The HKEY_LOCAL_MACHINE Key
HKEY_LOCAL_MACHINE is one of the most important and most interesting root keys
of the registry. It contains configuration data for the local computer. Information stored in
this registry key is used by applications and device drivers and by the operating system
itself for obtaining information on the local computer's configuration. Moreover, the
information doesn't depend on the user who's logged in to the system.
The HKEY_LOCAL_MACHINE root key contains five subkeys, briefly described in
Table 7.1. The rest of this section describes the subkeys in greater detail.
Table 7.1: Subkeys Contained within the HKEY_LOCAL_MACHINE Root Key
Subkey Contents
HARDWARE This subkey contains a database describing all the hardware devices
installed on the computer, the method of interaction between device
drivers and hardware devices, and the data that connects kernel-mode
device drivers with user-mode code. All the data contained within this
subkey are volatile. The system re-creates these data each time it starts.
The Description subkey describes all the hardware physically present on
the computer. The hardware recognizer collects this information at system
startup and the kernel stores this information under the
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION registry key.
The DeviceMap subkey contains various data in formats defined by
certain device driver classes. As device drivers are loading, they pass their
information to the system so that it can associate specific hardware
devices and their drivers.
The ResourceMap subkey contains information on the system resources
allocated to each device (including ports, DMA addresses, IRQs). Notice
that all Windows NT-based operating systems, including Windows 2000,
Windows XP, and Windows Server 2003, provide a much more convenient
way to view the contents of this subkey. To view (and possibly change)
this data, it is recommended that you use various administrative tools. For
example, if you're using Windows NT 4.0, you can view the information
using the Windows NT Diagnostics utility (Winmsdp.exe). In Windows
2000/XP and Windows Server 2003, you can use the MMC console or
Device Manager for the same purpose.
SAM This subkey contains the directory services database, which stores
information on user and group accounts and security subsystems (SAM
stands for the Security Account Manager). By default, you can't view this
key using registry editors even if you're logged in as an Administrator.
The data contained within the HKLM\SAM registry key isn't documented,
and user passwords are encrypted.
Note that for Windows NT domains the SAM database also stores a
domain directory services database. In native-mode Windows 2000 or
Windows Server 2003 domains, the directory services database is stored in
the Ntds.dit file on domain controllers. However, the SAM database
remains important, since it stores local accounts (required to log on
locally). If your computer running Windows XP or Windows
Server 2003 does not participate in a domain, the SAM database is the main
store of user and group account information.
SECURITY This database contains the local security policy, including user rights and
permissions. The key is only used by the security subsystem. For example,
it contains information that defines whether or not an individual user can
reboot the computer, start or stop device drivers, backup/recover files, or
access the computer through the network. Information contained within
this key is also encrypted. The HKLM\SAM key is the link to the
HKLM\SECURITY\SAM key.
SOFTWARE This database contains information on the software products installed on
the local computer, along with various configuration data.
SYSTEM This database contains information on controlling the system startup, the
loading order of device drivers and system services, and on operating
system behavior.
Note You can read the information contained in any of these subkeys, but it only makes
sense to edit the contents of the Software and System keys.
If the HKEY_CURRENT_USER registry key contains data similar to that contained
under HKEY_LOCAL_MACHINE, then by default the HKEY_CURRENT_USER data
takes priority.
Note If you read the previous chapter carefully, you'll recall that the Policy setting under
HKEY_LOCAL_MACHINE is given priority over the individual settings specified
for each user. This is only true if you logged in to the system as an Administrator
and specified the default value for the power policy, as described in Chapter 5.
However, the settings under HKEY_CURRENT_USER may also extend the data under
HKEY_LOCAL_MACHINE rather than replace them. Furthermore, there are certain
settings (for example, those that manage the device driver loading order) that have no
meaning outside the HKEY_LOCAL_MACHINE root key.
The HKEY_LOCAL_MACHINE\HARDWARE Key
The HKEY_LOCAL_MACHINE\HARDWARE registry key contains hardware data
recreated during each system startup. This data includes information about the devices on
the motherboard and the data on the IRQs used by individual device drivers.
The HARDWARE key contains important data sets subdivided between the following
three subkeys: DESCRIPTION, DEVICEMAP, and RESOURCEMAP.
All the information contained under HKEY_LOCAL_MACHINE\HARDWARE is
volatile. This means that the settings are computed and recreated each time the system
starts up, and are lost when you shut the system down. All drivers and applications use
this subtree for obtaining information on system components and for storing the data
directly under the DEVICEMAP subkey and indirectly under the RESOURCEMAP
subkey (Fig. 7.1).
Figure 7.1: The HKEY_LOCAL_MACHINE\HARDWARE registry key
Note As was explained in Chapter 5, integrated support for Plug and Play and power
management in Windows 2000, Windows XP, and Windows Server 2003 is only
available on computers that have an Advanced Configuration and Power Interface
(ACPI) BIOS. At boot time, the operating system loader checks whether such a
BIOS is loaded. If so, ACPI is enabled in the operating system. If such a BIOS is
not loaded, ACPI is disabled and the less reliable Advanced Power Management
(APM) model is used instead. Microsoft supplies the ACPI driver as part of the
operating system. On systems that have an ACPI BIOS, the HAL causes the ACPI
driver to be loaded during system start-up at the base of the device tree, where it
acts as the interface between the operating system and the BIOS. The ACPI driver
is transparent to other drivers. If your system has ACPI BIOS, the
HKEY_LOCAL_MACHINE\HARDWARE registry tree will contain the nested
ACPI subkey (Fig. 7.1).
Don't try to edit the data under HKEY_LOCAL_MACHINE\HARDWARE directly. This
information is usually stored in binary format and is difficult to understand if you can't
interpret binary data.
Tip If you want to view this information in user-friendly format, select Programs |
Administrative Tools | Computer Management from the Start menu and expand
the MMC console tree (Windows 2000) or click Start | All Programs | Accessories |
System Tools | System Information (Windows XP and Windows Server 2003) to
open the System Information window (Fig. 7.2).
Figure 7.2: The System Information utility allows you to view hardware information in
user-friendly format
The DESCRIPTION Subkey
The DESCRIPTION subkey under HKEY_LOCAL_MACHINE\HARDWARE displays
information from the hardware database. For x86 computers, this information contains
data on the devices detected by Ntdetect.com and Ntoskrnl.exe.
Ntdetect.com is the standard DOS-style program that uses BIOS calls for selecting
hardware information and configuring hardware devices. This includes date and time
information stored in the CMOS chip; bus types (for example, ISA, PCI, EISA) and
identifiers of the devices on these buses; data on the number, type, and capacity of the
hard drives installed in the system; and the number and types of parallel ports. Based on
this information, the system creates internal data structures that Ntoskrnl.exe stores under
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION during system startup.
A specific feature of the Ntdetect.com version included with Windows 2000, Windows
XP, and Windows Server 2003 is that PnP detection functions are delegated to PnP
drivers. In contrast, the Windows NT 4.0 version of Ntdetect.com detects all installed
hardware (due to limited PnP support in Windows NT 4.0).
Ntdetect.com detects the following hardware:
Type of bus/adapter
Keyboard
SCSI adapters
COM-ports
Machine ID
Video adapter
Arithmetic coprocessor
Mouse
Floppy drives
Parallel ports
Note Network adapters aren't detected at this phase. The system detects network adapters
either during OS installation, or when you install a new network adapter. More
detailed information on this topic will be provided in Chapter 8.
There are more subkeys, each of them corresponding to a certain bus controller type.
These subkeys are located under
HKEY_LOCAL_MACHINE\Hardware\Description\System\MultifunctionAdapter. Each
of these keys describes a specific controller class (including hard disk controllers, display
controllers, parallel port controllers, and SCSI controllers). The path to the subkey
describes the component type. All physical devices are numbered, beginning from 0.
Each detected hardware component has Component Information and Configuration Data
settings, which contain binary data on the version of a specific component and its
configuration (Fig. 7.3). The Identifier setting contains the component name (if
specified).
Figure 7.3: The
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter registry key
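The walk through the MultifunctionAdapter tree described above can be done without opening a registry editor. The following PowerShell script is an added example, not part of the original chapter; it assumes PowerShell is available, and Get-HardwareComponent is a hypothetical helper name. It reads only: for each component key it lists the path below MultifunctionAdapter, the Identifier string, and whether the two binary settings named in the text are present (they are not decoded).

```powershell
# Added example: read-only inventory of the hardware description tree.
# Get-HardwareComponent is a hypothetical helper name, not a built-in cmdlet.
$root = 'HKLM:\HARDWARE\DESCRIPTION\System\MultifunctionAdapter'

function Get-HardwareComponent {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Relative = ''
    )
    foreach ($key in Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue) {
        # Path below MultifunctionAdapter, e.g. 0\<ControllerType>\0;
        # as the text notes, this path describes the component type.
        $rel = if ($Relative) { "$Relative\$($key.PSChildName)" } else { $key.PSChildName }

        # Value names as given in the text; any of them may be absent on a key.
        $names = $key.GetValueNames()
        $known = 'Component Information', 'Configuration Data', 'Identifier'

        if ($names | Where-Object { $known -contains $_ }) {
            [pscustomobject]@{
                Component            = $rel
                Identifier           = $key.GetValue('Identifier')   # $null if not specified
                ComponentInformation = $names -contains 'Component Information'
                ConfigurationData    = $names -contains 'Configuration Data'
            }
        }

        # Descend: controllers contain peripherals, each numbered from 0.
        Get-HardwareComponent -Path $key.PSPath -Relative $rel
    }
}

if (Test-Path -LiteralPath $root) {
    Get-HardwareComponent -Path $root | Format-Table -AutoSize
} else {
    Write-Warning "$root was not found on this system."
}
```

Because the HARDWARE tree is rebuilt at every startup, output saved from a known-good boot can serve as a baseline for comparing later inventories.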