Windows registry


The Windows registry is a hierarchical data store that holds low-level settings for the Microsoft Windows operating system and for applications that opt to use it.

The Microsoft Windows kernel, device drivers, services, Security Account Manager (SAM), and user interface can all use the Windows registry.
The Windows registry also allows access to counters for profiling system performance.

Keys and values

The Windows registry contains two basic elements:
  • keys are container objects similar to folders.
  • values are non-container objects similar to files.
Keys may contain values and subkeys. Keys are referenced with a syntax similar to Microsoft Windows' file system path names, using backslashes to indicate levels of hierarchy. Key names are case-insensitive and must not contain backslashes.

The hierarchy of registry keys can only be accessed from a known root key handle (which is anonymous but whose effective value is a constant numeric handle) that is mapped to the content of a registry key preloaded by the kernel from a stored "hive", or to the content of a subkey within another root key, or mapped to a registered service or DLL that provides access to its contained subkeys and values.

There are seven predefined root keys, traditionally named according to their constant handles defined in the Win32 API, or by synonymous abbreviations (depending on the application):

  • HKEY_CURRENT_CONFIG (HKCC), hive files: System, System.alt, System.log, System.sav
  • HKEY_CURRENT_USER (HKCU), hive files: Ntuser.dat, Ntuser.dat.log
  • HKEY_LOCAL_MACHINE\Security (HKLM), hive files: Security, Security.log, Security.sav
  • HKEY_LOCAL_MACHINE\Software (HKLM), hive files: Software, Software.log, Software.sav
  • HKEY_LOCAL_MACHINE\System (HKLM), hive files: System, System.alt, System.log, System.sav
  • HKEY_CLASSES_ROOT (HKCR) contains information about registered applications, such as file associations and OLE Object Class IDs, tying them to the applications used to handle these items.
  • HKEY_USERS (HKU) contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user actively loaded on the machine; user hives are usually only loaded for currently logged-in users.
  • HKEY_USERS\.DEFAULT (HKU), hive files: Default, Default.log, Default.sav
  • HKEY_PERFORMANCE_DATA (only in Windows Server NT, but invisible in the Windows Registry Editor)
  • HKEY_DYN_DATA (only in Windows 95, Windows 98, Windows ME, and visible in the Windows Registry Editor)
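
When registry paths from logs or detection rules are compared, the abbreviations and case-insensitive key names described above mean the same key can be written many ways. The following Python code is an added example, not part of the original page: it normalises a key path and maps it to the primary hive file from the list above. The function names are hypothetical, and `str.upper()` only approximates Windows' own case mapping.

```python
# Root-key abbreviations and hive files as given in the list on this page.
ABBREVIATIONS = {
    "HKCC": "HKEY_CURRENT_CONFIG", "HKCU": "HKEY_CURRENT_USER",
    "HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
}
ROOT_KEYS = set(ABBREVIATIONS.values()) | {"HKEY_PERFORMANCE_DATA", "HKEY_DYN_DATA"}

# (root key, first subkey or None) -> primary hive file from the list.
HIVE_FILES = {
    ("HKEY_CURRENT_CONFIG", None): "System",
    ("HKEY_CURRENT_USER", None): "Ntuser.dat",
    ("HKEY_LOCAL_MACHINE", "SECURITY"): "Security",
    ("HKEY_LOCAL_MACHINE", "SOFTWARE"): "Software",
    ("HKEY_LOCAL_MACHINE", "SYSTEM"): "System",
    ("HKEY_USERS", ".DEFAULT"): "Default",
}


def parse_key_path(path):
    """Split a key path into (full root key name, [subkey names])."""
    # Backslashes separate levels; empty parts (trailing "\") are ignored.
    parts = [p for p in path.strip().split("\\") if p]
    if not parts:
        raise ValueError("empty registry path")
    root = ABBREVIATIONS.get(parts[0].upper(), parts[0].upper())
    if root not in ROOT_KEYS:
        raise ValueError(f"unknown root key: {parts[0]}")
    return root, parts[1:]


def same_key(a, b):
    """True if two paths name the same key (names are case-insensitive)."""
    root_a, sub_a = parse_key_path(a)
    root_b, sub_b = parse_key_path(b)
    return root_a == root_b and [s.upper() for s in sub_a] == [s.upper() for s in sub_b]


def hive_file(path):
    """Return the hive file listed for this key, or None if none is listed."""
    root, subkeys = parse_key_path(path)
    first = subkeys[0].upper() if subkeys else None
    # Prefer the more specific (root, subkey) entry over the root-only one.
    for key in ((root, first), (root, None)):
        if key in HIVE_FILES:
            return HIVE_FILES[key]
    return None
```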
