In computing, the Windows registry is a database that stores settings and options for the operating system in 32-bit and 64-bit versions of Microsoft Windows and in Windows Mobile. It contains information and settings for all the hardware, software, users, and preferences of the PC. Whenever a user changes "Control Panel" settings, file associations, system policies, or installed software, the changes are reflected and stored in the registry.
The Windows Registry was introduced to tidy up the profusion of per-program INI files that had previously been used to store configuration settings for Windows programs. These files tended to be scattered all over the system, which made them difficult to keep track of.
The Registry is split into a number of logical sections. These are generally known by the names of the definitions used to access them in the Windows API, which all begin "HKEY" (an abbreviation for "Handle to a Key"); often, they are abbreviated to a three- or four-letter short name starting with "HK".
Each of these keys is divided into subkeys, which may contain further subkeys, and so on. Any key may contain values. These values can be:
- String Value
- Binary Value (0 and 1's)
- DWORD Value (numbers between 0 and 4,294,967,295 [2^32 – 1])
- Multi-String value
- Expandable String Value
Each key has a default value, which is in effect a value with the same name as the key. Registry keys and values are specified with a syntax similar to Windows' filenames, using backslashes to indicate levels of hierarchy. E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE key.
The HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER nodes have a similar structure to each other; applications typically look up their settings by first checking for them in "HKEY_CURRENT_USER\Software\Vendor's name\Application's name\Version\Setting name", and if the setting is not found, looking instead in the same location under the HKEY_LOCAL_MACHINE key. When writing settings back, the reverse approach is used: HKEY_LOCAL_MACHINE is written first, but if that cannot be written to (which is usually the case if the logged-in user is not an administrator), the setting is stored in HKEY_CURRENT_USER instead.
Abbreviated HKCR, HKEY_CLASSES_ROOT stores information about registered applications, including associations from file extensions and OLE object class ids to the applications used to handle these items. On Windows 2000 and above, HKCR is a compilation of HKCU\Software\Classes and HKLM\Software\Classes. If a given value exists in both of the subkeys above, the one in HKCU\Software\Classes is used.
Abbreviated HKCU, HKEY_CURRENT_USER stores settings that are specific to the currently logged-in user. HKCU mirrors the current user's subkey of HKEY_USERS.
Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are general to all users on the computer. This key is found within the file %SystemRoot%\System32\Config\system on NT-based versions of Windows. Information about system hardware is located under the SYSTEM key.
Abbreviated HKU, HKEY_USERS contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user registered on the machine.
Abbreviated HKCC, HKEY_CURRENT_CONFIG contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather regenerated at boot time.
Editing the Registry
The registry can be edited manually in Microsoft Windows by running regedit.exe or regedt32.exe in the Windows directory. However, careless registry editing can cause irreversible damage. Many optimization and "hacking" tools are available to modify this portion of the Windows operating system. It is preferable to use one of the many registry cleaners available.
A simple implementation of the current registry tool appeared in Windows 3.x, called the "Registration Info Editor" or "Registration Editor". This was basically just a database of applications used to edit embedded OLE objects in documents.
Windows NT introduced permissions for Registry editing. Windows NT 4 and Windows 2000 were distributed with both the Windows 9x REGEDIT.EXE program and Windows NT 3.x's REGEDT32.EXE program. There are several differences between the two editors on these platforms:
- REGEDIT.EXE had a left-side tree view that began at "My Computer" and listed all loaded hives. REGEDT32.EXE had a left-side tree view, but each hive had its own window, so the tree displayed only keys.
- REGEDIT.EXE represented the three components of a value (its name, type, and data) as separate columns of a table. REGEDT32.EXE represented them as a list of strings.
- REGEDIT.EXE was written for the Win32 API and supported right-clicking of entries in a tree view to adjust properties and other settings. REGEDT32.EXE was written for the Win32 API and required all actions to be performed from the top menu bar.
- Because REGEDIT.EXE was directly ported from Windows 95, it did not support permission editing (permissions do not exist on Windows 9x). Therefore, the only way to access the full functionality of an NT registry was with REGEDT32.EXE.
- REGEDIT.EXE only supports string (REG_SZ), binary (REG_BINARY), and DWORD (REG_DWORD) values. REGEDT32.EXE supports those, plus expandable string (REG_EXPAND_SZ) and multi-string (REG_MULTI_SZ). Attempting to edit unsupported key types with REGEDIT.EXE on Windows 2000 or Windows NT 4 will result in registry corruption and, possibly, an unbootable system.
Windows XP was the first system to integrate these two programs into one, adopting the old REGEDIT.EXE interface and adding the REGEDT32.EXE functionality. The differences listed above are not applicable on Windows XP and newer systems; REGEDIT.EXE is the improved editor, and REGEDT32.EXE simply invokes REGEDIT.EXE.
Command line editing
reg.exe Operation [Parameter List]
Also, a .reg file (a text-based human-readable file format for storing portions of the registry) can be imported from the command line with the following command:
regedit.exe /s file
The /s means the file will be silently merged into the Registry. If the /s parameter is omitted the user will not be asked to confirm the operation. In Windows 98 and Windows 95 the /s switch also caused regedit.exe to ignore the setting in the registry that allows administrators to disable it. When using the /s switch, Regedit does not return an appropriate return code if the operation fails, unlike reg.exe, which does. This makes it hard to script; however, a possible workaround is to add the following lines to your batch file:
regedit /s file.reg
regedit /e test.reg "key"
if not exist test.reg goto REGERROR
del test.reg
Where is the Registry stored?
The Registry is stored in several files; depending upon the version of Windows, there will be different files and different locations for these files, but they are all on the local machine, except for the NTuser or user file which may be placed on another computer to allow for roaming profiles.
Windows NT, 2000, 2003, & XP
The following Registry files are stored in %SystemRoot%\System32\Config\:
- The NTUSER.dat file is stored in the profile folder.
Windows 95 & 98
The registry files are named User.dat and System.dat and are stored in the \Windows\ directory.
The registry files are named Classes.dat, User.dat, and System.dat and are stored in the \Windows\ directory.
The registry file is called Reg.dat and is stored in the \Windows\ directory.
Since Windows 95, administrators can include a special file in the registry: a policy file. The policy file allows administrators to enforce registry settings, such as preventing users from changing the background picture of the desktop. The default extension for the policy file is .pol. The policy file filters the settings it enforces on a per-user and per-user-group basis. To do that, the policy file merges into the registry, preventing users from circumventing it by simply changing the settings back. The policy file is usually distributed through a LAN, but can be placed on the local computer.
Policy file editor
The policy file is created with a free tool from Microsoft that goes by the filename poledit.exe on Windows 95/Windows 98, and with a computer management module on NT-based systems. The module will not work in Windows XP Home, but it does work in the Pro edition. The editor requires administrative permissions to run on systems that use permissions. The editor can also directly change the current registry settings of the local computer, and if the remote registry service is installed and started on another computer, it can change the registry on that computer as well. The policy editor loads the settings it can change from .adm files; one is included, containing the settings the Windows shell provides. The .adm file is plain text and supports easy localisation by allowing all the strings to be stored in one place.
Useful Registry keys
The following registry keys may be of interest to users attempting to customise their Windows systems.
- HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate Creating this (as a DWORD) and setting it to 1 will prevent Windows (NT, 2000 or XP) from tracking the last access time of files, which speeds up a lot of operations (especially opening folders of items with previews).
- HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\SizReqBuf Specifies the size of buffers used for storing requests to the file/print server. Increasing this from the default of 4356 bytes can improve network performance: a figure of 14596 is frequently recommended.
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and the HKCU equivalent) specifies applications to run whenever a user logs in. These can include desirable programs, such as printer monitoring programs or frequently-used tools, but a lot of malware uses this registry key to ensure it is automatically run. This key is a good place to start looking for evidence of malware if you think your computer has been infected.
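An added example (not part of the original article) that goes slightly beyond the text: it parses a .reg export, such as one written by regedit /e, and lists the entries under the HKLM and HKCU Run keys, marking those that launch from user-writable locations. The sample export, the ExampleVendor path and the USER_WRITABLE markers are constructed assumptions.

```python
import re

RUN_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
# Assumption: path fragments a standard user can write to; tune for your estate.
USER_WRITABLE = ("%temp%", "%appdata%", "%localappdata%", "\\appdata\\", "\\temp\\")
# Constructed sample export (version 5.00 text format), not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"PrinterMonitor"="\"C:\\Program Files\\ExampleVendor\\monitor.exe\" /tray"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,75,00,2e,00,65,00,\
  78,00,65,00,00,00
'''

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and " with a backslash

def decode_data(raw):  # data part of a value line -> (type, text)
    if raw.startswith('"'):
        return "REG_SZ", unescape(raw[1:raw.rindex('"')])
    if m := re.match(r"hex\(2\):(.*)", raw):  # REG_EXPAND_SZ: UTF-16LE bytes as hex
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    return "OTHER", raw  # dword:, hex:, hex(7): are left undecoded here

def parse_reg(text):  # yields (key, name, type, data) for every value in the export
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)):
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield (key, name, *decode_data(m.group(2)))

def audit_run_keys(text):
    """List Run-key autostart entries; mark those launching from user-writable paths."""
    findings = []
    for key, name, vtype, data in parse_reg(text):
        if key.lower().endswith(RUN_SUFFIX):
            review = any(marker in data.lower() for marker in USER_WRITABLE)
            findings.append((key.split("\\")[0], name, vtype, data, review))
    return findings

if __name__ == "__main__":
    for hive, name, vtype, data, review in audit_run_keys(SAMPLE):
        print(f"{'REVIEW' if review else 'ok':6} {hive} {name} [{vtype}] {data}")
```

A REVIEW mark is a prompt to look at the entry, not a verdict: legitimate per-user software also starts from profile directories.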
Registry inspection and monitoring tools
- Regmon — A tool for detailed monitoring of which applications are accessing registry items
- Registry Jumper — A freeware utility for quick access to registry keys
- Registry Patrol — Free scan utility to check registry settings of your system for errors
- CCleaner — A system optimization tool that, among other things, detects and corrects application-related registry problems
- Regclean — An unsupported tool, originally from Microsoft, to remove old Registry entries
- Regvac Registry Cleaner — A system optimization utility for registry cleaning
- RegSeeker — A system tuning utility that includes registry cleaning
- NTREGOPT — A registry optimiser for Windows NT/2000/2003/XP
- RegCompact.NET — A freeware registry compactor for Windows NT/2000/2003/XP
- Registry Genius — An all-in-one registry tool that can repair and clean your Windows registry and optimise the Windows system.
Advantages of the Registry concept
Changing from having one or more INI Files per program to one centralised registry has its good points:
- The registry keeps machine configuration separate from user configuration. When a user logs into a Windows NT/XP/2003 computer, their registry settings are merged with the system wide settings. This allows programs to more easily keep per-user configuration, as they can just work with the 'current user' key, whereas in the past they tended to just keep system-wide per-program settings. (This point doesn't apply to programs on *NIX based OSs as they have an accepted standard for per-user settings, where Windows previously did not).
- Group Policy allows administrators on a Windows-based computer network to centrally manage program and policy settings. Part of this involves being able to set what an entry in the registry will be for all the computers on the network, and affect nearly any installed program - something almost impossible with per-program configuration files each with custom layouts, stored in dispersed locations.
- Because the registry is accessed through a special API it is available to scripts and remote management using WMI. Each script does not have to be customised for every application's unique configuration file layouts and restrictions.
- The registry can be accessed as one item over a network connection for remote management/support, including from scripts, using the standard API.
- It can be backed up more easily, in that it is just a small number of files in specific locations.
Criticisms of the Registry concept
However, the centralised Registry introduces some problems as well:
- It is a single point of failure - damage to the Registry can render a Windows system unbootable, in extreme cases to a point that can not be fixed, and requires a full reinstall of Windows.
- Any program which wants to manipulate the registry must use special Windows API functions whereas a configuration file can be manipulated using normal text file-processing techniques. A user must edit the registry using the provided program 'regedit', but they could edit most other configuration files with any standard text editor.
- Configuration files can contain comments to help the user by explaining what values are for and how they can be changed, the registry cannot.
- It is more difficult to back up - it cannot be done 'live' because it is always in use, and thus requires special software such as ntbackup.
- Restoring parts of the registry is hard because you cannot easily extract data from backed-up registry files.
- Any application that doesn't uninstall properly, or doesn't have an uninstaller, can leave entries in the registry, which can lead over time to increased file size and decreased performance. Freeware utilities such as RegCleaner Standard can help alleviate this problem, but as with all registry cleaning utilities, there is always a small chance that applications can be damaged if a valid registry entry is deleted by mistake!
Registry Alternatives in Other Operating Systems
Other systems preserve the concept of separate configuration files for separate application subsystems, but group them together in a single filesystem directory for ease of management, such as the Preferences Folder in Mac OS, or the /etc and hidden directories (directories that start with a period) within the home directory in Unix-like systems. In those systems, fine-grained access to configuration settings can be controlled by normal filesystem protection mechanisms. Also, the only thing that could cause widespread damage to the configuration system would have to be major filesystem corruption.
RISC OS allows applications to be copied into directories easily, without the need to install the application as you would in Windows. If you wish to remove the application, simply delete the folder belonging to the application. This contrasts with the Windows Registry: software that you think has been removed often gets left behind in the Registry.
Problems with Windows 9x OS
On Windows 9x computers, an older installation can have a very large registry that slows down the computer's startup and can make the computer unstable. This has led to frequent criticisms that the registry leads to instability. However, these problems occur slightly less often on the Windows NT family of systems, including Windows XP.