Windows 7 is designed in such a way that direct
registry edits by end users are generally unnecessary. When you change
some detail about your system's configuration using Control Panel,
Control Panel writes the necessary updates to the registry for you, and
you needn't be concerned with
how it happens. When you install a new piece of hardware or a new
program, a myriad of registry modifications take place; again, you don't
need to know the details. On the other hand, because the designers of
Windows couldn't provide a user interface for every conceivable
customization you might want to make, sometimes working directly with
the registry is the only way to get a job done. And sometimes, even
when it's not the only way, it might be the fastest way. Windows
includes a registry editor that you should know how to use—safely. This
section tells you how.
1. Understanding the Structure of the Registry
Before you begin browsing or editing the registry, it's good to know a bit about how this database is built. Figure 1
shows a portion of a system's registry, as seen through Registry
Editor, the registry editor supplied with Windows 7. As shown in the
figure, the registry consists of the following five root keys:
HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS,
and HKEY_CURRENT_CONFIG. For simplicity's sake and typographical
convenience, this book, like many others, abbreviates the root key names
as HKCR, HKCU, HKLM, HKU, and HKCC, respectively.
Root keys, sometimes called predefined keys, contain subkeys. Registry Editor displays this structure as an outline. In Figure 1,
for example, HKCU has been opened to show the top-level subkeys:
AppEvents, Console, Control Panel, Environment, EUDC, Identities,
Keyboard Layout, Network, Printers, Software, System, and Volatile
Environment. A root key and its subkeys can be described as a path, like
this: HKCU\Console. Root keys and their subkeys appear in the left pane
in Registry Editor.
Note:
The registry
is the work of many hands, and capitalization and word spacing are not
always consistent. With readability as our goal, we have made our own
capitalization decisions for this book, and our treatment of names
frequently differs from what you see in Registry Editor. No matter.
Capitalization is irrelevant. Spelling and spacing must be correct,
however.
Subkeys, which we call keys for short, can contain subkeys of their own. Whether they do or not, they always contain at least one value. In Registry Editor, that obligatory value is known as the default value. Many keys have additional values. The names, data types, and data associated with values appear in the right pane. As Figure 22-19 shows, the HKCU\Console key has many values—ColorTable00, ColorTable01, and so on.
The default value
for many keys—including HKCU\Console—is not defined. You can therefore
think of an empty default value as a placeholder—a slot that could hold
data but currently does not.
All values other than the default always include the following three components: name, data type, and data. As Figure 1
shows, the ColorTable00 value of HKCU\Console is of data type
REG_DWORD. The data associated with this value (on the system used for
this figure) is 0x00000000. (The prefix 0x denotes a hexadecimal value. Registry Editor displays the decimal equivalent of hexadecimal values in parentheses after the value.)
A key with all its subkeys and values is commonly called a hive.
The registry is stored on disk as several separate hive files. The
appropriate hive files are read into memory when the operating system
starts (or when a new user logs on) and assembled into the registry. You
can see where the hives of your system physically live by examining the values associated with HKLM\System\CurrentControlSet\Control\HiveList. Figure 2 shows the HiveList key for one of the systems used for this book.
Notice that one
hive, \Registry\Machine\Hardware, has no associated disk file. This
hive, which records your hardware configuration, is completely volatile;
that is, Windows 7 creates it anew each time you turn your system on.
Notice also the path specifications for the remaining hive files.
Windows assigns drive letters after assembling the registry, so these
paths do not specify drive letters.
Two predefined keys—HKCR and HKCU—are
not shown in the HiveList key at all. Like the file system in
Windows—which uses junctions, symlinks, and other trickery to display a
virtual namespace—the registry uses a bit of misdirection (implemented
with the REG_LINK data type) to create these keys. Both are
representations of keys actually stored within HKLM and HKU:
You can view or edit the registry's actual locations or its virtual keys; the results are identical. The HKCR and HKCU keys are generally more convenient to use.
2. Registry Data Types
The registry uses the following data types:
REG_SZ The SZ indicates a zero-terminated string. This is a variable-length string that can contain Unicode as well as ANSI characters. When you enter or edit a REG_SZ value, Registry Editor terminates the value with a 00 byte for you.
REG_BINARY The REG_BINARY type contains binary data—0s and 1s.
REG_DWORD This data type is a "double word"—that is, a 32-bit numeric value. Although it can hold any integer from 0 to 2^32, the registry often uses it for simple Boolean values (0 or 1) because the registry lacks a Boolean data type.
REG_QWORD This data type is a "quadruple word"—a 64-bit numeric value.
REG_MULTI_SZ This data type contains a group of zero-terminated strings assigned to a single value.
REG_EXPAND_SZ This data type is a zero-terminated string containing an unexpanded reference to an environment variable, such as %SystemRoot%. If you need to create a key containing a variable name, use this data type, not REG_SZ.
Internally, the registry
also uses REG_LINK, REG_FULL_RESOURCE_DESCRIPTOR, REG_RESOURCE_LIST,
REG_RESOURCE_REQUIREMENTS_LIST, and REG_NONE data types. Although you
might occasionally see references in technical documentation to these
data types, they're not visible or accessible in Registry Editor.
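To check which of these types a value actually has, and whether a string is stored with an unexpanded variable reference, the following added example (not from the book) lists a key's values with their REG_* type and stored data. Get-RegValueDetail is a hypothetical helper name, and HKCU\Console is used only because it is the key discussed above.

```powershell
# Added example: list a key's values as name, REG_* type, and data.
# Get-RegValueDetail is a hypothetical helper name, not a built-in cmdlet.
function Get-RegValueDetail {
    param([string]$Path = 'HKCU:\Console')

    # .NET RegistryValueKind names mapped to the REG_* names used in the text.
    $regType = @{
        String = 'REG_SZ';    ExpandString = 'REG_EXPAND_SZ'; Binary = 'REG_BINARY'
        DWord  = 'REG_DWORD'; QWord = 'REG_QWORD';            MultiString = 'REG_MULTI_SZ'
    }
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop

    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name).ToString()
        $raw  = $key.GetValue($name, $null, $noExpand)   # data exactly as stored
        $data = switch ($kind) {
            # .NET returns signed integers; reinterpret them as unsigned for the decimal form.
            'DWord' { '0x{0:x8} ({1})' -f $raw, [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$raw), 0) }
            'QWord' { '0x{0:x16} ({1})' -f $raw, [BitConverter]::ToUInt64([BitConverter]::GetBytes([long]$raw), 0) }
            'Binary' { ($raw | ForEach-Object { '{0:x2}' -f $_ }) -join ' ' }
            'MultiString' { $raw -join ' | ' }
            # Show the stored reference and what a reader that expands it would get.
            'ExpandString' { '{0}  =>  {1}' -f $raw, [Environment]::ExpandEnvironmentVariables($raw) }
            default { "$raw" }
        }
        $type = $regType[$kind]
        if (-not $type) { $type = $kind }          # types outside the table above
        $shown = $name
        if ($name -eq '') { $shown = '(Default)' } # the default value has an empty name
        New-Object PSObject -Property @{ Name = $shown; Type = $type; Data = $data }
    }
}

Get-RegValueDetail -Path 'HKCU:\Console' | Format-Table Name, Type, Data -AutoSize
```

A path stored as REG_SZ that contains %SystemRoot% shows up here with type REG_SZ and no expansion, which is the mistake the REG_EXPAND_SZ entry above warns against.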
3. Registry Virtualization
One of the key elements of
security in Windows 7 is that it prevents applications running under a
standard user's token from writing to system folders in the file system
and to machine-wide keys in the registry, while at the same time
enabling users with a standard account to run applications without
running into "access denied" roadblocks. Many applications that require
administrator-level access are still in use in Windows 7, but standard
users can run them without hassle. That's because in Windows 7, UAC uses
registry virtualization to redirect attempts to write to subkeys of HKLM\Software. (Settings in HKLM apply to all users of the computer, and therefore
only administrators have write permission.) When an application
attempts to write to this hive, Windows writes instead to a per-user
location, HKCR\VirtualStore\Machine\Software.
Like file virtualization, this is done transparently; the application
(and all but the most curious users) never know this is going on behind
the scenes.
Note:
When an application
requests information from HKLM\Software, Windows looks first in the
virtualized key if it exists. Therefore, if a value exists in both the
VirtualStore hive and in HKLM, the application sees only the one in
VirtualStore.
Note that, because the
virtualized data is stored in a per-user section of the registry,
settings made by one user do not affect other users. Running the same
application in Windows XP, which doesn't use virtualization and
therefore looks only at the actual HKLM hive, presents all users with
the same settings. This can lead to confusion among users who are
accustomed to sharing an application in Windows XP and find that it
works differently in Windows 7.
The hive that stores virtualized registry data, HKCR\VirtualStore\Machine\Software, can also be found in HKU\sid_Classes\VirtualStore\Machine\Software, where sid
is the security identifier of the user who is currently logged on. If
you want to make sure that a certain application works identically for a
different user, you can copy that application's subkey to the
corresponding HKU subkey for the other user.
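Because a value in VirtualStore hides the HKLM value of the same name from the virtualized application, it is worth auditing what each user's VirtualStore contains. The following added example (not from the book) walks HKU\sid_Classes\VirtualStore\Machine\Software for every loaded user hive and compares each value with its counterpart in HKLM\Software; Get-VirtualStoreShadow and the status labels are hypothetical names.

```powershell
# Added example: report VirtualStore values that shadow HKLM\Software.
# Get-VirtualStoreShadow is a hypothetical helper name, not a built-in cmdlet.
function Get-VirtualStoreShadow {
    param(
        [string]$UsersRoot   = 'Registry::HKEY_USERS',
        [string]$MachineRoot = 'Registry::HKEY_LOCAL_MACHINE\Software'
    )
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    # Each loaded user hive appears under HKU as <sid> and <sid>_Classes.
    Get-ChildItem -Path $UsersRoot -ErrorAction SilentlyContinue |
      Where-Object { $_.PSChildName -like '*_Classes' } |
      ForEach-Object {
        $sid   = $_.PSChildName -replace '_Classes$', ''
        $vroot = "$($_.PSPath)\VirtualStore\Machine\Software"
        if (-not (Test-Path -LiteralPath $vroot)) { return }   # nothing virtualized
        $top  = Get-Item -LiteralPath $vroot
        $keys = @($top) + @(Get-ChildItem -LiteralPath $vroot -Recurse -ErrorAction SilentlyContinue)
        foreach ($vkey in $keys) {
            # Path below ...\Machine\Software, used to locate the real HKLM key.
            $rel      = $vkey.Name.Substring($top.Name.Length).TrimStart('\')
            $realPath = ("$MachineRoot\$rel").TrimEnd('\')
            $realKey  = Get-Item -LiteralPath $realPath -ErrorAction SilentlyContinue
            foreach ($name in $vkey.GetValueNames()) {
                $vData  = $vkey.GetValue($name, $null, $noExpand)
                $rData  = $null
                $status = 'OnlyInVirtualStore'
                if ($realKey -and ($realKey.GetValueNames() -contains $name)) {
                    $rData = $realKey.GetValue($name, $null, $noExpand)
                    # Join so multi-string and binary data compare element by element.
                    if (($vData -join "`0") -ceq ($rData -join "`0")) { $status = 'SameAsHKLM' }
                    else { $status = 'DiffersFromHKLM' }
                }
                New-Object PSObject -Property @{
                    Sid = $sid; Key = $rel; Value = $name; Status = $status
                    VirtualData = $vData; MachineData = $rData
                }
            }
        }
      }
}

Get-VirtualStoreShadow | Where-Object { $_.Status -ne 'SameAsHKLM' } |
    Format-Table Sid, Key, Value, Status -AutoSize
```

Only the hives of users who are currently logged on are loaded under HKU, and reading another user's hive requires an elevated prompt.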
4. Avoiding Registry Mishaps
The primary tool in
Windows 7 for working directly with the registry is Registry Editor. You
won't find it anywhere on the Start menu, however, and it doesn't show
up in the Start menu search box when you type its name; you must use the
name of its executable file, Regedit.exe. To start Registry Editor, at a
command prompt, type regedit.
The two most
important things to know about Registry Editor are that it copies your
changes immediately into the registry and that it has no Undo command.
Registry Editor doesn't wait for
you to issue a File, Save command (it has no such command) before
making changes in the registry files. And after you have altered some
bit of registry data, the original data is gone forever—unless you remember it and restore it yourself or unless you have some form of
backup that you can restore. Registry Editor is therefore a tool to be
used sparingly and soberly; it should not be left open when not in use.
So that you can recover
from ill-advised edits to the registry, before you make any changes you
should back up the registry using one or both of these methods: