Windows Registry - What is it?
<blockquote data-quote="BoraMurdar" data-source="post: 226904" data-attributes="member: 2291"><p><span style="font-size: 18px"><strong>What is the Windows Registry?</strong></span></p><p><span style="font-size: 12px"><strong>The complete registry only exists in memory</strong></span></p><p>The registry is commonly described as a hierarchical database. But you may not have realized two important facts:</p><p></p><ol> <li data-xf-list-type="ol">The registry database is only ever complete when loaded into your computer's memory.</li> <li data-xf-list-type="ol">The registry is the sum of two parts: the data and the processes that create it and provide access to it.</li> </ol><p><strong>Diagram 1 - Windows assembles the registry in memory</strong></p><p><img src="http://www.techsupportalert.com/files/images/Registry-load-510x195.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p>In other words, the registry hive files stored on your disk are not the complete registry. The complete registry is created during the startup process and assembled in memory.</p><p></p><p>This is so important that I'll repeat it. At the heart of the registry is a database that exists in two main forms:</p><p></p><ul> <li data-xf-list-type="ul">Some registry hives are stored on disk even when Windows is not running.</li> <li data-xf-list-type="ul">All the registry hive structures only exist in memory. This includes a set of volatile hives that only exist when Windows is running.</li> </ul><p><span style="font-size: 12px"><strong>The registry can only be accessed through the Registry Configuration Manager</strong></span></p><p>The other Windows components that allow the registry data to be accessed are in the Windows kernel. The Registry Configuration Manager is the most dedicated, but other kernel components like the Object Manager provide further essential capabilities. These are discussed in more detail in How is the registry managed? 
but here's a preview so you can picture it.</p><p></p><p><strong>Diagram 2 - Windows kernel components provide access to the registry</strong></p><p><img src="http://www.techsupportalert.com/files/images/Registry-CM-simple-305x488.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>What this means is that when your computer is turned off the registry does not exist, even though most of the registry data is stored on disk.</p><p></p><p><span style="font-size: 12px"><strong>The beehive references started as a joke</strong></span></p><p>In reading about the registry you may have noticed the references to hives, bees and cells. They are a long-running joke. Apparently, one of the developers hated bees and another developer took the opportunity to introduce many references to bees. It is also relevant that the registry database is indexed using binary trees or B-trees (pronounced "Bee-trees"). That's why the primary database structures are called hives.</p><p></p><p>You can see the registry database structure by running the registry editor, RegEdit. It shows one hierarchical tree, but the Windows registry is not one big database file. The primary data structure is the hive, of which there are several. Each hive is identified by a root key which provides access to all sub-keys in the tree up to 512 levels deep.</p><p></p><p><span style="font-size: 12px"><strong>Each hive has a root key</strong></span></p><p>There are six pre-defined root keys which are used to access all other keys or sub-keys. In other words, the binary tree is traversed from the root downwards. So new keys are added through these root keys and all existing keys have to be found through the root keys. One disadvantage of this approach is that a problem with a higher key may prevent access to lower keys. 
In practice this does not occur very often.</p><p></p><p>The following table lists the root keys with the abbreviations that will be used in the remainder of this article.</p><p></p><p><strong>Table 1 - Registry root keys</strong></p><table><tr><th>Abbreviation</th><th>Root key</th><th>Contents</th></tr><tr><td>HKCC</td><td>HKEY_CURRENT_CONFIG</td><td><strong>Current hardware</strong></td></tr><tr><td>HKCR</td><td>HKEY_CLASSES_ROOT</td><td><strong>Classes (types) of documents and registered applications</strong></td></tr><tr><td>HKCU</td><td>HKEY_CURRENT_USER</td><td><strong>Current logged-on user</strong></td></tr><tr><td>HKLM</td><td>HKEY_LOCAL_MACHINE</td><td><strong>The system hardware, software and security</strong></td></tr><tr><td>HKPD</td><td>HKEY_PERFORMANCE_DATA</td><td><strong>Performance data</strong></td></tr><tr><td>HKU</td><td>HKEY_USERS</td><td><strong>User profiles</strong></td></tr></table><p></p><p><em>There are six main branches, each containing a specific portion of the information stored in the Registry. They are as follows:</em></p><ul> <li data-xf-list-type="ul"><em><strong>HKEY_CLASSES_ROOT</strong> - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.</em></li> <li data-xf-list-type="ul"><em><strong>HKEY_CURRENT_USER</strong> - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.</em></li> <li data-xf-list-type="ul"><em><strong>HKEY_LOCAL_MACHINE</strong> - This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC; this information is used for all users who log onto this computer.</em></li> <li data-xf-list-type="ul"><em><strong>HKEY_USERS</strong> - This branch contains individual preferences for each user of the computer; each user is represented by a SID sub-key located under the main branch.</em></li> <li data-xf-list-type="ul"><em><strong>HKEY_CURRENT_CONFIG</strong> - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.</em></li> <li data-xf-list-type="ul"><em><strong>HKEY_DYN_DATA</strong> - This branch points to the part of HKEY_LOCAL_MACHINE used with the Plug-&amp;-Play features of Windows; this section is dynamic and will change as devices are added and removed from the system.</em></li> </ul><p><em>Each registry value is stored as one of five main data types:</em></p><ul> <li data-xf-list-type="ul"><em><strong>REG_BINARY</strong> - This type stores the value as raw binary data. Most hardware component information is stored as binary data, and can be displayed in an editor in hexadecimal format.</em></li> <li data-xf-list-type="ul"><em><strong>REG_DWORD</strong> - This type represents the data by a four-byte number and is commonly used for boolean values, such as "0" is disabled and "1" is enabled. Additionally, many parameters for device drivers and services are this type, and can be displayed in REGEDT32 in binary, hexadecimal and decimal format, or in REGEDIT in hexadecimal and decimal format.</em></li> <li data-xf-list-type="ul"><em><strong>REG_EXPAND_SZ</strong> - This type is an expandable data string, that is, a string containing a variable to be replaced when called by an application. For example, in such a value the string "%SystemRoot%" will be replaced by the actual location of the directory containing the Windows NT system files. (This type is only available using an advanced registry editor such as REGEDT32.)</em></li> <li data-xf-list-type="ul"><em><strong>REG_MULTI_SZ</strong> - This type is a multiple string used to represent values that contain lists or multiple values; each entry is separated by a NULL character. 
(This type is only available using an advanced registry editor such as REGEDT32)</em></li> <li data-xf-list-type="ul"><em><strong>REG_SZ</strong> - This type is a standard string, used to represent human readable text values.</em></li> </ul><p><em>Other data types not available through the standard registry editors include:</em></p><ul> <li data-xf-list-type="ul"><em><strong>REG_DWORD_LITTLE_ENDIAN</strong> - A 32-bit number in little-endian format.</em></li> <li data-xf-list-type="ul"><em><strong>REG_DWORD_BIG_ENDIAN </strong>- A 32-bit number in big-endian format.</em></li> <li data-xf-list-type="ul"><em><strong>REG_LINK</strong> - A Unicode symbolic link. Used internally; applications should not use this type.</em></li> <li data-xf-list-type="ul"><em><strong>REG_NONE</strong> - No defined value type.</em></li> <li data-xf-list-type="ul"><em><strong>REG_QWORD</strong> - A 64-bit number.</em></li> <li data-xf-list-type="ul"><em><strong>REG_QWORD_LITTLE_ENDIAN </strong>- A 64-bit number in little-endian format.</em></li> <li data-xf-list-type="ul"><em><strong>REG_RESOURCE_LIST</strong> - A device-driver resource list.</em></li> </ul><p></p><p></p><p><span style="font-size: 12px"><strong>Registry HKEYS are handle keys used to access the registry objects</strong></span></p><p><span style="font-size: 12px"></span></p><p>As shown in Diagram 2, programs gain access to the registry by using the Registry Application Programming Interface (API) which provides a standard set of functions for the Windows sub-systems and application programs to access and update the Registry. This is how the Registry editor (RegEdit) and other utilities work. When a program uses the API to access the registry the Windows Object Manager will return a handle for the object identified by a key. That is why the "HKEY" in the root keys means "handle key".</p><p></p><p>Although the handles are valid in any registry they can be used differently in different versions of Windows. 
Also, some registry handles are not provided from the registry hives. HKPD, for example, is diverted by the API to the Windows performance management sub-systems. That is why you cannot find HKEY_PERFORMANCE_DATA when you use the Registry editor.</p><p></p><p><span style="font-size: 12px"><strong>The registry structure is like a file storage structure</strong></span></p><p>You may find it easier to relate to the registry terminology by referring to tree formats or file storage. The analogy of files is particularly apt because Windows used to be configured from .INI files. More particularly, the keys themselves use file-naming conventions. This is a handy feature because Windows can manage registry objects just like file objects. Registry hives have symbolic links, which are like virtual path mappings in a file system. Registry subkeys also have owners and permissions just like directories and folders.</p><p></p><p><strong>Table 2 - Relating to Registry terminology</strong></p><table><tr><th>Registry</th><th>Tree</th><th><strong>File-system</strong></th></tr><tr><td>Hive</td><td>Tree</td><td><strong>File-system</strong></td></tr><tr><td>Key</td><td>Node</td><td><strong>Directory or folder</strong></td></tr><tr><td>Subkey</td><td>Subnode</td><td><strong>Subdirectory or subfolder</strong></td></tr><tr><td>Value</td><td>Key</td><td><strong>File</strong></td></tr><tr><td>Data</td><td>Value</td><td><strong>File content</strong></td></tr></table><p>Note that a key can contain subkeys or values. A subkey can have another subkey, so key and subkey are usually interchangeable in the same way as directory and subdirectory or folder and subfolder. A key with no value can still store data in what is called the default value.</p><p></p><p>You might have noticed that I haven't explained what cells are here. I mentioned them when discussing hives and bees. The reason that they aren't here is that cells are part of the in-memory structure for the hives and are not visible anywhere outside the kernel. 
They will only be explained if I add a section on the internal workings of the Registry Configuration Manager.</p><p></p><p><span style="font-size: 12px"><strong>The registry is kernel-based for speed</strong></span></p><p>The registry is an integral part of Windows, so it is based in the Windows kernel for the best performance and access to the most important components of Windows.</p><p></p><p><span style="font-size: 12px"><strong>The registry is designed to save space</strong></span></p><p>The registry stores configuration settings in a hierarchy to minimise the size of the registry. System-wide settings are used first, then the user settings are added on top. This means that the user settings only have to store those settings that differ from the default. The user settings then supersede the equivalent system-wide settings.</p><p></p><p>The same applies for programs and hardware. Programs normally have settings for the system, e.g. installed components, and settings for each user, e.g. recently-opened files. Likewise, multiple hardware profiles can be used.</p><p></p><p>Another advantage of only storing differences from the system or default settings is that different users can easily use the same computer with the same system configuration. They only need the settings in their profile to customize the system to suit them.</p><p></p><p>The minimized size of the user settings also makes it easier to transmit those settings when you are roaming and log onto a different computer on the same local area network (LAN) or wide area network (WAN).</p><p></p><p><strong>Diagram 3 - User settings override system-wide settings</strong></p><p><strong>Specific differences</strong></p><ul> <li data-xf-list-type="ul">User-specific differences, e.g. HKCU\<em>User SID</em></li> <li data-xf-list-type="ul">System-specific differences, e.g. HKCU\Software\Classes</li> </ul><p><strong>Defaults</strong></p><ul> <li data-xf-list-type="ul">User defaults, e.g. HKU\.default</li> <li data-xf-list-type="ul">System-wide defaults, e.g. HKLM\Software\Classes</li> </ul><p></p><p>Diagram 3 is oversimplified. Just remember that the differences usually override the default settings. An example of a system-wide default is the user profile defaults found in HKU\.default, which are superseded by per-user settings in HKCU\<em>user account SID</em>.</p><p></p><p><span style="font-size: 12px"><strong>Some of the registry complexity is to maintain backward compatibility</strong></span></p><p>Originally Windows 3.1 only had the REG.DAT file. Windows 95 to ME and NT had SYSTEM.DAT and USER.DAT. Every major release of Windows introduces further complexity to the files and the internal structure. So some hives are retained purely for backwards compatibility. This leaves us with three main categories of hive:</p><p></p><ul> <li data-xf-list-type="ul">Windows 9x (and 3.1) software classes to maintain compatibility with 16-bit applications, OLE and the Component Object Model (COM) for developing applications.</li> <li data-xf-list-type="ul">Windows 2000 has Standard hives which are maintained to allow users to roam with a standard configuration. Windows 2000 largely moved to the current registry files.</li> <li data-xf-list-type="ul">Windows latest versions.</li> </ul><p>Further complicating this are other major changes:</p><p></p><ul> <li data-xf-list-type="ul">The emulation of Windows 32-bit on Windows 64 (WOW64) to allow 32-bit and 64-bit registry entries to coexist in the registry.</li> <li data-xf-list-type="ul">The introduction of the .NET Framework and web-based software, which is superseding the old COM framework.</li> </ul><p></p><p></p><p><span style="font-size: 18px"><strong>How does Windows startup use the registry?</strong></span></p><p><span style="font-size: 15px">The first steps of startup are designed to determine the configuration needed to load Windows. But initially the Windows Kernel and the registry are not loaded. 
So the Boot Configuration Data (BCD) is loaded from its file. Once the Windows Loader is started, the hardware abstraction layer and the kernel image are loaded before the Registry API is available. The System hive is loaded into physical memory to determine the relevant control set to be used to configure Windows properly. The registry is then assembled, and from that point on further startup processes access the registry and make changes. These changes are made whether there are any further changes to the computer configuration or any problems that may develop.</span></p><p><span style="font-size: 15px"></span></p><p><span style="font-size: 15px"><span style="font-size: 12px">User logon</span></span></p><p><span style="font-size: 15px">When a user logs on, Windows loads hives that are specific to that user. These contain settings that differ from the defaults. How does Windows startup use the registry? also provides further details for this.</span></p><p><span style="font-size: 15px"></span></p><p><span style="font-size: 15px"><span style="font-size: 12px">Device driver changes</span></span></p><p><span style="font-size: 15px">When we install (or uninstall) drivers this changes the registry. We may not even notice this happening because new hardware is normally recognized automatically by Plug and Play, so the correct drivers can be loaded without our intervention.</span></p><p><span style="font-size: 15px"></span></p><p><span style="font-size: 15px"><span style="font-size: 12px">Application changes</span></span></p><p><span style="font-size: 15px">Installing or uninstalling applications is a major source of changes after the initial install of Windows. 
This almost always involves user intervention.</span></p><p><span style="font-size: 15px"></span></p><p><span style="font-size: 15px"><span style="font-size: 12px">User interaction primarily with programs</span></span></p><p><span style="font-size: 15px">We also have interactions with our application programs and Windows components. These programs modify the registry in many ways, and the changes can be to system-wide settings as well as user-specific settings.</span></p><p><span style="font-size: 15px"></span></p><p><span style="font-size: 15px">Diagram 6 - The registry is changed by driver and application changes or simply using a program</span></p><p><span style="font-size: 15px"><img src="http://www.techsupportalert.com/files/images/Registry-interact-542x292.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></span></p><p><span style="font-size: 15px"></span></p><p><span style="font-size: 15px">A registry value can store up to 1MB, but a separate file is recommended if it is more than 1 or 2 KB.</span></p><p><span style="font-size: 15px"></span></p><p>The original Windows 3.1 registry was a single-node flat file, REG.DAT. The System registry hive was introduced for Windows 95.</p><p></p><p><span style="font-size: 15px"><strong>Registry size limits</strong></span></p><table><tr><th>Windows version</th><th>Registry size limit</th></tr><tr><td>Windows 3.1</td><td>16KB</td></tr><tr><td>Windows 9x</td><td>n/a</td></tr><tr><td>Windows ME</td><td>16MB</td></tr><tr><td>Windows NT 4</td><td>~154MB</td></tr><tr><td>Windows 2000</td><td>~296MB; ~80% of the paged pool; 12MB</td></tr><tr><td>Windows XP</td><td>~376MB; ~80% of the paged pool; 200MB</td></tr><tr><td>Windows Vista, 7, 8</td><td>2GB; ~half physical memory<sup>1</sup>; ~75% of the paged pool; 400MB x86, 1.5GB x64; ~half physical memory</td></tr></table><p><span style="font-size: 15px"><strong>Normally the entire registry should be loaded into memory. If it is not, then it will be paged to disk and your PC will run noticeably slower.</strong></span></p><p><span style="font-size: 12px"><a href="http://www.techsupportalert.com/content/deeper-windows-registry.htm" target="_blank">Techsupportalert</a></span></p></blockquote><p></p>
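The value data types listed in the post (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, the little- and big-endian DWORD variants, REG_QWORD, REG_BINARY) are what a hive parser or forensic tool has to decode from raw bytes. The following is an added example, not code from the quoted Techsupportalert article or the forum post; it assumes the documented Win32 type numbers and uses constructed sample bytes and a constructed environment map for %SystemRoot% expansion.

```python
"""Decode raw Windows registry value data by its REG_* type (added example)."""
import struct

# Documented Win32 type numbers; the *_LITTLE_ENDIAN aliases share the same value.
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY = 0, 1, 2, 3
REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_QWORD = 4, 5, 6, 7, 11

# Constructed environment for REG_EXPAND_SZ expansion. A hive parser should
# take this from the system the hive came from, not from the analyst's box.
SAMPLE_ENV = {"SystemRoot": "C:\\Windows", "ProgramFiles": "C:\\Program Files"}


def _utf16(data):
    """UTF-16LE decode; an odd trailing byte (seen in hives from crashed
    systems) is dropped instead of aborting the whole parse."""
    if len(data) % 2:
        data = data[:-1]
    return data.decode("utf-16-le", errors="replace")


def decode_sz(data):
    """REG_SZ / REG_LINK: one UTF-16LE string, terminator optional. Text after
    the first NUL is ignored; a sloppy writer may leave junk there."""
    text = _utf16(data)
    nul = text.find("\x00")
    return text if nul < 0 else text[:nul]


def decode_multi_sz(data):
    """REG_MULTI_SZ: NUL-separated strings ending in an extra NUL. Only the
    terminators are stripped; an empty element in the middle is kept."""
    text = _utf16(data)
    while text.endswith("\x00"):
        text = text[:-1]
    return text.split("\x00") if text else []


def expand_sz(data, env):
    """REG_EXPAND_SZ: replace %NAME% from env; unknown names stay verbatim,
    which matches what ExpandEnvironmentStrings does."""
    text = decode_sz(data)
    out, i = [], 0
    while i < len(text):
        if text[i] == "%":
            end = text.find("%", i + 1)
            if end > i + 1 and text[i + 1:end] in env:
                out.append(env[text[i + 1:end]])
                i = end + 1
                continue
        out.append(text[i])
        i += 1
    return "".join(out)


def decode_value(reg_type, data, env=None):
    """Turn (type, raw bytes) into a Python object. Fixed-size types are
    length-checked so a truncated DWORD/QWORD is reported, not misread."""
    if reg_type in (REG_SZ, REG_LINK):
        return decode_sz(data)
    if reg_type == REG_EXPAND_SZ:
        return expand_sz(data, env or {})
    if reg_type == REG_MULTI_SZ:
        return decode_multi_sz(data)
    if reg_type in (REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_QWORD):
        fmt = {REG_DWORD: "<I", REG_DWORD_BIG_ENDIAN: ">I", REG_QWORD: "<Q"}[reg_type]
        if len(data) != struct.calcsize(fmt):
            raise ValueError("type %d needs %d bytes, got %d"
                             % (reg_type, struct.calcsize(fmt), len(data)))
        return struct.unpack(fmt, data)[0]
    if reg_type in (REG_NONE, REG_BINARY):
        return bytes(data)
    raise ValueError("unsupported registry type %d" % reg_type)


# Constructed sample cells, each as (type, raw bytes) the way a hive stores them.
SAMPLES = {
    "Path": (REG_EXPAND_SZ, "%SystemRoot%\\system32\x00".encode("utf-16-le")),
    "Enabled": (REG_DWORD, b"\x01\x00\x00\x00"),
    "EnabledBE": (REG_DWORD_BIG_ENDIAN, b"\x00\x00\x00\x01"),
    "DependOnService": (REG_MULTI_SZ, "RpcSs\x00Tcpip\x00\x00".encode("utf-16-le")),
    "Size": (REG_QWORD, struct.pack("<Q", 2 ** 40)),
    "Blob": (REG_BINARY, b"\xde\xad\xbe\xef"),
}


def decode_samples(env=SAMPLE_ENV):
    """Decode every sample; returns name -> decoded Python value."""
    return {name: decode_value(t, raw, env) for name, (t, raw) in SAMPLES.items()}


if __name__ == "__main__":
    for name, value in decode_samples().items():
        print("%-16s %r" % (name, value))
```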