Guide | How To Windows Registry - What is it?


BoraMurdar

Super Moderator
Thread author
Aug 30, 2012
What is the Windows Registry?
The complete registry only exists in memory
The registry is commonly described as a hierarchical database. But you may not have realized two important facts:

  1. The registry database is only ever complete when loaded into your computer's memory.
  2. The registry is the sum of two parts, the data and the processes that create it and provide access to it.
Diagram 1 - Windows assembles the registry in memory
In other words, the registry hive files stored on your disk are not the complete registry. The complete registry is created during the startup process and assembled in memory.

This is so important that I'll repeat it. At the heart of the registry is a database that exists in two main forms:

  • Some registry hives are stored on disk even when Windows is not running.
  • All the registry hive structures only exist in memory. This includes a set of volatile hives that only exist when Windows is running.
The registry can only be accessed through the Registry Configuration Manager
The other Windows components that allow the registry data to be accessed are in the Windows kernel. The Registry Configuration Manager is the most dedicated but other kernel components like the Object Manager provide further essential capabilities. These are discussed in more detail in How is the registry managed? but here's a preview so you can picture it.

Diagram 2 - Windows kernel components provide access to the registry
What this means is that when your computer is turned off the registry does not exist even though most of the registry data is stored on disk.

The beehive references started as a joke
In reading about the registry you may have noticed the references to hives, bees and cells. They are a long running joke. Apparently, one of the developers hated bees and another developer took the opportunity to introduce many references to bees. It is also relevant that the registry database is indexed using binary trees or B-trees (pronounced "Bee-trees"). That's why the primary database structures are called hives.

You can see the registry database structure by running the registry editor, RegEdit. It shows one hierarchical tree but the Windows registry is not one big database file. The primary data structure is the hive, of which there are several. Each hive is identified by a root key which provides access to all sub-keys in the tree up to 512 levels deep.

Each hive has a root key
There are six pre-defined root keys which are used to access all other keys or sub-keys. In other words, the binary tree is traversed from the root downwards. So new keys are added through these root keys and all existing keys have to be found through the root keys. One disadvantage of this approach is that a problem with a higher key may prevent access to lower keys. In practice this does not occur very often.

The following table lists the root keys with the abbreviations that will be used in the remainder of this article.

Table 1 - Registry root keys

Abbreviation   Root key                 Contents
HKCC           HKEY_CURRENT_CONFIG      Current hardware
HKCR           HKEY_CLASSES_ROOT        Classes (types) of documents and registered applications
HKCU           HKEY_CURRENT_USER        Current logged-on user
HKLM           HKEY_LOCAL_MACHINE       The system hardware, software and security
HKPD           HKEY_PERFORMANCE_DATA    Performance data
HKU            HKEY_USERS               User profiles

There are six main branches, each containing a specific portion of the information stored in the Registry. They are as follows:

  • HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.
  • HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.
  • HKEY_LOCAL_MACHINE - This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC; this information is used for all users who log onto this computer.
  • HKEY_USERS - This branch contains individual preferences for each user of the computer; each user is represented by a SID sub-key located under the main branch.
  • HKEY_CURRENT_CONFIG - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
  • HKEY_DYN_DATA - This branch points to the part of HKEY_LOCAL_MACHINE used by the Plug-&-Play features of Windows; this section is dynamic and will change as devices are added to and removed from the system.
Each registry value is stored as one of five main data types:

  • REG_BINARY - This type stores the value as raw binary data. Most hardware component information is stored as binary data, and can be displayed in an editor in hexadecimal format.
  • REG_DWORD - This type represents the data as a four-byte number and is commonly used for boolean values, such as "0" is disabled and "1" is enabled. Additionally, many parameters for device drivers and services are of this type, and can be displayed in REGEDT32 in binary, hexadecimal and decimal format, or in REGEDIT in hexadecimal and decimal format.
  • REG_EXPAND_SZ - This type is an expandable data string, that is, a string containing a variable to be replaced when called by an application. For example, in such a value the string "%SystemRoot%" will be replaced by the actual location of the directory containing the Windows NT system files. (This type is only available using an advanced registry editor such as REGEDT32.)
  • REG_MULTI_SZ - This type is a multiple string used to represent values that contain lists or multiple values; each entry is separated by a NULL character. (This type is only available using an advanced registry editor such as REGEDT32.)
  • REG_SZ - This type is a standard string, used to represent human readable text values.
Other data types not available through the standard registry editors include:
  • REG_DWORD_LITTLE_ENDIAN - A 32-bit number in little-endian format.
  • REG_DWORD_BIG_ENDIAN - A 32-bit number in big-endian format.
  • REG_LINK - A Unicode symbolic link. Used internally; applications should not use this type.
  • REG_NONE - No defined value type.
  • REG_QWORD - A 64-bit number.
  • REG_QWORD_LITTLE_ENDIAN - A 64-bit number in little-endian format.
  • REG_RESOURCE_LIST - A device-driver resource list.
Registry HKEYS are handle keys used to access the registry objects

As shown in Diagram 2, programs gain access to the registry by using the Registry Application Programming Interface (API) which provides a standard set of functions for the Windows sub-systems and application programs to access and update the Registry. This is how the Registry editor (RegEdit) and other utilities work. When a program uses the API to access the registry the Windows Object Manager will return a handle for the object identified by a key. That is why the "HKEY" in the root keys means "handle key".

Although the handles are valid in any registry they can be used differently in different versions of Windows. Also, some registry handles are not provided from the registry hives. HKPD, for example, is diverted by the API to the Windows performance management sub-systems. That is why you cannot find HKEY_PERFORMANCE_DATA when you use the Registry editor.

The registry structure is like a file storage structure
You may find it easier to relate to the registry terminology by referring to tree formats or file storage. The analogy of files is particularly apt because Windows used to be configured from .INI files. More particularly, the keys themselves use file-naming conventions. This is a handy feature because Windows can manage registry objects just like file objects. Registry hives have symbolic links which are like virtual path mappings in a file system. Registry subkeys also have owners and permissions just like directories and folders.

Table 2 - Relating to Registry terminology

Registry   Tree      File storage
Hive       Tree      File system
Key        Node      Directory or folder
Subkey     Subnode   Subdirectory or subfolder
Value      Key       File
Data       Value     File content
Note that a key can contain subkeys or values. A subkey can have another subkey so key and subkey are usually interchangeable in the same way as directory and subdirectory or folder and subfolder. A key with no value can still store data in what is called the default value.

You might have noticed that I haven't explained what cells are here. I mentioned them when discussing hives and bees. The reason that they aren't here is that cells are part of the in-memory structure for the hives and are not visible anywhere outside the kernel. They will only be explained if I add a section on the internal workings of the Registry Configuration Manager.

The registry is kernel-based for speed
The registry is an integral part of Windows so it is based in the Windows kernel for the best performance and access to the most important components of Windows.

The registry is designed to save space
The registry stores configuration settings in a hierarchy to minimise the size of the registry. System-wide settings are used first, then the user settings are added on top. This means that the user settings only have to store those settings that differ from the default. The user settings then supersede the equivalent system-wide settings.

The same applies for programs and hardware. Programs normally have settings for the system, e.g. installed components, and settings for each user, e.g. recently-opened files. Likewise multiple hardware profiles can be used.

Another advantage of only storing differences from the system or default settings is that different users can easily use the same computer with the same system configuration. They only need the settings in their profile to customize the system to suit them.

The minimized size of the user settings also makes it easier to transmit those settings when you are roaming and log onto a different computer on the same local area network (LAN) or wide area network (WAN).

Diagram 3 - User settings override system-wide settings
  Specific differences: user-specific differences, e.g. HKCU\User SID; system-specific differences, e.g. HKCU\Software\Classes
  Defaults: user defaults, e.g. HKU\.default; system-wide defaults, e.g. HKLM\Software\Classes

Diagram 3 is oversimplified. Just remember that the differences usually override the default settings. An example of a system-wide default is the user profile defaults found in HKU\.default, which are superseded by per-user settings in HKCU\user account SID.

Some of the registry complexity is to maintain backward compatibility
Originally Windows 3.1 only had the REG.DAT file. Windows 95 to ME and NT had the SYSTEM.DAT and USER.DAT. Every major release of Windows introduces further complexity to the files and the internal structure. So some hives are retained purely for backwards compatibility. This leaves us with three main categories of hive:

  • Windows 9x (and 3.1) software classes to maintain compatibility with 16-bit applications, OLE and the Component Object Model (COM) for developing applications.
  • Windows 2000 has Standard hives which are maintained to allow users to roam with a standard configuration. Windows 2000 largely moved to the current registry files.
  • Windows latest versions.
Further complicating this are other major changes:

  • The emulation of Windows 32-bit on Windows 64 (WOW64) to allow 32-bit and 64-bit registry entries to coexist in the registry
  • The introduction of the .NET Framework and web-based software which is superseding the old COM framework.

How does Windows startup use the registry?

The first steps of startup are designed to determine the configuration needed to load Windows. But initially the Windows Kernel and the registry are not loaded. So the Boot Configuration Data (BCD) is loaded from its file. Once the Windows Loader is started then the hardware abstraction layer and the kernel image are loaded before the Registry API is available. The System hive is loaded into physical memory to determine the relevant control set to be used to configure Windows properly. The registry is then assembled and from that point further startup processes are accessing the registry and making changes. These changes are made whether there are any further changes to the computer configuration or any problems that may develop.

User logon

When a user logs on, Windows loads hives that are specific to that user. These contain settings that differ from the defaults. How does Windows startup use the registry? also provides further details for this.

Device driver changes

When we install (or uninstall) drivers this changes the registry. We may not even notice this happening because new hardware is normally recognized automatically by Plug and Play so the correct drivers can be loaded without our intervention.

Applications changes

Installing or uninstalling applications is a major source of changes after the initial install of Windows. This almost always involves user intervention.

User interaction primarily with programs

We also have interactions with our application programs and Windows components. These programs modify the registry in many ways and the changes can be to system-wide settings as well as user-specific settings.

Diagram 6 - The registry is changed by driver and application changes or simply using a program

A registry value can store up to 1MB but a separate file is recommended if it is more than 1 or 2 KB.

The original Windows 3.1 registry was a single-node flat file REG.DAT. The System registry hive was introduced for Windows 95.

Registry size limits

Windows version        Registry size limit                                      System hive size limit
Windows 3.1            16KB
Windows 9x             n/a
Windows ME             16MB
Windows NT 4           ~154MB
Windows 2000           ~296MB (~80% of the paged pool)                          12MB
Windows XP             ~376MB (~80% of the paged pool)                          200MB
Windows Vista, 7, 8    2GB (~half physical memory, ~75% of the paged pool)      400MB x86, 1.5GB x64 (~half physical memory)
Normally the entire registry should be loaded into memory. If it is not then it will be paged to disk and your PC will run noticeably slower.
Techsupportalert
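As an added example (not part of Remah's article or this post), here is a small Python decoder for raw registry value bytes of the types listed above, the way a forensic tool reading a hive file offline has to interpret them: UTF-16LE strings, NUL-separated REG_MULTI_SZ lists, %SystemRoot%-style expansion for REG_EXPAND_SZ, and little- versus big-endian DWORDs. The sample records and the SystemRoot mapping are constructed; the type codes are the Windows API values.

```python
# Registry value type codes as defined by the Windows API (winnt.h).
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY = 0, 1, 2, 3
REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ, REG_QWORD = 4, 5, 7, 11

def _utf16(data: bytes) -> str:
    # Registry strings are UTF-16LE; drop a stray odd byte rather than fail.
    return data[: len(data) & ~1].decode("utf-16-le")

def expand_env(text: str, env: dict) -> str:
    # Replace %NAME% tokens from an explicit, case-insensitive mapping; unknown
    # names are left untouched, as ExpandEnvironmentStrings does.
    upper = {k.upper(): v for k, v in env.items()}
    out, i = [], 0
    while i < len(text):
        end = text.find("%", i + 1) if text[i] == "%" else -1
        if end > i and text[i + 1:end].upper() in upper:
            out.append(upper[text[i + 1:end].upper()])
            i = end + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def decode_value(reg_type: int, data: bytes, env: dict = None):
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        text = _utf16(data).split("\x00", 1)[0]  # stop at the first NUL
        return expand_env(text, env or {}) if reg_type == REG_EXPAND_SZ else text
    if reg_type == REG_MULTI_SZ:
        # Entries are NUL-separated and the list ends with an extra NUL.
        return [s for s in _utf16(data).split("\x00") if s]
    if reg_type in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        order = "big" if reg_type == REG_DWORD_BIG_ENDIAN else "little"
        return int.from_bytes(data[:4], order)
    if reg_type == REG_QWORD:
        return int.from_bytes(data[:8], "little")
    # REG_NONE carries no value; REG_BINARY and unrecognised types stay raw.
    return None if reg_type == REG_NONE else bytes(data)

def _sz(text: str) -> bytes:
    return text.encode("utf-16-le") + b"\x00\x00"  # NUL-terminated UTF-16LE

# Constructed sample records (name, type, raw bytes), as a hive parser might return them.
SAMPLE_ENV = {"SystemRoot": r"C:\Windows"}
SAMPLE_VALUES = [
    ("Owner", REG_SZ, _sz("Remah")),
    ("Editor", REG_EXPAND_SZ, _sz(r"%SystemRoot%\notepad.exe")),
    ("DependOnService", REG_MULTI_SZ, _sz("first\x00second\x00")),
    ("Enabled", REG_DWORD, b"\x01\x00\x00\x00"),
    ("EnabledBE", REG_DWORD_BIG_ENDIAN, b"\x00\x00\x00\x01"),
    ("Size", REG_QWORD, (2**40).to_bytes(8, "little")),
    ("Blob", REG_BINARY, b"\xde\xad\xbe\xef"),
]

def decode_all(values=SAMPLE_VALUES, env=SAMPLE_ENV) -> dict:
    return {name: decode_value(t, raw, env) for name, t, raw in values}
```

The same DWORD value 1 decodes from both byte orders, which is why a tool must honour the type code rather than assume little-endian.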

Nico@FMA

Level 27
May 11, 2013
what things do you want me to include? :)

@Umbra Polaris
:p :p :p
I know

Well, to start with, the Windows Registry has a centralized function within the OS as described above.
However, the WR also has an authority function and a dynamic policy function.
And within this article the focus is on the WR as an engine to keep the W-OS running; however, it fails to mention what role the WR really plays towards other programs.
For example, most programs could not run without being registered in the WR. But more importantly, it does not mention the journal functions within the WR.
Keep in mind that the WR is the true roadmap through the system; without the WR, Windows would not be capable of running any driver or upper-level software program.
But it's also the centralized place where ini-like configurations are stored.
People do not realize that the true brain of the W-OS is the register. In Windows 95 and previous versions the Windows register did have a secondary role to play, as older Windows versions were "ini" config based, so without explicit config-based commands the OS was brain dead.
However, in later generations of the W-OS the register did become dynamic and can adapt to the system and the user profile by adding, removing, enabling and disabling keys to suit the current overall system config, and semi-adapt on its own without being subject to the Windows authority system, as this finds its origin brain-wise and config-wise directly in the WR itself. Out of all the Windows functions the Windows register is the only part that does not fall under Windows protection policies; in fact it dictates how Windows should apply its very routines and security.
So one could say that the W-OS is the main authority on a system, but the true authority behind the scenes is the Windows register.
Control the WR = control Windows, and if Windows itself would control the WR it would crash and become brain dead.
That being said, the importance of the register goes way beyond what is described in your fine article.

I have a bit of difficulty explaining what I mean as it's hard to write it in English, but I hope you understand what I am trying to explain.

Cheers

Aura

Level 20
Jul 29, 2014
It would be nice to link to the original article. :)

This is from Remah's article Deeper into the Windows Registry from the popular and amazing freeware site Gizmo's Freeware. He's also the author of What happens when Windows starts up and Windows Startup Terminology

I am one of the editors at Gizmo's Freeware :D Thanks for sharing this and spreading the word. A well-written article.

I don't know why people never admit that they copy/pasted a tutorial or don't post the source they copy/pasted it from. It takes 15 seconds to find out if a tutorial is copy/pasted or not and it just makes you look bad.

But it's a really nice tutorial, indeed.

Behold Eck

Level 18
Jun 22, 2014
A somewhat less detailed explanation would be that the registry is akin to the back bone of a human so best not to mess with it.

Great detailed explanation, by the way.

Regards Eck:)