The HKEY_LOCAL_MACHINE Key (Part 2)


Figure 7.8: An example of the contents of the DeviceN nested key for the device driver
subkey under HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Services
Depending on the video driver implementation, this key may contain a variety of
parameters, including the VgaCompatible standard setting, which is set to FALSE for
most modern drivers. If the parameter is set to FALSE, the driver is based on the MS
VGA miniport driver.
The following REG_BINARY settings under the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{56652C39-3E1C-4A83-AD68-1CF58F0EDEE9}\0000
key:
HardwareInformation.AdapterString,
HardwareInformation.BiosString,
HardwareInformation.ChipType,
HardwareInformation.Crc32,
HardwareInformation.DacType,
HardwareInformation.MemorySize
contain hardware information displayed by administrative utilities. Notice that similar
settings are also present in Windows NT/2000 registries, but in different locations.
When the Windows GUI starts, the system reads the video settings contained under the
following registry key (Fig. 7.9):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Control\VIDEO\{56652C39-3E1C-4A83-AD68-1CF58F0EDEE9}\0000

Figure 7.9: Registry settings that specify the video mode
After reading these settings, the system checks whether the display driver supporting the
specified mode is present. As soon as the appropriate driver has been found, the startup
procedure continues. What happens, though, if the system can't find an appropriate
driver? The answer's simple: the system will use standard VGA mode (16 colors).
Thus, we have considered the usage of the
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP information for searching for
specific device driver data. We've used the video adapter as an example, but the system
uses a similar algorithm for locating the appropriate drivers for any other device. To
summarize, let's note that the HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP
data describes either an actual port name or the path to the appropriate subkey under
HKEY_LOCAL_MACHINE\System\ControlSetnnn\Services. This, in turn, contains the
necessary information on the device driver. Sometimes, system administrators may need
this information for troubleshooting purposes. It should be noted again that administrative
utilities, such as Device Manager, display the same information presented in user-friendly
format rather than raw binary data.
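The lookup summarized above can be followed by hand. This PowerShell sketch is an added example, not code from the book: it reads each value under HARDWARE\DEVICEMAP\VIDEO, follows the stored path to the key it points at, and decodes the HardwareInformation.* settings into readable form. The function name ConvertFrom-HardwareInfo is hypothetical, and the decoding rules (UTF-16LE strings, a 4-byte little-endian MemorySize) are assumptions about how drivers commonly store these values.

```powershell
# Added example (not from the book). Run on the machine being examined.
function ConvertFrom-HardwareInfo {
    param([string]$Name, $Data)
    # Some drivers store these values as REG_SZ or REG_DWORD; pass those through.
    if ($Data -isnot [byte[]]) { return $Data }
    # Assumption: MemorySize is a 4-byte little-endian byte count.
    if ($Name -like '*.MemorySize' -and $Data.Length -ge 4) {
        return '{0} MB' -f ([BitConverter]::ToUInt32($Data, 0) / 1MB)
    }
    # Crc32 is not text; show it as hex instead of guessing at its layout.
    if ($Name -like '*.Crc32') {
        return ($Data | ForEach-Object { $_.ToString('X2') }) -join ''
    }
    # Assumption: the remaining values are NUL-terminated UTF-16LE strings.
    return [Text.Encoding]::Unicode.GetString($Data).TrimEnd([char]0)
}

$mapKey = Get-Item -LiteralPath 'HKLM:\HARDWARE\DEVICEMAP\VIDEO'
foreach ($device in $mapKey.GetValueNames()) {
    $target = [string]$mapKey.GetValue($device)
    # DEVICEMAP holds either a port name or an NT-style registry path.
    # \Registry\Machine\ is the kernel's name for HKEY_LOCAL_MACHINE.
    if ($target -notmatch '^\\Registry\\Machine\\') { continue }
    $path = $target -replace '^\\Registry\\Machine\\', 'HKLM:\'
    $key  = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $key) {
        Write-Warning "$device -> $target (key not found)"
        continue
    }
    "$device -> $path"
    $names = $key.GetValueNames() | Where-Object { $_ -like 'HardwareInformation.*' }
    foreach ($name in $names) {
        '  {0,-40} {1}' -f $name, (ConvertFrom-HardwareInfo $name $key.GetValue($name))
    }
}
```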
The RESOURCEMAP Subkey
The RESOURCEMAP subkey under HKEY_LOCAL_MACHINE\HARDWARE maps
device drivers to the hardware resources allocated to them. Each setting stored
within the RESOURCEMAP key contains the data reported by the device driver
concerning the memory addresses, IRQs, and DMA channels requested by that driver.
All the data contained within this key is volatile. Windows NT/2000/XP and Windows
Server 2003 recreate the key during every system startup.
Because Windows 2000/XP and Windows Server 2003 implement full-featured Plug and
Play support and include a new kernel-mode component (Plug and Play Manager), the
contents of the HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP registry
key are different for Windows 2000/XP/Windows Server 2003 from what they are for
Windows NT 4.0. In the Windows NT 4.0 registry, the RESOURCEMAP key contains
multiple <DeviceClass> subkeys, which are used to store information on specific device
driver classes. Each of these keys contains one or more <DriverName> subkeys that
store information related to individual drivers.
The RESOURCEMAP key in Windows 2000/Windows XP/Windows Server 2003
registries looks somewhat different (Fig. 7.10). The kernel-mode Plug and Play Manager
now controls all the hardware devices. Because of this, the data concerning system
resources is stored under the following registry key:

HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\PnP Manager\PnpManager.

Figure 7.10: The RESOURCEMAP key in Windows XP/Windows Server 2003
The HKEY_LOCAL_MACHINE\SAM Key
For computers that are not joined to a domain, the HKEY_LOCAL_MACHINE\SAM
registry key contains information on local user and group accounts stored in the directory
database (which was formerly known as the SAM database). For Windows 2000 Server
and Windows Server 2003 computers joined to a domain, this key also contains security
data for domain users and groups.
This key references the HKEY_LOCAL_MACHINE\Security\SAM key, and any
modification introduced into one of these keys immediately appears in the other.

Note Starting with Windows 2000, domain controllers both in Windows 2000 and
Windows Server 2003 domains store security data in the Active Directory database
file (Ntds.dit). However, the SAM database is still preserved for storing local security
information on servers that are not joined to a domain, as well as for backward
compatibility with the existing Windows NT 4.0 domains. Besides this, it is used
for restoring Active Directory information when the user selects the Directory
Services Restore Mode (Windows domain controllers only) option from the
Windows Advanced Startup Options menu during system boot.
Default security settings both in Windows 2000 Server and in Windows Server 2003
prevent users (even those with administrative permissions) from viewing the contents of
this registry key. More detailed information on this topic will be provided in Chapter 9.
The HKEY_LOCAL_MACHINE\SECURITY Key
The HKEY_LOCAL_MACHINE\SECURITY registry key contains information about
the security subsystem on the local computer, including user rights and permissions,
password policies, and local group membership. All of this information is specified using
administrative utilities such as User Manager (Windows NT 4.0 Workstation), User
Manager for Domains (Windows NT 4.0 Server), User Management MMC snap-in
(Windows 2000 Professional and Windows XP) and Active Directory Users and
Computers (Windows 2000 and Windows Server 2003 domain controllers).
The HKEY_LOCAL_MACHINE\SECURITY\SAM key references the
HKEY_LOCAL_MACHINE\SAM key; because of this, any modification introduced
into one of these keys will immediately appear in the other.
The HKEY_LOCAL_MACHINE\SOFTWARE Key
The HKEY_LOCAL_MACHINE\SOFTWARE registry key contains configuration data
concerning the software installed on the local computer. Settings that reside under this
key are in force for any user who's logged on to the local system.
The HKEY_LOCAL_MACHINE\SOFTWARE\Classes key contains filename extension
association data. It also stores registry data associated with COM objects. The data stored
under the Classes key are also displayed under HKEY_CLASSES_ROOT. Fig. 7.11
shows the typical contents of the HKEY_LOCAL_MACHINE\Software registry key.

Figure 7.11: Typical contents of the HKEY_LOCAL_MACHINE\SOFTWARE key
The HKEY_LOCAL_MACHINE\SOFTWARE subtree contains several nested keys, the
most important being the Classes, Program Groups, and Secure subkeys. Later in this
chapter, we'll discuss several <Description> subkeys that may appear in the registry.
The Classes Subkey
The parameters contained under this key are the same as the parameters stored under
HKEY_CLASSES_ROOT. Detailed information on the contents of this key is provided
in the "OLE Programmer's Reference" document included with the Windows Platform
Software Development Kit. The HKEY_LOCAL_MACHINE\SOFTWARE\Classes key
contains subkeys of the following types:

Subkeys of the <Filename-extension> type associate applications installed on
local computers with file types (identified by filename extensions). These subkeys
contain data that you can add using the File Types tab of the Folder Options
window, as well as information added by the Setup programs that install Windows
applications.

<Class-definition> subkeys. These subkeys contain information associated with
COM objects. The data contained within these keys specify the shell and OLE
(COM) properties for specific objects. If the application supports DDE (Dynamic
Data Exchange), the Shell subkey may, in turn, contain other subkeys such as
Open and Print. The subkeys define DDE commands for opening and printing
files. Notice that the information contained under these keys is very similar to that
which is stored in the registry database of previous Windows versions, such as
Windows 3.1x.

Note The COM object information contained in the registry must be created by an
application supporting COM. Direct registry editing can't be considered the easiest
method of editing the information. If you need to perform this task in Windows NT
4.0, select the Options command from the View menu in Windows NT Explorer,
then go to the File Types tab of the Options dialog. If you need to perform the
same task in Windows 2000, Windows XP, or one of the Windows Server 2003
products, start the Folder Options applet from the Control Panel, or select the
Folder Options command from the Tools menu in Windows Explorer; then go to
the File Types tab in the Folder Options window.
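To review what the two subkey types described above resolve to without editing anything, the following PowerShell sketch (an added example, not from the book) walks from a <Filename-extension> subkey to its <Class-definition> subkey and lists the commands registered under Shell. The function name Get-MachineFileAssociation and the sample extensions are hypothetical; ddeexec is the subkey name under which DDE commands are normally registered.

```powershell
# Added example (not from the book). Read-only; reports machine-wide associations.
function Get-MachineFileAssociation {
    param([Parameter(Mandatory)][string]$Extension)    # for example '.txt'

    $classes = 'HKLM:\SOFTWARE\Classes'
    $extKey  = Get-Item -LiteralPath "$classes\$Extension" -ErrorAction SilentlyContinue
    if (-not $extKey) { return }

    # The default value of the <Filename-extension> subkey names the
    # <Class-definition> subkey that holds the shell properties.
    $classId = $extKey.GetValue('')
    if (-not $classId) { return }

    $shellPath = "$classes\$classId\shell"
    $shell = Get-Item -LiteralPath $shellPath -ErrorAction SilentlyContinue
    if (-not $shell) { return }

    # Each subkey of Shell is a verb such as Open or Print.
    foreach ($verb in $shell.GetSubKeyNames()) {
        $cmd = Get-Item -LiteralPath "$shellPath\$verb\command" -ErrorAction SilentlyContinue
        $dde = Get-Item -LiteralPath "$shellPath\$verb\ddeexec" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Extension = $Extension
            Class     = $classId
            Verb      = $verb
            Command   = if ($cmd) { $cmd.GetValue('') }
            DdeExec   = if ($dde) { $dde.GetValue('') }
        }
    }
}

# Sample extensions chosen for illustration only.
'.txt', '.bat', '.reg' |
    ForEach-Object { Get-MachineFileAssociation -Extension $_ } |
    Format-Table -AutoSize -Wrap
```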
The Description Subkeys
The HKEY_LOCAL_MACHINE\Software\Description keys contain names and version
numbers of the software installed on the local computer. (Configuration settings specified
for individual users are stored under HKEY_CURRENT_USER.)
During installation, applications register this information in the following form: