The registry is organized into a hierarchy of keys, subkeys, and
value entries. The root keys are at the top of the hierarchy and form
the primary branches, or subtrees, of registry information. There are two
physical root keys: HKEY_LOCAL_MACHINE and HKEY_USERS. These physical root keys are associated with
actual files stored on the disk and are divided into additional
logical groupings of registry information. As shown in Table 1, the logical groupings are simply
subsets of information gathered from HKEY_LOCAL_MACHINE and
HKEY_USERS.

Table 1. Registry subtrees

| Subtree | Description |
| --- | --- |
| Physical Subtree | |
| HKEY_LOCAL_MACHINE (HKLM) | Stores all the settings that pertain to the hardware currently installed on the machine. |
| HKEY_USERS (HKU) | Stores user profile data for each user who has previously logged on to the computer locally as well as a default user profile. |
| Logical Subtree | |
| HKEY_CLASSES_ROOT (HKCR) | Stores all file associations and object linking and embedding (OLE) class identifiers. This subtree is built from HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes. |
| HKEY_CURRENT_CONFIG (HKCC) | Stores information about the hardware configuration with which you started the system. This subtree is built from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, which in turn is a pointer to a numbered subkey that has the current hardware profile. |
| HKEY_CURRENT_USER (HKCU) | Stores information about the user currently logged on. This key has a pointer to HKEY_USERS\UserSID, where UserSID is the security identifier for the current user as well as for the default profile discussed previously. |

HKEY_LOCAL_MACHINE, abbreviated as HKLM, contains all the settings that pertain to the
hardware currently installed on a system. It includes settings for
memory, device drivers, installed hardware, and startup.
Applications are supposed to store settings in HKLM only if the
related data pertains to everyone who uses the computer.
As Figure 2 shows, HKLM contains the following major subkeys:
- BCD00000000
- HARDWARE
- SAM
- SECURITY
- SOFTWARE
- SYSTEM

These subkeys are discussed in the sections that
follow.
The HKLM\BCD00000000 key stores information regarding the configuration and
state of the computer’s Boot Configuration Data (BCD). BCD
provides a firmware-independent approach for managing the boot
environment for Windows systems.
The BCD architecture has three main components: stores,
objects, and elements. A store is a top-level
component that establishes the namespace and acts as a container
for BCD objects and elements. There are three general types of BCD
objects:
- Application objects: Describe boot environment objects, such as Windows Boot Manager or Windows Boot Loader.
- Inheritable objects: Act as containers for elements that are shared across multiple object instances.
- Device objects: Act as containers for elements that describe complex devices, such as a RAM disk that was created from a Windows Imaging file.

Application objects have an image type and an application
type associated with them. The image type specifies how the
executable for the application is loaded, such as through the
firmware or by a boot application. The application type specifies
what the application does. The standard application types are listed in Table 2.

Table 2. BCD application types

| Application type | Description |
| --- | --- |
| Boot sector | A 16-bit real-mode application for BIOS-based systems, which can be used to restart the boot process and load a non-Windows operating system. |
| Firmware boot manager | Manages the firmware boot for EFI systems. |
| Ntldr | Loads versions of Windows earlier than Windows Vista on BIOS-based systems. |
| Windows boot loader | Loads a particular version or configuration of Windows. |
| Windows boot manager | Controls boot of the system. In a multi-boot system, displays a boot selection menu to the user. |
| Windows memory tester | An application for performing memory diagnostics. |
| Windows resume application | Restores Windows to its running state when a computer resumes from hibernation. |

Each BCD object has a globally unique identifier (GUID).
For example, the GUID of the Windows resume application is
5824ba7d-acee-11e1-ba52-cfa3fef36259. In the registry, the GUID sets the key path, and each object has a description entry and
associated element entries.
HKLM\HARDWARE stores information about the hardware
configuration for the computer. This key is re-created by the
operating system each time you start Windows Server 2012, and it
exists only in memory, not on disk. To build this key, the
operating system enumerates every device it can find by scanning
the system buses and by searching for specific classes of devices,
such as serial ports, keyboards, and pointer devices.
Under HKLM\HARDWARE, you’ll find four standard subkeys that are dynamically created at startup and
contain the information gathered by the operating system. These
subkeys are as follows:
- ACPI: Contains information about the Advanced Configuration and Power Interface (ACPI), which is a part of system BIOS that supports Plug and Play and advanced power management. This subkey doesn’t exist on non-ACPI-compliant computers.
- DESCRIPTION: Contains hardware descriptions, including those for the system’s central processor, floating-point processor, and multifunction adapters. For portable computers, one of the multifunction devices lists information about the docking state. For any computer with multipurpose chip sets, one of the multifunction devices lists information about the controllers for disks, keyboards, parallel ports, serial ports, and pointer devices. There’s also a catchall category for other controllers, such as when a computer has a PC Card controller.
- DEVICEMAP: Contains information that maps devices to device drivers. You’ll find device mappings for keyboards, pointer devices, parallel ports, Small Computer System Interface (SCSI) ports, serial ports, and video devices. Of particular note is that within the VIDEO subkey is a value entry for the VGA-compatible video device installed on the computer. This device is used when the computer must start in VGA display mode.
- RESOURCEMAP: Contains mappings for the hardware abstraction layer (HAL), for the Plug and Play Manager, and for available system resources. Of particular note is the Plug and Play Manager. It uses this subkey to record information about devices it knows how to handle.

Additional nonstandard subkeys can exist under HKLM\HARDWARE. The subkeys are specific to the
hardware used by the computer.
HKLM\SAM stores the Security Accounts Manager (SAM)
database. When you create local users and groups on
member servers and workstations, the accounts are stored in
HKLM\SAM. This key is also used to store information about
built-in user and group accounts, as well as group membership and
aliases for accounts.
By default, the information stored in HKLM\SAM is
inaccessible through Registry Editor. This is a security feature designed
to help protect the security and integrity of the system.
HKLM\SECURITY stores security information for the local machine. It
contains information about cached logon credentials, policy
settings, service-related security settings, and default security
values. It also has a copy of the HKLM\SAM. As with the HKLM\SAM
subkey, this subkey is inaccessible through Registry Editor. This
is a security feature designed to help protect the security and
integrity of the system.
HKLM\SOFTWARE stores machine-wide settings for every application and
system component installed on the system. This includes setup
information, executable paths, default configuration settings, and registration
information. Because this subkey resides under HKLM, the
information here is applied globally. This is different from the
HKCU\SOFTWARE configuration settings, which are applied on a
per-user basis.
As Figure 3 shows,
you’ll find many important subkeys within HKLM\SOFTWARE, including the following:
- Classes: Contains all file associations and OLE class identifiers. This is also the key from which HKEY_CLASSES_ROOT is built.
- Clients: Stores information about protocols and shells used by every client application installed on the system. This includes the calendar, contacts, mail, media, and news clients.
- Microsoft: Contains information about every Microsoft application and component installed on the system. This includes their complete configuration settings, defaults, registration information, and much more. You’ll find most of the graphical user interface (GUI) preferences in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion. You’ll find the configuration settings for most system components, language packs, hot fixes, and more under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
- ODBC: Contains information about the Open Database Connectivity (ODBC) configuration on the system. It includes information about all ODBC drivers and ODBC file Data Source Names (DSNs).
- Policies: Contains information about local policies for applications and components installed on the system.

HKLM\SYSTEM stores information about device drivers, services, startup
parameters, and other machine-wide settings. You’ll find several
important subkeys within HKLM\SYSTEM. One of the most
important is HKLM\SYSTEM\CurrentControlSet, as shown in Figure 4.
CurrentControlSet contains information about the set of
controls and services used for the last successful boot of the
system. This subkey always contains information on the set of
controls actually in use and represents the most recent successful
boot. The operating system writes the control set as the final
part of the boot process so that it updates the registry as
appropriate to reflect which set of controls and services was last
used for a successful boot. This is, in fact, how you can boot a
system to the Last Known Good Configuration after it crashes or
experiences a Stop error.
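
To see which stored control set is in use on a given machine, the following added example (not from the original text) lists the numbered control sets and the role each one holds. It assumes the standard HKLM\SYSTEM\Select key, which this text does not describe; its DWORD values Current, Default, Failed, and LastKnownGood hold control set numbers.

```powershell
# Added example: map ControlSetNNN subkeys of HKLM\SYSTEM to their roles.
# Assumption: HKLM\SYSTEM\Select exists (standard on Windows) and holds the
# number of the control set for each role as a DWORD value.
$systemRoot = 'HKLM:\SYSTEM'
$select     = Get-ItemProperty -LiteralPath (Join-Path $systemRoot 'Select')
$roles      = 'Current', 'Default', 'Failed', 'LastKnownGood'

$report = foreach ($key in Get-ChildItem -LiteralPath $systemRoot) {
    # Only numbered control sets are stored sets; CurrentControlSet is a link.
    if ($key.PSChildName -match '^ControlSet(\d{3})$') {
        $number = [int]$Matches[1]

        # One control set can hold several roles (often Current and Default).
        $held = @($roles | Where-Object { $select.$_ -eq $number })

        # Count the service subkeys so that two control sets can be compared.
        $servicesPath = Join-Path $key.PSPath 'Services'
        $serviceCount = 0
        if (Test-Path -LiteralPath $servicesPath) {
            $serviceCount = @(Get-ChildItem -LiteralPath $servicesPath).Count
        }

        $roleText = '(none)'
        if ($held.Count -gt 0) { $roleText = $held -join ', ' }

        [pscustomobject]@{
            ControlSet = $key.PSChildName
            Roles      = $roleText
            Services   = $serviceCount
        }
    }
}

$report | Sort-Object ControlSet | Format-Table -AutoSize
```

A control set that holds no role, or a service count that differs sharply between sets, is worth a closer look when reviewing a system after a failed boot or an unexpected driver or service change.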
HKLM\SYSTEM also contains previously created control sets. These are saved under the subkeys
named ControlSet001, ControlSet002, and so forth. Within the
control sets, you’ll find four important subkeys:
- Control: Contains control information about key operating system settings, tools, and subcomponents, including the HAL, keyboard layouts, system devices, interfaces, and device classes. Under BackupRestore, you’ll find the saved settings for Backup, which include lists of Automated System Recovery (ASR) keys, files, and registry settings not to restore. Under the SafeBoot subkey, you’ll find the control sets used for minimal and network-only boots of the system.
- Enum: Contains the complete enumeration of devices found on the computer when the operating system scans the system buses and searches for specific classes of devices. This represents the complete list of devices present during startup of the operating system.
- Hardware Profiles: Contains a subkey for each hardware profile available on the system. The first hardware profile, 0000, is an empty profile. The other numbered profiles, beginning with 0001, represent profiles that are available for use on the system. The profile named Current always points to the profile being used currently by the operating system.
- Services: Contains a subkey for each service installed on the system. These subkeys store the necessary configuration information for their related services, which can include startup parameters as well as security and performance settings.

Another interesting subkey is HKLM\SYSTEM\MountedDevices. The operating system
creates this key and uses it to store the list of mounted and
available disk devices. Disk devices are listed according to
logical volume configuration and drive-letter designator.
HKEY_USERS, abbreviated as HKU, contains user-profile data for every user who has
previously logged on to the computer locally, as well as a default
user profile. Each user’s profile is owned by that user unless you
change permissions or move profiles. Profile settings include the
user’s desktop configuration, environment variables, folder options,
menu options, printers, and network connections.
User profiles are saved in subkeys of HKEY_USERS
according to their security identifiers (SIDs). There is also a
SecurityID_Classes subkey that represents
file associations that are specific to a particular
user. For example, if a user sets Adobe Photoshop as the default
program for .jpeg and .jpg files and this is different from the
system default, there are entries within this subkey that show this
association.
The policy
settings are applied to the individual user profiles stored in this
key. The default profile specifies how the machine behaves when no
one is logged on and is also used as the base profile for new users
who log on to the computer. For example, if you want to ensure that
the computer uses a password-protected screen saver when no one is
logged on, you modify the default profile accordingly. The subkey
for the default user profile is easy to pick out because it is named
HKEY_USERS\.DEFAULT.
Note
The profile information stored in HKU is loaded from the profile data stored on disk.
The default location for profiles is
%SystemDrive%\Users\UserName, where
UserName is the user’s pre–Windows 2000 logon name.
HKEY_CLASSES_ROOT, abbreviated as HKCR, stores all file associations that tell the
computer which document file types are associated with which
applications, as well as which action to take for various tasks—such
as open, edit, close, or play—based on a specified document type.
For example, if you double-tap or double-click a .doc file, the
document typically is opened for editing in Microsoft Word. This
file association is added to HKCR when you install Microsoft Office
or Microsoft Word. If Microsoft Office or Microsoft Word isn’t
installed, a .doc file is opened instead in WordPad because of a
default file association created when the operating system is
installed.
HKCR is built from HKEY_LOCAL_MACHINE\SOFTWARE\Classes and
HKEY_CURRENT_USER\SOFTWARE\Classes. The former provides
computer-specific class registration, and the latter provides
user-specific class registration. Because the user-specific
class registrations have precedence, this allows for
different class registrations for each user of the machine. This is
different from previous versions of the Windows operating system for
which the same class registration information was provided for all
users of a particular machine.
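
Because the user-specific registrations win in the merged HKCR view, it is useful to know which file extensions the current user has registered differently from the machine-wide default. The following is an added example, not code from the original text; the function name Get-ShadowedClassRegistration is hypothetical.

```powershell
# Added example: list file extensions whose per-user class registration
# differs from (and therefore takes precedence over) the machine-wide one.
function Get-ShadowedClassRegistration {
    param(
        [string]$UserRoot    = 'HKCU:\Software\Classes',
        [string]$MachineRoot = 'HKLM:\SOFTWARE\Classes'
    )

    if (-not (Test-Path -LiteralPath $UserRoot)) { return }

    foreach ($key in Get-ChildItem -LiteralPath $UserRoot) {
        $ext = $key.PSChildName
        # Extension registrations are the subkeys whose names start with a dot.
        if ($ext -notlike '.*') { continue }

        # GetValue('') reads the unnamed (default) value of a registry key,
        # which names the class that handles this extension.
        $userClass = $key.GetValue('')
        if (-not $userClass) { continue }

        $machineClass = $null
        $machineKey   = Join-Path $MachineRoot $ext
        if (Test-Path -LiteralPath $machineKey) {
            $machineClass = (Get-Item -LiteralPath $machineKey).GetValue('')
        }

        # Report extensions the user registers differently, including ones
        # that have no machine-wide registration at all.
        if ($userClass -ne $machineClass) {
            [pscustomobject]@{
                Extension    = $ext
                UserClass    = $userClass
                MachineClass = $machineClass
            }
        }
    }
}

Get-ShadowedClassRegistration | Sort-Object Extension | Format-Table -AutoSize
```

The script only reads the registry and reports on the account it runs under, so run it in the context of the user whose registrations you want to review.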
HKEY_CURRENT_CONFIG, abbreviated as HKCC, contains information about the hardware
configuration with which you started the system, which is also
referred to as the machine’s boot configuration. This key contains information about the current device
assignments, device drivers, and system services that were present
at boot time.
HKCC is built from
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, which in turn
is a pointer to a numbered subkey that contains the current hardware
profile. If a system has multiple hardware profiles, the key points
to a different hardware profile, depending on the boot state or the
hardware profile selection made at startup.
HKEY_CURRENT_USER, abbreviated as HKCU, contains information about the user currently logged on. This
key has a pointer to HKEY_USERS\UserSID, where
UserSID is the security identifier for the
current user as well as for the default profile discussed
previously. Microsoft requires that applications store user-specific preferences under this key. For example,
Microsoft Office settings for individual users are stored under this
key. Additionally, as discussed previously,
HKEY_CURRENT_USER\SOFTWARE\Classes stores the user-specific settings
for file associations.
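
The relationship between HKEY_USERS, the per-user Classes subkeys, and HKEY_CURRENT_USER described in the sections above can be checked directly. This added example (not from the original text) labels each subkey of HKEY_USERS with the account its SID resolves to and marks the one HKCU points to; it assumes the per-user class subkeys carry the suffix _Classes.

```powershell
# Added example: resolve the SID-named subkeys of HKEY_USERS to accounts.
# SID of the account running this script; HKCU is a pointer to this subkey.
$currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

$rows = foreach ($key in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS') {
    $name = $key.PSChildName

    # Per-user file-association subkeys are named <SID>_Classes (assumption
    # stated in the lead-in); strip the suffix to recover the SID.
    $isClasses = $name -like '*_Classes'
    $sidText   = $name -replace '_Classes$', ''

    # Key names that are not SIDs (such as .DEFAULT) or SIDs that no longer
    # map to an account make the cast or the translation throw.
    $account = '(no account resolved)'
    try {
        $sid     = [System.Security.Principal.SecurityIdentifier]$sidText
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        if ($name -eq '.DEFAULT') { $account = '(default profile key)' }
    }

    $kind = 'Profile'
    if ($isClasses) { $kind = 'Classes' }

    [pscustomobject]@{
        Subkey     = $name
        Kind       = $kind
        Account    = $account
        IsHkcuUser = ($sidText -eq $currentSid)
    }
}

$rows | Sort-Object Subkey | Format-Table -AutoSize
```

Only profiles that are currently loaded appear under HKEY_USERS, so the output changes as users log on and off.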
Tip
If you don’t want users to be able to set their own file
associations, you could change the permissions on
HKLM\SOFTWARE\Classes so that users can’t alter the global
settings you want them to have.
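
Before changing permissions as the tip suggests, review who can currently modify the key. This added example (not from the original text) lists the allow entries on HKLM\SOFTWARE\Classes that grant any write-type right; treating only SYSTEM and the built-in Administrators group as expected writers is an assumption of this example.

```powershell
# Added example: show which principals can modify HKLM\SOFTWARE\Classes.
$keyPath = 'HKLM:\SOFTWARE\Classes'

# Rights that allow changing the key's contents or its permissions.
$writeRights = [System.Security.AccessControl.RegistryRights](
    'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership')
# ACEs can also carry generic rights, which appear as raw bit values.
$genericWrite = 0x40000000
$genericAll   = 0x10000000
$mask = [int]$writeRights -bor $genericWrite -bor $genericAll

# Well-known SIDs assumed to be expected writers: SYSTEM and Administrators.
$expectedSids = 'S-1-5-18', 'S-1-5-32-544'

$acl = Get-Acl -LiteralPath $keyPath
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.RegistryRights -band $mask) -eq 0) { continue }

    # Compare by SID so the check does not depend on localized account names.
    $sid = '(untranslated)'
    try {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { }

    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Sid       = $sid
        Rights    = $ace.RegistryRights
        Inherited = $ace.IsInherited
        Expected  = ($expectedSids -contains $sid)
    }
}

$findings | Sort-Object Expected, Identity | Format-Table -AutoSize
```

Rows with Expected set to False are the entries to review against your own baseline; some of them, such as operating system service accounts, are normally present.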