How-to Guide Windows Registry - What is it?

Discussion in 'Tutorials & Guides' started by BoraMurdar, Jul 14, 2014.

  1. BoraMurdar

    BoraMurdar Super Moderator
    Staff Member

    What is the Windows Registry?
    The complete registry only exists in memory
    The registry is commonly described as a hierarchical database. But you may not have realized two important facts:

    1. The registry database is only ever complete when loaded into your computer's memory.
    2. The registry is the sum of two parts, the data and the processes that create it and provide access to it.
    Diagram 1 - Windows assembles the registry in memory
    In other words, the registry hive files stored on your disk are not the complete registry. The complete registry is created during the startup process and assembled in memory.

    This is so important that I'll repeat it. At the heart of the registry is a database that exists in two main forms:

    • Some registry hives are stored on disk even when Windows is not running.
    • All the registry hive structures only exist in memory. This includes a set of volatile hives that only exist when Windows is running.
    The registry can only be accessed through the Registry Configuration Manager
    The other Windows components that allow the registry data to be accessed are in the Windows kernel. The Registry Configuration Manager is the most dedicated but other kernel components like the Object Manager provide further essential capabilities. These are discussed in more detail in How is the registry managed? but here's a preview so you can picture it.

    Diagram 2 - Windows kernel components provide access to the registry

    What this means is that when your computer is turned off the registry does not exist even though most of the registry data is stored on disk.

    The beehive references started as a joke
    In reading about the registry you may have noticed the references to hives, bees and cells. They are a long running joke. Apparently, one of the developers hated bees and another developer took the opportunity to introduce many references to bees. It is also relevant that the registry database is indexed using binary trees or B-trees (pronounced "Bee-trees"). That's why the primary database structures are called hives.

    You can see the registry database structure by running the registry editor, RegEdit. It shows one hierarchical tree but the Windows registry is not one big database file. The primary data structure is the hive, of which there are several. Each hive is identified by a root key which provides access to all sub-keys in the tree up to 512 levels deep.

    Each hive has a root key
    There are six pre-defined root keys which are used to access all other keys or sub-keys. In other words, the binary tree is traversed from the root downwards. So new keys are added through these root keys and all existing keys have to be found through the root keys. One disadvantage of this approach is that a problem with a higher key may prevent access to lower keys. In practice this does not occur very often.

    The following table lists the root keys with the abbreviations that will be used in the remainder of this article.

    Table 1 - Registry root keys

    Abbreviation  Root key               Contents
    HKCC          HKEY_CURRENT_CONFIG    Current hardware
    HKCR          HKEY_CLASSES_ROOT      Classes (types) of documents and registered applications
    HKCU          HKEY_CURRENT_USER      Current logged-on user
    HKLM          HKEY_LOCAL_MACHINE     The system hardware, software and security
    HKPD          HKEY_PERFORMANCE_DATA  Performance data
    HKU           HKEY_USERS             User profiles

    There are six main branches, each containing a specific portion of the information stored in the Registry. They are as follows:

    • HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.
    • HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.
    • HKEY_LOCAL_MACHINE - This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC; this information is used for all users who log onto this computer.
    • HKEY_USERS - This branch contains individual preferences for each user of the computer; each user is represented by a SID sub-key located under the main branch.
    • HKEY_CURRENT_CONFIG - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
    • HKEY_DYN_DATA - This branch points to the part of HKEY_LOCAL_MACHINE used by the Plug-&-Play features of Windows; this section is dynamic and will change as devices are added to and removed from the system.
    Each registry value is stored as one of five main data types:

    • REG_BINARY - This type stores the value as raw binary data. Most hardware component information is stored as binary data, and can be displayed in an editor in hexadecimal format.
    • REG_DWORD - This type represents the data by a four-byte number and is commonly used for boolean values, such as "0" is disabled and "1" is enabled. Additionally, many parameters for device drivers and services are this type, and can be displayed in REGEDT32 in binary, hexadecimal and decimal format, or in REGEDIT in hexadecimal and decimal format.
    • REG_EXPAND_SZ - This type is an expandable data string, that is, a string containing a variable to be replaced when called by an application. For example, for the following value, the string "%SystemRoot%" will be replaced by the actual location of the directory containing the Windows NT system files. (This type is only available using an advanced registry editor such as REGEDT32)
    • REG_MULTI_SZ - This type is a multiple string used to represent values that contain lists or multiple values; each entry is separated by a NULL character. (This type is only available using an advanced registry editor such as REGEDT32)
    • REG_SZ - This type is a standard string, used to represent human readable text values.
    Other data types not available through the standard registry editors include:
    • REG_DWORD_LITTLE_ENDIAN - A 32-bit number in little-endian format.
    • REG_DWORD_BIG_ENDIAN - A 32-bit number in big-endian format.
    • REG_LINK - A Unicode symbolic link. Used internally; applications should not use this type.
    • REG_NONE - No defined value type.
    • REG_QWORD - A 64-bit number.
    • REG_QWORD_LITTLE_ENDIAN - A 64-bit number in little-endian format.
    • REG_RESOURCE_LIST - A device-driver resource list.


    Registry HKEYS are handle keys used to access the registry objects

    As shown in Diagram 2, programs gain access to the registry by using the Registry Application Programming Interface (API) which provides a standard set of functions for the Windows sub-systems and application programs to access and update the Registry. This is how the Registry editor (RegEdit) and other utilities work. When a program uses the API to access the registry the Windows Object Manager will return a handle for the object identified by a key. That is why the "HKEY" in the root keys means "handle key".

    Although the handles are valid in any registry they can be used differently in different versions of Windows. Also, some registry handles are not provided from the registry hives. HKPD, for example, is diverted by the API to the Windows performance management sub-systems. That is why you cannot find HKEY_PERFORMANCE_DATA when you use the Registry editor.

    The registry structure is like a file storage structure
    You may find it easier to relate to the registry terminology by referring to tree formats or file storage. The analogy of files is particularly apt because Windows used to be configured from .INI files. More particularly, the keys themselves use file-naming conventions. This is a handy feature because Windows can manage registry objects just like file objects. Registry hives have symbolic links which are like virtual path mappings in a file system. Registry subkeys also have owners and permissions just like directories and folders.

    Table 2 - Relating to Registry terminology

    Registry  Tree     File storage
    Hive      Tree     File system
    Key       Node     Directory or folder
    Subkey    Subnode  Subdirectory or subfolder
    Value     Key      File
    Data      Value    File content
    Note that a key can contain subkeys or values. A subkey can have another subkey so key and subkey are usually interchangeable in the same way as directory and subdirectory or folder and subfolder. A key with no value can still store data in what is called the default value.

    You might have noticed that I haven't explained what cells are here. I mentioned them when discussing hives and bees. The reason that they aren't here is that cells are part of the in-memory structure for the hives and are not visible anywhere outside the kernel. They will only be explained if I add a section on the internal workings of the Registry Configuration Manager.

    The registry is kernel-based for speed
    The registry is an integral part of Windows so it is based in the Windows kernel for the best performance and access to the most important components of Windows.

    The registry is designed to save space
    The registry stores configuration settings in a hierarchy to minimise the size of the registry. System-wide settings are used first, then the user settings are added on top. This means that the user settings only have to store those settings that differ from the default. The user settings then supersede the equivalent system-wide settings.

    The same applies for programs and hardware. Programs normally have settings for the system, e.g. installed components, and settings for each user, e.g. recently-opened files. Likewise multiple hardware profiles can be used.

    Another advantage of only storing differences from the system or default settings is that different users can easily use the same computer with the same system configuration. They only need the settings in their profile to customize the system to suit them.

    The minimized size of the user settings also makes it easier to transmit those settings when you are roaming and log onto a different computer on the same local area network (LAN) or wide area network (WAN).

    Diagram 3 - User settings override system-wide settings

    Specific differences (override the defaults):
      User-specific differences, e.g. HKCU\User SID
      System-specific differences, e.g. HKCU\Software\Classes

    Defaults:
      User defaults, e.g. HKU\.default
      System-wide defaults, e.g. HKLM\Software\Classes

    Diagram 3 is oversimplified. Just remember that the differences usually override the default settings. An example of a system-wide default is the user profile defaults found in HKU\.default, which are superseded by per-user settings in HKCU\user account SID.

    Some of the registry complexity is to maintain backward compatibility
    Originally Windows 3.1 only had the REG.DAT file. Windows 95 to ME and NT had the SYSTEM.DAT and USER.DAT. Every major release of Windows introduces further complexity to the files and the internal structure. So some hives are retained purely for backwards compatibility. This leaves us with three main categories of hive:

    • Windows 9x (and 3.1) software classes to maintain compatibility with 16-bit applications, OLE and the Component Object Model (COM) for developing applications.
    • Windows 2000 has Standard hives which are maintained to allow users to roam with a standard configuration. Windows 2000 largely moved to the current registry files.
    • Windows latest versions.
    Further complicating this are other major changes:

    • The emulation of Windows 32-bit on Windows 64 (WOW64) to allow 32-bit and 64-bit registry entries to coexist in the registry
    • The introduction of the .NET Framework and web-based software which is superseding the old COM framework.


    How does Windows startup use the registry?

    The first steps of startup are designed to determine the configuration needed to load Windows. But initially the Windows Kernel and the registry are not loaded. So the Boot Configuration Data (BCD) is loaded from its file. Once the Windows Loader is started, the hardware abstraction layer and the kernel image are loaded before the Registry API is available. The System hive is loaded into physical memory to determine the relevant control set to be used to configure Windows properly. The registry is then assembled and from that point on, further startup processes access the registry and make changes. These changes are made whether or not there are any further changes to the computer configuration or any problems that may develop.

    User logon

    When a user logs on, Windows loads hives that are specific to that user. These contain settings that differ from the defaults. How does Windows startup use the registry? also provides further details for this.

    Device driver changes

    When we install (or uninstall) drivers this changes the registry. We may not even notice this happening because new hardware is normally recognized automatically by Plug and Play so the correct drivers can be loaded without our intervention.

    Applications changes

    Installing or uninstalling applications is a major source of changes after the initial install of Windows. This almost always involves user intervention.

    User interaction primarily with programs

    We also have interactions with our application programs and Windows components. These programs modify the registry in many ways and the changes can be to system-wide settings as well as user-specific settings.

    Diagram 6 - The registry is changed by driver and application changes or simply using a program



    A registry value can store up to 1MB, but a separate file is recommended if it is more than 1 or 2 KB.

    The original Windows 3.1 registry was a single-node flat file REG.DAT. The System registry hive was introduced for Windows 95.

    Registry size limits

    Windows version      Registry size limit           Paged-pool limit        System hive limit
    Windows 3.1          16KB
    Windows 9x           n/a
    Windows ME           16MB
    Windows NT 4         ~154MB
    Windows 2000         ~296MB                        ~80% of the paged pool  12MB
    Windows XP           ~376MB                        ~80% of the paged pool  200MB
    Windows Vista, 7, 8  2GB (~ half physical memory)  ~75% of the paged pool  400MB x86, 1.5GB x64 (~ half physical memory)
    Normally the entire registry should be loaded into memory. If it is not then it will be paged to disk and your PC will run noticeably slower.
    Techsupportalert
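The following is an added example, not part of the original post or of the Techsupportalert article it reproduces. It illustrates three points made above: that the on-disk hive files are only part of the registry (volatile hives have no backing file), that HKCU is a handle-key link into HKU for the logged-on user's SID, and that HKLM\SYSTEM\Select records which control set the boot selected. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and only reads the registry.

```powershell
# Added example (not from the original post): hive files, root-key links and the boot control set.
# Read-only; no elevation needed.

# 1. Which files back the in-memory registry? The kernel lists every loaded hive and its
#    backing file under the hivelist key. An empty file path (e.g. \REGISTRY\MACHINE\HARDWARE)
#    marks a volatile hive that exists only in memory while Windows is running.
$hivelist = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
$hivelist.PSObject.Properties |
    Where-Object { $_.Name -like '\REGISTRY\*' } |
    ForEach-Object {
        $file = if ([string]::IsNullOrEmpty($_.Value)) { '(volatile, memory only)' } else { $_.Value }
        '{0,-55} {1}' -f $_.Name, $file
    }

# 2. HKCU is a link into HKU keyed by the SID of the logged-on user, so the same data is
#    reachable through either path.
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$viaHkcu = (Get-ItemProperty -Path 'HKCU:\Environment').TEMP
$viaHku  = (Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\Environment").TEMP
"HKCU\Environment\TEMP = $viaHkcu"
"HKU\$sid\Environment\TEMP = $viaHku"
"Same data through both paths: $($viaHkcu -eq $viaHku)"

# 3. Which control set did the boot use? HKLM\SYSTEM\Select holds the numbers, and
#    CurrentControlSet is itself a link to the matching ControlSet00N key.
$select  = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$current = 'ControlSet{0:D3}' -f $select.Current
"Current control set: $current (Default={0}, LastKnownGood={1}, Failed={2})" -f $select.Default, $select.LastKnownGood, $select.Failed
```

The hivelist output is the practical answer to "what is the registry on disk": each path on the right is a hive file, and the entries with no file are the volatile hives the article says exist only in memory.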
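A second added example (again not from the original post or the Techsupportalert article) demonstrates Diagram 3: HKCR is a merged view of the system-wide defaults in HKLM\Software\Classes and the per-user differences in HKCU\Software\Classes, with the per-user entry taking precedence. The file extension name is constructed for the demonstration and is removed at the end; the example writes only under HKCU, so it needs no elevation.

```powershell
# Added example (not from the original post): per-user class entries appear in the merged HKCR view.
$ext = '.regdemo'   # constructed extension name for this demonstration only
$userKey = "HKCU:\Software\Classes\$ext"

New-Item -Path $userKey -Force | Out-Null
Set-ItemProperty -Path $userKey -Name '(default)' -Value 'RegDemo.Document'

# Nothing was written to HKLM, yet the merged view now resolves the extension
# because the per-user branch overrides (or, here, supplements) the system-wide defaults.
$merged = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext"
"HKCR\$ext default value : $($merged.'(default)')"
"Present in HKLM\Software\Classes : $(Test-Path "HKLM:\Software\Classes\$ext")"
"Present in HKCU\Software\Classes : $(Test-Path $userKey)"

Remove-Item -Path $userKey -Recurse
"After cleanup, HKCR\$ext exists: $(Test-Path "Registry::HKEY_CLASSES_ROOT\$ext")"
```

The same precedence rule is why a reviewer of a system's class registrations should look at both branches rather than only at HKLM: the merged view a program sees can differ per user.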
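A third added example (not from the original post or the Techsupportalert article) works through the value types listed above and the "keys have owners and permissions like folders" point. It creates a scratch key under HKCU with one value of each main type, reads each back with its reported type, shows that REG_EXPAND_SZ stores the unexpanded string and expands it on read, shows REG_MULTI_SZ coming back as an array, and prints the key's owner and access list. The key name is constructed and is deleted at the end; no elevation is needed.

```powershell
# Added example (not from the original post): registry value types and key permissions.
$key = 'HKCU:\Software\RegistryTypeDemo'   # constructed scratch key, removed at the end
New-Item -Path $key -Force | Out-Null

New-ItemProperty -Path $key -Name 'Blob'    -PropertyType Binary       -Value ([byte[]](0x4D,0x5A,0x90,0x00)) | Out-Null
New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord        -Value 1 | Out-Null
New-ItemProperty -Path $key -Name 'BigNum'  -PropertyType QWord        -Value 4294967296 | Out-Null
New-ItemProperty -Path $key -Name 'LogDir'  -PropertyType ExpandString -Value '%SystemRoot%\Logs' | Out-Null
New-ItemProperty -Path $key -Name 'Servers' -PropertyType MultiString  -Value @('alpha','beta','gamma') | Out-Null
New-ItemProperty -Path $key -Name 'Label'   -PropertyType String       -Value 'plain text' | Out-Null

# GetValueKind reports the .NET names of the registry types
# (Binary = REG_BINARY, DWord = REG_DWORD, QWord = REG_QWORD, ExpandString = REG_EXPAND_SZ,
#  MultiString = REG_MULTI_SZ, String = REG_SZ).
$k = Get-Item -Path $key
foreach ($name in $k.GetValueNames()) {
    '{0,-8} {1,-13} {2}' -f $name, $k.GetValueKind($name), ($k.GetValue($name) -join ', ')
}

# REG_EXPAND_SZ: the stored data still contains %SystemRoot%; expansion happens when it is read.
$raw      = $k.GetValue('LogDir', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
$expanded = $k.GetValue('LogDir')
"stored   : $raw"
"expanded : $expanded"

# REG_MULTI_SZ: one array element per NUL-separated entry.
$servers = $k.GetValue('Servers')
"Servers has $($servers.Count) entries; the second is '$($servers[1])'"
$k.Close()

# Keys carry an owner and a DACL, just as directories do.
$acl = Get-Acl -Path $key
"Owner: $($acl.Owner)"
$acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited | Format-Table -AutoSize

Remove-Item -Path $key -Recurse
```

Reading the raw form of an expandable string matters when auditing configuration: a value that expands to a sensible path at read time may still store an environment variable that resolves differently for another account.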
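A fourth added example (not from the original post or the Techsupportalert article) shows the WOW64 point from the "backward compatibility" section: on 64-bit Windows the 32-bit and 64-bit registry views coexist, and the 32-bit view of HKLM\SOFTWARE is served from HKLM\SOFTWARE\WOW6432Node. The script opens the same subkey through both views and compares a value that differs between them, then lists the per-view autostart entries under the Run key, since an inventory that reads only one view misses the other. Read-only; no elevation needed. On 32-bit Windows both views return the same data.

```powershell
# Added example (not from the original post): the same key through the 64-bit and 32-bit views.
$sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion'

foreach ($viewName in 'Registry64', 'Registry32') {
    $view = [Microsoft.Win32.RegistryView]$viewName
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)

    # ProgramFilesDir exists in both views but points at a different directory in each on x64.
    $cv = $base.OpenSubKey($sub)
    '{0}: ProgramFilesDir = {1}' -f $viewName, $cv.GetValue('ProgramFilesDir')
    $cv.Close()

    # Autostart entries are view-specific too; an inventory should read both.
    $run = $base.OpenSubKey("$sub\Run")
    if ($run) {
        '{0}: Run entries = {1}' -f $viewName, (($run.GetValueNames() | Sort-Object) -join ', ')
        $run.Close()
    }
    $base.Close()
}

# The provider path makes the redirection target visible directly:
$wow = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion'
if (Test-Path $wow) { 'WOW6432Node ProgramFilesDir = ' + (Get-ItemProperty -Path $wow).ProgramFilesDir }
```

Opening the base key with an explicit RegistryView is the reliable way to pick a view from a script, because which view a process sees by default depends on whether the process itself is 32-bit or 64-bit.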
     
  2. Nico@FMA

    Nico@FMA Level 27

    Ohhh please do sticky this thread, as it is pretty much 95% complete.
    It does not mention some things but that's ok.
    Nice nice nice topic.
     
  3. Umbra

    Umbra From Emsisoft
    Developer

    This feature is a big mess ^^
     
  4. software182

    software182 Level 12

    Nah, very interesting topic :D
     
  5. WinXPert

    WinXPert Level 23
    Trusted AV Tester

  6. koushik

    koushik Level 2

    Wow!!! Very interesting!!! A big thx to BoraMurdar for posting this article :)
     
  7. BoraMurdar

    BoraMurdar Super Moderator
    Staff Member

    What things do you want me to include? :)

    @Umbra Polaris
    :p :p :p
    I know
     
  8. Nico@FMA

    Nico@FMA Level 27

    #8 Nico@FMA, Jul 14, 2014
    Last edited: Jul 14, 2014
    Well, to start with, the Windows Registry has a centralized function within the OS, as described above.
    However, the WR also has an authority function and a dynamic policy function.
    And within this article the focus is on the WR as an engine to keep the W-OS running; however, it fails to mention what role the WR really plays towards other programs.
    For example, most programs could not run without being registered in the WR. But more importantly, it does not mention the journal functions within the WR.
    Keep in mind that the WR is the true roadmap through the system; without the WR, Windows would not be capable of running any driver or upper-level software program.
    But it's also the centralized place where ini-like configurations are stored.
    People do not realize that the true brain of the W-OS is the register. In Windows 95 and previous versions the Windows register did have a secondary role to play, as older Windows versions were "ini" config based, so without explicit config-based commands the OS was brain-dead.
    However, in later generations of the W-OS the register did become dynamic and can adapt to the system and the user profile by adding, removing, enabling and disabling keys to suit the current overall system config, and semi-adapt on its own without being subject to the Windows authority system, as this finds its origin, brain-wise and config-wise, directly in the WR itself. Out of all the Windows functions the Windows register is the only part that does not fall under Windows protection policies; in fact it dictates how Windows should apply its very routines and security.
    So one could say that the W-OS is the main authority on a system, but the true authority behind the scenes is the Windows register.
    Control the WR = control Windows, and if Windows itself would control the WR it would crash and become brain-dead.
    That being said, the importance of the register goes way beyond what is described in your fine article.

    I have a bit of difficulty explaining what I mean, as it's hard to write it in English, but I hope you understand what I am trying to explain.

    Cheers
     
  9. Ved

    Ved New Member

    Informative :)
     
  10. sid_16

    sid_16 Level 18

    Interesting and very informative.
     
  11. jackuars

    jackuars Level 21

    #11 jackuars, Aug 8, 2014
    Last edited: Aug 8, 2014
  12. Aura

    Aura Level 20

    I don't know why people never admit that they copy/pasted a tutorial or don't post the source they copy/pasted it from. It takes 15 seconds to find out if a tutorial is copy/pasted or not, and it just makes you look bad.

    But it's a really nice tutorial, indeed.
     
  13. Shuji vax

    Shuji vax New Member

    Clear explanation. I understand now. :):)
     
  14. akshay1189

    akshay1189 Level 3

    Information
     
  15. Witchsmeller Pursuivant

    I learned a lot! Thank you.
     
  16. Behold Eck

    Behold Eck Level 9

    A somewhat less detailed explanation would be that the registry is akin to the backbone of a human, so best not to mess with it.

    Great detailed explanation, by the way.

    Regards Eck:)
     
  17. Ali80

    Ali80 New Member

    Very well explained, very good work ;)
     
  18. c4ndym4n

    c4ndym4n Level 1

    Wow, good guide, but this is a mess!! This morning I watched some tuts about this and I'm gonna test it ASAP. Thanx!
     
  19. Winter Soldier

    Winter Soldier Level 25

    Thanks for sharing :)
    Considering that the Windows Registry isn't fully documented, this is a very interesting resource you've provided.
     