central (host) server in multi-user
  environments or networks, or in %WinDir% on stand-alone multi-user machines:

•  Policy.Pol:
  optional, provides additional information specific to the network, and can
  override certain settings in SYSTEM. DAT and/or USER.DAT, allowing network
  administrators to control users’ access level to the network.

Windows 98, 98 SE(U), and Me back up the registry
automatically upon loading, into compressed CAB files (Microsoft proprietary
compression technology), found in the %WinDir%\Sysbckup subfolder (default), and
holding 5 (default), up to a maximum of 99 different backup copies, a new one
being created on the first successful GUI boot of each new day (the oldest is
replaced with the newest). They are named from rb000.cab, rb001.cab, ... up to
rb099.cab. Check the date stamp to determine the newest backup set.

Windows 98/ME’s automatic Registry backup is enabled by the
command C:\Windows\Scanregw.exe /autorun found as a String Value called "ScanRegistry"
under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsCurrentVersion\Run

In addition, system.1st (Windows 95, 98 and Me) and
classes.1st (Windows Me) are created in the %bootdir% folder (boot drive root
directory, usually C:\), a backup of the first Win 95/98/ME SYSTEM.DAT and
Windows Me CLASSES.DAT respectively, created at the end of a successful setup.
These are Hidden, Read-only files.

The Windows NT/2000 registration database

This is contained in these five files located in the %SystemRoot%\System32\Config
folder (default is C:\Winnt\ System32\Config):

• Default: stores the HKEY_USERS\.Default
  key.

• Sam: stores the
  HKEY_LOCAL_MACHINE\Sam key.

• Security: stores the
  HKEY_LOCAL_MACHINE\Security key.

• Software: stores the
  HKEY_LOCAL_MACHINE\Software key.

• System: stores the
  HKEY_LOCAL_MACHINE\System key and the HKEY_CURRENT_CONFIG Hive key,

The file, Ntuser.Dat, located in the %SystemRoot%\Profiles\ %UserName%
folder, stores the HKEY_CURRENT_USER Hive key, and their automatically created
backups from the last known good booting process (successful startup):

• System.Alt = backup of SYSTEM file above, and

• *.Sav = backup of first Hive key created at the end of a
  successful text mode setup.

Registry structure

The Registry consists of two basic components:

1. (Sub)Key: storage container (folder, directory, tree,
   heading). They organize the registry data in a consistent and hierarchical
   format. Keys can contain subkeys and values. Each (sub)key’s name is
   predefined by the system or created by users or Win32 (32-bit) programs, and
   can contain spaces and most alphanumeric characters. A (sub)key is defined by
   its complete pathway starting at the root level (main key):

• HKEY_KEY_NAME: Root Handle/Hive/Main/Parent Key. The
  Windows 95/98/Me registry contains six root keys under ‘My Computer’ (see
  further below).
• HKEY_KEY_NAME\KeyName: Child (Sub)Key.

2. Value: stores actual registry data created, modified or
   used by the system, users and Win32 (32-bit) applications to control hardware
   and software settings. Values (like files) are stored inside (sub)keys (like
   folders):

"ValueName"=ValueType:ValueData

Value names define data types and are displayed in multiple
alphanumeric formats.

There are three basic (simple) registry Value types, valid
for all Windows 95, 98, Me, NT, and 2000 releases, and available in both RegEdit
and RegEdt32:

• REG_DWORD : API code 4>: Double WORD data of
  4 bytes (32 bits) in length, in 3 numeric formats: decimal (base of 10),
  hexadecimal (base of 16) or binary (base of 2).

• REG_BINARY 3>: data of any
  length, in two numeric formats: binary (base of 2) or hexadecimal (base of
  16).

• REG_SZ 1>: data of any length, in
  three Unicode or ANSI formats: simple text/ASCII (string), expanded (%string%)
  or extended (multi-string).

There are several complex (multiple) registry Value types
(contain multiple or a list of data types of any length separated and terminated
by null characters), valid only for Windows NT and 2000, and available only in
RegEdt32:

• REG_EXPAND_SZ Value: API code 2>: in
  system variable (%string%) format, stores environment variables within
  strings, accessed by substituting variables with actual system path names.

• REG_MULTI_SZ 7>: in
  extended multi-string format, stores multiple strings into a single Registry
  entry.

• REG_RESOURCE_LIST 8>:
  device driver list of hardware resources stored under the HKEY_LOCAL_MACHINE\HARDWARE\ResourceMap
  tree.

• REG_FULL_RESOURCE_DESCRIPTOR API code 9>: device driver description of hardware resources stored under the
  HKEY_ LOCAL_MACHINE\HARDWARE\HardwareDescription tree.

• REG_RESOURCE_REQUIREMENTS_LIST Value: API code 10>: device driver list of hardware resource requirements
  stored under the HKEY_LOCAL_MACHINE\HARDWARE\ResourceMap tree. (see table).

When you run the Registry Editor, you’ll see the following
expandable Registry subtrees, each marked with a plus (+) sign, under the
"My Computer" heading (main tree).

To further expand each subtree and view all underlying branches (subkeys), click
on the plus (+) signs of the six main Hive keys below.

