Working with the
Windows Registry
Computer Club of the Sandhills
November 12, 2012
Registry Definition
► The
registry was developed to overcome the
restrictions of the INI and REG.DAT files.
► The registry is composed of two pieces of
information:
 System-Wide Information – This is data about software
and hardware settings. This information tends to be
apply to all users of the computer.
 User Specific Information – This is data about an
individual configuration. This information is specific to a
user’s profile.
Registry Definition
►
The Microsoft Computer Dictionary defines the registry as:
 A central hierarchical database used in the Microsoft Windows
family of Operating Systems to store information necessary to
configure the system for one or more users, applications and
hardware devices.
 The registry contains information that Windows continually
references during operation, such as profiles for each user, the
applications installed on the computer and the types of documents
that each can crate, property sheet settings for folders and
application icons, what hardware exists on the system and the ports
that are being used.
Details
► The
registry is a database that is used by all
windows operating systems that followed Win95.
► The registry is used by the Windows OS to store
hardware and software configuration information,
user preferences and setup information.
► A healthy registry is essential for proper windows
performance and function, this is why the registry
is usually attacked by viruses and other malicious
software.
Registry vs. File System
► The
registry is analogous to a file system.
File system:
 Folders
 Files
Registry:
 Keys
 Keys have inside them either other keys or name/value
pairs which correspond to object name and content.
Registry Content
The registry holds critical information about the system,
the users of the system, and installed applications:
►








Operating System version number, build number, and registered
user.
Information for every properly installed application,
Information about the computer’s processor type and system
memory.
User-specific information (home directory, app. preferences)
Security information such as user account names.
Installed services
Mapping from file names to programs/executables.
Mapping network addressees to host machine names.
Registry contents: Security
Information the registry includes:








System Configuration
Devices on the System
User Names
Personal Settings and Browser Preferences
Web Browsing Activity
Files Opened
Programs Executed
Passwords
Windows 9x Registry
Filename
Location
Content
system.dat
C:\Windows
Protected storage
area for all users
All installed
programs and their
settings
System settings
user.dat
C:\Windows
Most Recently Used
(MRU) files
User preference
settings
If there are multiple user
profiles, each user has an
individual user.dat file in
windows\profiles\user
account
Modern Windows Registry
Filename
ntuser.dat
Location
Content
\Documents and
Settings\user account
Protected storage area
for user
Most Recently Used
(MRU) files
User preference settings
Default
\Windows\system32\config
System settings
SAM
\Windows\system32\config
User account
management and security
settings
Security
\Windows\system32\config
Security settings
Software
\Windows\system32\config
All installed programs and
their settings
System
\Windows\system32\config
System settings
If there are multiple user
profiles, each user has an
individual user.dat file in
windows\profiles\user
account
Windows Security and Relative ID
► The
Windows Registry utilizes a alphanumeric
combination to uniquely identify a security
principal or security group.
► The Security ID (SID) is used to identify the
computer system.
► The Relative ID (RID) is used to identity the
specific user on the computer system.
► The SID appears as:
 S-1-5-21-927890586-3685698554-67682326-1005
Registry Structure
Registry Structure
►
Registry has five top level branches or Hives:
 HKEY_CLASSES_ROOT
► COM
server info, file associations, shortcuts
 HKEY_CURRENT-USER
► Logged
in user name, desktop, start menu
 HKEY_LOCAL_MACHINE
► Hardware,
software, preferences for all users
 HKEY_USERS
► Individual
(SID)
preferences for each user, represented by Security ID
 HKEY_CURRENT_CONFIG
► Links
to part of HKEY_LOCAL_MACHINE for current hardware
 HKEY_DYN_DATA
► Links
to part of HKEY_LOCAL_MACHINE for PlugAndPlay
Registry Value Types
► REG_BINARY
 Raw binary data
► REG_DWORD
 32 bit integers – often representing bools
► REG_SZ
 string
► REG_EXPAND_SZ
 Expandable string
► REG_MULTI_SZ
 Container for null separated strings
Exporting and Importing
► In
RegEdit select a key
► File Export
► Provide filespec info in resulting save dialog
Using Regedit
Using CCleaner
http://www.piriform.com/ccleaner