Typical layout of the Windows 95/98/Me registry

<+> My Computer

-<+> HKEY_CLASSES_ROOT (HKCR): Software settings, DDE,
OLE, drag-n-drop, Win31 backward compatibility, shortcut settings and
subkeys for every defined file association, also found at HKEY_LOCAL_MACHINE SOFTWARE\Classes.

-<+> HKEY_CURRENT_USER (HKCU): Currently logged on user
configuration settings, also found at HKEY_USERS.

Subkeys:

-<+> AppEvents: Assigned system and applications sound
events settings.

-<+> Control Panel: Control Panel settings, similar to
those defined in System.ini, Win.ini, and Control.ini in Windows/WfWG 3.xx.

-<+> Identitites: Created and used by MS Outlook Express
4/5 and its Address Book.

-<+> InstallLocationsMRU (Most Recently Used):

Installation and Startup folders paths.

-<+> Keyboard: Current keyboard layout.

-<+> Network: Network connection settings.

-<+> RemoteAccess: Current logon location settings, if
using Dial-Up Networking (DUN).

*-<+> Software: Software configuration settings for the
currently logged on user, sorted by vendor or developer.

-<+> HKEY_LOCAL_MACHINE (HKLM): User independent hardware
and software machine specific information: bus type, device drivers,
keyboard layout etc. Subkeys:

-<+> Config: System and software configuration.

-<+> Drivers: Used by the Device Manager to keep track of
active loaded drivers for hardware peripherals like plug-n-play devices, PC
cards, PCMCIA etc.

-<+> Enum: Hardware devices’ information and settings.

-<+> Hardware: Serial communication port(s)’
information and settings.

-<+> Network: Information and settings about network(s)
the user is currently logged on to.

-<+> Security: Network security information and settings.

-<+> SOFTWARE: Software-specific information and settings
sorted by developer or vendor.

*-<+> System: System startup, device driver, and
operating system information and settings.

-<+> HKEY_USERS (HKU): Information about desktop and user
specific settings for each user who logs on to the same Windows 9x/Me
system. Each user has a separate subkey here. If there is only one user, the
only subkey is ".Default".

-<+> HKEY_CURRENT_CONFIG (HKCC): Information about the
current hardware profile used by the local computer at startup, pointing to
HKEY_LOCAL_ MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.  

*-<+> HKEY_DYN_DATA (HKDD): Virtual key (exists only in
memory) created every time Windows 9x/Me initializes; dynamic configuration
data about installed plug-n-play devices. Changes constantly when hardware
devices are added, swapped or removed on-the-fly.

-<+> Config Manager: Hardware problem codes and status.

*-<+> PerfStats: System and network performance
statistics.

Registry editors

To modify the registry, you need to use a Registry Editor,
which would be one of the following:

• Regedit.exe (Windows 95/98/Me/NT/2000): located in
  %WinBootDir%,

• Regedt32.exe (Windows NT/2000): located in %System
  Root%\System32\Config, or

• a third-party Registry editing tool like Registrar Lite
  (freeware).

The Windows 95/98/NT/2000/Me Registry Editor is a tool used
to display, search, modify, create, delete, save, import, and export the
registry’s (sub)keys and values (see table).

You can use either RegEdit’s or RegEdt32’s interface in
protected mode Windows environment from within the Windows GUI. Alternatively,
you can use REGEDIT’s DOS based (Windows 95/98/ME) command line parameters in
real mode MS-DOS from outside Windows.

To learn how to use the regedit.exe available DOS mode
switches, run the following from native MS-DOS:

RegEdit.exe versus RegEdt32.exe comparison

Creating a shortcut to the registry editor

To create a RegEdit shortcut, right-click on an empty raised
Taskbar spot. Select Properties, click Start Menu>Programs, and click the ‘Add...’
button. Browse to your main Windows folder, double-click on regedit.exe, and
click the Next button. Double-click Start Menu>Programs> Accessories>
System Tools, click the Next button, and type Registry Editor in the ‘Select
name for the shortcut’ box. Click the Finish button.

If you are not familiar with ‘messing around’ with your
Registry, don’t attempt to make any changes. However, if you are familiar
enough with your system registry’s "innards" and would like to tweak
it for maximum performance, but don’t like to modify your registry directly,
an alternative is to use one of the free Windows 9x/NT/2000/Me
system-cum-registry tweakers. Some of these are:

• Xteq X-Setup: tweaks more than 700 system or registry
  settings

• Microsoft TweakUI 1.33: More information on this is
  available at http://home.aol.com/AXCEL216/98-3.htm#TWK98

• DirectControl: tweaks DirectX, video, audio, and 3D
  settings

• CacheMan: tweaks disk and file cache settings.

Words of caution

When editing the registry, backup all your hard drives to a
safe location before making any system changes (for details on how to do this,
go to http://home.aol.com/axcel216/newtip12.htm#
regbak). Remember that when you
add, delete or modify a registry (sub)key or value using RegEdit, all changes
take place instantly, and you aren’t prompted for confirmation upon saving
changes to before closing the registry editor. Take extreme caution when
modifying your system settings, because faulty registry changes may result in
computer crashes, lockups, or permanent data loss, and may cause you to
reinstall the entire operating system. And, always have your most recent system
backup ready.

Reprinted with permission from http://home.aol.com/AXCEL216/reg.htm